Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/257

Click to flip

257 Cards in this Set

  • Front
  • Back
QUESTION 1
Which of the following is NOT a valid access control mechanism?
A. DAC (Discretionary Access Control) list.
B. SAC (Subjective Access Control) list.
C. MAC (Mandatory Access Control) list.
D. RBAC (Role Based Access Control) list.
Answer: B
Explanation:
The three basic access control mechanisms are: MAC (Mandatory Access Control), DAC (Discretionary Access
Control) and RBAC (Role Based Access Control). There is no SAC (Subjective Access Control) list.
QUESTION 2
Which of the following best describes an access control mechanism in which access control decisions are
based on the responsibilities that an individual user or process has in an organization?
A. MAC (Mandatory Access Control)
B. RBAC (Role Based Access Control)
C. DAC (Discretionary Access Control)
D. None of the above.
Answer: B
Explanation:
Access control using the RBAC model is based on the role or responsibilities users have in the organization.
These usually reflect the organization's structure and can be implemented system wide.
QUESTION 3
Which of the following best describes an access control mechanism that allows the data owner to create
and administer access control?
A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)
Answer: D
Explanation:
The DAC model allows the owner of a resource to control access privileges to that resource. This model is
dynamic in nature and allows the owner of the resource to grant or revoke access to individuals or groups of
individuals.
QUESTION 4
Which of the following is an inherent flaw in the DAC (Discretionary Access Control) model?
A. DAC (Discretionary Access Control) relies only on the identity of the user or process, leaving room for a
Trojan horse.
B. DAC (Discretionary Access Control) relies on certificates, allowing attackers to use those certificates.
C. DAC (Discretionary Access Control) does not rely on the identity of a user, allowing anyone to use an
account.
D. DAC (Discretionary Access Control) has no known security flaws.
Answer: A
Explanation:
The DAC model is more flexible than the MAC model. It allows the owner of a resource to control access
privileges to that resource. Thus, access control is entirely at the digression of the owner, as is the resource is shared. In other words, there are no security checks to ensure that malicious code is not made available for
sharing
QUESTION 5
Which of the following access control methods provides the most granular access to protected objects?
A. Capabilities
B. Access control lists
C. Permission bits
D. Profiles
Answer: B
Explanation:
Access control lists enable devices in your network to ignore requests from specified users or systems, or grant
certain network capabilities to them. ACLs allow a stronger set of access controls to be established in your
network. The basic process of ACL control allows the administrator to design and adapt the network to deal
with specific security threats
QUESTION 6
You work as the security administrator at Certkiller .com. You set permissions on a file object in a
network operating system which uses DAC (Discretionary Access Control). The ACL (Access Control
List) of the file is as follows:
Owner: Read, Write, Execute User A: Read, Write, - User B: -, -, - (None) Sales: Read,-, - Marketing: -,
Write, - Other Read, Write, -
User "A" is the owner of the file. User "B" is a member of the Sales group. What effective permissions
does User "B" have on the file?
A. User B has no permissions on the file.
B. User B has read permissions on the file.
C. User B has read- and write permissions on the file.
D. User B has read, write and execute permissions on the file
Answer: A
Explanation:
ACLs have a list of users and their associated access that they have been granted to a resource such as a file.
When a user attempts to access a resource the ACL is checked to see if the user has the required privileges, if
the required privileges are not found, access is denied. In this ACL, User B does not have an associated access privilege to the resource. Therefore User B has no permissions on the resource and will not be able to access it.
QUESTION 7
You work as the security administrator at Certkiller .com. Certkiller has a RBAC (Role Based Access
Control) compliant system for which you are planning the security implementation. There are three
types of resources including files, printers, and mailboxes and four distinct departments with distinct
functions including Sales, Marketing, Management, and Production in the system. Each department
needs access to different resources. Each user has a workstation. Which roles should you create to
support the RBAC (Role Based Access Control) model?
A. File, printer, and mailbox roles.
B. Sales, marketing, management, and production roles.
C. User and workstation roles.
D. Allow access and deny access roles.
Answer: B
Explanation:
Access control using the RBAC model is based on the role or responsibilities users have in the organization.
These roles usually reflect the organization's structure, such as its division into different departments, each with
its distinct role in the organization. Thus the RBAC model could be based on the different departments.
QUESTION 8
With regard to DAC (Discretionary Access Control), which of the following statements are true?
A. Files that don't have an owner CANNOT be modified.
B. The administrator of the system is an owner of each object.
C. The operating system is an owner of each object.
D. Each object has an owner, which has full control over the object.
Answer: D
Explanation:
The DAC model allows the owner of a resource to control access privileges to that resource. Thus, access
control is entirely at the digression of the owner who has full control over the resource.
QUESTION 9
Which of the following are used to make access decisions in a MAC (Mandatory Access Control)
environment?
A. Access control lists
B. Ownership
C. Group membership
D. Sensitivity labels
Answer: D
Explanation:
Mandatory Access Control is a strict hierarchical model usually associated with governments. All objects are
given security labels known as sensitivity labels and are classified accordingly. Then all users are given specific
security clearances as to what they are allowed to access.
QUESTION 10
Which of the following access control methods allows access control decisions to be based on security
labels associated with each data item and each user?
A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)
Answer: A
Explanation:
Mandatory Access Control is a strict hierarchical model usually associated with governments. All objects are
given security labels known as sensitivity labels and are classified accordingly. Then all users are given specific
security clearances as to what they are allowed to access.
QUESTION 11
Which of the following access control methods relies on user security clearance and data classification?
A. RBAC (Role Based Access Control).
B. NDAC (Non-Discretionary Access Control).
C. MAC (Mandatory Access Control).
D. DAC (Discretionary Access Control).
Answer: C
Explanation:
MAC is a strict hierarchical mode that is based on classifying data on importance and categorizing data by
department. Users receive specific security clearances to access this data.
QUESTION 12
Which of the following is a characteristic of MAC (Mandatory Access Control)?
A. Uses levels of security to classify users and data.
B. Allows owners of documents to determine who has access to specific documents.
C. Uses access control lists which specify a list of authorized users.
D. Uses access control lists which specify a list of unauthorized users.
Answer: A
Explanation:
MAC is a strict hierarchical mode that is based on classifying data on importance and categorizing data by
department. Users receive specific security clearances to access this data.
QUESTION 13
Which of the following terms best represents a MAC (Mandatory Access Control) model?
A. Lattice
B. Bell La-Padula
C. BIBA
D. Clark and Wilson
Answer: A
Explanation:
The word lattice is used to describe the upper and lower bounds of a user's access permission. In other words, a
user's access differs at different levels. It describes a hierarchical model that is based on classifying data on
sensitivity and categorizing it at different levels. Users must have the correct level of security clearances to
access the data. This is the system that MAC is based on.
QUESTION 14
Which of the following password generators is based on challenge-response mechanisms?
A. asynchronous
B. synchronous
C. cryptographic keys
D. smart cards
Answer: B
Explanation:
An synchronous password generator, has an authentication server that generates a challenge (a large number or
string) which is encrypted with the private key of the token device and has that token device's public key so it
can verify authenticity of the request (which is independent from the time factor). That challenge can also
include a has of transmitted data, so not only can the authentication be assured; but also the data integrity.
QUESTION 15
Which of the following password management systems is designed to provide for a large number of
users?
A. self service password resets
B. locally saved passwords
C. multiple access methods
D. synchronized passwords
Answer: A
Explanation:
A self service password reset is a system where if an individual user forgets their password, they can reset it on
their own (usually by answering a secret question on a web prompt, then receiving a new temporary password
on a pre-specified email address) without having to call the help desk. For a system with many users, this will
significantly reduce the help desk call volume.
QUESTION 16
Which of the following provides the best protection against an intercepted password?
A. VPN (Virtual Private Network).
B. PPTP (Point-to-Point Tunneling Protocol).
C. One time password.
D. Complex password requirement.
Answer: C
Explanation:
A one time password is simply a password that has to be changed every time you log on; effectively making
any intercepted password good for only the brief interval of time before the legitimate user happens to login
themselves. So by chance, if someone were to intercept a password it would probably already be expired, or be
on the verge of expiration within a matter of hours.
QUESTION 17
Which of the following best describes a challenge-response session?
A. A workstation or system that generates a random challenge string that the user enters when prompted along
with the proper PIN (Personal Identification Number).
B. A workstation or system that generates a random login ID that the user enters when prompted along with the
proper PIN (Personal Identification Number).
C. A special hardware device that is used to generate random text in a cryptography system.
D. The authentication mechanism in the workstation or system does not determine if the owner should be
authenticated.
Answer: A
Explanation:
A common authentication technique whereby an individual is prompted (the challenge) to provide some private
information (the response). Most security systems that rely on smart cards are based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a
new code (the response) that the user can present to log in.
Which of the following must be deployed for Kerberos to function correctly?
A. Dynamic IP (Internet Protocol) routing protocols for routers and servers.
B. Separate network segments for the realms.
C. Token authentication devices.
D. Time synchronization services for clients and servers.
Answer: D
Explanation:
Time synchronization is crucial because Kerberos uses server and workstation time as part of the authentication
process. Kerberos authentication uses a Key Distribution Center (KDC) to orchestrate the process. The KDC
authenticates the principle (which can be a user, a program, or a system) and provides it with a ticket. Once this
ticket is issued, it can be used to authenticate against other principles. This occurs automatically when a request
or service is performed by another principle. Kerberos is quickly becoming a common standard in network
environments. Its only significant weakness is that the KDC can be a single point of failure. If the KDC goes down, the uthentication process will stop.
QUESTION 19
Why are clocks used in a Kerberos authentication system?
A. To ensure proper connections.
B. To ensure tickets expire correctly.
C. To generate the seed value for the encryptions keys.
D. To benchmark and set the optimal encryption algorithm.
Answer: B
Explanation:
The actual verification of a client's identity is done by validating an authenticator. The authenticator contains
the client's identity and a timestamp.
To insure that the authenticator is up-to-date and is not an old one that has been captured by an attacker, the
timestamp in the authenticator is checked against the current time. If the timestamp is not close enough to the
current time (typically within five minutes) then the authenticator is rejected as invalid. Thus, Kerberos requires
your system clocks to be loosely synchronized (the default is 5 minutes, but it can be adjusted in Version 5 to be whatever you want).
QUESTION 20
Which of the following factors must be considered when implementing Kerberos authentication?
A. Kerberos can be susceptible to man in the middle attacks to gain unauthorized access.
B. Kerberos tickets can be spoofed using replay attacks to network resources.
C. Kerberos requires a centrally managed database of all user and resource passwords.
D. Kerberos uses clear text passwords.
Answer: C
Explanation:
If the key distribution centre is down, all of other systems dependent on those keys won't be able to function.
QUESTION 21
You work as the security administrator at Certkiller .com. You want to ensure that only encrypted
passwords are used during authentication. Which authentication protocol should you use?
A. PPTP (Point-to-Point Tunneling Protocol)
B. SMTP (Simple Mail Transfer Protocol)
C. Kerberos
D. CHAP (Challenge Handshake Authentication Protocol)
Answer: D
Explanation:
CHAP is commonly used to encrypt passwords. It provides for on-demand authentication within an ongoing
data transmission, that is repeated at random intervals during a session. The challenge response uses a hashing
function derived from the Message Digest 5 (MD5) algorithm.
QUESTION 22
Which of the following are the main components of a Kerberos server?
A. Authentication server, security database and privilege server.
B. SAM (Sequential Access Method), security database and authentication server.
C. Application database, security database and system manager.
D. Authentication server, security database and system manager.
Answer: A
Explanation:
Kerberos authentication uses a Key Distribution Center (KDC) to orchestrate the process. The KDC
authenticates the principle (which can be a user, a program, or a system) and provides it with a ticket. Once this
ticket is issued, it can be used to authenticate against other principles. This occurs automatically when a request
or service is performed by another principle.
QUESTION 23
When does CHAP (Challenge Handshake Authentication Protocol) perform the handshake process?
A. When establishing a connection and at anytime after the connection is established.
B. Only when establishing a connection and disconnecting.
C. Only when establishing a connection.
D. Only when disconnecting.
Answer: A
Explanation:
CHAP performance the handshake process when first establishing a connection; and then at random intervals
during the transaction session.
QUESTION 24
For which of the following can biometrics be used?
A. Accountability
B. Certification
C. Authorization
D. Authentication
Answer: D
Explanation:
Biometrics devices use physical characteristics to identify the user.
Incorrect answers:
A: Accountability does not require physical characteristics of users.
B: Certification does not require physical characteristics of users.
C: Authorization is not the same as authentication.
QUESTION 25
Which of the following is the most costly method of an authentication?
A. Passwords
B. Tokens
C. Biometrics
D. Shared secrets
Answer: C
Explanation:
Biometrics
These technologies are becoming more reliable, and they will become widely used over the next few years.
Many companies use smart cards as their primary method of access control. Implementations have been limited
in many applications because of the high cost associated with these technologies.
Incorrect answers:
A, B, D: Passwords, tokens and shared secrets are in use in most companies since they are not as costly as
biometrics.
QUESTION 26
Which of the following provides the strongest form of authentication?
A. token
B. username and password
C. biometrics
D. one time password
Answer: C
Explanation:
Biometrics is the use of authenticating a user by scanning on of their unique physiological body parts. Just like
in the movies, a user places their hand on a finger print scanner or they put their eyes against a retinal scanner.
If the image matches what's on the database, it authenticates the user. Since a persons fingerprint, blood vessel
print, or retinal image is unique the only way the system can authenticate is if the proper user is there. The only
way an unauthorized user to get access is to physically kidnap the authorized user and force them through the
system. For this reason, biometrics are the strongest (and the costliest) for of authentication
QUESTION 27
Which of the following represents the best method for securing a web browser?
A. Do not upgrade, as new versions tend to have more security flaws.
B. Disable any unused features of the web browser.
C. Connect to the Internet using only a VPN (Virtual Private Network) connection.
D. Implement a filtering policy for illegal, unknown and undesirable sites.
Answer: B
Explanation:
Features that make web surfing more exciting like: ActiveX, Java, JavaScript, CGI scripts, and cookies all pose
security concerns. Disabling them (which is as easy as setting your browser security level to High) is the best
method of securing a web browser, since its simple, secure, and within every users reach.
How many ports in TCP/IP (Transmission Control Protocol/Internet Protocol) are vulnerable to being
scanned, exploited, or attached?
A. 32
B. 1,024
C. 65,535
D. 16,777,216
Answer: C
Explanation:
Internet Control Message Protocol (ICMP) abuse and port scans represent known attack signatures. The Ping
utility uses ICMP and is often used as a probing utility prior to an attack or may be the attack itself. If a host is
being bombarded with ICMP echo requests or other ICMP traffic, this behavior should set off the IDS. Port
scans are a more devious form of attack/reconnaissance used to discover information about a system. Port
scanning is not an attack but is often a precursor to such activity. Port scans can be sequential, starting with port
1 and scanning to port 65535, or random. A knowledge-based IDS should recognize either type of scan and
send an alert.
QUESTION 29
Which of the following ports does a DNS (Domain Name Service) server require?
A. 21
B. 23
C. 53
D. 55
Answer: C
Explanation:
Port 53 is used for Domain Name System (DNS) Name Queries
Incorrect answers:
A: Ports 20 and 21 are associated with FTP, where 20 are used for file transfer data and 21 for command and
control data.
B: Telnet uses port 23.
D: DHCP makes use of port 55.
QUESTION 30
Which of the following occurs when a string of data is sent to a buffer that is larger than the buffer was
designed to handle?
A. Brute Force attack
B. Buffer overflow
C. Man in the middle attack
D. Blue Screen of Death
E. SYN flood
F. Spoofing attack
Answer: B
Explanation:
Buffer overflows occur when an application receives more data than it is programmed to accept. This situation
can cause an application to terminate. The termination may leave the system sending the data with temporary
access to privileged levels in the attacked system.
QUESTION 31
Which of the following attacks exploits the session initiation between the Transport Control Program
(TCP) client and server in a network?
A. Buffer Overflow
B. SYN Attack
C. Smurf
D. Birthday Attack
Answer: B
Explanation:
SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to
respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are
rejected until all current connections can be established. Change this if you want but in the SYN flood the
hacker sends a SYN packet to the receiving station with a spoofed return address of some broadcast address on
their network. The receiving station sends out this SYN packets (pings the broadcast address) which causes
multiple servers or stations to respond to the ping, thus overloading the originator of the ping (the receiving
station). Therefore, the hacker may send only 1 SYN packet, whereas the network of the attacked station is
actually what does the barrage of return packets and overloads the receiving station.
QUESTION 32
Which of the following attacks uses ICMP (Internet Control Message Protocol) and improperly
formatted MTUs (Maximum Transmission Unit) to crash a target computer?
