Security+ 501 Chapter 5


A network technician is setting up a segmented network that will utilize a separate ISP to provide wireless access to the public area for a company. Which of the following wireless security methods should the technician implement to provide basic accountability for access to the public network? A. Captive portal B. Pre-shared key C. Enterprise D. Wi-Fi Protected Setup

A. Captive portal A captive portal is a Web page that the user of a public-access network is obliged to view and interact with before access is granted. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hot spots for Internet users. The captive portal feature is a software implementation that blocks clients from accessing the network until user verification has been established. You can set up verification to allow access for both guests and authenticated users. Authenticated users must be validated against a database of authorized captive portal users before access is granted.

A user suspects someone has been accessing a home network without permission by spoofing the MAC address of an authorized system. While attempting to determine if an authorized user is logged into the home network, the user reviews the wireless router, which shows the following table for systems that are currently on the home network.

Host name   IP address     MAC                MAC filter
DadPC       192.168.1.10   00:1D:1A:44:17:B5  On
MomPC       192.168.1.15   21:13:D6:C5:42:A2  Off
JuniorPC    192.168.2.16   42:A7:D1:25:11:52  On
Unknown     192.168.1.18   10:B3:22:1A:FF:21  Off

Which of the following should be the NEXT step to determine if there is an unauthorized user on the network? A. Deny the "unknown" host because the hostname is not known and MAC filtering is not applied to this host. B. Conduct a ping sweep of each of the authorized systems and see if an echo response is received. C. Apply MAC filtering and see if the router drops any of the systems. D. Physically check each of the authorized systems to determine if they are logged onto the network.

A. Deny the "unknown" host because the hostname is not known and MAC filtering is not applied to this host. Wireless network devices such as wireless access points and wireless routers offer an option for MAC filtering. The wireless router or access point then connects only to those devices whose MAC addresses have already been approved (using a whitelist of MAC addresses stored on the device). This provides a basic level of security and can prevent casual network browsers from connecting to the wireless network, but MAC filtering does not give adequate security for wireless networks because of MAC spoofing, which is discussed below. MAC spoofing refers to the ability to change a computer's MAC address to any MAC address you want and then connect to networks that have MAC filtering in place. This method is used by hackers to sniff a valid MAC address used on a wireless network and connect to the wireless LAN after changing their own MAC address to that valid MAC address.

The SSID broadcast for a wireless router has been disabled, but a network administrator notices that unauthorized users are accessing the wireless network. The administrator has determined that attackers are still able to detect the presence of the wireless network despite the fact that the SSID broadcast has been disabled. Which of the following would further obscure the presence of the wireless network? A. Disable responses to a broadcast probe request B. Reroute wireless users to a honeypot C. Upgrade the encryption to WPA or WPA2 D. Create a non-zero length SSID for the wireless router

A. Disable responses to a broadcast probe request In order to make the discovery and selection of an AP easier, a Service Set Identifier (SSID) is assigned to it, which is a human-readable name for the network with a maximum length of 32 characters. Generally, AP devices have a unique SSID assigned to them at manufacturing time, but many users customize them for their convenience. A user who wants to connect to a network needs to select the SSID from the list of nearby networks and provide the corresponding password to establish a secure connection. To reduce user burden when reconnecting to known APs, devices typically cache credentials and SSIDs and scan for nearby APs. If a known AP is discovered, the device reconnects to it automatically. Although APs periodically announce their SSID and it is possible to scan for them passively, the preferred way of scanning is active scanning by the client using Wi-Fi probe request frames. A probe request is essentially a broadcast question: "Is the AP with SSID xxxx listening? Please respond." These probe requests are sent out in bursts, one for every saved AP SSID, usually once every 60 seconds. Between the bursts the radio can be turned off, which saves power. Whenever an AP receives a probe request with its assigned SSID, it responds with a probe response frame and the connection is initiated. The simplest and most secure option to obscure the presence of the wireless network is, of course, to manually switch off Wi-Fi when it is not in use. Finding and disabling the option to automatically connect to Wi-Fi networks should have a similar effect. The option to not scan for or automatically reconnect to known APs may not be present, or may be ineffective at disabling probe requests. In these cases it may be necessary to disable the option to remember the network for sensitive networks, to not use the device in places where monitoring is probable, and to manually switch off Wi-Fi whenever possible.

While reviewing the monthly Internet usage, it is noted that there is a large spike in traffic classified as "unknown" that does not appear to be within the bounds of the organization's Acceptable Use Policy. Which of the following tools or technologies would work BEST for obtaining more information on this traffic? A. IDS logs B. Firewall logs C. Protocol analyzer D. Increased spam filtering

A. IDS logs An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm-filtering techniques to distinguish malicious activity from false alarms. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are among the most sophisticated network security devices in use today. They inspect network packets and block suspicious ones, as well as alert administrators about attack attempts. These systems' logs contain valuable network threat information about attack types, devices being targeted, and more. You should monitor these logs and extract the information they provide in order to keep your network secure.

The data backup window has expanded into the morning hours and has begun to affect production users. The main bottleneck in the process is the time it takes to replicate the backups to separate servers at the offsite data center. Which of the following uses of deduplication could be implemented to reduce the backup window? A. Implement deduplication on the storage array to reduce the amount of drive space needed B. Implement deduplication at the network level between the two locations C. Implement deduplication on the server storage to reduce the data backed up D. Implement deduplication on both the local and remote servers

A. Implement deduplication on the storage array to reduce the amount of drive space needed Data deduplication is a data compression technique in which redundant or repeated copies of data are removed from a system. It is implemented in data backup and network data mechanisms and enables the storage of one unique instance of data within a database or information system (IS). Data deduplication is also known as intelligent compression, single instance storage, and commonality factoring or data reduction. Data deduplication works by analyzing and comparing incoming data segments with previously stored data. If data is already present, data deduplication algorithms discard the new data and create a reference. For example, if a document file is backed up with changes, the previous file and applied changes are added to the data segment. However, if there is no difference, the newer data file is discarded, and a reference is created. Similarly, a data deduplication algorithm scans outgoing data on a network connection to check for duplicates, which are removed to increase data transfer speed.

A security administrator is developing controls for creating audit trails and tracking activity in case a PHI data breach occurs. The administrator has been given the following requirements:
- All access must be correlated to a user account.
- All user accounts must be assigned to a single individual.
- User access to the PHI data must be recorded.
- Anomalies in PHI data access must be reported.
- Logs and records cannot be deleted or modified.
Which of the following should the administrator implement to meet the above requirements? (Select three.) A. Perform regular permission audits and reviews B. Enable account lockout thresholds C. Implement time-of-day restrictions. D. Eliminate shared accounts. E. Copy logs in real time to a secured WORM drive. F. Create a standard naming convention for accounts G. Implement usage auditing and review.

