Chapter 14
A network switch detects a DHCP frame on the LAN that appears to have come from a DHCP server that is not located on the local network. In fact, it appears to have originated from outside the organization's firewall. As a result, the switch drops the DHCP message from that server. Which security feature was enabled on the switch to accomplish this? -IGMP snooping -dynamic ARP inspection -Port security -DHCP snooping
-DHCP snooping
What security mechanism can be used to detect attacks originating on the Internet or from within an internal trusted subnet? -IDS -Firewall -Biometric system -Security alarm
-IDS
You are concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action when possible to stop or prevent the attack. Which tool should you use? -packet sniffer -port scanner -IDS -IPS
-IPS
Which of the following are security devices that perform stateful inspection of packet data, looking for patterns that indicate malicious code? -IPS -ACL -IDS -Firewall -VPN
-IPS -IDS
Members of the Sales team use laptops to connect to the company network. While traveling, they connect their laptops to the Internet through airport and hotel networks. You are concerned that these computers will pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless anti-virus software and the latest operating system patches have been installed. Which solution should you use? -DMZ -NIDS -NAC -NAT -VLAN
-NAC
Match each Network Access Protection (NAP) component term with its proper definition. Term: -NAP client -NAP server -Enforcement server (ES) -remediation server Definition: -generates a statement of health (SoH) that reports the client configuration for health requirements. -runs the system health validator (SHV) program -is the client connection point to the network. -contains resources accessible to non-compliant computers on the limited access network.
-NAP client --generates a statement of health (SoH) that reports the client configuration for health requirements. -NAP server --runs the system health validator (SHV) program -Enforcement server (ES) --is the client connection point to the network. -remediation server --contains resources accessible to non-compliant computers on the limited access network.
You want to make sure that a set of servers will only accept traffic for specific network services. You have verified that the servers are only running the necessary services, but you also want to make sure that the servers will not accept packets sent to those services. Which tool should you use? -IDS -IPS -System logs -Port scanner -packet sniffer
-Port scanner
Match the port security MAC address type on the left with its description on the right. Type: -SecureConfigured -SecureDynamic -SecureSticky Description: -a MAC address manually identified as an allowed address -a MAC address that has been learned and allowed by the switch -a MAC address that is manually configured or dynamically learned and is saved in the config file.
-SecureConfigured --a MAC address manually identified as an allowed address -SecureDynamic --a MAC address that has been learned and allowed by the switch -SecureSticky --a MAC address that is manually configured or dynamically learned and is saved in the config file.
What actions can a typical passive intrusion detection system (IDS) take when it detects an attack? (select 2) -LAN-side clients are halted and removed from the domain. -The IDS logs all pertinent data about the intrusion. -An alert is generated and delivered via email, the console, or an SNMP trap. -The IDS configuration is changed dynamically, and the source IP address is banned.
-The IDS logs all pertinent data about the intrusion. -An alert is generated and delivered via email, the console, or an SNMP trap.
Your company is a small start-up that has leased office space in a building shared by other businesses. All businesses share a common network infrastructure. A single switch connects all devices in the building to the router that provides Internet access. You would like to make sure that your computers are isolated from computers used by other companies. Which feature should you request to have implemented? -port security -VPN -Spanning tree -VLAN
-VLAN
Match each term with its definition. Term: -Wardriving -War dialing -Banner grabbing -Firewalking Definition: -identifying phone numbers with modems -scanning for wireless access points -identifying OS type and version -identifying services that can pass through a firewall
-Wardriving --scanning for wireless access points -War dialing --identifying phone numbers with modems -Banner grabbing --identifying OS type and version -Firewalking --identifying services that can pass through a firewall
Drag each penetration test characteristic to its appropriate test name. Characteristic: -the tester has no prior knowledge of the target system -the tester has detailed information about the target system prior to starting the test. -the tester has the same amount of information that would be available to a typical insider in the organization. -the tester does not have prior information about the system, and the administrator has no knowledge that the test is being performed. -either the attacker has prior knowledge about the target system or the administrator knows that the test is being performed. Names: -White box test -Grey box test -Black box test -single blind test -double blind test
-White box test --the tester has detailed information about the target system prior to starting the test. -Grey box test --the tester has the same amount of information that would be available to a typical insider in the organization. -Black box test --the tester has no prior knowledge of the target system -single blind test --either the attacker has prior knowledge about the target system or the administrator knows that the test is being performed. -double blind test --the tester does not have prior information about the system, and the administrator has no knowledge that the test is being performed.