A. Man in the middle attack
B. Smurf attack
C. Ping of death attack
D. TCP SYN (Transmission Control Protocol / Synchronized) attack
Answer: C
Explanation: The Ping of Death attack involved sending IP packets of a size greater than 65,535 bytes to
the target computer. IP packets of this size are illegal, but applications can be built that are capable of
creating them. Carefully programmed operating systems could detect and safely handle illegal IP
packets, but some failed to do this.
Remember that
MTU packets that are bigger than the maximum size the underlying layer can handle are fragmented into
smaller packets, which are then reassembled by the receiver. For ethernet style devices, the MTU is typically
1500.
Which of the following determines which operating system is installed on a system by analyzing its
response to certain network traffic?
A. OS (Operating System) scanning.
B. Reverse engineering.
C. Fingerprinting
D. Host hijacking.
Answer: C
Explanation:
Fingerprinting is the act of inspecting returned information from a server (ie. One method is ICMP Message
quoting where the ICMP quotes back part of the original message with every ICMP error message. Each
operating system will quote definite amount of message to the ICMP error messages. The peculiarity in the
error messages received from various types of operating systems helps us in identifying the remote host's OS.
QUESTION 34
Malicious port scanning determines the _______.
A. computer name
B. fingerprint of the operating system
C. physical cabling topology of a network
D. user ID and passwords
Answer: B
Explanation:
Malicious port scanning is an attempt to find an unused port that the system won't acknowledge. Several
programs now can use port scanning for advanced host detection and operating system fingerprinting. With
knowledge of the operating system, the hacker can look up known vulnerabilities and exploits for that particular
system.
QUESTION 35
Which of the following fingerprinting techniques exploits the fact that operating systems differ in the
amount of information that is quoted when ICMP (Internet Control Message Protocol) errors are
encountered?
A. TCP (Transmission Control Protocol) options.
B. ICMP (Internet Control Message Protocol) error message quenching.
C. Fragmentation handling.
D. ICMP (Internet Control Message Protocol) message quoting
Answer: D
ICMP Message quoting: The ICMP quotes back part of the original message with every ICMP error message.
Each operating system will quote definite amount of message to the ICMP error messages. The peculiarity in
the error messages received from various types of operating systems helps us in identifying the remote host's
OS
QUESTION 36
Which of the following type of attacks exploits poor programming techniques and lack of code review?
A. CGI (Common Gateway Interface) script
B. Birthday
C. Buffer overflow
D. Dictionary
Answer: C
Explanation:
Buffer overflows occur when an application receives more data than it is programmed to accept. This situation
can cause an application to terminate. The termination may leave the system sending the data with temporary
access to privileged levels in the attacked system. This exploitation is usually a result of a programming error in
the development of the software.
Which of the following network attacks misuses TCP's (Transmission Control Protocol) three way
handshake to overload servers and deny access to legitimate users?
A. Man in the middle.
B. Smurf
C. Teardrop
D. SYN (Synchronize)
Answer: D
Explanation:
SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to
respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are
rejected until all current connections can be established.
QUESTION 38
Which of the following is most common method of accomplishing DDoS (Distributed Denial of Service)
attacks?
A. Internal host computers simultaneously failing.
B. Overwhelming and shutting down multiple services on a server.
C. Multiple servers or routers monopolizing and over whelming the bandwidth of a particular server or router.
D. An individual e-mail address list being used to distribute a virus.
Answer: C
Explanation:
A distributed denial of service attack takes place from within, and is usually the doing of a disgruntled worker.
They set up zombie software that takes over numerous servers and routers within the network to overwhelm the
systems bandwidth
QUESTION 39
Which of the following is a DoS (Denial of Service) attack that exploits TCP's (Transmission Control
Protocol) three-way handshake for new connections?
A. SYN (Synchronize) flood.
B. ping of death attack.
C. land attack.
D. buffer overflow attack.
Answer: A
Explanation:
The SYN flood attack works when a source system floods and end system with TCP SYN requests, but
intentionally does not send out acknowledgements (ACK). Since TCP needs confirmation, the receiving
computer is stuck with half-open TCP sessions, just waiting for acknowledgement so it can reset the port.
Meanwhile the connection buffer is being overflowed, making it difficult or impossible for valid users to
connect, therefore their service is denied.
QUESTION 40
Which of the following is a DoS exploit that sends more traffic to a node than anticipated?
A. Ping of death
B. Buffer Overflow
C. Logic Bomb
D. Smurf
Answer: B
Explanation:
Buffer overflows occur when an application receives more data than it is programmed to accept. This situation
can cause an application to terminate. The termination may leave the system sending the data with temporary
access to privileged levels in the attacked system.
Incorrect answers:
QUESTION 41
Which of the following is a security breach that does not usually result in the theft of information or other security loss but the lack of legitimate use of that system?
A. CRL
B. DoS
C. ACL
D. MD2
Answer: B
Explanation:
DOS attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to
bring down an e-commerce website to prevent or deny usage by legitimate customers.
Loki, NetCaZ, Masters Paradise and NetBus are examples of what type of attack?
A. brute force
B. spoofing
C. back door
D. man in the middle
Answer: C
Explanation:
Since backdoor's are publicly marketed/distributed software applications, they are characterized by having a
trade name.
QUESTION 43
What is usually the goal of TCP (transmission Control Protocol) session hijacking?
A. Taking over a legitimate TCP (transmission Control Protocol) connection.
B. Predicting the TCP (transmission Control Protocol) sequence number.
C. Identifying the TCP (transmission Control Protocol) port for future exploitation.
D. Identifying source addresses for malicious use.
Answer: A
Explanation:
The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts
legitimate packets and allows a third party host to insert acceptable packets. Thus hijacking the conversation,
and continuing the conversation under the disguise of the legitimate party, and taking advantage of the trust
bond.
QUESTION 44
Which of the following best describes TCP/IP (Transmission Control Protocol/Internet Protocol) session
hijacking?
A. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that
intercepts legitimate packets and allows a third party host to insert acceptable packets.
B. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered allowing third party
hosts to create new IP (Internet Protocol) addresses.
C. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third
party hosts to insert packets acting as the server.
D. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third
party hosts to insert packets acting as the clie
Answer: A
Explanation:
A detailed site on how to hijack a TCP/IP a session can be found at:
http://staff.washington.edu/dittrich/talks/qsm-sec/script.html
QUESTION 45
What characteristic of TCP/IP (transmission Control Protocol/Internet Protocol) does TCP/IP
(transmission Control Protocol/Internet Protocol) session hijacking exploit?
A. The fact that TCP/IP (transmission Control Protocol/Internet Protocol) has no authentication mechanism,
thus allowing a clear text password of 16 bytes
B. The fact that TCP/IP (transmission Control Protocol/Internet Protocol) allows packets to be tunneled to an
alternate network
C. The fact that TCP/IP (transmission Control Protocol/Internet Protocol) has no authentication mechanism, and
therefore allows connectionless packets from anyone
D. The fact that TCP/IP (transmission Control Protocol/Internet Protocol) allows a packet to be spoofed and
inserted into a stream, thereby enabling commands to be executed on the remote host
Answer: D
Explanation:
TCP/IP's
QUESTION 46
Which of the following attacks can be mitigated against by implementing the following ingress/egress
traffic filtering?
* Any packet coming into the network must not have a source address of the internal network.
* Any packet coming into the network must have a destination address from the internal network.
* Any packet leaving the network must have a source address from the internal network.
* Any packet leaving the network must not have a destination address from the internal networks.
* Any packet coming into the network or leaving the network must not have a source or destination
address of a private address or an address listed in RFC19lS reserved space.
A. SYN (Synchronize) flooding
B. spoofing
C. DoS (Denial of Service) attacks
D. dictionary attacks
Answer: B
Explanation:
By having strict addressing filters; an administrator prevents a spoofed address from gaining access.
QUESTION 47
In which of the following attacks does the attacker pretend to be a legitimate user?
A. Aliasing
B. Spoofing
C. Flooding
D. Redirecting
Answer: B
Explanation:
A spoofing attack is simply an attempt by someone or something masquerading as someone else. This type of
attack is usually considered an access attack.
QUESTION 48
Which of the attacks can involve the misdirection of the domain name resolution and Internet traffic?
A. DoS (Denial of Service)
B. Spoofing
C. Brute force attack
D. Reverse DNS (Domain Name Service)
Answer: B
Explanation:
A spoofing attack is simply an attempt by someone or something masquerading as someone else.
Incorrect answers:
QUESTION 49
In an IP (Internet Protocol) spoofing attack, what field of an IP (Internet Protocol) packet does the
attacker manipulate?
A. The version field.
B. The source address field.
C. The source port field.
D. The destination address field.
Answer: B
Explanation:
In IP Spoofing a hacker tries to gain access to a network by pretending his or her machine has the same network
address as the internal network.
QUESTION 50
You are the network administrator at Certkiller .com. You discover that your domain name server is
resolving the domain name to the wrong IP (Internet Protocol) address and thus misdirecting Internet
traffic. You suspect a malicious attack. Which of the following would you suspect?
A. DoS (Denial of Service)
B. Spoofing
C. brute force attack
D. reverse DNS (Domain Name Service
Answer: B
Explanation:
Spoofing is when you forge the source address of traffic, so it appears to come from somewhere else, preferably
somewhere safe and trustworthy. Web spoofing is a process where someone creates a convincing copy of a
legitimate website or a portion of the world wide web, so that when someone enters a site that they think is safe,
they end up communicating directly with the hacker. To avoid this you should rely on certificates, IPSEC, and
set up a filter to block internet traffic with an internal network address.
QUESTION 51
What is the process of forging an IP (Internet Protocol) address to impersonate another machine called?
A. TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking
B. IP (Internet Protocol) spoofing
C. man in the middle
D. replay
Answer: B
Explanation:
The word spoofing was popularized in the air-force. When a fighter jet notices an enemy missile (air-to-air or
surface-to-air) coming, the pilot will fire off a flair or a chaff (depending on whether or not the missile is heat
seeking or radar guided) to spoof (trick) the missile into going after the wrong target. IP spoofing works the
same way, and is commonly used by computer hackers because it's easy to implement, it takes advantage of
someone else's trust relationship, it makes it harder to identify the source of the true attack, and it focuses
attention away to an innocent 3rd party.
QUESTION 52
You are the security administrator at Certkiller .com. You detect intruders accessing your internal
network. The source IP (Internet Protocol) addresses originate from trusted networks. What type of
attack are you experiencing?
A. social engineering
B. TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking
C. smurfing
D. spoofing
Answer: D Explanation:
Spoofing is the process of trying to deceive, or to spoof, someone into believing that a source address is coming
from somewhere else.
QUESTION 53
What is an attack whereby two different messages using the same hash function produce a common
message digest known as?
A. man in the middle attack.
B. ciphertext only attack.
C. birthday attack.
D. brute force attack.
Answer: C
Explanation:
A birthday attack is based on the principle that amongst 23 people, the probability of 2 of them having the same
birthday is greater the 50%. By that rational if an attacker examines the hashes of an entire organizations
passwords, they'll come up with some common denominators.
Incorrect answers:
Which of the following can be deterred against by increasing the keyspace and complexity of a password?
A. dictionary
B. brute force
C. inference
D. frontal
Answer: B
Explanation: A brute force attack is when a computer program try's EVERY single keystroke combination until it cracks the
password. If you had a bike lock or a brief case with three combinations of numbers (0-9), there were 999
possible choices, so if you started at 000 and worked your way up you could attempt every number in about 20
minutes and eventually crack the lock. A computer keyboard has millions of possibilities, but since computers ...
QUESTION 55
Which type of attack can easily break a user's password if the user uses simple and meaningful things
such as pet names or birthdays for their passwords?
A. Dictionary attack
B. Brute Force attack
C. Spoofing attack
D. Random guess attack
E. Man in the middle attack
F. Change list attack
G. Role Based Access Control attack
H. Replay attack
I. Mickey Mouse attack
Answer: A
Explanation:
A dictionary attack is an attack which uses a dictionary of common words to attempt to find the password of a
user.
QUESTION 56
What should the minimum length of a password be to deter dictionary password cracks?
A. 6 characters.
B. 8 characters.
C. 10 characters.
D. 12 characters.
Answer: B
Explanation:
A dictionary attack is a preliminary brute force attempt at guessing a password. Dictionary attacks work on the
principle that most people choose a simple word or phrase as a password. By having a computer try every word,
or phrase in a dictionary; most passwords can be hacked in a matter of hours. Since passwords become
exponentially more difficult to crack with each character, passwords greater then 8 characters consume
excessive time and resources to crack.
QUESTION 57
In which of the following does someone use an application to capture and manipulate packets as they are
passing through your network?
A. DDos
B. Back Door
C. Spoofing
D. Man in the Middle
Answer: D
Explanation:
The method used in these attacks places a piece of software between a server and the user. The software
intercepts and then sends the information to the server. The server responds back to the software, thinking it is
the legitimate client. The attacking software then sends this information on to the server, etc. The man in the
middle software may be recording this information, altering it, or in some other way compromising the security
of your system
Which of the following is the best defense against a man in the middle attack?
A. Virtual LAN (Local Area Network)
B. GRE (Generic Route Encapsulation) tunnel IPIP (Internet Protocol-within-Internet Protocol Encapsulation
Protocol)
C. PKI (Public Key Infrastructure)
D. Enforcement of badge system
Answer: C
Explanation:
PKI is a two-key system. Messages are encrypted with a public key. Messages are decrypted with a private key.
If you want to send an encrypted message to someone, you would request their public key. You would encrypt
the message using their public key and send it to them. They would then use their private key to decrypt the
message.
Which of the following is the best defense against man in the middle attacks?
A. A firewall
B. Strong encryption
C. Strong authentication
D. Strong passwords
Answer: B
Explanation:
Encryption makes the intercepted data unreadable to the interceptor.
You are the security administrator at Certkiller .com. All Certkiller users have a token and 4-digit
personal identification number (PIN) that are used to access their computer systems. The token performs
off-line checking for the correct PIN. To which of the following type of attack is Certkiller vulnerable?
A. Birthday
B. Brute force
C. Man-in-the-middle
D. Smurf
Answer: B
Explanation: Brute force attacks are performed with tools that cycle through many possible character,
number, and symbol combinations to guess a password. Since the token allows offline checking of PIN,
the cracker can keep trying PINS until it is cracked.
What is an attack in which the attacker spoofs the source IP address in an ICMP ECHO broadcast
packet so it seems to have originated at the victim's system, in order to flood it with REPLY packets
called?
A. SYN flood attack
B. Smurf attack
C. Ping of Dead Attack
D. Denial of Service (DOS) Attack
Answer: B
Explanation:
A smurf attack uses IP spoofing and broadcasting to send a ping to a group of hosts in a network.
Incorrect answers:
QUESTION 62
Which type of attack is based on the probability of two different messages using the same hash function
producing a common message digest?
A. Differential cryptanalysis
B. Differential linear cryptanalysis
C. Birthday attack
D. Statistical attack
Explanation:
A good hashing algorithm should not produce the same hash value for two different messages. If the algorithm
does produce the same value for two distinctly different messages, it is referred to as a collision. If an attacker
finds an instance of a collision, he has more information to use when trying to break the cryptographic methods
used. A complex way of attacking a one-way hash function is called the birthday attack.
If an attacker has one hash value and wants to find a message that hashes to the same hash value, this process
could take him years. However, if he just wants to find any two messages with the same hashing value, it could
take him only a couple hours.
QUESTION 63
Which of the following attacks attempts to crack passwords?
A. SMURF
B. Spamming
C. Teardrop
D. Dictionary
Answer: D
Explanation:
Dictionaries may be used in a cracking program to determine passwords. A short dictionary attack involves
trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems.
Although most systems resist such attacks, some do not. In one case, one system in five yielded to a particular dictionary attack.
Incorrect answers:
QUESTION 64
Which of the following is an effective method of preventing computer viruses from spreading?
A. Require root/administrator access to run programs.
B. Enable scanning of e-mail attachments.
C. Prevent the execution of .vbs files.
D. Install a host based IDS (Intrusion Detection System)
Answer: B
Explanation:
Viruses get into your computer in one of three ways. They may enter your computer on a contaminated floppy
or CD-ROM, through e-mail, or as a part of another program.
QUESTION 65
What would a user's best plan of action be on receiving an e-mail message warning of a virus that may
have accidentally been sent in the past, and suggesting that the user to delete a specific file if it appears
on the user's computer?
