CS-416: Lessons 6 and 7
Which of the following statements is true regarding social engineering?
At the most basic level, social engineering is a fancy term for a con job.
Which of the following refers to a protocol that provides integrity protection for packet headers and data, as well as user authentication?
Authentication Header (AH)
You are creating a Phase 1 definition for a VPN tunnel in pfSense firewall. Which option in the Proposal section creates a secure tunnel using two-way authentication on both sides of the VPN connection?
Authentication Method > EAP-MSChapv2
Which term describes programs used to control access to computer resources, enforce policies, audit usage, and provide billing information?
Authentication, authorization, and accounting (AAA) services
Which of the following refers to a system designed, built, and deployed specifically to serve as a frontline defense for a network?
Bastion host OS
Which of the following is NOT supported by IPsec?
Data availability
A VPN deployment plan does not need to take into consideration the support of encryption protocols.
False
A dedicated connection is always off and available for immediate transmission of data only when there is an emergency.
False
A host VPN is a VPN that establishes a secure VPN over trusted VPN connections.
False
A one-way function refers to a mathematical operation performed in one direction; reversing the operation is easy.
False
A personal firewall is an appliance firewall placed on the border or edge of an organization's network.
False
A public network is a very secure network.
False
Anonymity is the capability of a network or system user to remain known on the system.
False
Client virtualization is a concept that combines the personal computer desktop environment with the physical desktop machine by using a client/server model of computing.
False
Deploy firewalls as quickly as possible.
False
If you do not eliminate personal communications, business functions can continue unhindered.
False
In typical end user/browser usage, SSL/TLS authentication is two-way.
False
Instability is not considered a potential threat associated with software VPNs.
False
Internally connected implementation uses a firewall in front of the VPN to protect it from Internet-based attacks and behind the firewall to protect the internal network.
False
Intranet access allows businesses, partners, vendors, suppliers, and so on to gain access to resources.
False
It is uncommon to leverage a VPN to provide untrustworthy hosts access to portions of the network.
False
One of the advantages of L2TP is that it provides a mechanism for encrypting the data being tunneled.
False
One of the primary benefits of an open-source solution is access to vendor support.
False
Port forwarding supports caching, encryption endpoint, and load balancing.
False
Setting up dedicated hardware environments for each customer allows the service provider to take advantage of economies of scale.
False
Software firewalls cannot be bastion hosts.
False
Standard client configuration of a VPN does not include antivirus, anti-malware, and firewall software.
False
Symmetric cryptography encodes and decodes information using different keys for each process.
False
The IPv6 IPSec is a set of national standards that use cryptographic security services to provide confidentiality, data origin authentication and data integrity.
False
The SSH protocol consists of two major components: the Transport Layer Protocol and the User Authentication Protocol.
False
The least common method for implementing a highly available VPN involves buying two VPN hardware units and configuring them as a highly available pair.
False
The more expensive it is, the better the security solution.
False
The performance characteristics of a VPN supporting remote clients are generally the same as the performance characteristics of a VPN supporting site-to-site connections.
False
The scope of the VPN policy should include actual policy language.
False
The term weakest link describes an organization's filtering configuration; it's the answer to the question, "What should be allowed and what should be blocked?"
False
The use of PPP has extended the availability of IPv4 address space, thereby extending the life span of IPv4.
False
The version of VPN software being used does not impact the stability of the rollout of a successful VPN deployment.
False
VPNs increase the risk caused by insecure access locations and prevent interaction with LAN resources.
False
When conducting an inventory, you don't need to include protocols in use or the port(s) in use. You just need to include the likely source and destination addresses.
False
When considering training, one should determine the mechanism for training before gathering the appropriate information.
False
When too much data crosses a network segment, throughput and latency are increased.
False
You cannot replace a native or default software firewall product in a general-purpose operating system (OS) with a third-party option.
False
In which type of environment do you block all access to all resources, internal and external, by default, and then use the principle of least privilege by adding explicit and specific allow-exceptions only when necessary based on job descriptions?
Filter-free
Which of the following is not a security strategy?