A. Perform regular permission audits and reviews D. Eliminate shared accounts. G. Implement usage auditing and review.

A security analyst wants to harden the company's VoIP PBX. The analyst is worried that credentials may be intercepted and compromised when IP phones authenticate with the PBX. Which of the following would best prevent this from occurring? A. Require SIPS on connections to the PBX B. Implement SRTP between the phones and the PBX. C. Place the phones and PBX in their own VLAN D. Restrict the phone connections to the PBX

A. Require SIPS on connections to the PBX In Voice over IP telephony, two standard protocols are used. SIP (Session Initiation Protocol, port 5060) creates the connection from peer to peer (e.g. phone to phone, or phone to phone system); put simply, it sets the switches for the audio stream. Once the connection is established, RTP (Real-time Transport Protocol) is used to transport the audio or video data. A big security issue of standard SIP/RTP connections is that SIP messages and RTP streams can be intercepted and read or listened to by anyone with basic network knowledge. Because of this, it is recommended to use plain SIP/RTP only in local area networks (LANs) and not across the public Internet. To overcome the security flaws of SIP and RTP and safely make secure calls via the Internet, encrypted versions of both protocols have been developed. SIPS (port 5061), which stands for SIP Secure, is SIP extended with TLS (Transport Layer Security). With TLS, a secure connection between the IP PBX and the VoIP telephone can be established using a handshake. Once SIPS has initiated the secure connection, SRTP encodes the voice into encrypted IP packets and transports them via the Internet from the transmitter (IP phone system) to the receiver (IP phone or softphone). To allow the receiver to decrypt the packets, a key is sent via SIPS while the connection is being initiated in the previous step.

A company was recently audited by a third party. The audit revealed the company's network devices were transferring files in the clear. Which of the following protocols should the company use to transfer files? A. SCP B. HTTPS C. SNMPv3 D. LDAPS

A. SCP Secure copy protocol or SCP is a means of securely transferring computer files between a local host and a remote host or between two remote hosts. It is based on the Secure Shell (SSH) protocol.

A server administrator needs to administer a server remotely using RDP, but the specified port is closed on the outbound firewall on the network. How could he access the server using RDP on a port other than the typical registered port for the RDP protocol? A. SSH B. TLS C. SCP D. MPLS

A. SSH To create an SSH tunnel, a given port of your local machine needs to be forwarded to a port on a remote machine, which will be the other end of the tunnel. This is the job of the SSH server. Once the SSH tunnel has been established, the user simply connects to the local end of the tunnel in order to access the remote host transparently. Secure Shell, or SSH, is used to create a secure channel between a local and a remote computer. While SSH is commonly used for secure terminal access and file transfers, it can also be used to create a secure tunnel between computers for forwarding other network connections that are not normally encrypted. SSH tunnels are also useful for allowing outside access to internal network resources. Consider a concrete example of how to set up an SSH tunnel. You are the IT technician at your office and need to connect to a client through an SSH server to perform work using RDP, but it is protected by a company firewall. You need to get through the firewall in order to perform your work. The solution is to create an SSH tunnel in Remote Desktop Manager to carry the RDP communication.

Audit logs from a small company's vulnerability scanning software show the following findings:

Destinations scanned:
- Server001: Internal human resources payroll server
- Server101: Internet-facing web server
- Server201: SQL server for Server101
- Server301: Jumpbox used by systems administrators, accessible from the internal network

Validated vulnerabilities found:
- Server001: Vulnerable to buffer overflow exploit that may allow attackers to install software
- Server101: Vulnerable to buffer overflow exploit that may allow attackers to install software
- Server201: OS updates not fully current
- Server301: Accessible from internal network without the use of jumpbox
- Server301: Vulnerable to highly publicized exploit that can elevate user privileges

Assuming external attackers who are gaining unauthorized information are of the highest concern, which of the following servers should be addressed FIRST? A. Server101 B. Server201 C. Server001 D. Server301

A. Server101 If your network is in any way connected to the Internet, the security of your network is being put to the test. Your Internet-facing servers are being probed by hackers looking for ways to damage your resources or steal them. It is important that no holes are left open which would allow hackers easy access. You should start off by launching scans against the firewall or router that is hosted on your public IP address. This will automatically scan any services which are running on different servers and which are exposed to the Internet via Port Address Translation. In addition, if you have any services, such as a website, hosted on a server at a hosting provider, it would be a good idea to scan this server too. You might need to check with your hosting provider before you launch any scans.

A new firewall has been placed into service at an organization. However, a configuration has not been entered on the firewall. Employees on the network segment covered by the new firewall report they are unable to access the network. Which of the following steps should be completed to BEST resolve the issue? A. The firewall should be configured to prevent user traffic from matching the implicit deny rule B. The firewall should be configured with access lists to allow inbound and outbound traffic C. The firewall should be configured with port security to allow traffic D. The firewall should be configured to include an explicit deny rule.

A. The firewall should be configured to prevent user traffic from matching the implicit deny rule The implicit deny security stance treats everything not given specific and selective permission as suspicious. Network boundaries that follow an implicit deny concept only allow specific IP addresses and/or service ports while blocking all others.

A security administrator is configuring a new network segment, which contains devices that will be accessed by external users, such as web and FTP servers. Which of the following represents the MOST secure way to configure the new network segment? A. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic. B. The segment should be placed in the existing internal VLAN to allow internal traffic only. C. The segment should be placed on an extranet, and the firewall rules should be configured to allow both internal and external traffic. D. The segment should be placed on an intranet, and the firewall rules should be configured to allow external traffic.

A. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic. A network segment is a portion of a computer network that is separated from the rest of the network by a device such as a repeater, hub, bridge, switch or router. Each segment can contain one or more computers or other hosts. The type of segmentation differs according to the type of device used. Firewalls and VLANs provide a way to partition the network into smaller zones, assuming you have defined and are enforcing a ruleset which controls the communication paths. A sound security policy entails segmenting the network into multiple zones with varying security requirements and enforcing a rigorous policy of what is allowed to move from zone to zone.

During a monthly vulnerability scan, a server was flagged for being vulnerable to an Apache Struts exploit. Upon further investigation, the developer responsible for the server informs the security team that Apache Struts is not installed on the server. Which of the following BEST describes how the security team should react to this incident? A. The server has been compromised by malware and needs to be quarantined B. The Struts module needs to be hardened on the server C. The Apache software on the server needs to be patched and updated D. The finding is a false positive and can be disregarded

A. The server has been compromised by malware and needs to be quarantined The critical Remote Code Execution (RCE) vulnerability CVE-2017-9805 was recently discovered in Apache Struts 2, a popular open source framework used to build and deploy Java-based web applications. It was revealed that the flaw stems from Apache Struts' unsafe method of deserializing untrusted data. Your initial reaction may be to take your entire network offline, but that could actually cause additional damage to your company's operations, not to mention relationships with customers and reputation in the marketplace. Instead, strategically isolate and take offline just the impacted applications; or, if necessary, take down the servers or computers those applications live on. This will quarantine the affected applications and devices while still allowing your company to continue to do business.

