Security Pro Practice Questions Chapter 6

6.1.3) Attempting to find the root password on a web server by brute force.

Active Attack

Which of the following are performed by the Microsoft Baseline Security Analyzer (MBSA) tool?

Check for missing patches Check user accounts for weak passwords Check for open ports EXPLANATION Microsoft Baseline Security Analyzer (MBSA) is a vulnerability scanner that can check for the following weaknesses: Open ports Active IP addresses Running applications or services Missing critical patches Default user accounts that have not been disabled Default, blank, or common passwords

Which of the following describes a false positive when using an IPS device?

Legitimate traffic being flagged as malicious

Which of the following authentication protocols transmits passwords in cleartext, and is, therefore, considered too insecure for modern networks?

PAP EXPLANATION The password authentication protocol (PAP) is considered insecure because it transmits password information in clear text. Anyone who sniffs PAP traffic from a network can view the password information from a PAP packet with a simple traffic analyzer.

6.1.3) Sniffing network packets or performing a port scan.

Passive Attack

6.3.4) Instant messaging does not provide which of the following?

Privacy EXPLANATION Instant messaging does not provide privacy. Many Instant messaging clients communicate in cleartext or use an easily broken basic encryption scheme to protect integrity rather than confidentiality. Because of this, a sniffing attack is most likely to succeed with communications between instant messaging clients. When you employ an instant messaging system, you should assume all of your communications are being intercepted and never discuss confidential, personal, or sensitive issues.

You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tools should you use?

Retina, Nessus EXPLANATION Vulnerability scanning tools include Nessus, Retina Vulnerability Assessment Scanner, and Microsoft Baseline Security Analyzer (MBSA).

You want to be able to identify the services running on a set of servers on your network. Which tool would best give you the information you need?

Vulnerability scanner EXPLANATION Use a vulnerability scanner to gather information about systems, such as the applications or services running on the system. The vulnerability scanner often combines functions found in other tools and can perform additional functions, such as identifying open firewall ports, missing patches, and default or blank passwords.

Which of the following ports are used with TACACS?

49 EXPLANATION Terminal Access Controller Access-Control System (TACACS) uses TCP and UDP ports 49. Port 22 is used by Secure Shell (SSH). Protocol numbers 50 and 51 are used by IPsec. Ports 1812 and 1813 are used by Remote Authentication Dial-In User Service (RADIUS). Port 3389 is used by Remote Desktop Protocol (RDP).

You want to deploy SSL to protect authentication traffic with your LDAP-based directory service. Which port does this action use?

636 EXPLANATION To use SSL for LDAP authentication, use port 636. Port 80 is used for HTTP, while port 443 is used for HTTPS (HTTP with SSL). Simple LDAP authentication uses port 389.

Which ports does LDAP use by default? (Select two.)

636 389 EXPLANATION LDAP (Lightweight Directory Access Protocol) uses ports 389 and 636 by default. Port 636 is used for LDAP over SSL. This is the secure form or mode of LDAP. Unsecured LDAP uses port 389. Port 69 is used by TFTP. Port 110 is used by POP3. Port 161 is used by SNMP.

6.5.8) You want to increase the security of your network by allowing only authenticated users to access network devices through a switch. Which of the following should you implement? a. IPsec b. Port security c. Spanning tree d. 802.1x

802.1x EXPLANATION 802.1x authentication is an authentication method used on a LAN to allow or deny access base on a port or connection to the network. 802.1x is used for port authentication on switches and authentication to wireless access points. 802.1x requires an authentication server for validating user credentials. This server is typically a RADIUS server. Authenticated users are allowed full access to the network; unauthenticated users only have access to the RADIUS server. Port security uses the MAC address to allow or deny connections based on the MAC address of the device, not user authentication. Spanning tree is a protocol for identifying multiple paths through a switched network. IPsec is a tunneling protocol that adds encryption to packets.

Which of the following is an appropriate definition of a VLAN? a. A physical collection of devices that belong together and are connected to the same wire or physical switch. b. A device used to filter WAN traffic. c. A logical grouping of devices based on service need, protocol, or other criteria. d. A device used to route traffic between separate networks.

