Chapter 2

What command would generate the output shown here? A. nslookup B. ipconfig C. netstat -a D. dig

A. The output shown is from nslookup, which is used to interact with the DNS server for your domain.

What IPSec protocol provides authentication and encryption? A. AH B. ESP C. IKE D. ISAKMP

B. Encapsulating Security Payload provides both integrity and encryption.

Farès has implemented a flood guard. What type of attack is this most likely to defend against? A. SYN attack B. DNS poisoning C. MAC spoofing D. ARP spoofing

A. A SYN attack is a type of flooding attack that is a denial of service. Flood guards are either stand-alone or, more often, part of a firewall, and they prevent flooding attacks.

Omar is responsible for wireless security in his company. He wants completely different WiFi access (i.e., a different SSID, different security levels, and different authentication methods) in different parts of the company. What would be the best choice for Omar to select in WAPs? A. Fat B. Thin C. Repeater D. Full

A. A fat wireless access point (WAP) is one that has all the functionality needed, such as; ability to traffic forwarded between wired interfaces like a layer 2 or layer 3 switch and MAC filtering, and no other servers or devices are required. In this case, since each WAP might have completely different needs, a fat WAP is preferred.

Denish is looking for a solution that will allow his network to retrieve information from a wide range of web resources, while all traffic passes through a proxy. What would be the best solution? A. Forward proxy B. Reverse proxy C. SPI D. Open proxy

A. A forward proxy is a single location that provides access to a wide range of web sources.

You are responsible for always-on VPN connectivity for your company. You have been told that you must use the most secure mode for IPSec that you can. Which of the following would be the best for you to select? A. Tunneling B. AH C. IKE D. Transport

A. A tunneling mode is the mode wherein IPSec encrypts the entire packet, header, and data. This prevents someone sniffing traffic from gathering metadata about the traffic.

Shelly is very concerned about unauthorized users connecting to the company routers. She would like to prevent spoofing. What is the most essential antispoofing technique for routers? A. ACL B. Logon C. NIPS D. NIDS

A. Access control lists are Cisco's primary recommendation to prevent spoofing on routers. ACLs limit access to the router and its functionality.

Derrick is responsible for a web server cluster at his company. The cluster uses various load-balancing protocols. Derrick wants to ensure that clients connecting from Europe are directed to a specific server in the cluster. What would be the best solution to his problem? A. Affinity B. Binding C. Load balancing D. Round-robin

A. Affinity load balancing ties certain users or groups of users to a specific server so they will be routed to that server if possible.

Elizabeth is responsible for SIEM systems in her company. She monitors the company's SIEM screens every day, checking every hour. What, if any, would be a better approach for her to keep up with issues that appear in the logs? A. Automatic alerts B. Having logs forwarded to her email C. Nothing, this is fine. D. Review SIEM logs primarily when an incident occurs.

A. An SIEM aggregates logs from multiple servers and devices. It is difficult to review so many logs, and of course issues could occur when Elizabeth is away from the SIEM management console. Having automatic alerts is the best way to be made aware of issues that require Elizabeth's attention.

Gerald is a network administrator for a small financial services company. He is responsible for controlling access to resources on his network. What mechanism is responsible for blocking access to a resource based on the requesting IP address? A. ACL B. NIPS C. HIPS D. Port blocking

A. An access control list (ACL) has a list of which requestors are allowed access to which resources. Using an IP address to block or allow requests is a common technique.

You are the network administrator for an e-commerce company. You are responsible for the web server cluster. You are concerned about not only failover, but also load-balancing and using all the servers in your cluster to accomplish load-balancing. What should you implement? A. Active-active B. Active-passive C. Affinity D. Round-robin

A. An active-active cluster has all servers working, rather than keeping a duplicate server in reserve.

Terrance is trying to get all of his users to connect to a certificate server on his network. However, some of the users are using machines that are incompatible with the certificate server, and changing those machines is not an option. Which of the following would be the best solution for Terrance? A. Use an application proxy for the certificate server. B. Use NAT with the certificate server. C. Change the server. D. Implement a protocol analyzer.

A. An application proxy server is often used when the client and the server are incompatible for direct connection with the server.

Abigail is a security manager for a small company. Many employees want to use handheld devices, such as smartphones and tablets. The employees want to use these devices both for work and outside of work. Abigail is concerned about security issues. Which of the following would be the most secure solution? A. COPE B. CYOD C. Geotagging D. BYOD

A. Company-Provided Equipment provides the most security because the company owns and provides the equipment to employees. This allows the company to fully control security, such as preventing carrier unlocking, disable recording microphone, prevent WiFi direct and WiFi ad-hoc.