A security analyst is reviewing the following output from an IPS:

[**] [1:2467:7] EXPLOIT IGMP IGAP message overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: ]
07/30-19:45:02.238185 250.19.18.71 -> 250.19.18.22
IGMP TTL:255 TOS:0x0 ID:9742 IpLen:20 DgmLen:502 MF
Frag Offset: 0x1FFF Frag Size: 0x01E2
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0367]

Given this output, which of the following can be concluded? (Select two.) A. The source IP of the attack is coming from 250.19.18.71 B. The TTL value is outside of the expected range, triggering the alert C. The source IP of the attack is coming from 250.19.18.22. D. The attacker sent a malformed TCP packet, triggering the alert E. The attacker sent a malformed IGAP packet, triggering the alert.

A. The source IP of the attack is coming from 250.19.18.71 E. The attacker sent a malformed IGAP packet, triggering the alert. Internet Group Membership Authentication Protocol (IGAP) is a variant of IGMPv2 that adds user authentication. IGAP enables an IP multicast service provider to authenticate requests to join a specific multicast group based on user information. All IGAP messages are sent with the IP TTL field set to 1 and use the IP Router Alert option in their IP header, as per the IGMPv2 requirements. Reading a Snort alert of this kind field by field:
- EXPLOIT IGMP IGAP message overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] 05/29-19:44:02.238185: the message explaining the possible consequences of the attack, followed by its classification, priority and timestamp.
- 249.94.153.251: the source IP, i.e. the IP address where Snort believes the attack comes from.
- 249.94.153.77: the destination IP, i.e. the IP address of the attack target.
- IGMP TTL:255 TOS:0x0 ID:9744 IpLen:20 DgmLen:502 MF Frag Offset: 0x1FFF Frag Size: 0x01E2: information about the IGMP packet that triggered the alert, such as Time to Live (TTL) and Type of Service (TOS); for more information see http://www.tcpipguide.com/free/t_IPDatagramGeneralFormat.htm. In this attack the attacker creates and sends a malformed IGAP packet which, if decoded by a vulnerable version of Ethereal/tethereal, can cause a buffer overflow and the subsequent execution of arbitrary code.
- [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0367] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0176] [Xref => http://www.securityfocus.com/bid/9952]: additional links that provide more information about the vulnerability that makes this attack possible. The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information security vulnerabilities.
Please note that packet crafting and packet spoofing are often mistakenly assumed to be the same technique; however, they are very different from an impact standpoint. Spoofing is used by attackers to hide their identity and presence on the network. Spoofing is primarily used to gain network information such as open ports, running services, active hosts, etc., during which time the target host fails to trace the attacker. Packet crafting, on the other hand, goes a step further by trying to test the presence, functionality or accuracy of a target network's firewall rules and intrusion detection systems. Packet crafting requires in-depth knowledge of TCP packets and how they work, and is more of a manually orchestrated attack than a programmatic one. This makes it a technically advanced way of trying to hack into networks.

When connected to a secure WAP, which of the following encryption technologies is MOST likely to be configured when connecting to WPA2-PSK? A. MD5 B. AES C. WEP D. DES

B. AES It can be confusing to see the acronyms WPA2, WPA, and WEP because they might all seem so similar that it doesn't matter what you choose to protect your network with, but there are some differences between them. The least secure is WEP, which provides security equal to that of a wired connection. WEP broadcasts messages using radio waves and is much easier to crack. This is because the same encryption key is used for every data packet. If enough data is analyzed by an eavesdropper, the key can be easily found with automated software (even in just a few minutes). It's best to avoid WEP entirely. WPA improves on WEP in that it provides the TKIP encryption scheme to scramble the encryption key and verify that it hasn't been altered during the data transfer. The major difference between WPA2 and WPA is that WPA2 further improves the security of a network because it requires using a stronger encryption method called AES. Several different forms of WPA2 security keys exist. WPA2 Pre Shared Key (PSK) utilizes keys that are 64 hexadecimal digits long and is the method most commonly used on home networks. Many home routers interchange "WPA2 PSK" and "WPA2 Personal" mode; they refer to the same underlying technology.

Which of the following is the appropriate network structure used to protect servers and services that must be provided to external clients without completely eliminating access for internal users? A. Subnet B. DMZ C. VLAN D. NAC

B. DMZ In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks, usually the internet. External-facing servers, resources and services are located in the DMZ. Therefore, they are accessible from the internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the internet. Any service provided to users on the public internet should be placed in the DMZ network. Some of the most common of these services include web servers and proxy servers, as well as servers for email, domain name system (DNS), File Transfer Protocol (FTP) and voice over IP (VoIP).

A global gaming console manufacturer is launching a new gaming platform to its customers. Which of the following controls reduces the risk created by malicious gaming customers attempting to circumvent control by way of modifying consoles? (Select TWO) A. Manual software upgrades B. Firmware version control C. Automatic updates D. Vulnerability scanning E. Application firewalls F. Network segmentation

B. Firmware version control C. Automatic updates Version control systems are a category of software tools that help a software team manage changes to source code over time. Version control software keeps track of every modification to the code in a special kind of database. If a mistake is made, developers can turn back the clock and compare earlier versions of the code to help fix the mistake while minimizing disruption to all team members. For almost all software projects, the source code is like the crown jewels - a precious asset whose value must be protected. For most software teams, the source code is a repository of the invaluable knowledge and understanding about the problem domain that the developers have collected and refined through careful effort. Version control protects source code from both catastrophe and the casual degradation of human error and unintended consequences. The game console features automatically updatable software. This software includes the operating system as well as many system, game, and media apps for the game console. During a system update, the software on your console is updated through a download-and-install process. The system software updates may sometimes update the system's firmware, but this is not common for most updates. System updates help improve your experience with the addition of new features as well as improvement of existing features. The updates are downloaded from the game console service directly to your game console and subsequently installed.

A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website. During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine. Which of the following describes the type of attack the proxy has been legitimately programmed to perform? A. Transitive access B. Man-in-the-middle C. Replay D. Spoofing

B. Man-in-the-middle A man-in-the-middle (MITM) proxy is an SSL-capable proxy that works as a man-in-the-middle for HTTP and HTTPS communication. It is an interactive tool that allows for monitoring, modifying and replaying the HTTP/HTTPS traffic that goes through it. When using an HTTPS proxy server, there is very little difference in how the server functions from an HTTP proxy server. It is set up between the internal network and the Internet. All requests to any website, including HTTP or HTTPS sites, go through the intermediate server, the proxy, and appear to the website to originate from that server. This protects the interior IP addresses in a network. Not only does this limit the information that hackers can obtain about the interior network, but it also allows the network IT administrator to control access to specific sites and to more effectively manage the use of resources.