Firewall policies
What are Global Enterprises Domain Name Servers?
A.NS.INETSEARCH.COM and B.NS.INETSEARCH.COM
Which of the following describes a dedicated leased line?
Allows communication between one site and another
Which of the following refers to encoding and decoding information using related but different keys for each process?
Asymmetric cryptography
TCP is responsible for providing reliable transmissions from one system to another, and IP is responsible for addressing and route selection.
True
The Secure Shell (SSH) protocol works in combination with rsync to back up, copy, and mirror files securely.
True
The definition of a business task should consider whether or not the task is necessary. If the task is necessary, the organization's security solution should make the task possible.
True
The fewer rules you need to check before you grant an Allow, the less delay to the traffic stream.
True
The higher the encryption levels of VPN, the greater the impact on the memory and processor of the endpoint devices.
True
To allow clients to use a single public address to access a cluster of internal Web servers, you can deploy reverse proxy to support load balancing or load distribution across multiple internal resource hosts.
True
To mitigate the risk of security threats and breaches, all installers should be trained before installing the VPN.
True
To prevent spoofing of transactions, IPv6 IPSec uses a cryptographic checksum that incorporates a shared encryption key so the receiver can verify that it was sent by the apparent sender.
True
Transport mode encryption protects only the original IP packet's payload, which retains its original IP header.
True
VPN hardware can suffer from an unsecured default configuration or misconfiguration.
True
Virtual VPNs provide a total logical separation of the VPN's instances in terms of system resources, routing tables, user databases, and policy management interfaces.
True
When developing a deployment plan for the VPN, power, heating, and cooling requirements are generally covered in the VPN's technical specifications.
True
When security interferes with doing business and an organization believes that security can be turned off because it is inconvenient, it's only a matter of time before a catastrophic compromise occurs.
True
Wireshark can be used in the absence of a firewall, with a firewall set to allow all traffic, or even in the presence of a firewall to inventory all traffic on the network.
True
You should consider placing rules related to more common traffic earlier in the set rather than later.
True
You should not automatically purchase the product your cost/benefit analysis says is the best option.
True
You should spend security funds somewhat evenly to secure the overall organization, rather than over-securing one area and neglecting another.
True
Which term refers to a type of business telephone network?
Private Branch Exchange (PBX)
Which of the following is an operating system built exclusively to run on a bastion host device?
Proprietary OS
Which of the following refers to an operating system built exclusively to run on a bastion host device?
Proprietary OS
Which of the following provides faster access to static content for external users accessing internal Web servers?
Reverse caching
Which of the following statements is true when adding a rule in pfSense firewall to allow users the ability to connect with an IPsec VPN?
Select the Add button with the down arrow to add the rule after any existing rules.
Which of the following should specifically be included in the organization's VPN solution?
The prohibiting of split tunneling
Which term describes encryption that protects the entire original IP packet's header and payload?
Tunnel mode encryption
What name is given to a method that proves identity using two different authentication factors?
Two-factor authentication
Which of the following is not a firewall type?
Universal
Which of the following describes the principle that for an organization's security policy to be effective, everyone must be forced to work within it and follow its rules?
Universal participation
The Securities and Exchange Commission's 10K report and Annual Report to Stock Holders is a(n):
open source of information about publicly-traded companies.
What firewall does Global Enterprises use?
pfSense
When creating a server certificate for an IPsec-based VPN, the Common Name field would ordinarily hold a Fully Qualified Domain Name (FQDN). What other technology is required to use an FQDN in this instance?
A DNS server
Which of the following describes a service level agreement (SLA)?
A contractual commitment by a service provider or support organization to its customers or users
When configuring a certificate authority (CA) in pfSense firewall, what does the default Lifetime value refer to?
A length of time, in days
Which of the following describes optical carrier (OC)?
A network carrier line—often leased or dedicated—which uses fiber optic cables for high-speed connections
What is a pre-shared key in a virtual private network (VPN)?
A password that is known to both the server and the client
Which of the following characteristics relates to Point-to-Point Protocol (PPP)?