A logical grouping of devices based on service need, protocol, or other criteria.

What is mutual authentication?

A process by which each party in an online communication verifies the identity of each other party. EXPLANATION Mutual authentication is the process by which each party in an online communication verifies the identity of each other party. Mutual authentication is most common in VPN links, SSL connections, and e-commerce transactions. In each of these situations, both parties in the communication want to ensure that they know whom they are interacting with.

Which of the following is the best example of remote access authentication?

A user establishes a dial-up connection to a server to gain access to shared resources. EXPLANATION Remote access allows a host to connect remotely to a private server or a network to access resources on that server or network. Remote access connections are typically used to connect remotely to servers at your office, but can also describe the type of connections used to connect to an internet service provider (ISP) for internet access. A remote access server (RAS) is a server configured to allow remote access connections.

Which of the following statements about virtual networks is true? (Select two.)

A virtual network is dependent on the configuration and physical hardware of the host operating system. Multiple virtual networks can be associated with a single physical network adapter. EXPLANATION A virtual network is made up of one or more virtual machines configured to access local or external network resources. Some important facts about virtual networks include: - Virtual machines support an unlimited number of virtual networks, and an unlimited number of virtual machines can be connected to a virtual network. - Multiple virtual networks can be associated with a single physical network adapter. - When a virtual network is created, its configuration is dependent on the configuration and physical hardware, such as the type and number of network adapters, of the host operating system. - Accessing a network and network resources requires that the operating system on the virtual machine be configured as a part of the network.

6.4.3) Which of the following switch attacks associates the attacker's MAC address with the IP address of the victim's devices?

ARP spoofing/poisoning EXPLANATION ARP spoofing/poisoning associates the attacker's MAC address with the IP address of the victim.

6.1.3) Perpetrators attempt to compromise or affect the operations of a system.

Active Attack EXPLANATION Active attacks are when perpetrators attempt to compromise or affect the operations of a system in some way. For example, trying to brute force the root password on a web server is considered an active attack. A distributed denial of service (DDoS) attack is also an active attack.

A security administrator is conducting a penetration test on a network. She connects a notebook system running Linux to the wireless network and then uses NMAP to probe various network hosts to see which operating system they are running. Which process did the administrator use in the penetration test in this scenario? Network enumeration Passive fingerprinting Firewalking Active fingerprinting

Active fingerprinting EXPLANATION Active fingerprinting was used by the administrator in this scenario. Active fingerprinting is a form of system enumeration that is designed to gain as much information about a specific computer as possible. It identifies operating systems based upon ICMP message quoting characteristics. Portions of an original ICMP request are repeated (or quoted) within the response, and each operating system quotes this information back in a slightly different manner. Active fingerprinting can determine the operating system and even the patch level. Passive fingerprinting is similar to active fingerprinting. However, it does not utilize the active probes of specific systems. Network enumeration (also called network mapping) involves a thorough and systematic discovery of as much of the corporate network as possible, using: - Social engineering - Wardriving - War dialing - Banner grabbing - Firewalking Firewalking uses traceroute techniques to discover which services can pass through a firewall or a router. Common firewalking tools are Hping and Firewalk.

Which of the following are characteristics of TACACS+? (Select two.)

Allows three different servers, one each for authentication, authorization, and accounting Uses TCP EXPLANATION TACACS+ was originally developed by Cisco for centralized remote access administration. TACACS+: Provides three protocols, one each for authentication, authorization, and accounting. This allows each service to be provided by a different server. Uses TCP. Encrypts the entire packet contents. Supports more protocol suites than RADIUS. RADIUS is used by Microsoft servers for centralized remote access administration. RADIUS: Combines authentication and authorization using policies to grant access. Uses UDP. Encrypts only the password. Often uses vendor-specific extensions. RADIUS solutions from different vendors might not be compatible.