Which of the following delineates why it is important to perform egress filtering and monitoring on Internet-connected security zones of interfaces on a firewall? A. To rebalance the amount of outbound traffic and inbound traffic B. Outbound traffic could be communicating to known botnet sources C. To prevent DDoS attacks originating from the external network D. Egress traffic is more important than ingress traffic for malware prevention

B. Outbound traffic could be communicating to known botnet sources In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled. A focal point for any network security administrator is the network perimeter. Companies spend a lot of time guarding against traffic that might enter their networks and not enough time guarding against traffic that might leave their networks. Typically, a company establishes a perimeter defense by blocking all inbound traffic, then letting only specific traffic types reach specific internal systems. To ease management headaches down the road, the company defines traffic rules that let all outbound traffic leave the network. After all, allowing all outbound traffic means no future rule definitions will be required to meet future needs. This approach also means the cost of managing perimeter security will be lower because no one will need to define new outbound rules. However, think about that action for a moment. Are the savings really worth the risk in today's world? Zone-based policy firewalls examine source and destination zones from the ingress and egress interfaces for a firewall policy. It is not necessary that all traffic flowing to or from an interface be inspected; you can designate that individual flows in a zone pair be inspected through your policy map that you apply across the zone pair. The policy map will contain class maps that specify individual flows. Traffic with the inspect action will create a connection in the firewall table and be subject to state checking. Traffic with the pass action will bypass the zone firewall completely, not creating any sessions. You can also configure inspect parameters like TCP thresholds and timeouts on a per-flow basis. 
The bottom line is that you must protect against unwanted outbound traffic as fiercely as you protect against unwanted inbound traffic. Consider adding various content filters to your overall security arsenal. Content filtering tools can screen and prevent the movement of both inbound and outbound traffic over a variety of protocols, including Web, SMTP, POP3, and more. By using such technology, you can significantly reduce a huge portion of the risk associated with general Internet connectivity.

A network technician is trying to determine the source of an ongoing network-based attack. Which of the following should the technician use to view IPv4 packet data on a particular internal network segment? A. Firewall B. Protocol Analyzer C. Switch D. Proxy

B. Protocol Analyzer A protocol analyzer is a computer application used to track, intercept and log network traffic that passes over a digital network. It analyzes network traffic and generates a customized report to assist organizations in managing their networks. Protocol analyzers also may be used by hackers to intrude on networks and steal information from network transmissions. A protocol analyzer is also known as a sniffer, network analyzer or packet analyzer.

Which of the following use the SSH protocol? (Select two) A. SNMP B. SFTP C. Telnet D. FTPS E. SSL F. SCP

B. SFTP F. SCP SSH, also known as Secure Socket Shell, is a network protocol that provides administrators with a secure way to access a remote computer. SSH also refers to the suite of utilities that implement the protocol. Secure Shell provides strong authentication and secure encrypted data communications between two computers connecting over an insecure network such as the Internet. SSH is widely used by network administrators for managing systems and applications remotely, allowing them to log in to another computer over a network, execute commands and move files from one computer to another. SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 Unix connections; it can transfer files using the associated SSH File Transfer Protocol (SFTP) or Secure Copy (SCP) protocols.

A security administrator needs to implement a system that detects possible intrusions based upon a vendor-provided list. Which of the following BEST describes this type of IDS? A. Heuristic B. Signature based C. Anomaly-based D. Behavior-based

B. Signature based Most intrusion detection systems (IDS) are what are known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity - or signature - for each specific intrusion event. In addition, while a signature-based IDS is very efficient at sniffing out known attack signatures, it does, just like anti-virus software, depend on receiving regular signature updates in order to keep up with variations in attacker technique. In other words, a signature-based IDS is only as good as its database of stored signatures.

A security analyst wishes to increase the security of an FTP server. Currently, all traffic to the FTP server is unencrypted. Users connecting to the FTP server use a variety of modern FTP client software. The security analyst wants to keep the same port and protocol, while also still allowing unencrypted connections. Which of the following would BEST accomplish these goals? A. Use implicit TLS on the FTP server B. Use explicit FTPS for the connections. C. Use SSH tunneling to encrypt the FTP traffic D. Require the SFTP protocol to connect to the file server.

B. Use explicit FTPS for the connections Explicit FTPS is the newer method of FTPS transfer and has generally overtaken implicit FTPS use, with the exception of legacy systems. When explicit FTPS is used, a traditional FTP connection is established on the same standard port as FTP. Once the connection is made (before login), a secure SSL/TLS connection is negotiated on port 21. Today, explicit FTPS (also FTPES) is supported by the majority of FTP servers since it is an approved, standard way of protecting data. With explicit FTPS, before a transfer can begin, the client requests encryption information to determine what portions of the data are protected. If the client has not set up these security requests, one of two things occurs - either the connection is declined, or the transfer is made insecurely using the basic FTP protocol. Explicit FTPS inherently provides users with flexibility regarding how files are sent. Therefore, you could choose to send data unencrypted but protect your user credentials, or you could protect all information sent in a transfer. The client can decide how secure they want file transfers to be. The server can also disallow insecure requests, thereby forcing the client to use FTPS and not FTP.

A network administrator wants to implement a method of securing internal routing. Which of the following should the administrator implement? A. NAT B. VPN C. PAT D. DMZ

B. VPN A virtual private network (VPN) is a network that is constructed using public wires - usually the Internet - to connect remote users or regional offices to a company's private, internal network. A VPN secures the private network, using encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted. This type of network is designed to provide a secure, encrypted tunnel in which to transmit the data between the remote user and the company network. One way of protecting data as it passes between internal and remote locations is by implementing a virtual private network (VPN). VPNs have been around for a long time (over 20 years) and have been used in two primary ways: protecting the data from a host machine to a central location (client to network), or protecting the data from one organizational network to another (network to network). Both types of VPN have been implemented over the public Internet.

A system administrator wants to provide balance between the security of a wireless network and usability. The administrator is concerned with wireless encryption compatibility of older devices used by some employees. Which of the following would provide strong security and backward compatibility when accessing the wireless network? A. WPA using a preshared key B. WPA2 using a RADIUS back-end for 802.1x authentication C. Open wireless network and SSL VPN D. WEP with a 40-bit key

B. WPA2 using a RADIUS back-end for 802.1x authentication WPA2-Enterprise with 802.1x authentication can be used to authenticate users or computers in a domain. The supplicant (wireless client) authenticates against the RADIUS server (authentication server) using an EAP method configured on the RADIUS server.