A. Check for the file and delete it immediately.
B. Check for the file, delete it immediately and copy the e-mail to all distribution lists.
C. Report the contents of the message to the network administrator.
D. Ignore the message. This is a virus hoax and no action is required.
Answer: C
Explanation:
In such a scenario the most rational answer is to tell your network administrator. Most network administrators
don't have much to do most of the day, so they live for an opportunity like this
What should a network administrator's first course of action be on receiving an e-mail alerting him to
the presence of a virus on the system if a specific executable file exists?
A. Investigate the e-mail as a possible hoax with a reputable anti-virus vendor.
B. Immediately search for and delete the file if discovered.
C. Broadcast a message to the entire organization to alert users to the presence of a virus.
D. Locate and download a patch to repair the file.
Answer: A
Explanation:
If a virus threat is for real, the major anti-virus players like Symantec, McAfee, or Sophos will know about it
before you, and they will have details on their sites.
QUESTION 67
Which of the following is the major difference between a worm and a Trojan horse?
A. Worms are spread via e-mail while Trojan horses are not.
B. Worms are self replicating while Trojan horses are not.
C. Worms are a form of malicious code while Trojan horses are not.
D. There is no difference.
Answer: B Explanation:
A worm is different from a virus. Worms reproduce themselves, are self-contained and do not need a host
application to be transported. The Trojan horse program may be installed as part of an installation process.
They do not reproduce or self replicate.
QUESTION 68
Which of the following can distribute itself without using a host file?
A. Virus.
B. Trojan horse.
C. Logic bomb.
D. Worm.
Answer: D
Explanation:
Worms are dangerous because they can enter a system by exploiting a 'hole' in an operating system. They don't'
need a host file, and they don't need any user intervention to replicate by themselves. Some infamous worms
were: Morris, Badtrans, Nimda, and Code Red.
QUESTION 69
What type of program will record system keystrokes in a text file and e-mail it to the author, and will
also delete system logs every five days or whenever a backup is performed?
A. Virus.
B. Back door.
C. Logic bomb.
D. Worm.
Answer: C Explanation:
A logic bomb is a special kind of virus or Trojan horse that is set to go off following a preset time interval, or
following a pre-set combination of keyboard strokes. Some unethical advertisers use logic bombs to deliver the
right pop-up advertisement following a keystroke, and some disgruntled employees set up logic bombs to go off
to sabotage their company's computers if they feel termination is imminent.
QUESTION 70
The system administrator of the company has resigned. When the administrator's user ID is deleted, the
system suddenly begins deleting files. What type of malicious code is this?
A. Logic bomb
B. Virus
C. Trojan horse
D. Worm
Answer: A
Explanation:
A Logic bomb is a virus or Trojan horse that is built to go off when a particular event occurs or a certain
amount of time passes, in this case when the system administrator user ID was deleted.
QUESTION 71
What is an application that appears to perform a useful function but instead contains some sort of
malicious code called?
A. Worm
B. SYN flood
C. Virus
D. Trojan Horse
E. Logic Bomb
Answer: D
Explanation:
A Trojan horse attaches itself to another file, such as a word processing document. Trojan horses may also
arrive as part of an e-mail for free game, software, or other file. When the Trojan horse activates and performs
its task, it infects all of the word processing or template files. Consequently, every new file will carry the Trojan
horse. The Trojan horse may not be visible because it masks itself inside of a legitimate program.
QUESTION 72
What is a piece of code that appears to do something useful while performing a harmful and unexpected
function like stealing passwords called?
A. Virus
B. Logic bomb
C. Worm
D. Trojan horse
Answer: D
Explanation:
Trojan horses are programs that enter a system or network under the guise of another program. A Trojan Horse
may be included as an attachment or as part of an installation program. The Trojan Horse could create a back
door or replace a valid program during installation. The Trojan Program would then accomplish its mission
under the guise of another program. Trojan Horses can be used to compromise the security of your system and
they can exist on a system for years before they are detected.
QUESTION 73
What is a piece of malicious code that has no productive purpose but can replicate itself and exist only to
damage computer systems or create further vulnerabilities called?
A. Logic Bomb
B. Worm
C. Trojan Horse
D. SYN flood
E. Virus
Answer: E
Explanation:
A virus is a piece of software designed to infect a computer system. The virus may do nothing more than reside
on the computer. A virus may also damage the data on your hard disk, destroy your operating system, and
possibly spread to other systems.
QUESTION 74
Which of the following is used to describe an autonomous agent that copies itself into one or more host
programs, then propagates when the host is run?
A. Trojan horse
B. Back door
C. Logic bomb
D. Virus
Answer: D
Explanation:
A virus is a piece of software designed to infect a computer system. I can go into this further, but the answer is
obvious.
QUESTION 75
What is a program that can infect other programs by modifying them to include a version of it called?
A. Replicator
B. Virus
C. Trojan horse
D. Logic bomb
Answer: B
Explanation:
A virus can do many things and including itself in a program is one of them. A virus is a program intended to
damage a computer system.
QUESTION 76
What type of virus can hides itself by intercepting disk access requests?
A. Multipartite.
B. Stealth.
C. Interceptor.
D. Polymorphic
Answer: B
Explanation:
A stealth virus will attempt to avoid detection by masking itself from applications. It may attach itself to the
boot sector of the hard drive. When a system utility or program runs, the stealth virus redirects commands
around itself so as to avoid detection. An infected file may report a file size different from what is actually present in order to avoid detection.
QUESTION 77
Which of the following are characteristics of a computer virus?
A. Find mechanism, initiation mechanism and propagate.
B. Learning mechanism, contamination mechanism and exploit.
C. Search mechanism, connection mechanism and integrate.
D. Replication mechanism, activation mechanism and objective.
Answer: D
Explanation:
Replication mechanism: To replicate a virus needs to attach itself to the right code, where it can replicate and
spread past security systems into other systems.
Activation mechanism: Most viruses require the user to actually do something. During the 80's and early 90's
most viruses were activated when you booted from a floppy disk, or inserted a new floppy disk into an infected
drive. Nowadays most computer virus's come as email forwards, and they require the user to execute.
Objective: many viruses have no objective at all, but some have the objective to delete data, hog up memory, or
crash the system.
QUESTION 78
What is a program that appears to be useful but contains hidden code that allows unauthorized
individuals to exploit or destroy data is commonly known?
A. A virus
B. A Trojan horse
C. A worm
D. A back door
Answer: B
Explanation: A Trojan horse appears to be useful software (and in fact may be), but code is hidden inside that will attack
your system directly or allow the system to be infiltrated by the originator of the code
Incorrect answers:
QUESTION 79
With regards to the use of Instant Messaging, which of the following type of attack can best be guarded
against by user awareness training?
A. Social engineering
B. Stealth
C. Ambush
D. Multi-pronged
Answer: A
Explanation:
The only preventative measure in dealing with social engineering attacks is to educate your users and staff to
never give out passwords and user Ids over the phone, via e-mail, or to anyone who is not positively verified as
being who they say they are.
QUESTION 80
What is the most common method of social engineering?
A. looking through users' trash for information
B. calling users and asking for information
C. e-mailing users and asking for information
D. e-mail
Answer: B
Explanation: Social engineering is a process where an attacker attempts to acquire information about your network and
system by talking to people in the organization. A social engineering attack may occur over the phone, by
e-mail, or by a visit.
QUESTION 81
What do intruders use most often to gain unauthorized-access to a system?
A. brute force attack.
B. key logging.
C. Trojan horse.
D. social engineering.
Answer: D
Explanation:
Social engineering is a process where an attacker attempts to acquire information about your network and
system by talking to people in the organization. A social engineering attack may occur over the phone, by
e-mail, or by a visit.
The answer is not written in the book, but the easiest way to gain information would be social engineering
QUESTION 82
Which of the following measures can be used to guard against a social engineering attack?
A. Education, limit available information and security policy.
B. Education, firewalls and security policy.
C. Security policy, firewalls and incident response.
D. Security policy, system logging and incident response.
Answer: A Explanation:
A seems to be the best answer. The other answers involving objects and social engineering are verbal attacks
QUESTION 83
Which of the following is an example of the theft of network passwords without the use of software tools?
A. Trojan programs.
B. Social engineering.
C. Sniffing.
D. Hacking.
Answer: B
Explanation:
Social engineering is any means of using people to seek out information. These people practice espionage to:
break in without detection, disguise themselves in, trick others into giving them access, or trick others into
giving them information.
QUESTION 84
Which of the following type of attack CANNOT be deterred solely through technical means?
A. Dictionary.
B. Man in the middle.
C. DoS (Denial of Service).
D. Social engineering.
Answer: D
Explanation:
Because of human rights laws, it is unlawful to use technology to directly control people's emotions and
behaviors. For this reason social engineering attacks cannot be deterred through technical means.
QUESTION 85
Why do social engineering attacks often succeed?
A. strong passwords are not required
B. lack of security awareness
C. multiple logins are allowed
D. audit logs are not monitored frequentl
Answer: B
Explanation:
Social engineering attacks work because of the availability heuristic, law of reciprocity, and law of consistency.
In the past people have had experiences where a co-worker with a legitimate problem asked for help and been
grateful for it. So by consistency, they feel the urge to help others again the way they've helped out somebody
in the past. By availability, when someone asks for help, they associate ...
QUESTION 86
In which of the following would an attacker impersonate a dissatisfied customer of a company and
requesting a password change on the customer's account?
A. Hostile code.
B. Social engineering.
C. IP (Internet Protocol) spoofing.
D. Man in the middle attack.
Answer: B
Explanation: Social engineering is using deception to engineer human emotions into granting access.
QUESTION 87
You are the network administrator at Certkiller .com. During a routing site audit of Certkiller 's wireless
network, you discover an unauthorized Access Point under the desk of Sales department user. When
questioned, she denies any knowledge of it, but informs you that her new boyfriend has been to visit her
several times, including taking her to lunch one time. What type of attack have you become a victim of?
A. SYN Flood.
B. Distributed Denial of Service.
C. Man in the Middle attack.
D. TCP Flood.
E. IP Spoofing.
F. Social Engineering
G. Replay attack
H. Phone tag
I. Halloween attack
Answer: F
Explanation:
Social engineering is a process where an attacker attempts to acquire information about your network and
system by talking to people in the organization. A social engineering attack may occur over the phone, be
e-mail, or by a visit.
QUESTION 88
Which of the following is the most effective defense against a social engineering attack?
A. Marking of documents
B. Escorting of guests
C. Badge security system
D. Training and awareness
Answer: D
Explanation:
Social engineering is the method of using human intelligence methods to gain access or information about your
organization. The only preventative measure in dealing with social engineering attacks is to educate your users
and staff to never give out passwords and user Ids over the phone, via e-mail, or to anyone who is not positively
verified as being who they say they are.
QUESTION 89
Which of the following network mapping tools uses ICMP (Internet Control Message Protocol)?
A. port scanner.
B. map scanner.
C. ping scanner.
D. share scanner.
Answer: C
Explanation:
Ping confirms a connection by sending and receiving ICMP packets.
QUESTION 90
What can an attacker can determine which network services are enabled on a target system?
A. Installing a rootkit on the target system.
B. Checking the services file.
C. Enabling logging on the target system.
D. Running a port scan against the target system.
Answer: D
Explanation:
A TCP/IP network makes many of the ports available to outside users through the router. These ports will
respond in a predictable manner when queried. An attacker can systematically query a network to determine
which services and ports are open. This process is called port scanning, and it can reveal a great deal about your
network. Port scans can be performed both internally and externally. Many routers, unless configured
appropriately, will let all the protocols pass through them.
QUESTION 91
What type of port scan is used to determine which ports are in a listening state and then performs a two
way handshake?
A. TCP (transmission Control Protocol) SYN (Synchronize) scan
B. TCP (transmission Control Protocol) connect scan
C. TCP (transmission Control Protocol) fin scan
D. TCP (transmission Control Protocol) null scan
Answer: A
Explanation:
In SYN scanning, a TCP SYN packet is sent to the port(s) to be scanned. If the port responds with a TCP SYN
ACK packet, then the port is listening. If it replies with a TCP RST packet, then it is not.
Incorrect answers:
QUESTION 92
Which of the following is a VPN (Virtual Private Network) protocol that operates at the Network Layer (Layer 3) of the OSI (Open Systems Interconnect) model?
A. PPP (Point-to-Point Protocol)
B. SSL (Secure Sockets Layer)
C. L2TP (Layer Two Tunneling Protocol)
D. IPSec (Internet Protocol Security)
Answer: D
Explanation:
IPSec works at the network layer of the OSI layer model and is a key factor in VPNs.
Incorrect answers:
QUESTION 93
Which of the following is a tunneling protocol that only works on IP networks?
A. IPX
B. L2TP
C. PPTP
D. SSH
Answer: C
Explanation:
You can access a private network through the Internet or other public network by using a virtual private
network (VPN) connection with the Point-to-Point Tunneling Protocol (PPTP). It was developed as an
extension of the Point-to-Point Protocol (PPP), PPTP tunnels and/or encapsulates IP, IPX, or NetBEUI
protocols inside of PPP datagrams. PPTP does not require a dial-up connection. It does, however, require IP
connectivity between your computer and the server.
QUESTION 94
On a firewall, which ports must be open in order to support L2TP (Layer Two Tunneling Protocol) and
PPTP (Point-to-Point Tunneling Protocol) connections respectively?
A. TCP (Transmission Control Protocol) port 635 and UDP (User Datagram Protocol) port 654
B. TCP (Transmission Control Protocol) port 749 and UDP (User Datagram Protocol) port 781
C. UDP (User Datagram Protocol) port 1701 and TCP (transmission Control Protocol) port 1723
D. TCP (Transmission Control Protocol) port 1812 and UDP (User Datagram Protocol) port 1813
Answer: C
Explanation:
L2TP uses UDP port 1701 while PPTP uses port 1723 and TCP for connections.
QUESTION 95
Which of the following are VPN (Virtual Private Network) tunneling protocols? (Choose two)
A. PPP (Point-to-Point Protocol).
B. SLIP (Serial Line Internet Protocol).
C. L2TP (Layer Two Tunneling Protocol).
D. SMTP (Simple Mail Transfer Protocol).
E. PPTP (Point-to-Point Tunneling Protocol).
Answer: C, E
Explanation:
PPTP and L2TP are both VPN tunneling protocols. L2TP is more sophisticated and gaining more popularity
QUESTION 96
In addition to opening the appropriate L2TP (Layer Two Tunneling Protocol) and IKE (Internet Key
Exchange) transport layer ports on the perimeter router and firewall, what steps must be performed on
the perimeter router and firewall to allow AH (Authentication Header) and ESP (Encapsulating Security
Payload) tunnel-encapsulated IPSec (Internet Protocol Security) traffic to flow between a client and the
firewall?
A. The perimeter router and firewall must allow inbound protocol number 51 for ESP (Encapsulating Security
Payload) encapsulated IPSec (Internet Protocol Security) traffic
B. The perimeter router and firewall must allow inbound protocol number 49 for ESP (Encapsulating Security
Payload) encapsulated IPSec (Internet Protocol Security) traffic
C. The perimeter router and firewall must allow inbound protocol numbers 50 and 51 for ESP (Encapsulating
Security Payload) and All (Authentication Header) encapsulated IPSec (Internet Protocol Security) traffic
D. The perimeter router and firewall must allow inbound protocol numbers 52 and 53 for AH (Authentication
Header) and ESP (Encapsulating Security Payload) encapsulated IPSec (Internet Protocol Security) traffic
Answer: C
Explanation:
The most secure firewall configuration is one in which the firewall permits only IKE and IPSec traffic to flow
between the specific IP addresses of the peers. However, if these addresses are not static, or if there are many
addresses, a less secure configuration might be required to permit IPSec and IKE traffic to flow between
subnets.
When a firewall or filtering router exists between IPSec peers, it must be configured to forward IPSec traffic on
UDP source and destination port 500, IP protocol 50 (ESP), or IP protocol 51 (AH).
QUESTION 97
Which of the following can be used to authenticate and encrypt IP (Internet Protocol) traffic?
A. ESP (Encapsulating Security Payload)
B. S/MIME (Secure Multipurpose Internet Mail Extensions)
C. IPSec (Internet Protocol Security)
D. IPv2 (Internet Protocol version 2)
Answer: C
IPSec provides secure authentication and encryption of data and headers. IPSec can work in tunneling mode or
transport mode. In tunneling mode, the data or payload and message headers are encrypted. Transport mode
encrypts only the payload.
Which of the following can be used to create a VPN (Virtual Private Network)?
A. PPP (Point-to-Point Protocol).
B. PPTP (Point-to-Point Tunneling Protocol).
C. SLIP (Serial Line Internet Protocol).
D. ESLIP (Encrypted Serial Line Internet Protocol).
Answer: B
Explanation:
Tunneling refers creating a virtual dedicated connection between two systems or networks. You create the
tunnel between the two ends by encapsulating the data in a mutually-agreed-upon protocol for transmission. In
most tunnels, the data passed through the tunnel appears at the other side as part of the network. Point to point
tunneling protocol was originally proposed by Microsoft and its associates and it works by embedding its very
own network protocol within the TCP/IP packets.