Which of the following activities are typically associated with a penetration test? (Select two.) Attempting social engineering Running a port scanner Creating a performance baseline Running a vulnerability scanner on network servers Interviewing employees to verify that the security policy is being followed

Attempting social engineering Running a port scanner EXPLANATION Penetration testing is an organization's attempt to circumvent security controls to identify vulnerabilities in their information systems. It simulates an actual attack on the network and is conducted from outside the organization's security perimeter. Penetration testing helps assure the effectiveness of an organization's security policy, security mechanism implementations, and deployed countermeasures. Penetration testing typically uses tools and methods that are available to attackers. Penetration testing might start with attempts at social engineering or other reconnaissance activities followed by more active scans of systems and actual attempts to access secure systems. A vulnerability scanner checks a system for weaknesses. Vulnerability scanners typically require administrative access to a system and are performed internally to check for weaknesses, but not to test system security. Typically, penetration testers cannot run a vulnerability scanner unless they have gained authorized access to a system. A performance baseline is created by an administrator to identify normal network and system performance. Auditing might include interviewing employees to make sure that security policies are being followed.

RADIUS is primarily used for what purpose?

Authenticating remote clients before access to the network is granted EXPLANATION RADIUS (Remote Authentication Dial-In User Service) is primarily used for authenticating remote clients before access to the network is granted. RADIUS is based on RFC 2865. RADIUS maintains client profiles in a centralized database. RADIUS offloads the authentication burden for dial-in users from the normal authentication of local network clients. For environments with a large number of dial-in clients, RADIUS provides improved security, easier administration, improved logging, and less performance impact on LAN security systems.

You want to protect the authentication credentials you use to connect to the LAB server in your network by copying them to a USB drive. Click the option you use in Credential Manager to protect your credentials.

Back up Credentials EXPLANATION Within Credential Manager, use the Back up Credentials and Restore Credentials links to back up and restore credentials. It is recommended that you back up credentials to a removable device, such as a USB flash drive, to protect them from a hard disk crash on the local system.

6.2.6) While developing a network application, a programmer adds functionally that allows her to access the running program without authentication so she can capture debugging data. The programmer forgets to remove this functionality prior to finalizing the code and shipping the application. What type of security weakness does this represent?

Backdoor EXPLANATION A backdoor is an unprotected access method or pathway. Backdoors may include hard-coded passwords or hidden service accounts. They are often added during development as a shortcut to circumvent security. If they are not removed, they present a security problem.

Network-based intrusion detection is most suited to detect and prevent which types of attacks?

Bandwidth-based denial of service

Network-based intrusion detection is most suited to detect and prevent which types of attacks? a. Buffer overflow exploitation of software b. Application implementation flaws c. Bandwidth-based denial of service d. Brute force password attack

Bandwidth-based denial of service EXPLANATION Network-based intrusion detection systems are best suited to detect and prevent bandwidth-based denial of service attacks. This type of attack manipulates network traffic in such a way that network-based IDS can easily detect it. The other forms of attack are content-specific and directed at a host.

6.4.3) Which is a typical goal of MAC spoofing? a. Causing a switch to enter fail open mode b. Bypassing 802.1x port-based security c. Causing incoming packets to broadcast to all ports d. Rerouting local switch traffic to a specified destination

Bypassing 802.1x port-based security EXPLANATION MAC spoofing is changing the source MAC address on frames sent by the attacker. It is typically used to bypass 802.1x port-based security, bypass wireless MAC filtering, or hide the identity of the attacker's computer. MAC flooding causes a switch to enter fail open mode, which causes incoming packets to be broadcast out to all ports. ARP spoofing/poisoning associates the attacker's MAC address with the IP address of the victim.

Which remote access authentication protocol periodically and transparently re-authenticates during a logon session by default?

CHAP

You are configuring a dial-up connection to a remote access server. Which protocols would you choose to establish the connection and authenticate, providing the most secure connection possible? (Select two.) CHAP PAP SLIP PPPoe PPP

CHAP PPP EXPLANATION Choose PPP and CHAP for the connection. Choose point-to-point protocol (PPP) for the connection. PPP is preferred over serial line interface protocol (SLIP) because it can negotiate encryption protocols to use for the connection. Point-to-point protocol over Ethernet (PPPoE) is similar to PPP, but is used for a cable (not a dial-up) connection. Choose challenge handshake authentication protocol (CHAP) for authentication. CHAP uses hashing to protect the passwords and allows re-authentication. Avoid using password authentication protocol (PAP) because it transmits credentials in the clear (unencrypted).

