CS-416: Lessons 6 and 7


Which of the following statements is true regarding social engineering?

At the most basic level, social engineering is a fancy term for a con job.

Which of the following refers to a protocol that provides integrity protection for packet headers and data, as well as user authentication?

Authentication Header (AH)

You are creating a Phase 1 definition for a VPN tunnel in pfSense firewall. Which option in the Proposal section creates a secure tunnel using two-way authentication on both sides of the VPN connection?

Authentication Method > EAP-MSChapv2

Which term describes programs used to control access to computer resources, enforce policies, audit usage, and provide billing information?

Authentication, authorization, and accounting (AAA) services

Which of the following refers to a system designed, built, and deployed specifically to serve as a frontline defense for a network?

Bastion host OS

Which of the following is NOT supported by IPsec?

Data availability

A VPN deployment plan does not need to take into consideration the support of encryption protocols.

False

A dedicated connection is always off and available for immediate transmission of data only when there is an emergency.

False

A host VPN is a VPN that establishes a secure VPN over trusted VPN connections.

False

A one-way function refers to a mathematical operation performed in one direction; reversing the operation is easy.

False

A personal firewall is an appliance firewall placed on the border or edge of an organization's network.

False

A public network is a very secure network.

False

Anonymity is the capability of a network or system user to remain known on the system.

False

Client virtualization is a concept that combines the personal computer desktop environment with the physical desktop machine by using a client/server model of computing.

False

Deploy firewalls as quickly as possible.

False

If you do not eliminate personal communications, business functions can continue unhindered.

False

In typical end user/browser usage, SSL/TLS authentication is two-way.

False

Instability is not considered a potential threat associated with software VPNs.

False

Internally connected implementation uses a firewall in front of the VPN to protect it from Internet-based attacks and behind the firewall to protect the internal network.

False

Intranet access allows businesses, partners, vendors, suppliers, and so on to gain access to resources.

False

It is uncommon to leverage a VPN to provide untrustworthy hosts access to portions of the network.

False

One of the advantages of L2TP is that it provides a mechanism for encrypting the data being tunneled.

False

One of the primary benefits of an open-source solution is access to vendor support.

False

Port forwarding supports caching, encryption endpoint, and load balancing.

False

Setting up dedicated hardware environments for each customer allows the service provider to take advantage of economies of scale.

False

Software firewalls cannot be bastion hosts.

False

Standard client configuration of a VPN does not include antivirus, anti-malware, and firewall software.

False

Symmetric cryptography encodes and decodes information using different keys for each process.

False

The IPv6 IPSec is a set of national standards that use cryptographic security services to provide confidentiality, data origin authentication and data integrity.

False

The SSH protocol consists of two major components: the Transport Layer Protocol and the User Authentication Protocol.

False

The least common method for implementing a highly available VPN involves buying two VPN hardware units and configuring them as a highly available pair.

False

The more expensive it is, the better the security solution.

False

The performance characteristics of a VPN supporting remote clients are generally the same as the performance characteristics of a VPN supporting site-to-site connections.

False

The scope of the VPN policy should include actual policy language.

False

The term weakest link describes an organization's filtering configuration; it's the answer to the question, "What should be allowed and what should be blocked?"

False

The use of PPP has extended the availability of IPv4 address space, thereby extending the life span of IPv4.

False

The version of VPN software being used does not impact the stability of the rollout of a successful VPN deployment.

False

VPNs increase the risk caused by insecure access locations and prevent interaction with LAN resources.

False

When conducting an inventory, you don't need to include protocols in use or the port(s) in use. You just need to include the likely source and destination addresses.

False

When considering training, one should determine the mechanism for training before gathering the appropriate information.

False

When too much data crosses a network segment, throughput and latency are increased.

False

You cannot replace a native or default software firewall product in a general-purpose operating system (OS) with a third-party option.

False

In which type of environment do you block all access to all resources, internal and external, by default, and then use the principle of least privilege by adding explicit and specific allow-exceptions only when necessary based on job descriptions?

Filter-free

Which of the following is not a security strategy?