QUESTION 99
Which of the following are VPN (Virtual Private Network) tunneling protocols?
A. IPSec (Internet Protocol Security), L2TP (Layer Two Tunneling Protocol), and SSL (Secure Sockets Layer)
B. IPSec (Internet Protocol Security), L2TP (Layer Two Tunneling Protocol), and PPP (Point-to-Point
Protocol)
C. L2TP (Layer Two Tunneling Protocol), PPTP (Point-to-Point Tunneling Protocol), and SSL (Secure Sockets
Layer)
D. PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer Two Tunneling Protocol), and IPSec (Internet
Protocol Security)
Answer: D
Explanation:
Tunneling refers creating a virtual dedicated connection between two systems or networks. You create the
tunnel between the two ends by encapsulating the data in a mutually-agreed-upon protocol for transmission. In most tunnels, the data passed through the tunnel appears at the other side as part of the network. It's obvious
that L2TP and PPTP are tunneling protocols because the word tunneling is in the acronyms for their name, but
IPSec is also considered a tunneling protocol because it creates a secure tunnel connection
QUESTION 100
What is the biggest benefit to using RADIUS (Remote Authentication Dial-in User Service) for a
multi-site VPN (Virtual Private Network) that supports a large number of remote users?
A. RADIUS (Remote Authentication Dial-in User Service) provides for a centralized user database.
B. RADIUS (Remote Authentication Dial-in User Service) provides for a decentralized user database.
C. No user database is required with RADIUS (Remote Authentication Dial-in User Service).
D. User database is replicated and stored locally on all remote systems.
Answer: A
Explanation:
Since RADIUS keeps its credentials and keys in a centralized database, it's ideal for a large population of
remote users. RADIUS authenticate
QUESTION 101
On a firewall, which ports must be open in order to support TACACS?
A. 21
B. 161
C. 53
D. 49
Answer: D
Explanation:
TACACS uses both TCP and UDP port 49.
QUESTION 102
On a firewall, which ports must be open in order to support SSH (Secure Shell)?
A. TCP (Transmission Control Protocol) port 22
B. UDP (User Datagram Protocol) port 69
C. TCP (Transmission Control Protocol) port 179
D. UDP (User Datagram Protocol) port 17
Answer: A
Explanation:
SSH uses port 22 and TCP for connections.
QUESTION 103
Which of the following is an alternative to using telnet?
A. DES (Data Encryption Standard).
B. S-Telnet.
C. SSH (Secure Shell).
D. PKI (Public Key Infrastructure).
Answer: C
Explanation:
Secure Shell is like telnet in the sense that an administrator may enter commands into a remote server, except
that is uses an encrypted and authenticated connection [(RSA) cryptography for connection and authentication;
and IDEA, Blowfish, or DES for data stream encryption.] instead of Telnet's cleartext.
QUESTION 104
On a firewall, which ports must be open in order to support IMAP4?
A. 80
B. 3869
C. 21
D. 110
E. 143
F. 443
Answer: E
Explanation:
Internet Message Access Protocol is an email feature that is similar to POP3 but has the ability to search for key
words while the messages are on the mail server. The current version of IMAP (IMAP4) uses port 143 and TCP
for connection.
QUESTION 105
What is the main DISADVANTAGE of using a third party mail relay?
A. Spammers can utilize the relay.
B. The relay limits access to specific users.
C. The relay restricts the types of e-mail that maybe sent.
D. The relay restricts spammers from gaining access.
Answer: A
Explanation: Using a third party email relay can put you in an advantage of getting unnecessary spam. Anyone on the
internet can relay an unsolicited email through an SMTP server, and the message will appear to be legitimate
coming from the email server, and it makes it much more difficult to trace the spammer.
QUESTION 106
What is the purpose of S/MIME (Secure Multipurpose Internet Mail Extensions)?
A. To encrypt user names and profiles to ensure privacy
B. To encrypt messages and files
C. To encrypt network sessions acting as a VPN (Virtual Private Network) client
D. To automatically encrypt all outbound messages
Answer: B
Explanation:
Secure MIME (S/MIME) is a standard used for encrypting e-mail. S/MIME can also contain signature data.
S/MIME provides encryption, integrity, and authentication when used in conjunction with PKI.
What do you require in order to use S/MIME (Secure Multipurpose Internet Mail Extensions)?
A. A digital certificate.
B. A server side certificate.
C. A SSL (Secure Sockets Layer) certificate.
D. A public certificate.
Answer: A
Explanation:
What differentiates S/MIME from MIME is that it uses RSA asymmetric encryption and it relies on a digital
certificate for authentication.
QUESTION 108
What are the possible results of a malformed MIME (Multipurpose Internet Mail Extensions) header?
A. It can create a back door that will allow an attacker free access to a company's private network.
B. It can create a virus that infects a user's computer.
C. It can cause an unauthorized disclosure of private information.
D. It can cause an e-mail server to crash.
Answer: D
Explanation:
Microsoft Exchange Server 5.0 & 5.5 had a vulnerability that made it suspect to crashes following a malformed
MIME header. Patches have since been released.
Incorrect answers:
A: It does not create a backdoor. This is usually the
QUESTION 109
Which of the following is often used to encrypt e-mail messages?
A. S/MIME
B. BIND
C. DES
D. SSL
Answer: A
Explanation:
Secure MIME (S/MIME) is a standard used for encrypting e-mail. S/MIME can also contain signature data.
S/MIME provides encryption, integrity, and authentication when used in conjunction with PKI.
QUESTION 110
Which of the following represents the greatest benefit of using S/MIME /Secure Multipurpose Internet
Mail Extension)?
A. It allows users to send encrypted and digitally sign e-mail messages.
B. It allows users to send anonymous e-mails.
C. It allows users to send e-mails with a return receipt.
D. It expedites the delivery of e-mail.
Answer: A
Explanation:
Secure MIME (S/MIME) is a standard used for encrypting e-mail. S/MIME can also contain signature data.
S/MIME provides encryption, integrity, and authentication when used in conjunction with PKI.
Which of the following is a possible technical impact of receiving large quantifies of spam?
A. DoS (Denial of Service).
B. Processor underutilization.
C. Reduction in hard drive space requirements.
D. Increased network throughput.
Answer: A
Explanation:
In systems where no email filters are set up, it is possible for some users to receive over a hundred unsolicited
emails a day! If every user on a network received that much email, the human time necessary to sort through
those emails will be Herculean. The system resources required to: process, download, and store such email can
potentially reduce a networks availability to zero; thus denying service.
QUESTION 112
With regard to viruses and hoaxes, which of the following is TRUE? (Choose the best answer)A. Hoaxes can create as much damage as a real virus.
B. Hoaxes are harmless pranks and should be ignored.
C. Hoaxes can help educate user about a virus.
D. Hoaxes carry a malicious payload and can be destructive.
Answer: A
Explanation: Hoaxes do have the possibility of causing as much damage as viruses. Many hoaxes instruct
the recipient to forward the message to everyone that they know and thus causes network congestion and
heavy e-mail activity. Hoaxes also often instruct the user to delete files on their computer that may cause
their computer or a program to quit functioning.
QUESTION 113
Which types of attachments should be filtered from e-mails to minimize the danger of viruses?
A. Text files.
B. Image files.
C. Sound files.
D. Executable files.
Answer: D
Explanation:
Many newer viruses spread using email. The infected system includes an attachment to any e-mail that you
send to another user. The recipient opens this file thinking it is something you legitimately sent them. When
they open the file, the virus infects the target system. Many times the virus is in an executable attachment.
QUESTION 114
Which of the following is the primary attribute associated with e-mail hoaxes?
A. E-mail hoaxes create unnecessary e-mail traffic and panic in non-technical users.
B. E-mail hoaxes take up large amounts of server disk space.
C. E-mail hoaxes can cause buffer overflows on the e-mail server.
D. E-mail hoaxes can encourage malicious users.
Answer: A
Explanation:
Although answer choices B, C, D have a degree of truth to them; the BEST answer is
A. Email hoaxes often
create unnecessary traffic because they ask users to forward an email to everyone in address book, and whether
it is a computer virus or a blind, crippled, starving, cancer victim child suffering from Herpes it creates undue
panic and emotion in the work setting.
QUESTION 115
Which of the following does PGP use to encrypt data?
A. An asymmetric scheme
B. A symmetric scheme
C. a symmetric key distribution system
D. An asymmetric key distribution
Answer: A
Explanation:
PGP is a shareware implementation of RSA encryption. Pretty Good Privacy (PGP) is a set of software tools
that allows you to encrypt, decrypt, and digitally sign computer data and e-mail. PGP's encryption and
decryption services are asymmetric.
QUESTION 116
Which of the following mail standards relies on a "Web of Trust"?
A. Secure Multipurpose Internet Mail extensions (S/MIME)
B. Pretty Good Privacy (PGP)
C. MIME Object Security Services (MOSS)
D. Privacy Enhanced Mail (PEM)
Answer: B
Explanation:
"PGP does not use a hierarchy of CAs, or any type of formal trust certificates, but relies on a "web of trust" in
its key management approach. Each user generates and distributes his or her public key, and users sign each
other's public keys, which creates a community of users who trust each other. This is different than the CA
approach where no one trusts each other, they only trust the CA.
QUESTION 117
Which of the following defines the ability to verify that an e-mail message received has not been modified
in transit?
A. Authorization
B. Non-repudiation
C. Integrity
D. Cryptographic mapping
Answer: C
Explanation:
The goal of integrity is to verify that information being used is accurate and hasn't been tampered with.
Integrity is coupled with accountability to ensure that data is accurate and that a final authority exists to verify
this, if needed.
Which of the following would best protect the confidentiality and integrity of an e-mail message?
A. SHA-1 (Secure Hashing Algorithm 1)
B. IPSec (Internet Protocol Security)
C. Digital signature
D. S/MIME (Secure Multipurpose Internet Mail Extensions)
Answer: D
Explanation:
Secure Multipurpose Internet Mail Extensions (S/MIME) is a standard used for encrypting e-mail.
S/MIME contains signature data. It uses the PKCS #7 standard (Cryptographic Message Syntax
Standard) and is the most widely supported standard used to secure e-mail communications.
QUESTION 119
You work as the security administrator at Certkiller .com. You want to configure the Certkiller network to
allow only HTTP (Hypertext Transfer Protocol) traffic for outbound Internet connections. You also want
to set permissions to allow only certain users to browse the web. Which of the following should you use?
A. A packet filtering firewall.
B. A protocol analyzer.
C. A proxy server.
D. A stateful firewall.
Answer: C
Explanation:
A proxy server is a type of server that makes a single Internet connection and services requests on behalf of
many users. It is a server that is situated between a client and a server; that intercessors requests. Proxy servers
are used for two reasons:
* To filter requests, so a strict parent or company can prevent their kids or employees from viewing the wrong
sties.
* The increase performance, so multiple users accessing the same information (like a school, or a library,) can
fetch common information from the proxy server.
QUESTION 120
You work as the security administrator at Certkiller .com. You notice that an e-mail server is currently
relaying e-mail (including spam) for any e-mail server requesting relaying. On further investigation you
discover the existence of /etc/mail/relay domains. How should you modify the relay domains file to
prevent relaying for non-explicitly named domains?
A. Move the .* entry to the bottom of the relay domains file and restart the e-mail process.
B. Move the .* entry to the top of the relay domains file and restart the e-mail process.
C. Delete the .* entry in the relay domains file and restart the e-mail process.
D. Delete the relay domains file from the /etc/mail folder and restart the e-mail process.
Answer: C
Explanation:
The symbol: *.* is known as a wild card mask, and just like in poker when a file matches a wild card anything
goes. By deleting the wild card, it prevents ANY email server (including the SPAM servers) from relaying goes. By deleting the wild card, it prevents ANY email server (including the SPAM servers) from relaying
information.
What is the main purpose of an e-mail relay server?
A. It is used to block all spam, which allows the e-mail system to function more efficiently without the
additional load of spam.
B. It is used to prevent viruses from entering the network.
C. It is used to defend the primary e-mail server and limit the effects of any attack.
D. It is used to eliminate e-mail vulnerabilities since all e-mail is passed through the relay first.
Answer: C
Explanation:
An email relay will essentially make your mail server invisible to the internet, so you can protect yourself from
port scans, viruses, and arbitrary access.
QUESTION 122
Why should e-mail server be configured to prevent e-mail relay?
A. Untraceable, unwanted e-mail can be sent.
B. An attacker can gain access and take over the server.
C. Confidential information in the server's e-mail boxes can be read using the relay.
D. The open relay can be used to gain control of nodes on additional networks.
Answer: A
Explanation:
If someone can find a way to relay email through the relay server, they can send thousands of unsolicited emails
a day without the recipients having a way to pinpoint the source.
QUESTION 123
Which of the following can be used to exploit the clear text nature of an Instant-Messaging session?
A. Packet sniffing.
B. Port scanning.
C. Cryptanalysis.
D. Reverse engineering.
Answer: A
Explanation:
Since only clear unencrypted text is being sent across the world through multitudes of WAN equipment and
routers; it is easy for someone to sniff your conversation and eavesdrop on every word you type.
On a firewall, which ports must be open in order to support e-mail communication using SMTP (Simple
Mail Transfer Protocol)?
A. TCP (Transmission Control Protocol) port 110 to all inbound and outbound connections.
B. UDP (User Datagram Protocol) port 110 to all inbound connections.
C. UDP (User Datagram Protocol) port 25 to all inbound connections.
D. TCP (Transmission Control Protocol) port 25 to all inbound and outbound connections.
Answer: D
Explanation:
TCP port 25 is reserved for SMTP while port 110 is for POP3.
QUESTION 125
How many steps are used during the SSL (Secure Sockets Layer) handshake process?
A. Five
B. Six
C. Seven
D. Eight
Answer: B
Explanation:
SSL establishes a stateful connection negotiated by a handshaking procedure between client and server. During
this handshake, the client and server exchange the specifications for the cipher that will be used for that session.
QUESTION 126
What will the SSL (Secure Sockets Layer) enabled server do first when a user clicks to browse a secure
page?
A. Use its digital certificate to establish its identity to the browser.
B. Validate the user by checking the CRL (Certificate Revocation List).
C. Request the user to produce the CRL (Certificate Revocation List).
D. Display the requested page on the browser, then provide its IP (Internet Protocol) address for verification
Answer: A
Explanation:
The Secure Socket Layer is used to establish a secure communication connection between two TCP-based
machines. This protocol uses the handshake method. When a connection request is made to the server, the
server sends a message back to the client indicating a secure connection is needed. The client then sends the
server a certificate indicating the capabilities of the client. The server then evaluates the certificate and responds
with a session key and an encrypted private key. The session is secure after this process.
QUESTION 127
Which of the following types of encryption does SSL (Secure Sockets Layer) use?
A. Asymmetric
B. Symmetric
C. Public Key
D. Secret
Answer: B
Explanation: The Secure Sockets Layer (SSL) protocol uses both asymmetric and symmetric key
exchange. It uses asymmetric keys for the SSL handshake. During the handshake, the master key, is
encrypted with the receivers public passes from the client to the server. The client and server make their
own session keys using the master key. The session keys encrypt and decrypt data for the remainder of
the session. Symmetric key exchange occurs during the exchange of the cipher specification, or
encryption level
Which of the following steps in the SSL (Secure Socket Layer) protocol allows for client and server authentication, MAC (Mandatory Access Control) and encryption algorithm negotiation, and selection of
cryptographic keys?
A. SSL (Secure Sockets Layer) alert protocol.
B. SSL (Secure Sockets Layer) change cipher spec protocol.
C. SSL (Secure Sockets Layer) record protocol.
D. SSL (Secure Sockets Layer) handshake protocol.
Answer: D
Explanation:
SSL Handshake Protocol
* runs before any application data is transmitted
* provides mutual authentication
* establishes secret encryption keys
* establishes secret MAC keys
QUESTION 129
Which of the following protocols is used to encrypt traffic between a web browser and web server?
A. IPSec (Internet Protocol Security)
B. HTTP (Hypertext Transfer Protocol)
C. SSL (Secure Sockets Layer)
D. VPN (Virtual Private Network)
Answer: C
Explanation:
The Secure Sockets Layer (SSL) is used to establish a secure communication connection between two
TCP-based machines.
QUESTION 130
Which of the following protocols does a web server use to encrypt data?