Maria is a security engineer with a large bank. Her CIO has asked her to investigate the use of context-aware authentication for online banking. Which of the following best describes context-aware authentication? A. In addition to username and password, authentication is based on the entire context (location, time of day, action being attempted, etc.). B. Without a username or password, authentication is based on the entire context (location, time of day, action being attempted, etc.). C. Authentication that requires a username and password, but in the context of a token or digital certificate D. Authentication that requires a username and password, but not in the context of a token or digital certificate

A. Context-aware authentication does still require a username and password, but in addition to those criteria, it examines the user's location, time of day they are logging in, computer they are logging in from, what they are trying to do, and so forth.

What technology was first introduced in Windows Vista and still exists in Windows that helps prevent malware by requiring user authorization to run executables? A. DEP B. DLP C. UTM D. ANT

A. Date Execution Prevention (DEP) requires the user to authorize any executable to execute. It should be noted that this is the definition Microsoft used for its functionality. A more technical definition is that Data Execution Prevention is preventing software from accessing restricted memory such as the operating system's memory.

Edward is a security manager for a bank. He has recently been reading a great deal about malware that accesses system memory. He wants to find a solution that would stop programs from utilizing system memory. Which of the following would be the best solution? A. DEP B. FDE C. UTM D. IDS

A. Date Execution Prevention (DEP) specifically monitors programs accessing system memory and prevents that. Note that the Microsoft implementation of DEP simply requires the end user to authorize all program execution.

What command produced the output shown here? tracert -h 10 www.chuckeasttom.com tracert www.chuckeasttom.com netstat www.chuckeasttom.com nmap www.chuckeasttom.com

A. The tracert command is used to trace the route to a target (the equivalent command in Linux is traceroute). The -h command sets the maximum number of hops before giving up.

You work at a defense contracting company. You are responsible for mobile device security. Some researchers in your company use company-issued tablets for work. These tablets may contain sensitive, even classified data. What is the most important security measure for you to implement? A. FDE B. GPS tagging C. Geofencing D. Content management

A. Full-disk encryption (FDE) is the best way to protect data on any device. In this scenario, the sensitive data on the tablets is the most important concern; therefore, securing that data with FDE is the most important security measure to take.

When using any HIDS/HIPS or NIDS/NIPS, the output is specific to the vendor. However, what is the basic set of information that virtually all HIDSs/HIPSs or NIDSs/NIPSs provide? A. IP addresses (sender and receiver), ports (sender and receiver), and protocol B. IP addresses (sender and receiver), ports (sender and receiver), and attack type C. IP addresses (sender and receiver), ports (sender and receiver), usernames, and machine names D. Usernames, machine names, and attack type

A. HIDSs/HIPSs and NIDSs/NIPSs each have output that the vendor specifies. But all such devices will output what protocol the traffic was, the source and destination IP addresses, as well as the source and destination port. More information may be provided, but this is the essential basic information all IDSs/IPSs display.

Frank is a network administrator for a small college. The college has implemented a simple NIDS. However, the NIDS seems to only catch well-known attacks. What technology is this NIDS likely missing? A. Heuristic scanning B. Signature scanning C. Passive scanning D. Active scanning

A. Heuristic scanning involves scanning for anomalous behavior that might indicate an attack, even if there is no known attack signature.

There has been a breach of the ACME network. John manages the SIEM at ACME. Part of the attack disrupted NTP; what SIEM issue would this most likely impact? A. Time synchronization B. Correlation C. Event duplication D. Events not being logged

A. If Network Time Protocol (NTP) is disrupted, then the various servers that forward logs to the SIEM might not have the same time. This could lead to events that actually took place at the same time appearing to have occurred at different times.

Hector is responsible for NIDS/NIPS in his company. He is configuring a new NIPS solution. What part of the NIPS collects data? A. Sensor B. Data source C. Manager D. Analyzer

A. In any IDS (HIDS/HIPS; NIDS/NIPS), the sensors collect data from the network segment they are on and forward that information to the analyzer.

Emiliano is a network administrator for a large web-hosting company. His company also issues digital certificates to web-hosting clients. He wants to ensure that a digital certificate will not be used once it has been revoked. He also wants to ensure that there will be no delay between when the certificate is revoked and when browsers are made aware that it is revoked. What solution would be best for this? A. OCSP B. X.509 C. CRL D. PKI

A. Online Certificate Status Protocol (OCSP) checks the status of a certificate in real time. So when the browser is about to download a certificate, it first gets a real-time update if the certificate is valid or not.