Firewall policies

What are Global Enterprises Domain Name Servers?

A.NS.INETSEARCH.COM and B.NS.INETSEARCH.COM

Which of the following describes a dedicated leased line?

Allows communication between one site and another

Which of the following refers to encoding and decoding information using related but different keys for each process?

Asymmetric cryptography

TCP is responsible for providing reliable transmissions from one system to another, and IP is responsible for addressing and route selection.

True

The Secure Shell (SSH) protocol works in combination with rsync to back up, copy, and mirror files securely.

True

The definition of a business task should consider whether or not the task is necessary. If the task is necessary, the organization's security solution should make the task possible.

True

The fewer rules you need to check before you grant an Allow, the less delay to the traffic stream.

True

The higher the encryption levels of VPN, the greater the impact on the memory and processor of the endpoint devices.

True

To allow clients to use a single public address to access a cluster of internal Web servers, you can deploy reverse proxy to support load balancing or load distribution across multiple internal resource hosts.

True

To mitigate the risk of security threats and breaches, all installers should be trained before installing the VPN.

True

To prevent spoofing of transactions, IPv6 IPSec uses a cryptographic checksum that incorporates a shared encryption key so the receiver can verify that it was sent by the apparent sender.

True

Transport mode encryption protects only the original IP packet's payload, which retains its original IP header.

True

VPN hardware can suffer from an unsecured default configuration or misconfiguration.

True

Virtual VPNs provide a total logical separation of the VPN's instances in terms of system resources, routing tables, user databases, and policy management interfaces.

True

When developing a deployment plan for the VPN, power, heating, and cooling requirements are generally covered in the VPN's technical specifications.

True

When security interferes with doing business and an organization believes that security can be turned off because it is inconvenient, it's only a matter of time before a catastrophic compromise occurs.

True

Wireshark can be used in the absence of a firewall, with a firewall set to allow all traffic, or even in the presence of a firewall to inventory all traffic on the network.

True

You should consider placing rules related to more common traffic earlier in the set rather than later.

True

You should not automatically purchase the product your cost/benefit analysis says is the best option.

True

You should spend security funds somewhat evenly to secure the overall organization, rather than over-securing one area and neglecting another.

True

Which term refers to a type of business telephone network?

Private Branch Exchange (PBX)

Which of the following is an operating system built exclusively to run on a bastion host device?

Proprietary OS

Which of the following refers to an operating system built exclusively to run on a bastion host device?

Proprietary OS

Which of the following provides faster access to static content for external users accessing internal Web servers?

Reverse caching

Which of the following statements is true when adding a rule in pfSense firewall to allow users the ability to connect with an IPsec VPN?

Select the Add button with the down arrow to add the rule after any existing rules.

Which of the following should specifically be included in the organization's VPN solution?

The prohibiting of split tunneling

Which term describes encryption that protects the entire original IP packet's header and payload?

Tunnel mode encryption

What name is given to a method that proves identity using two different authentication factors?

Two-factor authentication

Which of the following is not a firewall type?

Universal

Which of the following describes the principle that for an organization's security policy to be effective, everyone must be forced to work within it and follow its rules?

Universal participation

The Securities and Exchange Commission's 10K report and Annual Report to Stock Holders is a(n):

open source of information about publicly-traded companies.

What firewall does Global Enterprises use?

pfSense

When creating a server certificate for an IPsec-based VPN, the Common Name field would ordinarily hold a Fully Qualified Domain Name (FQDN). What other technology is required to use an FQDN in this instance?

A DNS server

Which of the following describes a service level agreement (SLA)?

A contractual commitment by a service provider or support organization to its customers or users

When configuring a certificate authority (CA) in pfSense firewall, what does the default Lifetime value refer to?

A length of time, in days

Which of the following describes optical carrier (OC)?

A network carrier line—often leased or dedicated—which uses fiber optic cables for high-speed connections

What is a pre-shared key in a virtual private network (VPN)?

A password that is known to both the server and the client

Which of the following characteristics relates to Point-to-Point Protocol (PPP)?