A. TCP/IP (Transmission Control Protocol/Internet Protocol)
B. ActiveX
C. IPSec (Internet Protocol Security)
D. SSL (Secure Sockets Layer)
Answer: D
Explanation:
The Secure Socket Layer is used to establish a secure communication connection between two TCP-based
machines. This protocol uses the handshake method. When a connection request is made to the server, the
server sends a message back to the client indicating a secure connection is needed. The client then sends the
server a certificate indicating the capabilities of the client. The server then evaluates the certificate and responds
with a session key and an encrypted private key. The session is secure after this process.
QUESTION 131
In which lengths are SSL (Secure Sockets Layer) session keys available? (Choose two)
A. 40-bit
B. 64-bit.
C. 128-bit.
D. 1,024-bit.
A. C
Explanation:
SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the "session key" generated by
every encrypted transaction. The longer the key, the more difficult it is to break the encryption code.
QUESTION 132
Which of the following protocols is used to secure web transactions?
A. S/MIME (Secure Multipurpose Internet Mail Extensions)
B. XML (Extensible Makeup Language)
C. SSL (Secure Sockets Layer)
D. SMTP (Simple Mail Transfer Protocol)
Answer: C
Explanation:
The Secure Socket Layer is used to establish a secure communication connection between two TCP-based
machines. This protocol uses the handshake method. When a connection request is made to the server, the
server sends a message back to the client indicating a secure connection is needed. The client then sends the
server a certificate indicating the capabilities of the client. The server then evaluates the certificate and responds
with a session key and an encrypted private key. The session is secure after this process.
QUESTION 133
Which of the following represents the main advantage of using SSL (Secure Sockets Layer) has over
HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)?
A. SSL (Secure Sockets Layer) offers full application security for HTTP (Hypertext Transfer Protocol) while
HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
B. SSL (Secure Sockets Layer) supports additional application layer protocols such as FTP (File Transfer
Protocol) and NNTP (Network News Transport Protocol) while HTTPS (Hypertext Transfer Protocol over
Secure Sockets Layer) does not.
C. SSL (Secure Sockets Layer) and HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) are
transparent to the application.
D. SSL (Secure Sockets Layer) supports user authentication and HTTPS (Hypertext Transfer Protocol over
Secure Sockets Layer) does not.
Answer: B
Explanation:
SSL on its own works at the session layer (layer 5) so it has more versatility in protocols that it supports.
Incorrect answers:
QUESTION 134
What does a web client and server require in order for an SSL (Secure Sockets Layer) connection to be
established between them automatically?
A. A shared password.
B. A certificate signed by a trusted root CA (Certificate Authority).
C. An address on the same subnet.
D. A common operating system.
Answer: B
Explanation:
For an SSL connection to compete, the web client and server should have a trusted certificate to confirm
authenticity.
A shared password, address on the same subnet, and a common operating system are ludicrous answers because
they defy the reason why SSL exists.
QUESTION 135
Which of the following is a key function introduced SSLv3.0 (Secure Sockets Layer version 3.0)?
A. The ability to act as a CA (Certificate Authority).
B. The ability to force client side authentication via digital certificates.
C. The ability to use x.400 certificates.
D. The ability to protect transmissions with 1024-bit symmetric encryption.
Answer: B
Explanation:
There are three versions of SSL out right now: SSL v.2, SSL v.3, and TLSv1 which is still going through
standardization. SSL v.2 ensures encrypted data between client and serer. The server can authenticate the client,
and the client can option to authenticate the server. SSL v.3 was enhanced for security and efficiency. It
includes data compression, the ability of either the client or server requesting a renegotiation of the ciphers and
shared key at any moment, and the use of certificate chains.
QUESTION 136
On a firewall, which ports must be open in order to support SSL (Secure Sockets Layer)?
A. UDP (User Datagram Protocol) transport layer protocol and port 80
B. TCP (Transmission Control Protocol) transport layer protocol and port 80
C. TCP (Transmission Control Protocol) transport layer protocol and port 443
D. UDP (User Datagram Protocol) transport layer protocol and port 69
Answer: C
Explanation:
Secure Sockets Layer is secure, so it would be natural to assume that it uses the connection orientated TCP
instead of UDP. Secondly, TCP port 80 is HTTP, which stands for (hyper text transfer protocol) TCP port 443
is HTTPS which stands for hyper text transfer protocol over secure socket layer'
Which of the following allows secure access to a web page, regardless of the browser type or vendor?
A. Certificates with SSL (Secure Sockets Layer).
B. Integrated web with NOS (Network Operating System) security.
C. SSL (Secure Sockets Layer) only.
D. None of the above.
Answer: A
Explanation:
Regardless of whether or not you use Netscape Navigator or Microsoft Internet Explorer, if you come across a
page with a security certificate and an SSL connection (most likely for banking, investments, or purchases) you
will have secure access.
QUESTION 138
Between which layers of the OSI (Open Systems Interconnection) model does SSL (Secure Sockets Layer)
operate? (Choose all that apply)
A. The Application Layer.
B. The Transport Layer
C. The Network Layer
D. The Data Link Layer
E. The Physical Laye
Answer: A, B
Explanation:
SSL is associated with secure transactions (credit card purchases and online banking) over your web browser,
so naturally it operates between the top two layers of the OSI model. SSL is a protocol that secures messages by
operating between the Application layer (HTTP) and the Transport layer.
QUESTION 139
What makes Instant Messaging extremely insecure compared to other messaging systems?
A. It is a peer-to-peer network that offers most organizations virtually no control over it.
B. Most IM clients are actually Trojan Horses.
C. It is a centrally managed system that can be closely monitored.
D. It uses the insecure Internet as a transmission medium.
Answer: A
Explanation:
Answer: A seems to be the most correct of these answer.
Instant messaging is a form of immediate e-mail that takes place between two or more users. IM clients are
often prone to hostile code (usually in the form of file transfers) and subject to social engineering attacks,
wherein a hacker plays upon the culpability of a user to get what they need.
QUESTION 140
Which of the following is the greatest vulnerability of using Instant Messaging clients?
A. Theft of root user credentials.
B. Disconnection from the file server.
C. Hostile code delivered by file transfer.
D. Slow Internet connections.
E. Loss of email privileges.
F. Blue Screen of Death errors.
Answer: C
Explanation:
Instant Messaging (IM) enables users to communicate in real-time using text messages and to exchange files
(pictures, music, and so on) with one another. Thus IM clients can also be compromised by malicious code,
Trojan Horse programs, and traditional DoS attacks. IM clients are often prone to hostile code (usually in the
form of file transfers) and subject to social engineering attacks, wherein a hacker plays upon the culpability of a
user to get what they need.
QUESTION 141
Which of the following is the biggest problem associated with Instant Messaging?
A. It is widely deployed and difficult to control.
B. It was created without security in mind.
C. It is easily spoofed.
D. It is created with file sharing enabled.
Answer: B
Explanation:
Instant messaging was created for speed and simplicity. They wanted a program that was feature rich, but not
memory intensive so more people could be online more often. Since the text is unencrypted, it's very easy for
someone to eavesdrop on a message, hijack the conversation and send a virus that's disguised as an innocent
graphic file.
QUESTION 142
Which of the following is Instant Messaging most vulnerable to?
A. DoS (Denial of Service).
B. fraud.
C. stability.
D. sniffing.
Answer: D
Explanation:
Since instant messenger conversations are sent unencrypted (in clear-text) it's very easy for someone to use a
sniffer on the line to eavesdrop on the entire conversation.
QUESTION 143
With which privileges are ActiveX control executed?
A. Current user account
B. Administrator account
C. Guest account
D. System account
Answer: A
Explanation:
When you're online and you execute an ActiveX control; the only thing that can control it, are the individual
user settings of the current user
QUESTION 144
Which of the following is responsible for displaying an install dialog box for an ActiveX component?
A. The user's browser setting.
B. The <script> meta tag.
C. The condition of the sandbox.
D. The negotiation between the client and the server.
Answer: A
Explanation:
ActiveX components are downloaded to the client hard disk, potentially allowing additional security breaches.
Web browsers can be configured so that they require confirmation to accept an ActiveX control.
Incorrect answers:
QUESTION 145
Which of the following are used to prove where ActiveX controls originated from?
A. Encryption.
B. Their location on the web server.
C. SSL (Secure Sockets Layer).
D. Digital signatures.
Answer: D
Explanation:
ActiveX controls are digitally signed with an Authenticode signature, verified by a Certificate Authority. The
controls are restricted by that signature only, not by the web browser settings.
QUESTION 146
Which of the following can be used to track a user's browsing habits on the Internet?
A. Digital certificates
B. Cookies
C. ActiveX controls
D. Web server cache
Answer: B
Explanation: Cookies are text files that a browser maintains on the user's hard disk. A cookie will typically contain
information about the user. Cookies are used to provide persistent, customized web experience for each visit.
Cookies do contain username and passwords for each site you visit or login into
QUESTION 147
Which of the following can be used to retain connection data, user information, history of sites visited,
and can be used by attackers for spoofing an on-line identity?
A. HTTPS (Hypertext Transfer Protocol over SSL).
B. Cookies.
C. HTTP (Hypertext Transfer Protocol)/l.0 Caching.
D. vCard v3.0.
Answer: B
Explanation:
Cookies were originally developed by Netscape as a convenience feature to save user settings across multiple
sites, servers, and webpages. For example, some cookies save passwords and login information so a user doesn't
have to enter it every time they visit a page. Since cookies contain valuable information like: user name, IP
address, browser, and operating system a hacker can use cookie information for spoofing.
QUESTION 148
Which one of the following would most likely lead to a CGI (Common Gateway Interface) security
problem?
A. HTTP (Hypertext Transfer Protocol) protocol.
B. Compiler or interpreter that runs the CGI (Common Gateway Interface) script.
C. The web browser.
D. External data supplied by the user.
Answer: D
Explanation:
Common Gateway Interface is an older form of scripting that was used extensively in early web systems. CGI
scripts could be used to capture data from a user using simple forms. The CGI script ran on the web server, and
it interacted with the client browser. CGI is a doubtful choice in new applications because of its security issues,
but it still widely used in older systems.
Although the answer is not given in the paragraph from the book, the answer would be D.
QUESTION 149
When hosting a web server with CGI (Common Gateway Interface) scripts, which permissions should the
directories for public view have?
A. Read
B. Execute
C. Read and Write
D. Read, Write, and Execute
E. Full Control
Answer: B
Explanation:
Common Gateway Interface is an older form of scripting that was used extensively in early web systems. CGI
scripts could be used to capture data from a user using simple forms. The CGI script ran on the web server, and
it interacted with the client browser. CGI is frowned upon in new applications because of its security issues, but
it still widely used in older systems.
QUESTION 150
Which of the following is similar to SSLv3 (Secure Sockets Layer version 3)?
A. TLS (Transport Layer Security).
B. MPLS (Multi-Protocol Label Switching).
C. SASL (Simple Authentication and Security Layer).
D. MLS (Multi-Layer Switching).
Answer: A
Explanation:
Transport Layer Security is an end-to-end encryption protocol that is similar to and based on SSL version 3.0
except it uses stronger encryption, and not entirely interoperable. It is specified in ISO 10736 as part of the
transport layer in a protocol stack; defined in RFC 2246.
QUESTION 151
On a firewall, which ports must be open in order to allow LDAP (Lightweight Directory Access Protocol)
traffic?
A. 389 and 636
B. 389 and 139
C. 636 and 137
D. 137 and 139
Answer: A
Explanation:
The 'well known' LDAP ports are 389 for LDAP and 636 for LDAP SSL.
Incorrect answers:
B: Port 139 is the NetBIOS session service port.
C: NetBIOS services occurs via ports 137, 138, and 139
D: Port 139 is the NetBIOS session service port.
QUESTION 152
What is the start of the LDAP (Lightweight Directory Access Protocol) directory called?
A. Head
B. Root
C. Top
D. Tree
Answer: B
Explanation:
LDAP directories are arranged as trees. The top of the hierarchy is called the LDAP root. Below the topmost 'root' node, country information appears, followed by entries for companies, states or national organizations.
Next comes entries for organizational units, such as branch offices and departments. Finally we locate
individuals, which in X.500 and LDAP include people, shared resources such as printers, and documents. An
LDAP directory server thus makes it possible for a corporate user to find the information resources she needs
anywhere on the enterprise network
QUESTION 153
How are LDAP (Lightweight Directory Access Protocol) directories arranged?
A. As linked lists.
B. As trees.
C. As stacks.
D. As queues.
Answer: B
Explanation:
Directories are displayed best as directory trees, so naturally LDAP uses trees. LDAP is based from an
object-orientated access model built to directory enabled networking (DEN) standards.
The top of the hierarchy is called the LDAP root. The LDAP root server creates the hierarchy and the rest of the
structure (and resources) branch out from that location. LDAP uses objects to represent computers, user
accounts, shared resources, services, and so on.
QUESTION 154
Which of the following is vulnerable to having username and password information intercepted by
packet sniffing?
A. SSH (Secure Shell)
B. SSL (Secure Sockets Layer)
C. FTP (File Transfer Protocol)
D. HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)
Answer: C
Explanation: FTP has a major flaw. The user ID and password are not encrypted and are subject to packet capture.
How can you ensure that only authorized users can access a FTP (File Transfer Protocol) server?
A. Allow blind authentication.
B. Disable anonymous authentication.
C. Redirect FTP (File Transfer Protocol) to another port.
D. Only give the address to users that need access.
Answer: B
Explanation:
Early FTP servers did not offer security. Security was based on the honor system. Most logons to an FTP site
used the anonymous logon. By convention, the logon ID was the user's email address, and the password was
anonymous.
QUESTION 156
Should you enabling anonymous FTP (File Transfer Protocol) read/write access, which of the following
could occur?
A. An upload and download directory for each user.
B. Detailed logging information for each user.
C. The storage and distribution of unlicensed software.
D. Fewer server connections and less network bandwidth utilization
Answer: C
Explanation:
Anonymous FTP is based on good faith. But if it used to take advantage of the non-secure logon, then answer C
would seem to be the best answer.
QUESTION 157
What is the purpose of a FTP (File Transfer Protocol) bounce attack?
A. Exploiting a buffer overflow vulnerability on the FTP (File Transfer Protocol) server
B. Rebooting the FTP (File Transfer Protocol) server
C. Storing and distributing malicious code
D. Establishing a connection between the FTP (File Transfer Protocol) server and another computer
Answer: D
Explanation:
FTP bounce is a method that attackers use to protect their identity when scanning your network, by bouncing
the scan off a vulnerable FTP server. In some implementations of FTP daemons, the PORT command can be
misused to open a connection to a port of the attacker's choosing on a machine that the attacker could not have
accessed directly.
QUESTION 158
On a firewall, which ports must be open in order to allow FTP (File Transfer Protocol) traffic?
A. 20 and 21.
B. 25 and 110.
C. 80 and 443.
D. 161 and 162.
Answer: A
Explanation:
In basic FTP operations, port 20 is the data port and port 21 is the command port.
Incorrect answers:
B: Port 25 is for SMTP. Port 110 is for POP3
C: Port 80 is used by HTTP (used for the World Wide Web) and port 443 for HTTPS (used for secure web
connections)
D: Ports 161 and 162 are used for SNMP messages and traps respectively
QUESTION 159
Which of the following ports are used to access FTP (File Transfer Protocol)?
A. 80 and 443.
B. 20 and 21.
C. 21 and 23.
D. 20 and 80.
Answer: B
Explanation:
In basic FTP operations, port 20 is the data port and port 21 is the command port.
Incorrect answers:
A: Port 80 is used by HTTP (used for the World Wide Web) and port 443 for HTTPS (used for secure web
connections)
C: Port 23 is used by Telnet.
D: Port 80 is used by HTTP.
QUESTION 160
Which of the following do attackers most often use to identify the presence of an 801.11b network?
A. War driving
B. Direct inward dialing
C. War dialing
D. Packet driving
Answer: A
Explanation: War driving is the practice of literally driving around looking for free connectivity from Wi-Fi networks.
Incorrect Answers
B: Does not apply.
C: In war dialing combinations of numbers are tested to find network back doors via modem.
D: Does not apply.
QUESTION 161
What is the maximum data transmission rate of IEEE (Institute of Electrical and Electronics Engineers)
802.11b?
A. 10 Mbps (Megabits per second)
B. 10.5 Mbps (Megabits per second)
C. 11 Mbps (Megabits per second)
D. 12 Mbps (Megabits per second)
Answer: C
Explanation:
The 802.11b standard provides for bandwidth of up to 11Mbps in the 2.4GHz frequency spectrum.
Incorrect answers:
A, B: This is below the maximum bandwidth that can be accommodated by 802.11b.
D: This is above the maximum bandwidth that 802.11b can accommodate.
QUESTION 162
Which of the following can be used to prevent intruders from using access points on a wireless network?