Donald is working as a network administrator. He is responsible for the database cluster. Connections are load-balanced in the cluster by each new connection being simply sent to the next server in the cluster. What type of load-balancing is this? A. Round-robin B. Affinity C. Weighted D. Rotating

A. Round-robin load balancing simply sends each new connection to the next server in the cluster.

Teresa is responsible for incident response at ACME Company. There was a recent breach of the network. The breach was widespread and affected many computers. As part of the incident response process, Teresa will collect the logs from the SIEM, which aggregates logs from 20 servers. Which of the following should she do first? A. Event de-duplication B. Log forwarding C. Identify the nature of the attack D. Identify the source IP of the attack

A. Since 20 servers send logs to the SIEM, de-duplicating events will be important.

Remote employees at your company frequently need to connect to both the secure company network via VPN and open public websites, simultaneously. What technology would best support this? A. Split tunnel B. IPSec C. Full tunnel D. TLS

A. Split tunneling allows a mobile user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time.

What command would produce the image shown here? A. ping -n 6 -l 100 192.168.1.1 B. ping 192.168.1.1 -n 6 -s 100 C. ping #6 s 100 192.168.1.1 D. ping -s 6 -w 100 192.168.1.1

A. The -n command is used to set the number of ping packets to send—in this case, 6—and -l sets the size—in this case, 100 bytes.

Omar is a network administrator for ACME Company. He is responsible for the certificate authorities within the corporate network. The CAs publish their CRLs once per week. What, if any, security issue might this present? A. Revoked certificates still being used B. Invalid certificates being issued C. No security issue D. Certificates with weak keys

A. The certificate revocation list designates certificates that have been revoked for some reason. Those certificates should no longer be used. But if the CRL is published only once per week, then a revoked certificate could potentially be used for up to a week after being revoked.

You are responsible for network security at an insurance company. A lot of employees bring their own devices. You have security concerns about this. You have decided to implement a process whereby when users connect to your network, their devices are scanned. If a device does not meet your minimum security requirements, it is not allowed to connect. What best describes this? A. NAC B. SPI C. IDS D. BYOD

A. The correct answer is NAC, or Network Access Control. NAC is a network management solution that defines and implements a policy that enables only compliant and trusted endpoint devices to access network resources.

John is concerned about the security of data on smartphones and tablets that his company issues to employees. Which of the following would be most effective in preventing data loss, should a device be stolen? A. Remote wipe B. Geolocation C. Strong PIN D. Limited data storage

A. The most effective protection against data loss is the ability to remotely wipe the phone.

Gabriel is using nmap to scan one of his servers whose IP address is 192.168.1.1. He wants to perform a ping scan, but the network blocks ICMP, so he will try a TCP ping scan and do so very slowly. Which of the following would accomplish that? A. nmap -O -PT -T1 192.168.1.1 B. nmap -O - T3 192.168.1.1 C. nmap -T -T1 192.168.1.1 D. nmap -PT -T5 192.168.1.1

A. The nmap -O flag indicates that you want to guess the operating system. The -PT scan means do a ping with TCP. The -T1 is a very slow scan.

You are responsible for firewalls in your company. You are reviewing the output of the gateway firewall. What basic information would any firewall have in its logs? A. For all traffic: the source and destination IP and port, protocol, and whether it was allowed or denied B. For only blocked traffic: the source and destination IP and port as well as the reason for the traffic being denied/blocked C. For all traffic: the source and destination IP and port, whether it was allowed or denied, and the reason it was denied/blocked D. For only blocked traffic: the source and destination IP, protocol, and the reason it was denied/blocked

A. The standard items in any firewall log are the source and destination IP address and port of all traffic, the protocol the traffic is using, and whether that traffic was allowed or denied.

John has discovered that an attacker is trying to get network passwords by using software that attempts a number of passwords from a list of common passwords. What type of attack is this? A. Dictionary B. Rainbow table C. Brute force D. Session hijacking

A. This is an example of a dictionary attack. The attacker uses a list of words that are believed to be likely passwords.

Someone has been rummaging through your company's trash bins seeking to find documents, diagrams, or other sensitive information that has been thrown out. What is this called? A. Dumpster diving B. Trash diving C. Social engineering D. Trash engineering

A. This is the term for rummaging through the waste/trash.

Daryll has been using a packet sniffer to observe traffic on his company's network. He has noticed that traffic between the web server and the database server is sent in clear text. He wants a solution that will not only encrypt that traffic, but also leverage the existing digital certificate infrastructure his company has. Which of the following would be the best solution for Daryll? A. TLS B. SSL C. IPSec D. WPA2

A. Transport Layer Security (TLS) can be used to secure any network communication (HTTP, LDAP, SMTP, etc.) and it uses digital certificates.

Sheila is responsible for data backups for all the company servers. She is concerned about frequency of backup and about security of the backup data. Which feature, found in some backup utility software, would be most important to her? A. Using data encryption B. Digitally signing the data C. Using automated backup scheduling D. Hashing the backup data

A. When backing up data, if you do not encrypt the data, then it would be possible for anyone to restore the backup and have access to all data you have backed up. Not all backup utilities include data encryption.