A protocol commonly used in establishing a direct connection between two networking nodes

Which of the following characteristics relates to the term algorithm?

A set of rules and procedures—usually mathematical in nature—that can define how the encryption and decryption processes operate

Which of the following describes Layer 2 Tunneling Protocol (L2TP)?

An older protocol largely replaced by IPSec and SSL/TLS-based VPNs in production environments, but still in use in some older environments

Which of the following describes a general purpose OS?

An operating system such as Windows or Linux that can support a wide variety of purposes and functions, but which, when used as a bastion host OS, must be hardened and locked down

Which of the following describes security stance?

An organization's filtering configuration; it answers the question, "What should be allowed and what should be blocked?"

Which of the following reflects the ability of a network or system user to remain unknown?

Anonymity

Which of the following does port forwarding support?

Any service on any port

Which of the following is a dedicated hardware device that functions as a black-box sentry?

Appliance firewall

Which type of architecture deploys the VPN so that traffic to and from the VPN is not firewalled?

Bypass architecture

Which type of architecture recognizes that the VPN is vulnerable to attack if placed directly in the Internet, and therefore places the Internet-facing VPN connection behind a firewall?

Bypass architecture

Which of the following refers to a communication pathway, circuit, or frequency dedicated or reserved for a specific transmission?

Channel

Which of the following forces all traffic, communications, and activities through a single pathway or channel that can be used to control bandwidth consumption, filter content, provide authentication services, or enforce authorization?

Chokepoint

Which term describes the seemingly random and unusable output from a cryptographic function applied to original data?

Ciphertext

Which of the following is most likely to occur in the VPN?

Client attack

Which name is given to a VPN created between a client and a server either within the same local network or across a WAN link or intermediary network to support secure client interaction with the services of a resource host?

Client-to-server VPN

Which of the following statements is NOT true of a split tunnel virtual private network (VPN) configuration?

Clients do not route IPsec traffic through the VPN tunnel.

Which type of architecture places a firewall in front of the VPN to protect it from Internet-based attacks as well as behind a firewall to protect the internal network?

DMZ architecture

Which of the following is one of the easiest ways to compromise a VPN?

Compromising the authentication credentials

adjust ranges of addresses or ports, what should you do?

Consider reconfiguring the network rather than using a too complex or too long rule set.

Most companies will list the company address and phone number on the __________ page of the Web site.

Contact Us

Which e-mail server does Global Enterprises use?

Courier

Which of the following terms describes hiding information from unauthorized third parties?

Cryptography

Which term describes the process of converting ciphertext back into plain text?

Decryption

Which of the following is one of the most common and easily exploited vulnerabilities on any hardware network device?

Default password

It is often said in the security community that to be the best __________, one must be the best attacker.

Defender

It's important to evaluate the purpose and content of your firewall policy. Which of the following is not an evaluation method?

Determine how to write a policy that is as short as possible to avoid confusion.

When determining the number of users affected by a VPN problem, which troubleshooting step is being performed?

Determining scope

Which term is used to describe a public-key, cryptography-based mechanism for proving the source (and possibly integrity) of a dataset or message?

Digital signature

Which of the following is similar to defense in depth and supports multiple layers of security?

Diversity of defense

Which term describes an approach to security similar to defense in depth in that it supports multiple layers, but uses a different security mechanism at each or most of the layers?

Diversity of defense

Which of the following is commonly used with an authentication header to provide both confidentiality and integrity protection for communications?

Encapsulating Security Payload (ESP)

Which term describes the second core IPSec security protocol; it can perform authentication to provide integrity protection, although not for the outermost IP header?

Encapsulating Security Payload (ESP)

Which term describes a process by which malicious code can enter from a non-secure network, and make a hairpin, or sharp turn, and enter a secure network with little or no trouble because it is entering from a secure and verified endpoint?

Hairpinning

Which Global Enterprises employee used to work for the Los Angeles Police Department?

Heath Andreeson

Which term describes a VPN created between two individual hosts across a local or intermediary network?

Host-to-host VPN

The inability to encrypt or otherwise protect the data stream between the client and server is a drawback of which protocol?