A. ESP (Encapsulating Security Payload)
B. WEP (Wired Equivalent Privacy)
C. TLS (Transport Layer Security)
D. SSL (Secure Sockets Layer)
Answer: B
Explanation:
The 802.11 standard describes the communication that occurs in wireless local area networks (LANs). The
Wired Equivalent Privacy (WEP) algorithm is used to protect wireless communication from eavesdropping. A
secondary function of WEP is to prevent unauthorized access to a wireless network; this function is not an
explicit goal in the 802.11 standard, but it is frequently considered to be a feature of WEP.
QUESTION 163
Which of the following provides privacy, data integrity and authentication for handled devices in a
wireless network environment?
A. WEP (Wired Equivalent Privacy)
B. WAP (Wireless Application Protocol)
C. WSET (Wireless Secure Electronic Transaction)
D. WTLS (Wireless Transport Layer Security)
Answer: D
Explanation: Short for Wireless Transport Layer Security. WTLS is the security layer of the WAP,
providing privacy, data integrity and authentication for WAP services.
QUESTION 164
Between which of the following does WTLS (Wireless Transport Layer Security) provides security
services?
A. A Web server.
B. A mobile device.
C. A Wireless client.
D. A Wireless network interface card.
E. A WAP (Wireless Application Protocol) gateway
Answer: B, E
Explanation:
Since most wireless devices are low in: memory, processing power, and bandwidth capability creating a
security mechanism is a difficult task. WTLS is the security layer of the Wireless Applications Protocol (WAP).
WTLS provides authentication, encryption, and data integrity for wireless devices between a wireless device
and the WAP gateway.
QUESTION 165
Which of the following provides a WLAN (Wireless Local Area Network) with the level of security
associated with a LAN (Local Area Network)?
A. WEP (Wired Equivalent Privacy)
B. ISSE (Information Systems Security Engineering)
C. ISDN (Integrated Services Digital Network)
D. VPN (Virtual Private Network)
Answer: A
Explanation:
Wired Equivalent Privacy is a wireless protocol designed to provide privacy equivalent to that of a wired
network.
QUESTION 166
What should be done to secure the wireless network environment that uses access points as repeaters?
A. Ensure that employees use complex passwords.
B. Ensure that employees are only using issued wireless cards in their systems.
C. Ensure that WEP (Wired Equivalent Privacy) is being used.
D. Ensure that everyone is using adhoc mode.
Answer: C
Explanation:
If every access point is secured to WEP standards, the entire range covered by the wireless system will be
encrypted to a security level that equals a conventional wired network, thus preventing sniffing and
unauthorized 'drive by' access.
In a wireless network that uses WEP (Wired Equivalent Privacy) to provide wireless security, which of
the following may authenticate to an access point?
A. Only the administrator.
B. Anyone can authenticate.
C. Only users within the company.
D. Only users with the correct WEP (Wired Equivalent Privacy) key.
Answer: D
Explanation:
WEP relies on a secret key that is shared between a mobile station (eg. a laptop with a wireless Ethernet card)
and an access point (ie. a base station). The secret key is used to encrypt packets before they are transmitted,
and an integrity check is used to ensure that packets are not modified in transit. Server authentication requires
the workstation to authenticate against the server (access point).
QUESTION 168
What is the purpose of WEP (Wired Equivalent Privacy)?
A. To provide a WLAN (Wireless Local Area Network) with the same level of security as a wired LAN (Local
Area Network).
B. To provide a collision preventive method of media access for a WLAN (Wireless Local Area Network).
C. To provide a WLAN (Wireless Local Area Network) with a wider access area that that of a wired LAN
(Local Area Network).
D. To allow radio frequencies to penetrate walls
Answer: A
Explanation:
WEP is a security protocol for 802.11b (wireless) networks that attempts to establish the same security for them
as would be present in a wired network. It is designed to provide privacy equivalent to that of a wired network.
QUESTION 169
On which of the following is the WAP (Wireless Application Protocol) programming model based?
A. Client, original server, WEP (Wired Equivalent Privacy)
B. Code design, code review, documentation
C. Client, original server, wireless interface card
D. Client, gateway, original server
Answer: D
Explanation:
Wireless networking is not unlike networking on cable. Computers can be connected to form a client/server
network. Hubs and switches can be used to connect network segments and allow communications over a
broader area.
WAP systems communicate using a WAP gateway system. The gateway converts information back and forth
between HTTP and WAP, as well as encodes and decodes between the security protocols.
QUESTION 170
Which of the following can be used to provide security and privacy in a WLAN (Wireless Local Area
Network)?
A. SWP (Secure WLAN Protocol)
B. WEP (Wired Equivalent Privacy)
C. SSL (Secure Sockets Layer)
D. S/MIME (Secure Multipurpose Internet Mail Extensions)
Answer: B
Explanation:
WEP is a security protocol for 802.11b (wireless) networks that attempts to establish the same security for them
as would be present in a wired network. It is designed to provide privacy equivalent to that of a wired network.
QUESTION 171
What type of program highlights the vulnerabilities of servers on the network to various exploits and
suggests ways to mitigate the vulnerabilities?
A. Intrusion detection
B. Port scanner
C. Vulnerability scanner
D. Trojan scanner
Answer: C
Explanation:
A vulnerability assessment uses a set of tools to identify vulnerabilities in a network. It usually works by
scanning the network for IP hosts and identifying the different services running on the computers on the
network. Each service is then probed to test the service for its security against known vulnerabilities. These
tools then reports the vulnerabilities it finds on each computer, their level of risk, and suggests methods for
mitigating these risks.
QUESTION 172
Which of the following can be used to review network traffic and determine which services are running
on the network?
A. A sniffer.
B. An IDS (Intrusion Detection System).
C. A firewall.
D. A router.
Answer: A
Explanation:
Packet sniffers are used to capture, monitor and analyze network traffic. There legitimate purpose is to find
traffic flow problems and bottlenecks. However, hackers use it to capture data, to use in replay attacks.
You work as a security administrator at Certkiller .com. You are reconfiguring a UNIX server so as to
make it less susceptible to an attacker obtaining the user account passwords. You decide to have the
encrypted passwords contained within a file that is readable only by root. What is a common name for
this file?
A. passwd
B. shadow
C. hosts.allow
D. hosts.deny
Answer: B
Explanation:
The shadow password file is a UNIX file that contains password related user information, including the
encrypted user passwords. This file is readable only by superuser and/or members of a specified group that has
root access because the file is only readable by root.
Which of the following is NOT a valid reason for supporting the recommendation that only essential
services be provided by a particular host, and any unnecessary services be disabled?
A. Each additional service increases the risk of compromising the host, the services that run on the host, and
potential clients of these services.
B. Different services may require different hardware, software, or a different discipline of administration.
C. When fewer services and applications are running on a specific host, fewer log entries and fewer interactions
between different services are expected, which simplifies the analysis and maintenance of the system from a
security point of view.
D. If a service is not using a well known port, firewalls will not be able to disable access to this port, and an
administrator will not be able to restrict access to this service.
Explanation:
All services are part of the operating system and do not require additional software. Furthermore, services are
optimized to run on a computer that meets the minimum system requirements for the operating system.
Therefore no additional hardware is required. However, a
QUESTION 175
You work as a security administrator at Certkiller .com. On examining the server's list of protocols that
are bound and active on each network interface card, you notice a relatively large number of protocols.
What should you do to ensure network security?
A. Unnecessary protocols do not pose a significant to the system and should be left intact for compatibility
reasons.
B. There are no unneeded protocols on most systems because protocols are chosen during the installation.
C. Unnecessary protocols should be disabled on all server and client machines on a network as they pose great
risk.
D. Using port filtering ACLs (Access Control List) at firewalls and routers is sufficient to stop malicious attacks
on unused protocols.
Answer: C
Explanation:
Leaving additional network services enabled may cause difficulties and can create vulnerabilities in your
network. As much as possible, configure your network devices as restrictively as you can.
QUESTION 176
Why are single servers often the targets of attack?
A. Because they contain application launch scripts.
B. Because they contain security policy settings.
C. Because they contain credentials for many systems and users.
D. Because they contain master encryption keys.
Answer: C
Explanation:
In a single server environment, all user credentials are stored on one server. A successful attack on that server
will thus give the attacker access to usernames, addresses, and password hashes for all network users.
QUESTION 177
You work as a security administrator at Certkiller .com. A network administrator has just replaced a hub
with a switch. When you use software to sniff packets from the network, you notice that you can detect
communication only between his computer and the servers on the network. You cannot detect
communications between other network clients and the servers. The network administrator assures you
that the switch is functioning properly. What is the most likely cause of this problem?
A. With the exception of broadcasts, switches do not forward traffic out all ports.
B. The switch is setup with a VLAN (Virtual Local Area Network) utilizing all ports.
C. The software used to sniff packets is not configured properly.
D. The sniffer's Ethernet card is malfunctioning.
Answer: A
Explanation:
Switches were originally designed to segment networks to make communications more efficient. Unless traffic
is sent to the broadcast address, a switch will not forward traffic out all ports. For this reason, sniffers cannot be
used on a switched network.
QUESTION 178
What should be performed before implementing a wireless solution?
A. Ensure ad hoc mode is enabled on the access points.
B. Ensure that all users have strong passwords.
C. Purchase only Wi-Fi (Wireless Fidelity) equipment.
D. Perform a thorough site survey.
Answer: D
Explanation:
Geography and architecture can affect wireless availability and integrity. It would be crucial to perform a site
survey first, to locate any geographical and architectural obstacles so they can be accommodated.
QUESTION 179
Which of the following security mechanisms can be used to control the flow of packets traveling through
routers?
A. ACL (Access Control List)
B. Fault tolerance tables
C. OSPF (Open Shortest Path First) policy
D. Packet locks
Answer: C
Explanation:
ACLs control access to resources based on user permissions or IP address. On a router, an ACL can allow or
deny a machine access to a network based on the machine's IP address.
QUESTION 180
In which of the following can privilege policy based tables be used to confine sensitive data traffic to
workstations on a specific subnet?
A. A router.
B. A server.
C. A modem.
D. A VPN (Virtual Private Network).
Answer: A
Explanation:
A router with an access control list is a powerful line of defense against users on the outside, and users on the
inside. It can be configured to prevent or allow specific systems from accessing a network based to the system's
IP addresses, thus controlling the flow of data.
In a VPN (Virtual Private Network), which of the following will be encrypted by using IPSec (Internet
Protocol Security) in the tunnel mode?
A. One time pad used in handshaking.
B. Payload and message header.
C. Hashing algorithm and all e-mail messages.
D. Message payload only.
Answer: B
Explanation:
In IPSec the payload and the header are known as the ESP (Encapsulating Security Payload) and AH
(Authentication Header).
QUESTION 182
What is the first step in implementing a firewall?
A. Blocking unwanted incoming traffic.
B. Blocking unwanted outgoing traffic.
C. Developing a firewall policy.
D. Protecting against DDoS (Distributed Denial of Service) attacks.
Answer: C
Explanation:
A firewall is a hardware or software component that to protect a private network from another, usually external
and untrusted, network by use filters to control the network traffic that enters and/or leaves a network. The first
step in implementing a firewall is to develop a firewall policy that defines how the firewall should filter traffic
and the types of traffic that should be blocked or allowed.
What does a firewall use to ensure that each packet is part of an established TCP (Transmission Control
Protocol) session?
A. A packet filter.
B. A stateless inspection.
C. A stateful inspection.
D. A circuit level gateway.
Answer: C
Explanation:
A stateful inspection firewall uses a state table to keep track of every communications channel at all levels of
the network. This provides additional security in connectionless protocols such as User Datagram Protocol
(UDP) and Internet Control Message Protocol (ICMP).
QUESTION 185
What is the basic strategy for configuring the rules for a secure firewall?
A. Permit all.
B. Deny all.
C. Default permit.
D. Default deny.
Answer: D
Explanation:
A firewall is a hardware or software component that to protect a private network from another, usually external
and untrusted, network by use filters to control the network traffic that enters and/or leaves a network. It should
be configured to allow only explicitly permitted. All types of traffic and ports that are not explicitly permitted,
should be denied by default.
QUESTION 186
Which of the following is a security consideration that is introduced by a VPN (Virtual Private
Network)?
A. An intruder can intercept VPN (Virtual Private Network) traffic and create a man in the middle attack.
B. Captured data is easily decrypted because there are a finite number of encryption keys.
C. Tunneled data CANNOT be authenticated, authorized or accounted for.
D. A firewall CANNOT inspect encrypted traffic.
Answer: D
Explanation:
A firewall can't inspect traffic once it is channeled into a VPN. When a firewall sees a VPN channel, it
considers it as already passing security checks. The firewall does not have the ability to see through the
encrypted channel.
QUESTION 187
Which of the following can be used to limit hostile sniffing on a LAN (Local Area Network)?
A. An ethernet switch.
B. An ethernet hub.
C. A CSU/DSU (Channel Service Unit/Data Service Unit).
D. A firewall.
Answer: A
Explanation:
Switches were originally designed to segment networks to make communications more efficient. Unless traffic
is sent to the broadcast address, a switch will not forward traffic out all ports. For this reason, sniffers cannot be
used on a switched network.
QUESTION 188
Which of the following represents the best protection against the abuse of remote maintenance of PBX
(Private Branch Exchange) system?
A. Keep maintenance features turned off until needed
B. Insists on strong authentication before allowing remote maintenance
C. Keep PBX (Private Branch Exchange) in locked enclosure and restrict access to only a few people.
D. Check to see if the maintenance caller is on the list of approved maintenance personnel
Answer: A
Explanation:
PBX systems are maintained by the vendor of the system. This is accomplished through remote maintenance.
You can prevent an attacker from exploiting a PBX system by turning off maintenance features until the vendor
informs you that maintenance is required.
Which of the following security mechanisms can be applied to modems to better authenticate remote
users?
A. firewalls
B. encryption
C. SSH (Secure Shell)
D. callback
Answer: D
Explanation:
Callback is security measure that can be implemented in remote access authentications. When a user connects
to the modem, the modem calls the user back at a predefined telephone number. This limits remote access to the
network.
Which of the following method would most likely allow an attacker that is attempting to penetrate a
company's network through its remote access system to gain access?
A. War dialer.
B. Trojan horse.
C. DoS (Denial of Service).
D. Worm.
Answer: A
Explanation:
A war dialer is a program that dials a block of telephone numbers in the attempt to fins a remote access
computer to connect to. Although advances in telecom technology has made it easier to identify war dialers,war dialer remain a threat to remote access systems
You work as a security administrator at Certkiller .com. Mobile users require remote connectivity in
order to access shared files and e-mail on the corporate network. All mobile uses have laptops equipped
with Ethernet adapters. Some also have modems. What is the best remote access solution to allow all
mobile users to access the corporate network?
A. ISDN (Integrated Services Digital Network).
B. Dial-up.
C. SSL (Secure Sockets Layer).
D. VPN (Virtual Private Network).
Answer: D
Explanation:
A VPN is a network connection that tunnels through a public network, providing the same level of security as a
local connection. When the salesmen create a VPN connection, they will be required to authenticate to the VPN
server. Once authenticated, they will virtual access to a private network that is safe, secure, and encrypted.
However, their access to resources on the private network will be determined by their permissions on those
resources.
QUESTION 192
Which of the following is the most effective in preventing network traffic sniffing?
A. Deploy an IDS (Intrusion Detection System).
B. Disable promiscuous mode.
C. Use hubs instead of routers.
D. Use switches instead of hubs.
Answer: D
Explanation:
Switches were originally designed to segment networks to make communications more efficient. Unless traffic
is sent to the broadcast address, a switch will not forward traffic out all ports. For this reason, sniffers cannot be
used on a switched network.
QUESTION 193
Which two parts does an IDS (Intrusion Detection Systems) typically consist of? (Choose two)
A. A router.
B. A sensor.
C. A firewall
D. A console.
Answer: B D
Explanation:
An IDS has a number of components including a sensor and an analyzer. The sensor collects the data which is
then passed on to the analyzer. The analyzer analyzes the data for suspicious activity. When suspicious activity
is identified, an alert is sent to the operator either via e-mail or a console.
What is the main advantage of using a multi-homed firewall?
A. It is relatively inexpensive to implement.
B. The firewall rules are easier to manage.
C. If the firewall is compromised, only the systems in the DMZ (Demilitarized Zone) are exposed.
D. An attacker must circumvent two firewalls.
Answer: C
Explanation:
A firewall is a hardware or software component that to protect a private network from another, usually external
and untrusted, network by use filters to control the network traffic that enters and/or leaves a network. A
multi-homed firewall has two or more network cards. This allows for the distinction between multiple networks
and allows for the creation of a demilitarized zone (DMZ). The DMZ hosts publicly accessible servers, such as
web or FTP. The firewall provides secured but public access to the DMZ, while blocking access to the private
network. If the multi-homed firewall is compromised, only the systems in the DMZ will be exposed.