Mark is looking for a proxy server for his network. The purpose of the proxy server is to ensure that the web servers are hidden from outside clients. All of the different web servers should appear to the outside world as if they were the proxy server. What type of proxy server would be best for Mark to consider? A. Forward B. Reverse C. Transparent D. Firewall

B. A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. The sources appear to the client as if they came from the proxy server. In other words, the entire outside world appears as the proxy server to the client.

What is the purpose of screen locks on mobile devices? A. To encrypt the device B. To limit access to the device C. To load a specific user's apps D. To connect to WiFi

B. A screen lock limits access to users who know the code.

Olivia has discovered steganography tools on an employee's computer. What is the greatest concern regarding employees having steganography tools? A. Password cracking B. Data exfiltration C. Hiding network traffic D. Malware

B. An employee could hide sensitive data in files using steganography and then exfiltrate that data.

You are a security officer for a large law firm. You are concerned about data loss prevention. You have limited the use of USBs and other portable media, you use an IDS to look for large volumes of outbound data, and a guard searches all personnel and bags before they leave the building. What is a key step in DLP that you have missed? A. Portable drives B. Email C. Bluetooth D. Optical media

B. An insider could send out data as an email attachment.

Employees in your company are allowed to use tablets. They can select a tablet from four different models approved by the company but purchased by the employee. What best describes this? A. BYOD B. CYOD C. COPE D. BYOE

B. Choose Your Own Device (CYOD) allows employees to bring their own devices to work, but only if they are chosen from a list of approved models.

What best describes mobile device content management? A. Limiting how much content can be stored. B. Limiting the type of content that can be stored. C. Blocking certain websites. D. Digitally signing authorized content.

B. Content management for a mobile device involves limiting what content can be placed on the phone.

Mohaned is an IT manager for a hotel. His hotel wants to put wireless access points on each floor. The specifications state that the wireless access points should have minimal functionality, with all the configuration, authentication, and other functionality centrally controlled. What type of wireless access points should Mohaned consider purchasing? A. Fat B. Controller-based C. Stand-alone D. 801.11i

B. Controller-based wireless access points have minimal functionality, with most functions centrally controlled.

Mike is responsible for testing security at his company. He is using a tool that identifies vulnerabilities and provides mechanisms to test them by attempting to exploit them. What best describes this type of tool? A. Vulnerability scanner B. Exploit framework C. Metasploit D. Nessus

B. Exploit frameworks are tools that provide a framework for finding vulnerabilities and then attempting to exploit those vulnerabilities. These tools are an important part of network security testing.

What does geofencing accomplish? A. Provides the location for a mobile device. B. Limits the range a mobile device can be used in. C. Determines WiFi coverage areas. D. Segments the WiFi.

B. Geofencing sets up geographic boundaries, beyond which a device won't work.

Sarah is the CIO for a small company. She recently had the entire company's voice calls moved to VoIP. Her new VoIP system is using SIP with RTP. What might be the concern with this? A. SIP is not secure. B. RTP is not secure. C. RTP is too slow. D. SIP is too slow.

B. Real-time Transport Protocol (RTP) is used to transport VoIP and video signals, but it is not encrypted. Secure Real-time Transport Protocol (SRTP) should be used.

You are responsible for email server security in your company. You want to implement encryption of all emails, using third-party authenticated certificates. What protocol should you implement? A. IMAP B. S/MIME C. PGP D. SMTP-S

B. Secure Multipurpose Internet Mail Extensions (S/MIME) encrypts email using X.509 certificates that are created and authenticated by a trusted third party.

Francis is a security administrator at a large law firm. She is concerned that confidential documents, with proprietary information, might be leaked. The leaks could be intentional or accidental. She is looking for a solution that would embed some identifying information into documents in such a way that it would not be seen by the reader but could be extracted with the right software. What technology would best meet Francis's needs? A. Symmetric encryption B. Steganography C. Hashing D. Asymmetric encryption

B. Steganography allows you to embed data, messages, or entire files in other files. It is common to use this to embed some identifying mark that would track the owner of the document and perhaps its originating location. Steganography can track confidential documents.

You are responsible for authentication methods at your company. You have implemented fingerprint scanners to enter server rooms. Frequently people are being denied access to the server room, even though they are authorized. What problem is this? A. FAR B. FRR C. CER D. EER

B. The false rejection rate (FRR) is the rate at which authentication attempts are rejected when they should have succeeded. When you are getting a high number of authorized individuals being denied access, that is due to an FRR that is too high.

What command would generate the output shown here? A. netstat -a B. netstat -o C. arp -a D. arp -g

B. The netstat command displays all connections, and the -o flag shows the process that owns that connection.

When you are considering an NIDS or NIPS, what are your two most important concerns? A. Cost and false positives B. False positives and false negatives C. Power consumption and cost D. Management interface and cost

B. The total number of erroneous reports (i.e., false positives and false negatives) is the biggest concern because this determines effectiveness of the system.