A protocol commonly used in establishing a direct connection between two networking nodes
Which of the following characteristics relates to the term algorithm?
A set of rules and procedures—usually mathematical in nature—that can define how the encryption and decryption processes operate
Which of the following describes Layer 2 Tunneling Protocol (L2TP)?
An older protocol largely replaced by IPSec and SSL/TLS-based VPNs in production environments, but still in use in some older environments
Which of the following describes a general purpose OS?
An operating system such as Windows or Linux that can support a wide variety of purposes and functions, but which, when used as a bastion host OS, must be hardened and locked down
Which of the following describes security stance?
An organization's filtering configuration; it answers the question, "What should be allowed and what should be blocked?"
Which of the following reflects the ability of a network or system user to remain unknown?
Anonymity
Which of the following does port forwarding support?
Any service on any port
Which of the following is a dedicated hardware device that functions as a black-box sentry?
Appliance firewall
Which type of architecture deploys the VPN so that traffic to and from the VPN is not firewalled?
Bypass architecture
Which type of architecture recognizes that the VPN is vulnerable to attack if placed directly in the Internet, and therefore places the Internet-facing VPN connection behind a firewall?
Bypass architecture
Which of the following refers to a communication pathway, circuit, or frequency dedicated or reserved for a specific transmission?
Channel
Which of the following forces all traffic, communications, and activities through a single pathway or channel that can be used to control bandwidth consumption, filter content, provide authentication services, or enforce authorization?
Chokepoint
Which term describes the seemingly random and unusable output from a cryptographic function applied to original data?
Ciphertext
Which of the following is most likely to occur in the VPN?
Client attack
Which name is given to a VPN created between a client and a server either within the same local network or across a WAN link or intermediary network to support secure client interaction with the services of a resource host?
Client-to-server VPN
Which of the following statements is NOT true of a split tunnel virtual private network (VPN) configuration?
Clients do not route IPsec traffic through the VPN tunnel.
Which type of architecture places a firewall in front of the VPN to protect it from Internet-based attacks as well as behind a firewall to protect the internal network?
DMZ architecture
Which of the following is one of the easiest ways to compromise a VPN?
Compromising the authentication credentials
adjust ranges of addresses or ports, what should you do?
Consider reconfiguring the network rather than using a too complex or too long rule set.
Most companies will list the company address and phone number on the __________ page of the Web site.
Contact Us
Which e-mail server does Global Enterprises use?
Courier
Which of the following terms describes hiding information from unauthorized third parties?
Cryptography
Which term describes the process of converting ciphertext back into plain text?
Decryption
Which of the following is one of the most common and easily exploited vulnerabilities on any hardware network device?
Default password
It is often said in the security community that to be the best __________, one must be the best attacker.
Defender
It's important to evaluate the purpose and content of your firewall policy. Which of the following is not an evaluation method?
Determine how to write a policy that is as short as possible to avoid confusion.
When determining the number of users affected by a VPN problem, which troubleshooting step is being performed?
Determining scope
Which term is used to describe a public-key, cryptography-based mechanism for proving the source (and possibly integrity) of a dataset or message?
Digital signature
Which of the following is similar to defense in depth and supports multiple layers of security?
Diversity of defense
Which term describes an approach to security similar to defense in depth in that it supports multiple layers, but uses a different security mechanism at each or most of the layers?
Diversity of defense
Which of the following is commonly used with an authentication header to provide both confidentiality and integrity protection for communications?
Encapsulating Security Payload (ESP)
Which term describes the second core IPSec security protocol; it can perform authentication to provide integrity protection, although not for the outermost IP header?
Encapsulating Security Payload (ESP)
Which term describes a process by which malicious code can enter from a non-secure network, and make a hairpin, or sharp turn, and enter a secure network with little or no trouble because it is entering from a secure and verified endpoint?
Hairpinning
Which Global Enterprises employee used to work for the Los Angeles Police Department?
Heath Andreeson
Which term describes a VPN created between two individual hosts across a local or intermediary network?
Host-to-host VPN
The inability to encrypt or otherwise protect the data stream between the client and server is a drawback of which protocol?