QUESTION 195
Which of the following is the best defense against IP (Internet Protocol) spoofing attacks?
A. Deploying intrusion detection systems.
B. Creating a DMZ (Demilitarized Zone).
C. Applying ingress filtering to routers.
D. There is no good defense against IP (Internet Protocol) spoofing.
Answer: C
Explanation:
In IP Spoofing attacks the attacker attempts to gain access to the internal network by using an IP address that
matches the internal network address, thus pretending his or her computer is on the internal network. This
attack can be prevented by implementing ingress IP address filtering at the network perimeter. This will block
inbound traffic from the outside.
QUESTION 196
Which of the following is usually NOT included in security requirements for servers?
A. The absence of vulnerabilities used by known forms of attack against server hosts.
B. The ability to allow administrative activities to all users.
C. The ability to deny access to information on the server other than that intended to be available.
D. The ability to disable unnecessary network services that may be built into the operating system or server
software.
Answer: B
Explanation:
Granting any user administrative privileges would allow any user full control over the system and would render
that administrative account obsolete. This would not be a good security measure.
QUESTION 197
You work as a security administrator at Certkiller .com. You need to confine sensitive data traffic to a
specific subnet. Which of the following could you use?
A. A router.
B. A server.
C. A switch.
D. A VPN (Virtual Private Network).
Answer: A
Explanation:
A router with an access control list is a powerful line of defense against users on the outside, and users on the
inside. It can be configured to prevent or allow specific systems from accessing a network based to the system's
IP addresses, thus controlling the flow of data.
QUESTION 198
What may an active detection IDS system perform when it discovers an unauthorized connection
attempt? (Choose all that apply)
A. Inform the attacker that he is connecting to a protected network.
B. Shut down the server or service.
C. Provide the attacker the usernames and passwords for administrative accounts.
D. Break of suspicious connections.
Answer: B, D
Explanation:
Active response involves taking an action based upon an attack or threat. The goal of an active response would
be to take the quickest action possible to reduce the potential impact of an event. Terminating connections,
processes, or sessions are responses that may occur in the event of an unauthorized connection.
QUESTION 199
Which of the following attacks CANNOT be detected by an IDS (Intrusion Detection System)?
A. DoS (Denial of Service)
B. Exploits of bugs or hidden features
C. Spoofed e-mail
D. Port scan
Answer: C
Explanation:
An intrusion detection system (IDS) monitors inbound and outbound network traffic on a host or network in
order to detect an attempted intrusion. E-mail messages are not network traffic, therefore spoofed emails will
not be detected by the IDS.
What are servers or workstations that run programs and utilities for recording probes and attacks
against them called?
A. Firewalls.
B. Host based IDS (Intrusion Detection System).
C. Proxies.
D. Active targets.
Answer: B
Explanation:
An intrusion detection system (IDS) monitors inbound and outbound network traffic on a host or network in
order to detect an attempted intrusion. Host based IDS solutions are made up of programs and processes
running on a host, server, or workstation that monitor event logs, application logs, port access, and other
process to identify suspicious behavior or signatures associated with an attack. They differ from network based
IDS that seek: string signatures, port signatures, and header signatures.
QUESTION 201
Which of the following is a DISADVANTAGE of employing an IDS (Intrusion Detection System)?A. False positives.
B. Throughput decreases.
C. Compatibility.
D. Administration.
Answer: A
Explanation:
An intrusion detection system (IDS) monitors inbound and outbound network traffic on a host or network in
order to detect an attempted intrusion. Sometimes an IDS will mistake legitimate traffic for an intrusion. This is
called a false positive.
QUESTION 202
With regard to network based lDSs (Intrusion Detection Systems), which of the following statements is
true?
A. Network based IDSs (Intrusion Detection System) are never passive devices that listen on a network
wire-without interfering with the normal operation of a network.
B. Network based IDSs (Intrusion Detection System) are usually passive devices that listen on a network wire
while interfering with the normal operation of a network.
C. Network based IDSs (Intrusion Detection System) are usually intrusive devices that listen on a network wire
while interfering with the normal operation of a network.
D. Network based IDSs (Intrusion Detection System) are usually passive devices that listen on a network wire
without interfering with the normal operation of a network.
Answer: D
Explanation:
In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a
reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the
firewall to block network traffic from the suspected malicious source.
QUESTION 203
What type of system will examine all packets on an internal network for known attack signatures? A. A vulnerability scanner.
B. A packet filter.
C. A host based IDS (Intrusion Detection System).
D. A network based IDS (Intrusion Detection System).
Answer: D
Explanation:
An intrusion detection system (IDS) monitors inbound and outbound network traffic on a host or network in
order to detect an attempted intrusion. This can be either a host based IDS, which monitors traffic to and from a
single host, or a network based IDS, which monitors network traffic. Thus, network based IDS is not limited to
a single server but monitors the traffic over the entire network
QUESTION 204
Which of the following network media types is most immune to eavesdropping and electromagnetic
interference?
A. STP (Shielded Twisted Pair) cable.
B. UTP (Unshielded Twisted Pair) cable.
C. Coaxial cable.
D. Fiber-optic cable.
Answer: D
Explanation:
Fiber-optic, as a media, is relatively secure because it cannot be easily tapped. It is the strongest media
available to defeat EMI and RFI in my opinion.
Which of the following media types provides the lowest risk to RF (Radio Frequency) eavesdropping?
A. Coaxial cable.
B. Fiber optic cable.
C. Twisted pair wire.
D. Unbounded.
Answer: B
Explanation:
Fiber optic cable is relatively secure because it cannot be easily tapped. It is the strongest media available to
defeat EMI and RFI in my opinion.
QUESTION 206
Which of the following media types provides the most protection against electromagnetic interference?
A. Coaxial cable.
B. UTP (Unshielded Twisted Pair).
C. STP (Shielded Twisted Pair).
D. Fiber optic cable.
Answer: D
Explanation:
Fiber is designed for short- and long-range transmissions at speeds higher than 1Gbps. It uses light pulses for
signal transmission, making it immune to RFI and EMI.
QUESTION 207
Which of the following media types provides the least protection against electromagnetic interference?
A. Coaxial cable.
B. UTP (Unshielded Twisted Pair).
C. STP (Shielded Twisted Pair).
D. Fiber optic cable.
Answer: B
Explanation:
UTP has no shielding and is prone to radio frequency interference (RFI) and electromagnetic interference
(EMI); however, its installation is relatively simple and its cost low.
QUESTION 208
On which of the following types of network cabling is eavesdropping the MOST difficult?
A. Fiber optic cable.
B. Coaxial cable.
C. UTP (Unshielded Twisted Pair).
D. STP (Shielded Twisted Pair).
Answer: A Explanation:
As far as security is concerned, fiber cabling eliminates the tapping of electrical signals that is possible in the
case of twisted pair and coax. Tapping fiber cable without service interruption and specially constructed
equipment is impossible, which makes stealing service or eavesdropping on traffic significantly more difficult
QUESTION 209
You work as the security administrator at Certkiller .com. You want to establish a secure connection
between headquarters and a branch office over a public network. In which mode should you configure
the router at each location to use IPSec (Internet Protocol Security)?
A. Secure
B. Tunnel
C. Transport
D. Data link
Answer: B
Explanation:
IPSec provides secure authentication and encryption of data and headers. IPSec can work in Tunneling mode or
Transport mode. In Tunneling mode, the data or payload and message headers are encrypted. Transport mode
encrypts only the payload.
QUESTION 210
Which of the following can be used to mitigate against sniffers and decrease broadcast traffic?
A. VPN (Virtual Private Network)
B. DMZ (Demilitarized Zone)
C. VLAN (Virtual Local Area Network)
D. RADIUS (Remote Authentication Dial-in User Service)
Answer: C
Explanation:
A VLAN allows you to create groups of users and systems and segment them on the network. This
segmentation allows you to hide segments of the network from other segments and control access. You can
think of a VLAN as a good way to contain network traffic. VLANS are created by using a switch, and switched
networks mitigate against sniffers.
QUESTION 211
You work as the network administrator at Certkiller .com. You want to restrict internal access to other
parts of the network. Your solution will be hardware based and must be implemented with the least
amount of administrative effort. Which of the following would be your best solution?
A. Implement firewalls between subnets to restrict access.
B. Implement a VLAN (Virtual Local Area Network) to restrict network access.
C. Implement a proxy server to restrict access.
D. Implement a VPN (Virtual Private Network).
Answer: B
Explanation:
Implement a VLAN (Virtual Local Area Network) to restrict network access is the best answer. VLAN's would
restrict access only to their local VLAN, and this would require less administrative overhead than setting up
firewalls at each subnet. They are also hardware based (at the switch and MAC level) Firewalls are used so that
external users (outside the organization cannot get in), whereas VLAN's are used within an organization to
provide security
QUESTION 212
What is the process by which remote users make a secure connection to internal resources after
establishing an Internet connection called?
A. Channeling
B. Tunneling
C. Throughput
D. Forwarding
Answer: B
Explanation:
Tunneling refers to the ability to create a virtual dedicated connection between two systems or network. The
tunnel is created between the two ends by encapsulating the data in a mutually agreed upon protocol for
transmission. For example: a VPN or even SSL.
QUESTION 213
Which of the following is a VPN (Virtual Private Network) tunneling protocol?
A. AH (Authentication Header).
B. SSH (Secure Shell).
C. IPSec (Internet Protocol Security).
D. DES (Data Encryption Standard).
Answer: C
Explanation:
IPSec provides secure authentication and encryption of data and headers. IPSec can work in tunneling mode or
transport mode. In tunneling mode, the data or payload and message headers are encrypted. Transport modes
encrypt only the payload.
QUESTION 214
Tunneling is ________.
A. the process of using the Internet as part of a private secure network
B. the ability to burrow through three levels of firewalls
C. the ability to pass information over the Internet within the shortest amount of time
D. the process of creating a tunnel which can capture data
Answer: A
Explanation:
Civil engineers build tunnels to allow one direction of traffic flow to be protected against another traffic flow.
They will build a tunnel under a river, or underneath a highway. Network engineers use tunneling to protect a
data flow from the elements of the internet. They tunnel by placing ordinary/non-secure IP packets into
encrypted/secure IP packets.
QUESTION 215
Which of the following best describes tunneling?
A. The act of encapsulating encrypted/secure IP packets inside of ordinary/non-secure IP packets.
B. The act of encapsulating ordinary/non-secure IP packets inside of encrypted/secure IP packets.
C. The act of encapsulating encrypted/secure IP packets inside of encrypted/non-secure IP packets.
D. The act of encapsulating ordinary/secure IP packets inside of ordinary/non-secure IP packets.
Answer: B
Explanation:
Tunneling refers creating a virtual dedicated connection between two systems or networks. You create the
tunnel between the two ends by encapsulating the data in a mutually-agreed-upon protocol for transmission. In
most tunnels, the data passed through the tunnel appears at the other side as part of the network. Tunneling
sends private data across a public network by placing (encapsulating) that data into other packets. Most tunnels
are virtual private networks (VPNs).
QUESTION 216
What is the primary purpose of NAT (Network Address Translation)?
A. To translate IP (Internet Protocol) addresses into user friendly names.
B. To hide internal hosts from the public network.
C. To use on public IP (Internet Protocol) address on the internal network as a name server.
D. To hide the public network from internal hosts.
Answer: B
Explanation:
NAT effectively hides your network from the world. This makes it much harder to determine what systems
exist on the other side of the router
QUESTION 217
When connecting the following IP (Internet Protocol) address schemes to the Internet, which one will
require NAT (Network Address Translation)?
A. 204.180.0.0/24
B. 172.16.0.0/24
C. 192.172.0.0/24
D. 172.48.0.0/24
Answer: B
Explanation:
The NAT server provides IP addresses to the hosts or systems in the network and tracks inbound and outbound
traffic. A company that uses NAT presents a single connection to the network. This connection may be through
a router or a NAT server. The only information that an intruder will be able to get
QUESTION 218
Which of the following can be used to accomplish NAT (Network Address Translation)?
A. Static and dynamic NAT (Network Address Translation) and PAT (Port Address Translation).
B. Static and hide NAT (Network Address Translation).
C. Static and hide NAT (Network Address Translation) and PAT (Port Address Translation).
D. Static, hide, and dynamic NAT (Network Address Translation).
Answer: A
Explanation:
Both NAT and PAT can be configured for static and dynamic address translation.
QUESTION 219
What is the area in which a system administrator would place the web server to isolate it from other
servers on the network called?
A. Honey pot
B. Hybrid subnet
C. DMZ (Demilitarized Zone)
D. VLAN (Virtual Local Area Network)
Answer: C
Explanation:
A Demilitarized Zone is used by a company that wants to host its own Internet services without sacrificing
unauthorized access to its private network.
QUESTION 220
You work as the network administrator at Certkiller .com. You want to configure a new web server to
provide HTTP (Hypertext Transfer Protocol), SSL (Secure Sockets Layer), FTP (Pile Transfer Protocol),
and SMTP (Simple Mail Transfer Protocol) services. The web server will be placed into a DMZ
(Demilitarized Zone). Which standard ports must you open on the firewall to allow traffic to and from
the server?
A. 119, 23, 21, 80.
B. 443, 119, 21, 1250.
C. 80, 443, 21, 25.
D. 80, 443, 110, 21.
Answer: C
Explanation:
Port 80 is used by HTTP
Port 443 is used by HTTPS (HTTP over SSL)
Port 21 is used by FTP, and
Port 25 is used by SMTP
QUESTION 221
When connecting a network to the Internet, which of the following will ensure that the internal network
IP (Internet Protocol) addresses are not compromised?
A. A honey pot
B. A NAT (Network Address Translation).
C. A VPN (Virtual Private Network).
D. A screened network.
Answer: B
Explanation:
Network address translation will allow you to connect multiple computers to the internet with just one IP
address, because it works as an agent between the internal network and the outside networks.
QUESTION 222
Which of the following best describes a DMZ (Demilitarized Zone)?
A. An application program with a state that authenticates the user and allows the user to be categorized based
on privilege.
B. A network between a protected network and an external network in order to provide an additional layer of
security.
C. The entire area between the network of origin and the destination network.
D. An application that allows the user to remove any offensive of an attacker.
Answer: B
Explanation:
A Demilitarized Zone is used by a company that wants to host its own Internet services without sacrificing
unauthorized access to its private network.
It is a computer or small subnetwork that sits between a trusted internal network, such as a corporate private
LAN, and an untrusted external network, such as the public Internet. Typically, the DMZ contains devices
accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS
servers. The term comes from military use, meaning a buffer area between two enemies.
QUESTION 223
Which of the following would be placed in a DMZ (Demilitarized Zone)?
A. A customer account database
B. Staff workstations
C. A FTP (File Transfer Protocol) server
D. A SQL (Structured Query Language) based database server
Answer: C
Explanation:
A DMZ is an area where you can place a public server for access by people you might not trust otherwise. By
isolating a server in a DMZ, you can hide or remove access to other areas of your network.
A FTP server can be used by people from outside of your network and should be placed in the DMZ.
QUESTION 224
Which of the following best describes an extranet?
A. An area or zone set aside for business to store extra servers for internal use.
B. An area or zone accessible to the general public for accessing the business' web site.
C. An area or zone that allows a business to securely transact with other businesses.
D. An area or zone added after the original network was built for additional storage.
Answer: C
Explanation: An extranet is a private network that uses the Internet protocol and the public
telecommunication system to securely share part of a business's information or operations with suppliers,
vendors, partners, customers, or other businesses. An extranet can be viewed as part of a company's
intranet that is extended to users that are trustworthy. An extranet allows you to connect to a partner via
a private network or a connection using a secure communications channel using the Internet.
QUESTION 225
Which of the following is the general philosophy behind a DMZ?
A. Any system on the DMZ can be compromised because it's accessible from the Internet.
B. Any system on the DMZ cannot be compromised because it's not accessible from the Internet.
C. Some systems on the DMZ can be compromised because they are accessible from the Internet.
D. Any system on the DMZ cannot be compromised because it's by definition 100% safe and not accessible
from the Internet.
Answer: A
Explanation:
A DMZ (demilitarized zone) is an area in a network that allows restrictive access to untrusted users and isolates
the internal network from access by external users and systems. It does so by using routers and firewalls to limit
access to sensitive network resources.
QUESTION 226
Which of the following would NetBus and Back Orifice be an example of?
A. A virus
B. An illicit server
C. A spoofing tool
D. An allowable server
Answer: B
Explanation:
Illicit servers are also known as 'backdoors.' They allow system access without using a security check.