Malicious traffic from an internal network has been detected on an unauthorized port on an application server. Which of the following network-based security controls should the engineer consider implementing? A. NAT B. HIPS C. ACLs D. MAC Filtering

C. ACLs An access control list (ACL) is a set of rules that controls network traffic and mitigates network attacks. More precisely, the aim of ACLs is to filter traffic based on given filtering criteria on a router or switch interface. Initially, ACLs were the only means of providing firewall protection. Even though there are many other types of firewalls and alternatives to ACLs in existence, they are still used today, even in combination with other technologies (for example in virtual private networks, to define which traffic should be encrypted and sent via the VPN tunnel), and you should master them in order to achieve success at the CCNA level and beyond. Reasons why you should use ACLs: • Limit network traffic to increase network performance • Provide traffic flow control • Provide a basic level of security for network access by defining which part of the network/server/service can be accessed by a host and which cannot • Granular control over traffic entering or exiting the network

A security administrator returning from a short vacation receives an account lock-out message when attempting to log into the computer. After getting the account unlocked, the security administrator immediately notices a large number of email alerts pertaining to several different user accounts being locked out during the past three days. The security administrator uses system logs to determine that the lock-outs were due to a brute force attack on all accounts that had previously logged into that machine. Which of the following can be implemented to reduce the likelihood of this attack going undetected? A. Account lockout policies B. User access reviews C. Continuous monitoring D. Password complexity rules

C. Continuous monitoring Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. The financial and operational environment consists of people, processes, and systems working together to support efficient and effective operations. Continuous monitoring is one part of a six-step process in the NIST Risk Management Framework (RMF), from NIST publication 800-53. Continuous monitoring is an essential step for organizations to identify and measure the security implications for planned and unexpected changes to hardware, software, and firmware and to assess vulnerabilities in a dynamic threat space.

A system administrator is configuring a site-to-site VPN tunnel. Which of the following should be configured on the VPN concentrator during the IKE phase? A. RIPEMD B. ECDHE C. Diffie-Hellman D. HTTPS

C. Diffie-Hellman IKE is a key management protocol standard that is used in conjunction with the IPsec standard. IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IPsec can be configured without IKE, but IKE enhances IPsec by providing additional features, flexibility, and ease of configuration for the IPsec standard. IKE is a hybrid protocol that implements the Oakley key exchange and SKEME key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys.

An organization is using a tool to perform a source code review. Which of the following describes the case in which the tool incorrectly identifies the vulnerability? A. True negative B. True positive C. False positive D. False negative

C. False positive A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output. False positive results might be reported when analyzing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.

Which of the following are methods to implement HA in a web application server environment? (Select two.) A. Reverse proxies B. Routers C. Load balancers D. VPN concentrators E. Application layer firewalls

C. Load balancers E. Application layer firewalls A load balancer is a networking device that distributes traffic across multiple back-end servers in order to improve website response times. The Web Application Firewall can act as a stand-alone load balancer or work in conjunction with other load balancers. Situated in front of back-end servers, it distributes incoming traffic across the servers using the configured algorithm. The Web Application Firewall supports load balancing of all types of applications. Load balancing with persistence ensures that subsequent requests from the same IP address will be routed to the same back-end server as the initial request. This guarantee of persistence requires an awareness of server health so subsequent requests are not routed to a server which is no longer responding. The Web Application Firewall can monitor server health by tracking server responses to actual requests and marking the server as out-of-service when errors exceed a user-configured threshold. In addition, the Web Application Firewall can perform out-of-band health checks, requests created and sent to a server at configured time intervals to verify its health.

A system administrator wants to implement an internal communication system that will allow employees to send encrypted messages to each other. The system must also support non-repudiation. Which of the following implements all these requirements? A. Bcrypt B. Blowfish C. PGP D. SHA

C. PGP Pretty Good Privacy (PGP) is a methodology used for encrypting and decrypting digital files and communications over the Internet. It was released with the BassOmatic symmetric key algorithm, which was later replaced by the International Data Encryption Algorithm (IDEA) to circumvent certain BassOmatic flaws. Created by Phil Zimmermann in 1991, PGP was initially designed for email security. PGP works on the public key cryptography mechanism, where users encrypt and decrypt data using their respective public and private keys. PGP uses a symmetric encryption key to encrypt messages, and a public key is used with each sent and received message. First, the receiver must use its private key to decrypt the symmetric key, and then decrypt the message with the decrypted symmetric key. PGP also provides data/file integrity services by digitally signing messages, allowing receivers to learn whether or not message confidentiality is compromised. PGP is also used to encrypt files stored on a computer and/or complete hard disk drives.

While performing a penetration test, the technicians want their efforts to go unnoticed for as long as possible while they gather useful data about the network they are assessing. Which of the following would be the BEST choice for the technicians? A. Vulnerability scanner B. Offline password cracker C. Packet sniffer D. Banner grabbing

C. Packet sniffer Penetration testing allows the pinpointing of vulnerabilities on a network and provides identification of suspicious packets moving across the network. Being able to identify routine network traffic is also valuable because it provides a look at how a normal network environment operates, making it easier to identify anomalies and vulnerabilities. During packet capture using a packet sniffer, a data packet that is moving over a computer network is intercepted. After the packet is captured, it is analyzed to diagnose and solve any problems - most likely security problems - that exist on the network.

A new security policy in an organization requires that all file transfers within the organization be completed using applications that provide secure transfer. Currently, the organization uses FTP and HTTP to transfer files. Which of the following should the organization implement in order to be compliant with the new policy? A. Replace FTP with SFTP and replace HTTP with Telnet B. Replace FTP with FTPS and replace HTTP with TFTP C. Replace FTP with SFTP and replace HTTP with TLS D. Replace FTP with FTPS and replace HTTP with IPSec

C. Replace FTP with SFTP and replace HTTP with TLS For decades, companies have relied on FTP (File Transfer Protocol) as their basic method of transferring files. However, as data security became a larger and more urgent issue for many companies, a number of alternative FTP solutions arose to address the security vulnerabilities of basic FTP. SFTP, or FTP over SSH, increases FTP security by establishing a secure channel between the party sending data and the party receiving it. The SSH stands for "Secure Shell," meaning two computers establish an SSH-encrypted channel prior to logging in and transferring data. The secure channel protects data from being accessed by a party other than the intended recipient. TLS (Transport Layer Security) is just an updated, more secure version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term, but when you are buying SSL from Symantec, you are actually buying the most up to date TLS certificates with the option of ECC, RSA or DSA encryption. HTTPS (Hypertext Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar.

Which of the following should be used to implement voice encryption? A. SSLv3 B. VDSL C. SRTP D. VoIP

C. SRTP Voice encryption (SRTP): The Secure Real-time Transport Protocol (SRTP) is based on the Real-time Transport Protocol (RTP). SRTP is used, for example, in Internet telephony (Voice over IP, VoIP) in order to guarantee an eavesdrop-secure transfer of telephone data between multiple conversation participants.