A security administrator is conducting a penetration test on a network. She connects a notebook system running Linux to a wireless network and then uses Nmap to probe various network hosts to see which operating system they are running. Which process did the administrator use in the penetration test in this scenario? -active fingerprinting -passive fingerprinting -firewalking -network enumeration
-active fingerprinting
You are concerned about protecting your network from network-based attacks from the Internet. Specifically, you are concerned about zero-day attacks (attacks that have not yet been identified or that do not have prescribed protections). Which type of device should you use? -host-based firewall -network-based firewall -anti-virus scanner -signature-based IDS -anomaly-based IDS
-anomaly-based IDS
What does a tarpit specifically do to detect and prevent intrusion into your network? -uses a packet sniffer to examine network traffic and identify known attack patterns, then locks the attacker's connection to prevent any further intrusion activities -passively monitors and logs suspicious activity until it detects a known attack pattern, then shuns the intruder by dropping their connection -entices intruders by displaying a vulnerability, configuration flaw, or data that appears to be of value -answers connection requests in such a way that the attacking computer is stuck for a period of time
-answers connection requests in such a way that the attacking computer is stuck for a period of time
Which of the following activities are typically associated with a penetration test? (select two) -attempting social engineering -running a port scanner -creating a performance baseline -interviewing employees to verify the security policy is being followed -running a vulnerability scanner on network servers
-attempting social engineering -running a port scanner
You are the network administrator for the city library. Throughout the library, there are several groups of computers that provide public access to the Internet. Supervision of the computers has been difficult. You've had problems with patrons bringing their personal laptops into the library and disconnecting the network cables from library computers to connect their laptops to the Internet. The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a switch. You want to restrict access to the network so that only the library computers are permitted connectivity to the Internet. What can you do to fix this problem? -configure port security on the switch -create a VLAN for each group of 4 computers -create static MAC addresses for each computer and associate them with a VLAN -remove the hub and place each library computer on its own access port
-configure port security on the switch
Which of the following actions should you take to reduce the attack surface of a server? -install a host-based IDS -install anti-malware software -install the latest patches and hotfixes -disable unused services
-disable unused services
A network switch is configured to perform the following checks on its ports. -all ARP requests and responses are intercepted -each intercepted request is verified to ensure that it has a valid IP-to-MAC address binding -if the packet has a valid binding, the switch forwards the packet to the appropriate destination -if the packet has an invalid binding. What security feature was enabled on the switch to accomplish this? -DHCP snooping -port security -dynamic ARP inspection -IGMP snooping
-dynamic ARP inspection
As a security precaution, you have implemented IPsec between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? -protocol analyzer -host-based IDS -VPN concentrator -network-based IDS -port scanner
-host-based IDS
You have decided to perform a double-blind penetration test. Which of the following actions should you perform first? -run system fingerprinting software -perform operational reconnaissance -engage in social engineering -inform senior management
-inform senior management
Which of the following activities are considered passive in regard to the function of an intrusion detection system? (select 2) -disconnecting a port being used by a zombie -listening to network traffic -transmitting FIN or RST packets to an external host -monitoring the audit trails on a server
-listening to network traffic -monitoring the audit trails on a server
Creating fake resources such as honeypots, honeynets, and tarpits fulfills which of the following main intrusion detection and prevention goals? (select 2) -detect anomalous behavior that varies from standard activity patterns, also referred to as heuristic recognition -entice attackers to reveal their IDS signatures, which can then be matched to known attack patterns -offers attackers a target that occupies their time and attention while distracting them from valid resources -reveals information about an attacker's methods and gathers evidence for identification or prosecution purposes -detect attacks that are unique to the services on valid system resources and monitor application activity -lures attackers into a non-critical network segment where their actions are passively monitored and logged, then shuns the attacker by simply dropping their connection
-offers attackers a target that occupies their time and attention while distracting them from valid resources -reveals information about an attacker's methods and gathers evidence for identification or prosecution purposes