Joanne has implemented TLS for communication with many of her networks servers. She wants to ensure that the traffic cannot be sniffed. However, users now complain that this is slowing down connectivity. Which of the following is the best solution? A. Increase RAM on servers. B. Change routers to give more bandwidth to traffic to these servers. C. Implement TLS accelerators. D. Place all servers in clusters with extensive load-balancing.

C. A TLS accelerator is a processor that handles processing, specifically processor-intensive public-key encryption for Transport Layer Security (TLS). This should significantly improve server responsiveness.

Hans is a network administrator for a large bank. He is concerned about employees violating software licenses. What would be the first step in addressing this issue? A. Performing software audits B. Scanning the network for installed applications C. Establishing clear policies D. Blocking the ability of users to install software

C. A clear security policy must be created that explains software licensing and the company processes for software licensing. Without clear policies, any other countermeasures will be less effective.

Mia is responsible for security devices at her company. She is concerned about detecting intrusions. She wants a solution that would work across entire network segments. However, she wants to ensure that false positives do not interrupt work flow. What would be the best solution for Mia to consider? A. HIDS B. HIPS C. NIDS D. NIPS

C. A network intrusion detection system (NIDS) will detect intrusions across a network segment, but it won't block the possible attacks, thus not disrupting work due to false positives.

Mahmoud is considering moving all company desktops to a VDI deployment. Which of the following would be a security advantage of VDI? A. Employees can work from any computer in the company. B. VDI is more resistant to malware. C. Patch management is centrally controlled. D. It eliminates man-in-the-middle attacks.

C. Virtual Desktop Infrastructure does have all patch management centrally controlled.

Lars is responsible for incident response at ACME Company. He is particularly concerned about the network segment that hosts the corporate web servers. He wants a solution that will detect potential attacks and notify the administrator so the administrator can take whatever action he or she deems appropriate. Which of the following would be the best solution for Lars? A. HIDS B. HIPS C. NIDS D. NIPS

C. A network intrusion detection system (NIDS) will detect suspected attacks on a given network segment and notify the administrator. For example, in an anomaly detection, the administrator will be notified if there are any deviation from an expected pattern or behavior.

ACME Company has several remote offices. The CIO wants to set up permanent secure connections between the remote offices and the central office. What would be the best solution for this? A. L2TP VPN B. IPSEC VPN C. Site-to-site VPN D. Remote-access VPN

C. A site-to-site VPN is a permanent VPN connection between sites. Connecting remote offices is a typical site-to-site VPN implementation.

Enrique is responsible for web application security at his company. He is concerned about attacks such as SQL injection. Which of the following devices would provide the best protection for web attacks on his web application server? A. ACL B. SPI C. WAF D. IDS

C. A web application firewall (WAF) is designed to provide firewall protection that also will protect against specific web attacks.

What does application management accomplish for mobile devices? A. Only allows applications from the iTunes store to be installed B. Ensures the company has a list of all applications on the devices C. Ensures only approved applications are installed on the devices D. Updates patches on all applications on mobile devices

C. Application management is primarily concerned with ensuring only authorized and approved applications are installed on mobile devices.

Frank is a web server administrator for a large e-commerce company. He is concerned about someone using netcat to connect to the company web server and retrieving detailed information about the server. What best describes his concern? A. Passive reconnaissance B. Active reconnaissance C. Banner grabbing D. Vulnerability scanning

C. Banner grabbing is a process whereby someone connects to a target web server and attempts to gather information, literally grabbing the web services "banner." This is often done by telnetting into the web server. It can also be done with netcat, using an HTTP request.

Your company has hired an outside security firm to perform various tests of your network. During the vulnerability scan you will provide that company with logins for various systems (i.e., database server, application server, web server, etc.) to aid in their scan. What best describes this? A. A white-box test B. A gray-box test C. A credentialed scan D. A logged-in scan

C. By giving the tester logins, you are allowing him to conduct a privilege scan (i.e., a scan with some privileges).

Terrance is implementing IPSec. He wants to ensure that the packets are encrypted, and that the packet and all headers are authenticated. What should he implement? A. AH B. ESP C. AH and ESP D. IKE

C. ESP provides encryption and AH provides complete authentication, including the header, so both are needed to meet the requirements.

You have been asked to implement a secure protocol for transferring files that uses digital certificates. Which protocol would be the best choice? A. FTP B. SFTP C. FTPS D. SCP

C. FTPS is File Transfer Protocol with SSL/TLS and uses digital certificates to secure file transfer.

You are responsible for firewalls in your organization. You are concerned about ensuring that all firewalls are properly configured. The gateway firewall is configured as follows: to only allow inbound traffic on a very few specific, required ports; all traffic (allowed or blocked) is logged and logs forwarded to the SIEM. What, if anything, is missing from this configuration? A. Nothing, it is a good configuration. B. Encrypting all traffic C. Outbound connection rules D. Digital certificate authentication for inbound traffic

C. Firewalls do block inbound traffic and can be configured to fine-tune that blocking. However, they can and should also be configured to handle outbound traffic. This can prevent data exfiltration and other breaches.