A system administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement? A. Shared accounts B. Preshared passwords C. Sponsored guest D. Least privilege

C. Sponsored guest Do you have guests at your workplace that require internet access? The advantage to deploying a sponsored guest network is the security that comes with it. By secluding this network, you can control who has access to your company's network of computers, servers, and printers. This also allows you to limit the internet resources available to visitors. You can restrict the guest network to a speed that offers reasonable access without affecting the network performance available to your employees.

As part of a new industry regulation, companies are required to utilize secure, standardized OS settings. A technician must ensure the OS settings are hardened. Which of the following is the BEST way to do this? A. Use a protocol analyzer B. Use a vulnerability scanner. C. Use a configuration compliance scanner. D. Use a passive, in-line scanner

C. Use a configuration compliance scanner. Compliance scanning focuses on the configuration settings (or security hardening) being applied to a system. In short, compliance scans assess adherence to a specific compliance framework. Hardening consists of applying security guidance from the various compliance frameworks applicable to your company. For example, if your company must comply with HIPAA and/or HITRUST regulations, then your computing systems must be configured (or hardened) to satisfy these regulations. Once applied, the hardening for each system can be verified and/or confirmed via a compliance scan. When a compliance scan is performed against a single computing system, it produces a report that defines how well the system is hardened against the selected compliance framework. These results contribute to the system's overall security posture. Combining the compliance scan reports/results of all systems helps define the overall security posture of your system and/or infrastructure.

An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router? A. WPA+TKIP B. WPA+CCMP C. WPA2+TKIP D. WPA2+CCMP

C. WPA2+TKIP The short version is that TKIP is an older encryption standard used by the WPA standard. AES is a newer Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that's the end of it. But, depending on your router, just choosing WPA2 may not be good enough. While WPA2 is supposed to use AES for optimal security, it can also use TKIP where backward compatibility with legacy devices is needed. In such a state, devices that support WPA2 will connect with WPA2 and devices that support WPA will connect with WPA. So "WPA2" doesn't always mean WPA2-AES. However, on devices without a visible "TKIP" or "AES" option, WPA2 is generally synonymous with WPA2-AES.

A network administrator at a small office wants to simplify the configuration of mobile clients connecting to an encrypted wireless network. Which of the following should be implemented if the administrator does not want to provide the wireless password or the certificate to the employees? A. WPA2-PSK B. 802.1x C. WPS D. TKIP

C. WPS Wi-Fi Protected Setup (WPS) is a wireless network setup solution that lets you automatically configure your wireless network, add new devices, and enable wireless security. Wireless routers, access points, USB adapters, printers, and all other wireless devices that have WPS capabilities, can all be easily set up to communicate with each other, usually with just a push of the button.

Joe, the security administrator, sees this in a vulnerability scan report: "The server 10.1.2.232 is running Apache 2.2.20 which may be vulnerable to a mod_cgi exploit." Joe verifies that the mod_cgi module is not enabled on 10.1.2.232. This message is an example of: A. a threat B. a risk C. a false positive D. a false negative

C. a false positive When a tool reports a specific vulnerability in your program that in fact does not exist, the report is referred to as a false positive. Many security scanners such as Nessus scan an application (or service/daemon) and attempt to find vulnerabilities in it. Sometimes the signatures make mistakes and report a vulnerability that may not exist. False positives are not limited to scanners; they also affect Web Application Firewalls (WAF) and NIDS/HIDS/NIPS/HIPS. These monitoring products may report an attack attempt but sometimes confuse the data they received with valid information.

A company is developing a new secure technology and requires computers being used for development to be isolated. Which of the following should be implemented to provide the MOST secure environment? A. An ad hoc network with NAT B. A honeypot residing in a DMZ C. A bastion host D. An air gapped computer network E. A perimeter firewall and IDS

D. An air gapped computer network An air gap, air wall or air gapping is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.

A systems administrator has finished configuring a firewall ACL to allow access to a new web server. PERMIT TCP from: ANY to: 192.168.1.10:80 PERMIT TCP from: ANY to: 192.168.1.10:443 DENY TCP from: ANY to: ANY The security administrator confirms from the following packet capture that there is network traffic from the Internet to the web server: TCP 10.23.243.2:2000->192.168.1.10:80 POST /default's TCP 172.16.4.100:1934->192.168.1.10:80 GET /session.aspx?user_1_sessionid=a12ad8741d8f7e7ac723847aa8231a The company's internal auditor issues a security finding and requests that immediate action be taken. With which of the following is the auditor MOST concerned? A. Misconfigured firewall B. Implicit deny C. Default configuration D. Clear text credentials

D. Clear text credentials The biggest security issue with such traffic is the human-readable and understandable format it is in, even for sensitive information such as user credentials. Clear-text traffic can be easily understood by human beings without any additional processing, as we will see in this section. Many common protocols in our networks communicate in such a manner.

An administrator has configured a new Linux server with the FTP service. Upon verifying that the service was configured correctly, the administrator has several users test the FTP service. Users report that they are able to connect to the FTP service and download their personal files; however, they cannot transfer new files to the server. Which of the following will most likely fix the uploading issue for the users? A. Configure the FTP daemon to utilize PAM authentication pass through user permissions B. Reconfigure the ftp daemon to operate without utilizing the PASV mode C. Set the SELinux boolean value to allow FTP home directory uploads D. Create an ACL to allow the FTP service write access to user directories

D. Create an ACL to allow the FTP service write access to user directories As a system administrator, our first priority will be to protect and secure data from unauthorized access. We are all aware of the permissions that we set using helpful Linux commands like chmod, chown, chgrp, etc. However, these default permission sets have some limitations and sometimes may not work as per our needs. For example, we cannot set up different permission sets for different users on the same directory or file. Thus, Access Control Lists (ACLs) were implemented. ACLs allow us to do exactly that: they allow us to grant permissions to an individual user, a group, or any set of users who are not in the owning group of a file. Linux groups are a mechanism to manage a collection of computer system users. All Linux users have a user ID and a group ID, unique numerical identifiers called the userid (UID) and groupid (GID) respectively. Groups can be assigned to logically tie users together for a common security, privilege and access purpose. This is the foundation of Linux security and access. Files and devices may be granted access based on a user's ID or group ID. File, directory and device (special file) permissions are granted based on "user", "group" or "other" (world) identification status. Permission is granted (or denied) for read, write and execute access. Access Control Lists (ACLs) are applied to files and directories. ACLs are an addition to the standard Unix file permissions (r,w,x,-) for User, Group, and Other for read, write, execute and deny permissions. ACLs give users and administrators flexibility and direct fine-grained control over who can read, write, and execute files.