Hypertext Transfer Protocol (HTTP)

Which of the following statements is NOT true of IPsec?

IPsec can provide authentication but not encryption.

The next generation IP version and successor to IPv4 is called what?

IPv6

Which term describes a network, network link, or channel located between the endpoints of a VPN?

Intermediary network

At which layer of the TCP/IP model does IPsec operate?

Internet

Which of the following negotiates, creates, and manages security associations?

Internet Key Exchange (IKE)

Which of the following represents a standards-based protocol suite designed specifically for securing Internet Protocol communications?

Internet Protocol Security (IPSec)

Internet Key Exchange v2 (IKEv2) is an IPsec-based VPN protocol that uses NAT traversal (NAT-T). What is the purpose of NAT-T?

It allows IPsec traffic to pass through a NAT server.

Which term describes an early proprietary protocol from Microsoft?

Point-to-Point Tunneling Protocol (PPTP)

Which one of the following is not a benefit of having a written firewall policy?

It defines how to use a reverse proxy to add an additional layer of protection and control between Internet-based users and internally hosted servers.

Which of the following characteristics relates to authentication header (AH)?

It is a protocol that provides integrity protection for packet headers and data, as well as user authentication.

Which of the following statements is true regarding the job ad used to lure LouAnne Garfinkle?

It was specifically designed to appeal to LouAnne Garfinkle.

Which of the following statements is true regarding key length when configuring a certificate authority (CA) in pfSense firewall?

Keys that are larger than the standard length take more time to process.

Which layer of the OSI model is the Data Link Layer?

Layer 2

Which of the following refers to an early communications protocol that competed with Point-to-Point Tunneling Protocol?

Layer 2 Forwarding (L2F) Protocol

Which of the following is a benefit of an open-source VPN solution?

Low cost

Which section of the VPN policy should be as specific as possible, leaving little open to interpretation?

Policy

You are creating a Phase 1 definition for a VPN tunnel in pfSense firewall. Which option in the Proposal section allows connections from any matching client?

Peer identifier > Any

Which of the following is an advantage of SSL/TLS VPNs over IPSec VPNs?

Platform independence

Although it provides a mechanism for creating tunnels through an IP network, which of the following does not provide a mechanism for encrypting the data being tunneled?

Point-to-Point Protocol (PPP)

Which of the following documents an organization's rules for using a VPN?

Remote access policy

What is compression?

Removal of redundant or superfluous data or space to reduce the size of a data set

Where did LouAnne Garfinkle work before coming to Global Enterprises?

Rugs-R-Us

Which of the following is a type of hashing algorithm?

SHA-256

When configuring a certificate authority (CA) in pfSense firewall, what is the default Digest Algorithm value?

SHA256

Which section of the VPN policy describes the systems, networks, or people covered by the policy?

Scope

Which of the following refers to a network protocol that is a method for secure remote logon and other secure network services over a public network?

Secure Shell (SSH)

Which of the following key VPN protocols used today is the main alternative for a VPN solution that does not leverage an IPSec solution?

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

Which of the following is not a common reason for deploying a reverse proxy?

Time savings

Which of the following statements is true regarding today's attack methods?

Senior criminals or terrorist leaders often coordinate the efforts of specialists, paying each for their services.

Examples of users purposefully avoiding or violating security—that is, not actively supporting and participating in security—include all of the following except which one?

Setting strong passwords

Which of the following statements is true regarding LouAnne Garfinkle's blog?

She included details of software problems she has had and how many problems were fixed.

Which of the following refers to any product that appears in a vendor's PowerPoint slide deck, but is not yet available in one of its products?

Slideware

Which of the following can affect the stability of a VPN deployment?

Software version

When enabling IPsec Mobile Client Support for remote VPN users in pfSense firewall, you were instructed to type 172.31.1.0 in the Virtual Address Pool section and select 24 from the subnet drop-down list. What does this step accomplish?

Specifies a virtual IPv4 address for clients

Security through obscurity can be both a good strategy and a bad one depending on the type of security.

True

Which of the following statements is true regarding targeted attacks?