Isabella has found netcat installed on an employee's computer. That employee is not authorized to have netcat. What security concern might this utility present? A. It is a password cracker. B. It is a packet sniffer. C. It is a network communication utility. D. It is a DoS tool.

C. Netcat is a tool widely used by network administrators to establish communication between two machines. Having netcat on a machine could indicate an intruder has compromised that machine and installed netcat as a backdoor, or that the employee is setting up covert communication channels.

You are responsible for the security of web servers at your company. You are configuring the WAF and want to allow only encrypted traffic to and from the web server, including traffic from administrators using a command-line interface. What should you do? A. Open port 80 and 23, and block port 443. B. Open port 443 and 23, and block port 80. C. Open port 443 and 22, and block port 80 and 23. D. Open port 443, and block all other ports.

C. Port 442 is used for HTTPS, HTTP encrypted via TLS. Port 22 is used for secure shell (SSH), which is a secure, encrypted command-line interface often used by administrators. Port 80 is for unencrypted HTTP traffic. Port 23 is for telnet, an insecure command-line interface.

You have been assigned to select a backup communication method for your company to use in case of significant disasters that disrupt normal communication. Which option would provide the most reliability? A. Cellular B. WiFi C. SATCOM D. VoIP

C. Satellite communications are most resistant to disasters that disrupt communications.

Ahmed is responsible for VoIP at his company. He has been directed to ensure that all VoIP calls have the option to be encrypted. What protocol is best suited for security VoIP calls? A. SIP B. TLS C. SRTP D. SSH

C. Secure Real-Time Transport Protocol (SRTP) is used to encrypt and secure RTP. RTP is the protocol for transmitting VoIP.

Frank believes there could be a problem accessing the DHCP server from a specific client. He wants to check by getting a new dynamic IP. What command will do this? A. ipconfig /request B. NETSTAT -renew C. ipconfig /renew D. NETSTAT /request

C. The ipconfig /renew command will request a new IP from the DHCP server.

You are responsible for security at Acme Company. Recently, 20 new employee network accounts were created, with the default privileges for the network. You have discovered that eight of these have privileges that are not needed for their job tasks. Which security principle best describes how to avoid this problem in the future? A. Least privileges B. Separation of duties C. Implicit deny D. Weakest link

C. The security concept of implicit deny states that any new access account will by default be denied all access. When a request is made for specific privileges for that account, then the privileges are explicitly applied. This means that by default all privileges are implicitly denied.

Jarod is concerned about DLP in his organization. Employees all have cloud-based solutions for data storage. What DLP-related security hazard, if any, might this create? A. No security hazard B. Malware from the cloud C. Data exfiltration through the cloud D. Security policies don't apply to the cloud.

C. Using cloud storage means that data is placed in the cloud, and can be accessed from outside the network. This presents a problem for data loss prevention (DLP) since it provides a convenient way to exfiltrate data from the network.

John is implementing virtual IP load-balancing. He thinks this might alleviate network slowdowns, and perhaps even mitigate some of the impact of a denial-of-service attack. What is the drawback of virtual IP load-balancing? A. It is resource-intensive. B. Most servers don't support it. C. It is connection-based, not load-based. D. It works only on Unix/Linux servers.

C. Virtual IP load balancing does not take the load of each interface into account and assumes all loads are essentially similar.

Mary is concerned that SIEM logs at her company are not being stored long enough, or securely enough. She is aware that it is possible a breach might not be discovered until long after it occurs. This would require the company to analyze older logs. It is important that Mary find an SIEM log backup solution that can a) handle all the aggregate logs of the SIEM, b) be maintained for a long period of time, and c) be secure. What solution would be best for her? A. Back up to large-capacity external drives. B. Back up to large-capacity backup tapes. C. Back up to WORM storage. D. Back up to tapes that will be stored off-site.

C. Write once, read many (WORM) storage is a type of high-capacity storage wherein once the data is written to the storage, it cannot be edited. It provides both high-capacity storage and secure storage, since the backups cannot be tampered with.

Charles is responsible for security for web servers in his company. Some web servers are used for an internal intranet, and some for external websites. He has chosen to encrypt all web traffic, and he is using self-signed X.509 certificates. What, if anything, is wrong with this approach? A. He cannot encrypt all HTTP traffic. B. He should use PGP certificates. C. He should not use self-signed certificates. D. Nothing; this is an appropriate configuration.

C. X.509 is the most common standard for digital certificates. It is relatively easy to create your own self-signed certificate. However, if you use a self-signed certificate on a public website, everyone visiting the website will receive a security error message from their browser.