6.4.3) Drag the description on the left to the appropriate switch attack type shown on the right. MAC Spoofing

Can be used to hide the identity of the attacker's computer or impersonate another device on the network.

6.4.3) Drag the description on the left to the appropriate switch attack type shown on the right. MAC Flooding

Causes packets to fill up the forwarding table and consumes so much of the switch's memory that it enters a state called fail open mode.

6.2.6) You've just deployed a new Cisco router so you can connect a new segment to your organization's network. The router is physically located in a server room that can only be accessed with an ID card. You've backed up the the router configuration to a remote location in an encrypted file. You access the router configuration from your notebook computer by connecting it to the console port on the router. The web-based management interface uses the default user name of cusadmin and a password of highspeed. What should you do to increase the security of this device?

Change the user name and create a more complex password EXPLANATION You should change the user name and create a more complex password. The default user name and password for Cisco routers and other routers can be found on the internet, so they should both be changed when the router is put into production.

Which of the following is not true regarding cloud computing? Typical cloud computing providers deliver common business applications online that are accessed from another web service or software like a web browser. The term cloud is used as a metaphor for the internet. Cloud computing is software, data access, computation, and storage services provided to clients through the internet. Cloud computing requires end user to have knowledge of the physical location and configuration of the system that delivers the services.

Cloud computing requires end user to have knowledge of the physical location and configuration of the system that delivers the services.

You have a small network of devices connected using a switch. You want to capture the traffic that is sent from Host A to Host B. On Host C, you install a packet sniffer that captures network traffic. After running the packet sniffer, you cannot find any captured packets between Host A and Host B. What should you do? Configure the default gateway address on hosts A and B with the IP address of Host C Manually set the MAC address of Host C to the MAC address of Host A Connect hosts A and B together on the same switch port through a hub Configure port mirroring

Configure port mirroring EXPLANATION You need to configure port mirroring on the switch. In a network that uses a switch, network traffic is sent through the switch to only the destination device. In this scenario, Host C will only receive broadcast traffic and traffic addressed to its own MAC address. With port mirroring, all frames sent to all other switch ports will be forwarded on the mirrored port. Alternatively, you could put Host C on the same switch port as either Host A or Host B using a hub. All devices connected to the hub will be able to see the traffic sent to all other devices connected to the hub. Changing the MAC address on Host C would cause a conflict with duplicate addresses being used. Setting the default gateway would not affect the path of packets on the LAN. The default gateway is only used for traffic that goes outside of the current subnet.

You are responsible for maintaining Windows workstation operating systems in your organization. Recently, an update from Microsoft was automatically installed on your workstations that caused an application that was developed in-house to stop working. To keep this from happening again, you decide to test all updates on a virtual machine before allowing them to be installed on production workstations. Currently, all of your testing virtual machines do not have a network connection. However, they need to be able to connect to the update servers at Microsoft to download and install updates. What should you do?

Connect the virtual network interfaces in the virtual machines to the virtual switch. Create a new virtual switch configured for bridged (external) networking. EXPLANATION Creating an internal or host-only virtual switch would not allow the virtual machines to communicate on the production network through the hypervisor's network interface. Disabling the hypervisor's switch port would also isolate the virtual machines from the production network.

You are an application developer. You use a hypervisor with multiple virtual machines installed to test your applications on various operating systems versions and editions. Currently, all of your testing virtual machines are connected to the production network through the hypervisor's network interface. However, you are concerned that the latest application you are working on could adversely impact other network hosts if errors exist in the code. To prevent issues, you decide to isolate the virtual machines from the production network. However, they still need to be able to communicate directly with each other. What should you do?

Connect the virtual network interfaces in the virtual machines to the virtual switch. Create a new virtual switch configured for host-only (internal) networking.