An illicit server is an application/program that shouldn't be there but is operating on the network, and one that is
commonly used to gain unauthorized control by allowing someone to bypass normal authentication. NetBus is
one of the best-known examples of an illicit server.
QUESTION 227
What are the three categories of active responses relating to intrusion detection?
A. Collect additional information, maintain the environment, and take action against the intruder.
B. Collect additional information, change the environment, and alert the manager.
C. Collect additional information, change the environment, and take action against the intruder.
D. Discard any additional information, change the environment, and take action against the intruder.
Answer: C
Explanation:
An active intrusion detection response is to begin taking action against the intruder as soon as the breach is
detected. Te principles are: detection (collect additional information), deflection (change the environment), and
countermeasures (take action against the intruder).
So changing the environment to spoof the attacker and hide your valuable resources; and collecting details
about the source of the intrusion and the type of intrusion to gather evidence for prosecution and future system
hardening are all components of active intrusion detection.
QUESTION 228
What is it called when an authorized access is detected as an intrusion or attack?
A. A false negative
B. A false intrusion
C. A false positive
D. A false alarm
Answer: B
Explanation:
False intrusion is a false alarm, when there is no need of any alarm.
QUESTION 229
Which of the following is the most important step that should be taken in response to a security breach?
A. encryption
B. authentication
C. containment
D. intrusion
Answer: C
Explanation:
When the hull of a ship ruptures, the crew seals the locks to contain the damage. When a population is exposed
to a disease like SARS, those infected are quarantined to contain further infection. When a network's security is
breached, it may take a while to fix the problem, and in the panic it's possible to actually spread the damage
further, so the most important initial step is to contain the breach to minimize damage and ease reconstruction.
QUESTION 230
Which of the following involves the process of analyzing log files after an attack has started?
A. Active detection
B. Overt detection
C. Covert detection
D. Passive detection
Answer: D
Explanation:
Passive intrusion detection systems involve the manual review of event logs and application logs. The
inspection involves analysis and detection of attack patterns in event log data.
QUESTION 231
You work as the security administrator at Certkiller .com. Certkiller has been receiving a high volume of
attacks on the Certkiller .com web site. You want to collect information on the attackers so that legal action
can be taken. Which of the following can you use to accomplish this?
A. A DMZ (Demilitarized Zone).
B. A honey pot.
C. A firewall.
D. A new subnet.
Answer: B
Explanation:
A deception active response fools the attacker into thinking the attack is succeeding while monitoring the
activity and potentially redirecting the attacker to a system that is designed to be broken. This allows the
operator or administrator to gather data about how the attack is unfolding and what techniques are being used in
the attack. This process is referred to as sending them to the honey pot.
QUESTION 232
What is a honey pot?
A. A false system or network to attract attacks away from your real network.
B. A place to store passwords.
C. A sage haven for your backup media.
D. Something that exist only in theory.
Answer: A
Explanation:
A honey pot is a computer that has been designed as a target for computer attacks. The benefit of a honey pot
system is that it will draw attackers away from a higher value system or it will allow administrators to gain
intelligence about an attack strategy.
QUESTION 233
Can honey pots be used to preventing attackers from gaining access to critical systems?
A. Yes
B. No
C. It depends on the style of attack used.
Answer: A
Explanation:
A honey pot is a computer that has been designed as a target for computer attacks.
QUESTION 234
What is a server that is used to attract a potential intruder's attention called?
A. Honey pot
B. Lame duck
C. Teaser
D. Pigeon
Answer: A
Explanation:
A honey pot is a computer that has been designed as a target for computer attacks. The benefit of a honey pot
system is that it will draw attackers away from a higher valued systems or it will allow administrators to gain
intelligence about an attack strategy
QUESTION 235
What information do honey pots collect?
A. IP (Internet Protocol) addresses and identity of internal users.
B. Data on the identity, access, and compromise methods used by the intruder.
C. Data regarding and the identity of servers within the network.
D. IP (Internet Protocol) addresses and data of firewalls used within the network.
Answer: B
Explanation:
A honey pot is a computer that has been designed as a target for computer attacks. The benefit of a honey pot
system is that it will draw attackers away from a higher valued systems or it will allow administrators to gain
intelligence about an attack strategy.
QUESTION 236
Which of the following is a decoy system that is designed to divert an attacker from accessing critical
systems while collecting information about the attacker's activity?
A. A DMZ (Demilitarized Zone).
B. A honey pot.
C. An intrusion detector.
D. A screened host.
Answer: B
Explanation:
A honey pot is a computer that has been designed as a target for computer attacks. The benefit of a honey pot
system is that it will draw attackers away from a higher valued systems or it will allow administrators to gain
intelligence about an attack strategy.
QUESTION 237
When would a severed T1 line most likely be considered?
A. When planning data recovery.
B. When planning off site storage.
C. When planning media destruction.
D. When planning incident response
Answer: D
Explanation:
Telecommunications technology is developing to the point where all communications occur via data links to
phone companies using standard data transmission technologies, such as T1 or T3. This means that both voice
and data communications are occurring over the same network connection to a phone company or a provider.
This allows a single connection for all communications to a single provider of these services. If someone
intentionally severs a T1 cable you have a serious incident on your hands. An attack like this should be
considered when planning incident response.
QUESTION 238
What is the main purpose of TCP (Transmission Control Protocol) wrappers?
A. Preventing IP (Internet Protocol) spoofing.
B. Controlling access to selected services.
C. Encrypting TCP (Transmission Control Protocol) traffic.
D. Sniffing TCP ('transmission Control Protocol) traffic to troubleshoot
Answer: B
Explanation:
TCP wrappers are an additional method of providing security against unwelcome visitors. In a Solaris
environment there's a TCP daemon called inted which responds to TCP/IP connections and initiates the right
program to furnish the needs of that request. A TCP wrapper, wraps itself around this daemon with a tcpd
program which logs the incoming request first, putting up an optional layer of access control that can allow or
deny a request depending on where its from.
QUESTION 239
Which of the following is NOT a characteristic of DEN (Directory Enabled Networking)?
A. It is mapped into the directory defined as part of the LDAP (Lightweight Directory Access Protocol).
B. It is inferior to SNMP (Simple Network Management Protocol).
C. It is an object oriented information model.
D. It is an industry standard indicating how to construct and store information about a network's users,
applications and data.
Answer: B
Explanation:
LDAP utilizes an object-oriented access model defined by the Directory Enabled Networking (DEN) standard,
which is based on the Common Information Model (CIM) standard. Buffer overflow vulnerabilities, Format
string vulnerabilities may result in unauthorized access to enact commands on the LDAP server or impair its
normal operation, and improperly formatted requests may be used to create an effective denial of service (DoS)
attack against the LDAP server, preventing it from responding to normal requests; are the vulnerabilities of
LDAP. However, it is certainly not inferior to SNMP.
QUESTION 240
You work as the security administrator at TestLing.com. When you perform a port scan against your
server you discover four open TCP (Transmission Control Protocol) ports: 25, 110, 143 and 389. You
want to close all unnecessary ports to decrease unnecessary exposure. However, Certkiller users must be
able to connect to the corporate network from home, send and receive messages on the Internet, read
e-mail by beams of the IMAPv.4 (Internet Message Access Protocol version 4) protocol, and search into a
directory services database for user e-mail addresses, and digital certificates. All the e-mail related
services, as well as the directory server, run on the scanned server. Which of the ports you filter out
without affecting functionality?
A. 25
B. 110
C. 143
D. 389
Answer: B
Explanation:
Internet Message Access Protocol v4 uses port 143 and TCP for connections. POP3 uses port 110 and TCP for
connections and therefore can be filtered out to decrease unnecessary exposure
QUESTION 241
For security purposes, which of the following should be implemented after installing a new operating
system?
A. Create application user accounts.
B. Rename the guest account.
C. Rename the administrator account, disable the guest accounts.
D. Create a secure administrator account.
Answer: C
Explanation:
Renaming the administrator account name and disabling the guest account will reduce the risk of a computer
being attacked, because administrator accounts typically have full rights to all network resources.
Incorrect answers:
QUESTION 242
On a firewall, which port should be open to allow SNMP traffic?
A. 21
B. 161
C. 53
D. 49
Answer: B
Explanation:
SNMP uses UDP port 161
QUESTION 243
Which of the following are the three entities of the SQL (Structured Query Language) security model?
(Choose three)
A. tables
B. actions
C. objects
D. users
Answer: B, C, D
Explanation:
Objects are what the user constructs (ie: tables, columns, views, domains).
Actions are the operations performed on the objects. (ie: select, insert, delete, reference)
Users invoke the actions on the objects.
QUESTION 244
You work as the security administrator at Certkiller .com. Certkiller employees often download files from
a FTP (File Transfer Protocol) server. You are in the process of installing a firewall. How you configure
the firewall?
A. Open port 119 to all inbound connections.
B. Open port 119 to all outbound connections.
C. Open port 20/21 to all inbound connections.
D. Open port 20/21 to all outbound connections.
Answer: D
Explanation:
Ports 20 and 21 are used for FTP. If you only allow outbound connections, you will allow a hacker to download
the contents of your server (good if you are in advertising, and your server is full of promotional materials) but
never upload anything detrimental or malicious to it.
QUESTION 245
Which of the following associates users and groups to certain rights to use, read, write, modify, or
execute objects on the system?
A. Public key ring.
B. ACL (Access Control List).
C. Digital signature.
D. CRL (Certificate Revocation Lists).
Answer: B
Explanation:
An access control list (ACL) is a table that tells a computer operating system which access rights each user has
to a particular system object, such as a file directory or individual file. Each object has a security attribute that
identifies its access control list. The list has an entry for each system user with access privileges. The most
common privileges include the ability to read a file (or all the files in a directory), to write to the file or files,
and to execute the file (if it is an executable file, or program). Microsoft Windows NT/2000, Novell's NetWare,
Digital's OpenVMS, and Unix-based systems are among the operating systems that use access control lists. The
list is implemented differently by each operating system.
QUESTION 246
Which of the following can limit exposure and vulnerability exposed by port scans?
A. Disable the ability to remotely scan the registry.
B. Leave all processes running for possible future use.
C. Close all programs or processes that use a UDP (User Datagram Protocol) or TCP (Transmission Control
Protocol) port.
D. Uninstall or disable any programs or processes that are not needed for the proper use of the server.
Answer: D
Explanation:
Hackers perform port scans to find out which of the 65,535 ports are being used in hope of finding an
application with a vulnerability. By uninstalling and disabling any program or processes that aren't really necessary, one greatly reduces the likelihood of an attack.
QUESTION 247
Which of the following represents an advantage of using the NTFS file system over the FAT16 and
FAT32 file systems?
A. Integral support for streaming audio files.
B. Integral support for UNIX compatibility.
C. Integral support for dual-booting with Red Hat Linux.
D. Integral support for file and folder level permissions.
Answer: D
Explanation:
The NTFS was introduced with Windows NT to address security problems. With NTFS files, directories, and
volumes can each have their own security.
QUESTION 248
How can a DHCP (Dynamic Host Configuration Protocol) service be secured?
A. Block ports 67 and 68 at the firewall.
B. Block port 53 at the firewall.
C. Block ports 25 and 26 at the firewall.
D. Block port 110 at the firewall.
Answer: A
Explanation:
DHCP works over UDP ports 67 and 68.
QUESTION 249
Which of the following can help secure DNS (Domain Name Service) information?
A. Block all unnecessary traffic by using port filtering.
B. Prevent unauthorized zone transfers.
C. Require password changes every 30 days.
D. Change the default password.
Answer: B
Explanation:
A DNS zone is an area in the DNS hierarchy that is managed as a single unit. If a domain name server allows
zone transfer, it will allow another DNS server (one from a different domain) to access its DNS library of IP
addresses and names; which could fall into hackers' hands if they were to pose as a DNS server.
QUESTION 250
You work as an e-mail administrator at Certkiller .com. You want prevent malicious users from sending
e-mails from non-existent domains. What should you do?
A. Enable DNS (Domain Name Service) reverse lookup on the e-mail server.
B. Enable DNS (Domain Name Service) forward lookup on the e-mail server.
C. Enable DNS (Domain Name Service) recursive queries on the DNS (Domain Name Service) server.
D. Enable DNS (Domain Name Service) reoccurring queries on the DNS (Domain Name Service)
Answer: A
Explanation:
DNS reverse lookup takes a numbered IP address and converts it to a domain name. This is a very easy process,
and there are free reverse DNS lookup services online. With reverse DNS a spammer won't be able to hide.
QUESTION 251
What is SSL (Secure Sockets Layer) used for?
A. To secure communications with file and print servers.
B. To secure communications with RADIUS (Remote Authentication Dial-in User Service) servers.
C. To secure communications with AAA (Authentication, Authorization, and Administration) servers.
D. To secure communications with web servers.
Answer: D
Explanation:
SSL is used to secure a connection between a web user and a web server for transactions like: banking,
securities, and ecommerce.
Which of the following is a common type of attack on web servers?
A. Birthday.
B. Buffer overflow.
C. Spam.
D. Brute force.
Answer: B
Explanation:
Buffer overflow occur when an application receives more data that it is programmed to accept. This situation
can cause an application to terminate. The termination may leave the system sending the data with temporary
access to privileged levels in the attacked system.
QUESTION 253
Which of the following should be prevented between a DNS (Domain Name) server and untrusted node?
A. Name resolutions.
B. Reverse ARP (Address Resolution Protocol) requests.
C. System name resolutions.
D. Zone transfers.
Answer: D
Explanation:
Users who can start zone transfers from your server can list all of the records in your zones.
QUESTION 254
You work as a security administrator at Certkiller .com. You want to secure you primary DNS (Domain
Name Service) server against DoS (Denial of Service) attacks and hackers. How should you configure the
primary DNS (Domain Name Service)?
A. Disable the DNS (Domain Name Service) cache function.
B. Disable application services other than DNS (Domain Name Service).
C. Disable the DNS (Domain Name Service) reverse lookup function.
D. Allow only encrypted zone transfer to a secondary DNS (Domain Name Service) server.
Answer: B
Explanation:
If a DNS server was only configured to handle DNS and nothing else, the only type of packets that could take
up any resources will be domain name requests. Overwhelming an entire server's services with domain name
requests alone is an engineering feat.
QUESTION 255
What should be a system administrator's line of action when a patch is released for a server?
A. Immediately download and install the patch.
B. Test the patch on a non-production server then install the patch to production.
C. Not install the patch unless there is a current need.
D. Install the patch and then backup the production server.
Answer: B
Explanation:
Software patches are good for network security, because they are developed the fix known vulnerabilities. So
even if everything's operating normally, a patch is still very beneficial. When you patch an operating system,
there's always a risk that something can go wrong which can compromise your data and server operation. It
would be wise to backup your data BEFORE, installing a patch, and it would also be wise to test the patch on
your least important servers first.
QUESTION 256
When disabling services to harden a machine against external attacks, what process should be followed?
A. Disable services such as DHCP (Dynamic Host Configuration Protocol) client and print servers from servers
that do not use/serve those functions.
B. Disable one unnecessary service after another, while reviewing the effects of the previous action.
C. Research the services and their dependencies before disabling any default services.
D. Disable services not directly related to financial operations.
Answer: C
Explanation:
Platform hardening procedures can be categorized into three basic areas:
* The first area to address is removing unused software and processes from the workstations. The services and
processes may create opportunities for exploitation.
* The second are involves ensuring that all services and applications are up-to-date and configured in the most
secure manner allowed. This may include assigning passwords, limiting access, and restricting capabilities.
* The third area to address involves the minimization of information dissemination about the operating system,
Actualtests.com - The Power of Knowing services, and capabilities of the system.
Basically this means do some research insofar as services and their dependencies are concerned for your
system.
QUESTION 257
Which of the following represents the best way to harden an application that is developed in house?
A. Use an industry recommended hardening tool.
B. Ensure that security is given due considerations throughout the entire development process.
C. Try attacking the application to detect vulnerabilities, then develop patches to fix any vulnerabilities found.
D. Ensure that the auditing system is comprehensive enough to detect and log any possible intrusion,
identifying existing vulnerabilities.
Answer: B
Explanation:
The Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Sybex Publishers, Alameda,
2004, book discusses application hardening and refers this to the web, FTP, and E-mail servers. The question
refers to programming new applications. Although I could not find any information in the book about
programming hardening, I would say that answer B is the best choice out of the four answers.
QUESTION 258
When securing a server, which of the following would require the most effort due to lack of available
documentation?
A. Hardening the OS (Operating System).
B. Configuring the network.
C. Creating a proper security policy.
D. Installing the latest hot fixes and patches.
Answer: A
Explanation:
Operating system hardening is easy when you know of a well documented patch or hotfix. When you're
hardening an operating system for the unexpected, it's a long task.