Teresa is responsible for network administration at a health club chain. She is trying for find a communication technology that uses low power and can spend long periods in low-power sleep modes. Which of the following technologies would be the best fit? A. WiFi B. Cellular C. Bluetooth D. ANT

D. ANT is a proprietary wireless network technology that provides low-power modes and is used in WiFi settings. It has been used in sports-related technologies.

Debra is the network administrator for her company. Her company's web servers are all in a cluster. Her concern is this: if one of the servers in the cluster fails, will the backup server be capable of running for a significant amount of time? She wants to make sure that the backup won't soon fail. What would be her best choice in clustering? A. Active-active B. Round-robin C. Affinity D. Active-passive

D. An active-passive cluster has backup servers that are not handling any workload. They are brought into action if the primary server fails. This means the backup server will not have been subjected to any workload and is effectively a new machine.

Dominick is responsible for security at a medium-sized insurance company. He is very concerned about detecting intrusions. The IDS he has purchased states that he must have an IDS on each network segment. What type of IDS is this? A. Active B. IPS C. Passive D. Inline

D. An inline IDS is actually in the traffic line (i.e., on the network segment where traffic is).

Mary is responsible for network security at a medium-sized insurance company. She is concerned that the offices are too open to public traffic and someone could simply connect a laptop to an open RJ45 jack and access the network. Which of the following would best address this concern? A. ACL B. IDS C. VLAN D. Port security

D. By mapping network jacks to specific MAC addresses of machines, you can prevent a rogue machine from being connected.

Juan is responsible for the SIEM in his company. The SIEM aggregates logs from 12 servers. In the event that a breach is discovered, which of the following would be Juan's most important concern? A. Event duplication B. Time synchronization C. Impact assessment D. Correlation

D. Correlating the events from the servers related to the breach would be the most important issue to address for the SIEM manager.

You are responsible for network management at your company. You have been using SNMP for many years. You are currently using SNMP v2. A colleague has recently suggested you upgrade to SNMP v3. What is the primary benefit of SNMP v3? A. It is much faster. B. It integrates with SIEM. C. It uses CHAP authentication. D. It is encrypted.

D. Earlier versions of SNMP sent all traffic in clear text. SNMP v3 sends all data encrypted.

Victor is concerned about data security on BYOD and COPE. He is concerned specifically about data exposure should the device become lost or stolen. Which of the following would be most effective in countering this concern? A. Geofencing B. Screen lock C. GPS tagging D. Device encryption

D. Encrypting a mobile device is the best way to ensure the data on the device is secure. If the device is stolen or simply misplaced, then the data cannot be retrieved.

You are concerned about an attacker enumerating all of your network. What protocol might help at least mitigate this issue? A. HTTPS B. TLS C. IPSec D. LDAPS

D. Lightweight Directory Access Protocol Secure (LDAPS) would at least mitigate the risk. LDAP is a directory of the network (computers, users, etc.). Securing that would help mitigate network enumeration.

Which of the following email security measures would have the most impact on phishing emails? A. Email encryption B. Hardening the email server C. Digitally signing email D. Spam filter

D. Phishing emails are often sent out to masses of people and a spam filter would block at least some of that, thus reducing the phishing email attacks.

Teresa is responsible for WiFi security in her company. Her main concern is that there are many other offices in the building her company occupies and that someone could easily attempt to breach their WiFi from one of these locations. What technique would be best in alleviating her concern? A. Using thin WAPs B. Geofencing C. Securing the Admin screen D. WAP placement

D. Placing the WAPs carefully so as to provide the best coverage for the company, with minimum overlap outside the company, will be the best way to keep those in adjacent offices from attempting to breach the WiFi. When placing WAPs for the best coverage, one needs to focus on signal strength to ensure there is no gaps between WPAs.

Lilly is a network administrator for a medium-sized financial services company. She wants to implement company-wide encryption and digital signing of emails. But she is concerned about cost, since there is a very limited budget for this. What would be her best choice? A. SMTPS B. S/MIME C. IMAPS D. PGP

D. Pretty Good Privacy (PGP) is very appropriate for email security. It provides self-signed certificates for email signing and encrypting. It is also very low cost.

Elizabeth is responsible for secure communications at her company. She wants to give administrators the option to log in remotely and to execute command-line functions, but she wants this to only be possible via a secure, encrypted connection. What action should she take on the firewall? A. Block port 23 and allow ports 20 and 21. B. Block port 22 and allow ports 20 and 21. C. Block port 22 and allow port 23. D. Block port 23 and allow port 22.

D. Secure Shell (SSH) uses port 22 and provides a secure, encrypted command-line interface. Telnet uses port 23 and is not secure.