Drag the software-defined networking (SDN) layer on the left to the appropriate function on the right. This layer receives it requests from the application layer. This layer is also known as the infrastructure layer. This layer communicates with the control layer through what's called the northbound interface. This layer provides the physical layer with configuration and instructions. On this layer, individual networking devices use southbound APIs to communicate with the control plane.

Control layer Physical layer Application layer Control layer Physical layer

6.5.8) Which of the following applications typically use a 802.1x authentication? Controlling access through a router Controlling access through a switch Authenticating VPN users through the Internet Controlling access through a wireless access point Authenticating remote access clients

Controlling access through a switch Controlling access through a wireless access point EXPLANATION 802.1x authentication is an authentication method used on a LAN to allow or deny access based on a port or connection to the network. 802.1x is used for port authentication on switches and authentication to wireless access points. 802.1x requires an authentication server for validating user credentials. This server is typically a RADIUS server. Remote access authentication is handled by remote access servers or a combination of remote access servers and a RADIUS server for centralized authentication. VPN connections can be controlled by remote access servers or by special devices called a VPN concentrator.

6.1.3) You notice that over the last few months more and more static systems, such as the office environment control system, the security system, and lighting controls, are connecting to your network. You know that these devices can be a security threat. Which of the following measures can you take to minimize the damage these devices can cause if they are compromised?

Create a VLAN to use as a low-trust network zone for these static systems to connect to EXPLANATION If your network has static systems, such as IoT devices, then you probably want to have them on their own network segment. This minimizes the damage they can cause to a single network segment and makes identifying issues with them much easier. The most common way to segment networks is to create VLANs for each network zone. You do have some control over static systems, but very little, so they would best be placed in a low-trust zone. The internet would be classified as a no-trust zone, since you have no control over it.

A manager has told you she is concerned about her employees writing their passwords for websites, network files, and database resources on sticky notes. Your office runs exclusively in a Windows environment. Which tool could you use to prevent this behavior? Computer Management Credential Manager Local Users and Groups Key Management Service

Credential Manager EXPLANATION Credential Manager securely stores account credentials for network resources, such as file servers, websites, and database resources. Local Users and Groups manages only local account credentials. Key Management Service is used to manage the activation of Windows systems on the network. Computer Management is used to complete Windows management tasks, such as viewing the Event Log, managing hardware devices, and managing hard disk storage.

A security administrator logs on to a Windows server on her organization's network. She then runs a vulnerability scan on that server. What type of scan was conducted in this scenario?

Credentialed scan EXPLANATION In a credentialed scan, the security administrator authenticates to the system prior to starting the scan. A credentialed scan usually provides detailed information about potential vulnerabilities. For example, a credentialed scan of a Windows workstation allows you to probe the registry for security vulnerabilities.

6.4.3) Which protocol should you disable on the user access ports of a switch? a. PPTP b. TCP c. IPsec d. DTP

DTP EXPLANATION Switches have the ability to automatically detect ports that are trunk ports and negotiate the trunking protocol used between devices. DTP is not secure and allows unauthorized devices to possibly modify configuration information. You should disable the DTP services on the switch's end user (access) ports.

You are using a vulnerability scanner that conforms to the OVAL specifications. Which of the following items contains a specific vulnerability or security issue that could be present on a system?

Definition EXPLANATION The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system. Each vulnerability, configuration issue, program, or patch that might be present on a system is identified as a definition. OVAL repositories are like libraries or databases that contain multiple definitions.

Which of the following best describes the concept of a virtual LAN? a. Devices on the same network logically grouped as if they were on separate networks b. Devices in separate networks (i.e. different network addresses) logically grouped as if they were in the same network c. Devices connected through the Internet that can communicate without using a network address d. Devices connected by a transmission medium other than cable (i.e. microwave, radio transmissions) e. Devices on different networks that can receive multicast packets

Devices on the same network logically grouped as if they were on separate networks EXPLANATION A virtual LAN is created by identifying a subset of devices on the same network, and logically identifying them as if they were on separate networks. Think of VLANs as a subdivision of a LAN.

Which of the following functions can a port scanner provide?