Hypertext Transfer Protocol (HTTP)
Which of the following statements is NOT true of IPsec?
IPsec can provide authentication but not encryption.
The next generation IP version and successor to IPv4 is called what?
IPv6
Which term describes a network, network link, or channel located between the endpoints of a VPN?
Intermediary network
At which layer of the TCP/IP model does IPsec operate?
Internet
Which of the following negotiates, creates, and manages security associations?
Internet Key Exchange (IKE)
Which of the following represents a standards-based protocol suite designed specifically for securing Internet Protocol communications?
Internet Protocol Security (IPSec)
Internet Key Exchange v2 (IKEv2) is an IPsec-based VPN protocol that uses NAT traversal (NAT-T). What is the purpose of NAT-T?
It allows IPsec traffic to pass through a NAT server.
Which term describes an early proprietary protocol from Microsoft?
Point-to-Point Tunneling Protocol (PPTP)
Which one of the following is not a benefit of having a written firewall policy?
It defines how to use a reverse proxy to add an additional layer of protection and control between Internet-based users and internally hosted servers.
Which of the following characteristics relates to authentication header (AH)?
It is a protocol that provides integrity protection for packet headers and data, as well as user authentication.
Which of the following statements is true regarding the job ad used to lure LouAnne Garfinkle?
It was specifically designed to appeal to LouAnne Garfinkle.
Which of the following statements is true regarding key length when configuring a certificate authority (CA) in pfSense firewall?
Keys that are larger than the standard length take more time to process.
Which layer of the OSI model is the Data Link Layer?
Layer 2
Which of the following refers to an early communications protocol that competed with Point-to-Point Tunneling Protocol?
Layer 2 Forwarding (L2F) Protocol
Which of the following is a benefit of an open-source VPN solution?
Low cost
Which section of the VPN policy should be as specific as possible, leaving little open to interpretation?
Policy
You are creating a Phase 1 definition for a VPN tunnel in pfSense firewall. Which option in the Proposal section allows connections from any matching client?
Peer identifier > Any
Which of the following is an advantage of SSL/TLS VPNs over IPSec VPNs?
Platform independence
Although it provides a mechanism for creating tunnels through an IP network, which of the following does not provide a mechanism for encrypting the data being tunneled?
Point-to-Point Protocol (PPP)
Which of the following documents an organization's rules for using a VPN?
Remote access policy
What is compression?
Removal of redundant or superfluous data or space to reduce the size of a data set
Where did LouAnne Garfinkle work before coming to Global Enterprises?
Rugs-R-Us
Which of the following is a type of hashing algorithm?
SHA-256
When configuring a certificate authority (CA) in pfSense firewall, what is the default Digest Algorithm value?
SHA256
Which section of the VPN policy describes the systems, networks, or people covered by the policy?
Scope
Which of the following refers to a network protocol that is a method for secure remote logon and other secure network services over a public network?
Secure Shell (SSH)
Which of the following key VPN protocols used today is the main alternative for a VPN solution that does not leverage an IPSec solution?
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Which of the following is not a common reason for deploying a reverse proxy?
Time savings
Which of the following statements is true regarding today's attack methods?
Senior criminals or terrorist leaders often coordinate the efforts of specialists, paying each for their services.
Examples of users purposefully avoiding or violating security—that is, not actively supporting and participating in security—include all of the following except which one?
Setting strong passwords
Which of the following statements is true regarding LouAnne Garfinkle's blog?
She included details of software problems she has had and how many problems were fixed.
Which of the following refers to any product that appears in a vendor's PowerPoint slide deck, but is not yet available in one of its products?
Slideware
Which of the following can affect the stability of a VPN deployment?
Software version
When enabling IPsec Mobile Client Support for remote VPN users in pfSense firewall, you were instructed to type 172.31.1.0 in the Virtual Address Pool section and select 24 from the subnet drop-down list. What does this step accomplish?
Specifies a virtual IPv4 address for clients
Security through obscurity can be both a good strategy and a bad one depending on the type of security.
True
Which of the following statements is true regarding targeted attacks?