Joanne is responsible for all remote connectivity to her company's network. She knows that administrators frequently log in to servers remotely to execute command-line commands and Linux shell commands. She wants to make sure this can only be done if the transmission is encrypted. What protocol should she use? A. HTTPS B. RDP C. Telnet D. SSH

D. Secure Shell gives a remote command-line interface that is encrypted.

Juanita is a network administrator for a large university. The university has numerous systems, each with logs she must monitor and analyze. What would be the best approach for her to view and analyze logs from a central server? A. NAC B. Port forwarding C. IDS D. SIEM

D. Security Information and Event Management (SIEM) systems are designed specifically for log aggregation and analysis.

Mary is a network administrator for ACME Company. She sometimes needs to run a packet sniffer so that she can view the network traffic. She wants to find a well-known packet sniffer that works on Linux. Which of the following would be her best choice? A. Ophcrack B. Nmap C. Wireshark D. Tcpdump

D. Tcpdump is a widely used packet sniffer, made for Linux but ported to Windows. It works from the shell in Linux (the command line in Windows) and allows the user to dump current network traffic.

You are responsible for network security at a university. Faculty members are issued laptops. However, many of the faculty members leave the laptops in their offices most of the time (sometimes even for weeks). You are concerned about theft of laptops. In this scenario, what would be the most cost-effective method of securing the laptops? A. FDE B. GPS tagging C. Geofencing D. Tethering

D. Tethering is usually inexpensive, and simply tethering a portable device to a desk makes it difficult to steal the device. No antitheft method is foolproof, but tethering is simple, cost effective, and reasonably effective.

Derrick is a network administrator for a large company. The company network is segmented into zones of high security, medium security, low security, and the DMZ. He is concerned about external intruders and wishes to install a honeypot. Which is the most important zone to put the honeypot in? A. High security B. Medium security C. Low security D. DMZ

D. The DMZ is the best location for a honeypot, if the concern is outside intruders. An intruder is likely to first breach the outer firewall of the DMZ. A honeypot could conceivably catch the intruder there and prevent him or her from going further into the network.

John is looking for a new firewall for a small company. He is concerned about DoS attacks, particularly the SYN flood. Which type of firewall would give the best protection against the SYN flood? A. Packet filter B. Application gateway C. Bastion D. SPI

D. The correct answer is stateful packet inspection (SPI). SPI looks at the entire context of the conversation and will stop SYN floods.

Gerald is setting up new wireless access points throughout his company's building. The wireless access points have just the radio transceiver, with no additional functionality. What best describes these wireless access points? A. Fat B. Repeater C. Thick D. Thin

D. The term for this is thin wireless access point.

John is responsible for security of his company's new e-commerce server. He wants to ensure that online transactions are secure. What technology should he use? A. L2TP B. IPSec C. SSL D. TLS

D. Transport Layer Security (TLS) is used to encrypt and secure web traffic.

Ahmed is responsible for VPN connections at his company. His company uses IPSec exclusively. He has decided to implement IPSec in a mode that encrypts the data of only the packet, not the headers. What is this called? A. Tunneling B. IKE C. ESP D. Transport

D. Transport mode is the mode wherein IPSec encrypts the data, but not the packet header.

William is a security officer for a large bank. When executives' laptops are decommissioned, he wants to ensure that the data on those laptops is completely wiped so that it cannot be recovered, even using forensic tools. How many times should William wipe a hard drive? A. 1 B. 3 C. 5 D. 7

D. US DoD data sanitization standard DoD 5220.22-M recommends an average of 7 complete wipes to wipe data. The standard has a matrix wherein you match the sensitivity of the data to a specific number of wipes, but the general rule is 7.

You are responsible for security at your company. One of management's biggest concerns is that employees might exfiltrate sensitive data. Which of the following would you implement first? A. IPS B. Routine audits of user machines C. VLAN D. USB blocking

D. USB blocking will prevent anyone from plugging in a USB and taking out data.

John is responsible for network security at a very small company. Due to both budget constraints and space constraints, John can select only one security device. What should he select? A. Firewall B. Antivirus C. IDS D. UTM

D. Unified threat management (UTM) combines multiple security services into one device. It is common for a UTM to have firewall, antivirus, and IDS services all in one device.

Maria is responsible for monitoring IDS activity on her company's network. Twice in the past month there has been activity reported on the IDS that investigation has shown was legitimate traffic. What best describes this? A. False negative B. Passive C. Active D. False positive

D. When an IDS (or any security device) labels legitimate traffic as an attack, that is called a false positive.

Elizabeth is responsible for security at a defense contracting company. She is concerned about users within her network exfiltrating data by attaching sensitive documents to emails. What solution would best address this concern? A. Email encryption B. USB blocking C. NIPS D. Content filtering

D. While most people think of content filtering in regard to filtering content you view, it can also be thought of in terms of content that is sent out. Implementing content filtering ensures that the problem of data exfiltration via email will be mitigated.