Many employees are receiving email messages similar to the one shown below: From: IT department To: employee Subject: email quota exceeded Please click on the following link http://www.website.info/email.php?quota=1Gb and provide your username and password to increase your email quota. Upon reviewing other similar emails, the security administrator realized that all the phishing URLs have the following common elements: they all use HTTP, they all come from .info domains, and they all contain the same URL. Which of the following should the security administrator configure on the corporate content filter to prevent users from accessing the phishing URL, while at the same time minimizing false positives? A. REDIRECT http://www.*.info/email.php?quota=* TO http://company.com/corporate_policy.html B. BLOCK http://www.*.info/* C. DROP http://*website.info/email.php?* D. DENY http://*.info/email.php?quota=1Gb

D. DENY http://*.info/email.php?quota=1Gb Phishing sites are sites that attackers disguise as legitimate websites with the aim of stealing user information, especially the credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click the link and enter credentials to set a breach into motion. You can detect and prevent in-progress phishing attacks, thereby preventing credential theft, by controlling the sites to which users can submit corporate credentials based on the site's URL category. This allows you to block users from submitting credentials to untrusted sites while allowing users to continue to submit credentials to corporate and sanctioned sites. To enable credential phishing prevention you must configure both User-ID, to detect when users submit valid corporate credentials to a site (as opposed to personal credentials), and URL Filtering, to specify the URL categories in which you want to prevent users from entering their corporate credentials. In this question, the security administrator would block access to the known phishing URL in the content filter using DENY http://*.info/email.php?quota=1Gb.

Two users need to securely share encrypted files via email. Company policy prohibits users from sharing credentials or exchanging encryption keys. Which of the following can be implemented to enable users to share encrypted data while abiding by company policies? A. PKI B. Key escrow C. Hashing D. Digital signatures

D. Digital signatures A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. The digital equivalent of a handwritten signature or stamped seal, a digital signature offers far more inherent security and is intended to solve the problem of tampering and impersonation in digital communications. Digital signatures can provide the added assurances of evidence of origin, identity and status of an electronic document, transaction or message, and can acknowledge informed consent by the signer.

A network administrator wants to ensure that users do not connect any unauthorized devices to the company network. Each desk needs to connect a VoIP phone and computer. Which of the following is the BEST way to accomplish this? A. Make users sign an Acceptable Use Agreement B. Configure the phones on one VLAN, and computers on another C. Enable and configure port channels D. Enforce authentication for network devices

D. Enforce authentication for network devices The best cyber security comes in layers, making it difficult or frustrating for an intruder to fight through each line of defense to break into the network and gain access to data. One of the front-line defenses should be network access control (NAC) and its ability to restrict network access to devices and users that are authorized and authenticated. The emphasis of NAC is the access control - who or what has authorized permission to access the network. This includes both users and devices. The NAC network intercepts the connection requests, which are then authenticated against a designated identity and access management system. Access is either accepted or denied based on a pre-determined set of parameters and policies that are programmed into the system.

An administrator thinks the UNIX systems may be compromised, but a review of system log files provides no useful information. After discussing the situation with the security team, the administrator suspects that the attacker may be altering the log files and removing evidence of intrusion activity. Which of the following actions will help detect attacker attempts to further alter log files? A. Enable verbose system logging B. Set the bash_history log file to "read only" C. Change the permissions on the user's home directory D. Implement remote syslog

D. Implement remote syslog Syslog is used on a variety of servers/devices to give system information to the system administrator. Syslog is a standard for computer data logging. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. Syslog can be used for computer system management and security auditing as well as generalized informational, analysis, and debugging messages. It is supported by a wide variety of devices (like printers and routers) and receivers across multiple platforms. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository. If you have your routers, firewalls, switches, Linux servers and/or other hardware pointing to a secured centralized syslog server, then when someone does attempt to attack one of those devices, the log files are already safely off-site in a secure location. If syslog files are kept only on the device, this gives an attacker the ability to clean up their tracks. A remote syslog server allows you to separate the software that generates the messages and events from the system that stores and analyzes them. When enabled, the network driver sends messages to a syslog server on the local intranet or across the Internet through a VPN tunnel. The syslog server can be configured by specifying its name or IP address. For each device that you wish to send its event logs to your syslog server, you need to ensure that its remote syslog service is enabled and that it is pointed at the IP address of your server. Take note that syslog uses UDP port 514; each sending device and the receiving syslog collector need to be able to access this port.

A security analyst has set up a network tap to monitor network traffic for vulnerabilities. Which of the following techniques would BEST describe the approach the analyst has taken? A. Passive vulnerability scanning B. Compliance scanning C. Credentialed scanning D. Port scanning

D. Port scanning A TAP (Test Access Point) is a passive splitting mechanism installed between a 'device of interest' and the network. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring device in real time. Most enterprise switches can copy the activity of one or more ports to a Switch Port Analyzer (SPAN) port, also known as a mirror port. An analysis device can then be attached to the SPAN port to access network traffic. When deciding whether to use a TAP or a SPAN port to port scan, the two primary factors that will affect your decision are the type of analysis and the amount of bandwidth. A TAP is ideal when analysis requires seeing all the traffic, including physical-layer errors, and a TAP is required if network utilization is moderate to heavy. A SPAN port performs well on lightly utilized networks or when analysis is not affected by dropped packets. An Aggregator TAP can be used as an effective compromise between a TAP and a SPAN port, delivering some of the advantages of a TAP and none of the disadvantages of a SPAN port.

A Chief Security Officer (CSO) has been unsuccessful in attempts to access the website for a potential partner (www.example.net). Which of the following rules is preventing the CSO from accessing the site? Blocked sites: *.nonews.com, *.rumorhasit.net, *.mars A. Rule 2: deny from inside to outside source any destination any service ping B. Rule 4: deny from any to any source any destination any service any C. Rule 1: deny from inside to outside source any destination any service smtp D. Rule 3: deny from inside to outside source any destination {blocked sites} service http-https

D. Rule 3: deny from inside to outside source any destination {blocked sites} service http-https Because all traffic from a higher-security interface to a lower-security interface is allowed by default, access lists enable you to either allow traffic from lower-security interfaces or restrict traffic from higher-security interfaces. The firewall supports two types of access lists: inbound access lists, which apply to traffic as it enters an interface, and outbound access lists, which apply to traffic as it exits an interface. The terms "inbound" and "outbound" refer to the application of an access list on an interface, either to traffic entering the firewall on an interface or to traffic exiting the firewall on an interface. These terms do not refer to the movement of traffic from a lower-security interface to a higher-security interface, commonly known as inbound, or from a higher-security to a lower-security interface, commonly known as outbound. An outbound access list is useful, for example, if you want to allow only certain hosts on the inside networks to access a web server on the outside network. Rather than creating multiple inbound access lists to restrict access, you can create a single outbound access list that allows only the specified hosts. Rule 3 (deny from inside to outside, source any, destination {blocked sites}, service http-https) is preventing the CSO from accessing the site.