Discovering unadvertised servers Determining which ports are open on a firewall EXPLANATION Port scanners can determine which TCP/UDP ports are open on a firewall and identify servers that may be unauthorized or running in a test environment. Many port scanners provide additional information, including the host operating system and version, of any detected servers. Hackers use port scanners to gather valuable information about a target, and system administrators should use the same tools for proactive penetration testing and ensuring compliance with all corporate security policies.

6.1.3) As a security professional, you need to understand your network on multiple levels. You should focus on the following areas: - Entry points - Inherent vulnerabilities - Documentation - Network baseline Used to identify a weak network architecture or design.

Documentation EXPLANATION Documentation: Document all network assets in your organization and create a suitable network diagram that you can use as a reference. This is probably one of the most important components of knowing your system. If you don't know the underlying infrastructure of your network, then you can't adequately secure it. Proper network documentation and diagrams will not only help you identify a weak network architecture or design, but it will also protect against system sprawl and unknown systems.

Which of the following is a characteristic of TACACS+?

EXPLANATION TACACS+ was originally developed by Cisco for centralized remote access administration. TACACS+: Uses TCP port 49 Encrypts the entire packet contents, not just authentication packets. Supports more protocol suites than RADIUS.

6.1.3) As a security professional, you need to understand your network on multiple levels. You should focus on the following areas: - Entry points - Inherent vulnerabilities - Documentation - Network baseline Public-facing servers, workstations, Wi-Fi networks, and personal devices.

Entry points EXPLANATION Entry points: Recognize all vulnerabilities and entry points for possible attacks. This includes public-facing servers, workstations, Wi-Fi networks, and personal devices. Primarily, you must account for anything that connects to the network as a possible entry point.

6.1.3) Unauthorized individuals try to breach a network from off-site.

External Attack EXPLANATION External attacks are when unauthorized individuals try to breach a network from off-site. Remember that perpetrators of external attacks are unauthorized for any level of access to the network.

You have configured an NIDS to monitor network traffic. Which of the following describes harmless traffic that has been identified as a potential attack by the NIDS device?

False positive EXPLANATION False positive traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic.

Which of the following identifies an operating system or network service based on its response to ICMP messages? Social engineering Fingerpritnting Firewalking Port scanning

Fingerprinting EXPLANATION Fingerprinting identifies an operating system or network service based on its response to ICMP messages. Portions of the original ICMP request are repeated (or quoted) within the response. Each operating system quotes this information back in a slightly different manner. Port scanning pings every port on an external interface or attempts a connection in order to discover which ports are open and active, and which are not. Firewalking uses traceroute to discover which services can pass through a firewall or a router. Social engineering exploits human nature to obtain information, often by impersonating someone of authority and requesting data.

6.3.4) You are implementing a new application control solution. Prior to enforcing your application whitelist, you want to monitor user traffic for a period of time to discover user behaviors and log violations for later review. How should you configure the application control software to handle applications not contained in the whitelist? a. Drop b. Flag c. Tarpit d. Block

Flag EXPLANATION When using an application control solution, an application whitelist is defined centrally and applied to all network devices. Only applications contained in the whitelist are allowed. Applications not whitelisted can have several actions applied: Blocked applications are not allowed. The session will be dropped if it uses UDP and reset if it uses TCP. Flagged applications are allowed, but a violation is logged when they are identified. Tarpitted applications are not allowed. However, the connection between hosts is kept alive while the application data itself is silently dropped. This makes it appear to both hosts that the other host is receiving the data, but is not responding. Note: Not all application control solutions support tarpitting application traffic.

KWalletManager is a Linux-based credential management system that stores encrypted account credentials for network resources. Which encryption methods can KWalletManager use to secure account credentials? (Select two.) GPG Kerberos Twofish Blowfish HMAC-SHA1

GPG Blowfish EXPLANATION KWalletManager offers two encryption options for protecting stored account credentials: - Blowfish - GPG HMAC-SHA1 is most often used with one-time passwords. Kerberos is used for login authentication and authorization in a Windows domain. Twofish is an encryption mechanism that is similar to the Blowfish block cipher, but has not been standardized at this point.