Targeted attacks often couple real-world crime or terrorism with cybercrime and cyberterrorism.

Which term describes the act of working from a home, remote, or mobile location while connecting into the employer's private network, often using a VPN?

Telecommuting

Which of the following describes anonymity?

The capability for a network or system user to remain unknown

Which of the following characteristics describes an edge router?

The last device owned and controlled by an organization before an ISP or telco connection

Support for quality of service (QoS) is built into IPv6, whereas it was an add-on in IPv4.

True

What is the Internet Engineering Task Force (IETF)?

The standards body for Internet-related engineering specifications

When employees have multiple concurrent connections, what might be happening to the VPN system?

There may be a security issue.

Why do you need to configure a pass rule in pfSense firewall when configuring an IPsec VPN?

To prevent incoming VPN connections from being blocked by the firewall

Which component of Secure Shell (SSH) Protocol provides server authentication, confidentiality, and integrity with perfect forward secrecy?

Transport layer protocol

Which term describes encryption that protects only the original IP packet's payload?

Transport mode encryption

"Privacy" is considered keeping information about a network or system user from being disclosed to unauthorized people.

True

A VPN appliance can be placed inside and outside the corporate firewall.

True

A VPN policy should address which authorization methods are permitted on the system.

True

A digital envelope is a secure communication based on public-key cryptography that encodes a message or data with the public key of the intended recipient.

True

A private key is kept secret and used only by the intended entity.

True

A split tunnel is a VPN connection that allows simultaneous access to the secured VPN link and unsecured access to the Internet across the same connection.

True

A technique for securing a data exchange or verifying identity is through out of band communication, which uses an alternative route, mechanism, or pathway.

True

Allowing every communication is a bad idea from a security standpoint as well as a productivity one.

True

Anonymity is the capability for a network or system user to remain unknown.

True

Determining who the target audience for training is takes place in the planning stage.

True

Diversity of defense uses a different security mechanism at each or most of the layers.

True

Fragmentation occurs when a dataset is too large for maximum supported size of a communication container, such as a segment, packet, or frame. The original dataset divides into multiple sections or fragments for transmission across the size-limited medium, and then reassembles on the receiving end.

True

Hashing verifies data integrity by using algorithms to produce unique numbers from datasets known as hash values.

True

IPSec is a mandatory component for IPv6, and is used to natively protect IPv6 data as it is sent over the network.

True

Identity proofing is a form of authentication.

True

In a denial of service attack, the attacker is trying to crash or overload the VPN.

True

Nonrepudiation ensures that a sender cannot deny sending a message.

True

One function of an SSL VPN is that it usually connects using a Web browser, whereas an IPSec VPN generally requires client software on the remote system.

True

One of the drawbacks of HTTP is that it does not include the ability to encrypt or otherwise protect the data stream between the client and server.

True

One of the most critical steps in VPN troubleshooting is determining whether the correction results in new problems.

True

One of the most important steps in VPN troubleshooting is documenting processes and procedures.

True

One proposed migration strategy for the move from IPv4 to IPv6 includes allowing two IPv6 hosts to create a tunnel for traffic between two IPv6 hosts through an IPv4 network.

True

Operating system virtualization is the emulation of an operating system environment hosted on another operating system.

True

Rekeying triggers the generation of a new symmetric encryption key and secure exchange of that key.

True

Rule-set ordering is critical to the successful operation of firewall security.

True

What version of the firewall did Global Enterprises install?

Version 2.0

Which of the following identifies, tracks, and mitigates known weaknesses on hosts or applications within a computing environment?

Vulnerability management

What is the difference between social engineering and reverse social engineering?

With social engineering, the con artist goes to the target, while with reverse social engineering, the con artist gets the target to come to them.

Non-targeted, non-specific attacks are referred to as:

attacks of convenience.

In the lab, the first step in the reconnaissance mission was to:

conduct an Internet search to find the correct target company.

Sites such as whois.net that are common sources of information are considered:

domain name registration services.

An organization can guard against social engineering and reverse social engineering:

through awareness training.