After correctly configuring a new wireless-enabled thermostat to control the temperature of the company's meeting room, Joe, a network administrator, determines that the thermostat is not connecting to the Internet-based control system. Joe verifies that the thermostat received the expected network parameters and that it is associated with the AP. Additionally, the other wireless mobile devices connected to the same wireless network are functioning properly. The network administrator verified that the thermostat works when tested at his residence. Which of the following is the MOST likely reason the thermostat is not connecting to the Internet? A. The thermostat is using the incorrect encryption algorithm B. The WPA2 shared key is incorrect C. The company's DHCP server scope is full D. The company implements a captive portal

D. The company implements a captive portal Most large enterprises run remarkably secure WLANs. They minimize open-authentication access points - and those that exist use captive portals - and implement WPA2-Enterprise authentication and encryption protocols, which are very difficult to crack. However, well-configured access points inhibit the growth of the Internet of Things (IoT) over Wi-Fi. The emerging IoT model (from the residential world) connects headless sensors over wireless connections to a cloud service that manages them and collects their traffic. This service then offers a portal for analytics and smartphone-based user control. A headless device cannot complete the interactive login a captive portal demands, so it never gets past the portal. A captive portal is a web page or splash screen displayed before users can access the Internet, apps, or services using a desktop computer or mobile device. Often, captive portals display as login interfaces to guest Wi-Fi connections, like those you find in restaurants, cafes, airport lounges, and hotel business centers. Captive portals serve as gatekeepers to guest Wi-Fi connections. Many organizations now use them as entry points for their network connections. Another popular reason for using captive portals is to provide a system for authenticating users before they are granted access to the Internet. Users that do not have a valid username and password will not be granted access to the network.

A workstation puts out a network request to locate another system. Joe, a hacker on the network, responds before the real system does, and he tricks the workstation into communicating with him. Which of the following BEST describes what occurred? A. The hacker used a pass-the-hash attack B. The hacker exploited improper key management C. The hacker used a race condition D. The hacker exploited weak switch configuration

D. The hacker exploited weak switch configuration Attacks on switches are easier to perpetrate than you might think. Tools that are easy to find and download from the Internet show people how to exploit badly configured networks and physical weaknesses in the LAN, making it depressingly easy for them to launch a devastating VLAN or switch attack. VLANs are implemented at layer 2 of the OSI network model. The majority of layer 2 (data link layer) attacks exploit the inability of a switch to track an attacker, because the switch has no inherent mechanism to detect that an attack is occurring. This weakness means that the same attacker can perform malicious acts against the network path, altering the path and exploiting the change without detection. Despite the scale and variety of switch and VLAN threats - and their potentially devastating impact on networks - they can all be effectively mitigated through the combination of good network management practices, effective network design and the application of advanced security products. Switches and VLANs can be secure, and organizations should not be deterred from deploying them because of the threats; rather, they should deploy them wisely to mitigate the threats.

An analyst wants to implement a more secure wireless authentication for office access points. Which of the following technologies allows for encrypted authentication of wireless clients over TLS? A. PEAP B. EAP C. RADIUS D. WPA2

D. WPA2 Short for Wi-Fi Protected Access 2, WPA2 is the security method that succeeded WPA for wireless networks and provides stronger data protection and network access control. It provides enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks. Based on the IEEE 802.11i standard, WPA2 provides government-grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm and 802.1X-based authentication. There are two versions of WPA2: WPA2-Personal and WPA2-Enterprise. WPA2-Personal protects against unauthorized network access by utilizing a set-up password. WPA2-Enterprise verifies network users through an authentication server using TLS. WPA2 is backward compatible with WPA.

A security administrator wishes to implement a secure method of file transfer when communicating with outside organizations. Which of the following protocols would BEST facilitate secure file transfers? (Select TWO) A. TFTP B. FTP C. SMTP D. SNMP E. FTPS F. SCP

E. FTPS F. SCP Secure Copy Protocol (SCP) is a means of securely transferring computer files between a local host and a remote host or between two remote hosts. It is based on the Secure Shell (SSH) protocol. "SCP" commonly refers to both the Secure Copy Protocol and the program itself. FTPS (commonly referred to as FTP/SSL) is a name used to encompass a number of ways in which FTP software can perform secure file transfers. Each way involves the use of an SSL/TLS layer below the standard FTP protocol to encrypt the control and/or data channels. In explicit mode (also known as FTPES), an FTPS client must "explicitly request" security from an FTPS server and then step up to a mutually agreed encryption method. If a client does not request security, the FTPS server can either allow the client to continue insecurely or refuse the connection. Negotiation is not allowed with implicit FTPS configurations: the client is immediately expected to open the session with a TLS/SSL Client Hello message, and if the FTPS server does not receive such a message, it drops the connection.

A network administrator adds an ACL to allow only HTTPS connections from host 192.168.2.3 to web server 192.168.5.2. After applying the rule, the host is unable to access the server. The network administrator reviews the output and notices the configuration below:
accesslist 102 permit tcp host 192.168.2.6 eq 3389 host 192.168.5.2
accesslist 102 deny ip any any log
accesslist 102 permit tcp host 192.168.2.3 eq 143 host 192.168.5.2
Which of the following rules would be BEST to resolve the issue?
A.
accesslist 102 permit tcp host 192.168.2.3 host 192.168.5.2 eq 443
accesslist 102 permit tcp host 192.168.2.6 host 192.168.5.2 eq 3389
accesslist 102 deny ip any any log
B.
accesslist 102 permit tcp host 192.168.2.6 host 192.168.5.2 eq 3389
accesslist 102 deny ip any any log
accesslist 102 permit tcp host 192.168.2.3 host 192.168.5.2 eq 443
C.
accesslist 102 permit tcp host 192.168.2.3 eq 443 host 192.168.5.2
accesslist 102 deny ip any any log
accesslist 102 permit tcp host 192.168.2.6 eq 3389 host 192.168.5.2
D.
accesslist 102 permit tcp host 192.168.2.3 host 192.168.5.2
accesslist 102 permit tcp host 192.168.2.6 eq 3389 host 192.168.5.2
accesslist 102 deny ip any any log

Option A An Access Control List, as the name suggests, is a list that grants or denies permission to packets trying to reach services attached to a device. ACLs are usually implemented on the firewall or router that decides about the flow of traffic. If a packet matches the specified parameters of a permit entry, it is allowed to travel into the network; otherwise the packet is dropped. Network administrators modify a standard Access Control List (ACL) by adding lines, and each new entry added to the ACL appears at the bottom of the list. Remember that access control lists are evaluated TOP DOWN. When the firewall receives a packet on that interface, it goes through the access control entries ("ACEs") from the top down until it finds a match, and then applies whatever the first matching rule defines, whether permit or deny. Matching is not based on the most specific criteria; it is simply the first match from the top down. In the original configuration the deny-all entry sits above the permit for 192.168.2.3, so that permit is never reached (and it names port 143 rather than 443 in any case); option A places the HTTPS permit above the deny-all entry with the destination port set to 443.