A security administrator is conducting a penetration test on a network. She connects a notebook system to a mirror port on a network switch. She then uses a packet sniffer to monitor traffic and to try to determine which operating system the network hosts are running. Which process did the administrator use in the penetration test in this scenario? -active fingerprinting -passive fingerprinting -firewalking -network enumeration
-passive fingerprinting
Which of the following uses hacking techniques to proactively discover internal vulnerabilities? -reverse engineering -inbound scanning -penetration testing -passive reconnaissance
-penetration testing
An active IDS system often performs which of the following actions? (select 2) -perform reverse lookups to identify an intruder -request a second logon test for users performing abnormal activities -trap and delay the intruder until the authorities arrive -update filters to block suspected traffic
-perform reverse lookups to identify an intruder -update filters to block suspected traffic
Properly configured passive IDS and system audit logs are an integral part of a comprehensive security plan. What step must be taken to ensure that the information is useful in maintaining a secure environment? -the accounting department must compress the logs on a quarterly basis -all files must be verified with the IDS checksum -all logs should be deleted and refreshed monthly -periodic reviews must be conducted to detect malicious activity or policy violations.
-periodic reviews must be conducted to detect malicious activity or policy violations. Audit logs are useless unless they are periodically reviewed.
You manage a network that uses switches. In the lobby of your building are three RJ45 ports connected to a switch. You want to make sure that visitors cannot plug their computers into the free network jacks and connect to the network, but employees who plug into those same jacks should be able to connect to the network. Which feature would you use? -mirroring -spanning tree -port authentication -bonding -VLANs
-port authentication
What type of security service uses MAC addresses to identify devices that are allowed or denied a connection to a switch? -port security -traffic shaping -MAC spoofing -Secure Sockets Layer
-port security
A network utilizes a Network Access Control (NAC) solution to protect against malware. When a wired or wireless host tries to connect to the network, a NAC agent on the host checks it to make sure it has all of the latest operating system updates installed and that the latest antivirus definitions have been applied. What is this process called? -quarantine -port security -remediation -posture assessment
-posture assessment
You have a company network with a single switch. All devices connect to the network through the switch. You want to control which devices will be able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access to all network devices except for a special server that holds the patches that the computers need to download. Which of the following components will be part of your solution? (Select two.) -remediation servers -802.11x authentication -DMZ -extranet -honeypot
-remediation servers -802.11x authentication
Which of the following is the most common detection method used by an IDS? -signature -behavior -heuristic -anomaly
-signature
If maintaining confidentiality is of the utmost importance to your organization, what is the best response when an intruder is detected on your network? -record audit trails about the intruder -delay the intruder -terminate the intruder's session -monitor the intruder's actions
-terminate the intruder's session
What is the primary purpose of penetration testing? -test the effectiveness of your security perimeter -evaluate newly developed firewalls -assess the skill level of new IT security staff -infiltrate a competitor's network
-test the effectiveness of your security perimeter
You have just installed a new network-based IDS system that uses signature recognition. What should you do on a regular basis? -generate a new baseline -modify clipping levels -update the signature files -check for backdoors
-update the signature files
What is the main difference between vulnerability scanning and penetration testing? -vulnerability scanning is performed with a detailed knowledge of the system; penetration testing starts with no knowledge of the system -vulnerability scanning uses approved methods and tools; penetration testing uses hacking tools -the goal of vulnerability scanning is to identify potential weaknesses; the goal of penetration testing is to attack a system -vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter
-vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter
In which of the following situations would you use port security? -you want to restrict the device that could connect through a switch port -you want to prevent MAC address spoofing -you want to control the packets sent and received by a router -you want to prevent sniffing attacks on the network
-you want to restrict the device that could connect through a switch port
Which of the following types of penetration test teams will provide you with the information that is most revealing of a real-world hacker attack? -full knowledge team -split knowledge team -partial knowledge team -zero knowledge team
-zero knowledge team