Targeted attacks often couple real-world crime or terrorism with cybercrime and cyberterrorism.
Which term describes the act of working from a home, remote, or mobile location while connecting into the employer's private network, often using a VPN?
Telecommuting
Which of the following describes anonymity?
The capability for a network or system user to remain unknown
Which of the following characteristics describes an edge router?
The last device owned and controlled by an organization before an ISP or telco connection
Support for quality of service (QoS) is built into IPv6, whereas it was an add-on in IPv4.
True
What is the Internet Engineering Task Force (IETF)?
The standards body for Internet-related engineering specifications
When employees have multiple concurrent connections, what might be happening to the VPN system?
There may be a security issue.
Why do you need to configure a pass rule in pfSense firewall when configuring an IPsec VPN?
To prevent incoming VPN connections from being blocked by the firewall
Which component of Secure Shell (SSH) Protocol provides server authentication, confidentiality, and integrity with perfect forward secrecy?
Transport layer protocol
Which term describes encryption that protects only the original IP packet's payload?
Transport mode encryption
"Privacy" is considered keeping information about a network or system user from being disclosed to unauthorized people.
True
A VPN appliance can be placed inside and outside the corporate firewall.
True
A VPN policy should address which authorization methods are permitted on the system.
True
A digital envelope is a secure communication based on public-key cryptography that encodes a message or data with the public key of the intended recipient.
True
A private key is kept secret and used only by the intended entity.
True
A split tunnel is a VPN connection that allows simultaneous access to the secured VPN link and unsecured access to the Internet across the same connection.
True
A technique for securing a data exchange or verifying identity is through out-of-band communication, which uses an alternative route, mechanism, or pathway.
True
Allowing every communication is a bad idea from a security standpoint as well as a productivity one.
True
Anonymity is the capability for a network or system user to remain unknown.
True
Determining who the target audience for training is takes place in the planning stage.
True
Diversity of defense uses a different security mechanism at each or most of the layers.
True
Fragmentation occurs when a dataset is too large for the maximum supported size of a communication container, such as a segment, packet, or frame. The original dataset divides into multiple sections or fragments for transmission across the size-limited medium, and then reassembles on the receiving end.
True
Hashing verifies data integrity by using algorithms to produce unique numbers from datasets known as hash values.
True
IPSec is a mandatory component for IPv6, and is used to natively protect IPv6 data as it is sent over the network.
True
Identity proofing is a form of authentication.
True
In a denial of service attack, the attacker is trying to crash or overload the VPN.
True
Nonrepudiation ensures that a sender cannot deny sending a message.
True
One function of an SSL VPN is that it usually connects using a Web browser, whereas an IPSec VPN generally requires client software on the remote system.
True
One of the drawbacks of HTTP is that it does not include the ability to encrypt or otherwise protect the data stream between the client and server.
True
One of the most critical steps in VPN troubleshooting is determining whether the correction results in new problems.
True
One of the most important steps in VPN troubleshooting is documenting processes and procedures.
True
One proposed migration strategy for the move from IPv4 to IPv6 includes allowing two IPv6 hosts to create a tunnel for traffic between two IPv6 hosts through an IPv4 network.
True
Operating system virtualization is the emulation of an operating system environment hosted on another operating system.
True
Rekeying triggers the generation of a new symmetric encryption key and secure exchange of that key.
True
Rule-set ordering is critical to the successful operation of firewall security.
True
What version of the firewall did Global Enterprises install?
Version 2.0
Which of the following identifies, tracks, and mitigates known weaknesses on hosts or applications within a computing environment?
Vulnerability management
What is the difference between social engineering and reverse social engineering?
With social engineering, the con artist goes to the target, while with reverse social engineering, the con artist gets the target to come to them.
Non-targeted, non-specific attacks are referred to as:
attacks of convenience.
In the lab, the first step in the reconnaissance mission was to:
conduct an Internet search to find the correct target company.
Sites such as whois.net that are common sources of information are considered:
domain name registration services.
An organization can guard against social engineering and reverse social engineering:
through awareness training.