What do host-based intrusion detection systems often rely upon to perform detection activities? a. Remote monitoring tools b. Host system auditing capabilities c. External sensors d. Network traffic

Host system auditing capabilities EXPLANATION A host-based IDS often relies upon the host system's auditing capabilities to perform detection activities. The host-based IDS uses the logs of the local system to search for attack or intrusion activities. Host-based IDS does not analyze network traffic, use external sensors, or rely upon remote monitoring tools.

6.8.7) As a security precaution, you have implemented IPsec that is used between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? a. Port scanner b. VPN concentrator c. Host-based IDS d. Protocol analyzer e. Network-based IDS

Host-based IDS EXPLANATION A host-based IDS is installed on a single host and monitors all traffic coming in to the host. A host-based IDS can analyze encrypted traffic because the host operating system decrypts that traffic as it is received. A network-based IDS is a dedicated device installed on the network. It analyzes all traffic on the network. It cannot analyze encrypted traffic because the packet contents are encrypted so that only the recipient can read the packet contents. A protocol analyzer examines packets on the network, but cannot look at the contents of encrypted packets. A port scanner probes a device to identify open protocol ports. A VPN concentrator is a device used to establish remote access VPN connections.

Which of the following devices is computer software, firmware, or hardware that creates and runs virtual machines?

Hypervisor EXPLANATION A hypervisor is computer software, firmware, or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine. Each virtual machine is called a guest machine. The hypervisor provides the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems.

Which of the following devices can monitor a network and detect potential security attacks? a. IDS b. Proxy c. Load Balancer d. DNS server e. CSU/DSU

IDS EXPLANATION An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. A proxy server is a type of firewall that can filter based on upper-layer data. A CSU/DSU is a device that converts the signals received from the WAN provider into a signal that can be used by equipment at the customer site. A DNS server provides IP address-to-host name resolution. Load balancing configures a group of servers in a logical group called a server farm. Incoming requests to the group are distributed to individual members within the group.

Which of the following are security devices that perform stateful inspection of packet data and look for patterns that indicate malicious code? Firewall VPN IDS ACL IPS

IDS, IPS EXPLANATION An intrusion detection system (IDS) and an intrusion prevention system (IPS) are devices that scan packet contents looking for patterns that match known malicious attacks. Signature files identify the patterns of all known attacks. When a packet matches the pattern indicated in the signature file, the packet can be dropped or an alert can be sent. Firewalls use an access control list (ACL) to filter packets based on the packet header information. Firewalls can filter packets based on port, protocol, or IP address. A virtual private network (VPN) is an encrypted communication channel established between two entities to exchange data over an unsecured network.

You are concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible. Which tool should you use?

IPS

Which of the following devices is capable of detecting and responding to security threats?

IPS EXPLANATION An intrusion prevention system (IPS) can detect and respond to security events. An IPS differs from an IDS because it can respond to security threats, not just detect them.

6.3.4) Your organization's security policy specifies that peer-to-peer file sharing is not allowed. Recently, you received an anonymous tip that an employee has been using a BitTorrent client to download copyrighted media while at work. You research BitTorrent and find that it uses TCP ports 6881-6889 by default. When you check your perimeter firewall configuration, only ports 80 and 443 are open. When you check your firewall logs, you find that no network traffic using ports 6881-6889 has been blocked. What should you do?

Implement an application control solution EXPLANATION In this scenario, the best solution would be to implement an application control solution. A firewall alone may be insufficient to block the use of network applications. Knowledgeable users can circumvent firewall ACLs by reconfiguring network applications to use ports commonly left open. In this scenario, if the accusations are founded, then the employee may have reconfigured his BitTorrent client to use port 80 or 443, allowing the traffic through the firewall unimpeded. An application control solution can be used to block unauthorized network applications. Application control implementations use application signatures to identify specific applications. The contents of packets are inspected and compared to these signatures to identify the associated application, regardless of which protocol or port is in use.

Your organization uses a web server to host an e-commerce site. Because this web server handles financial transactions, you are concerned that it could become a prime target for exploits. You want to implement a network security control that will analyze the contents of each packet going to or from the web server. The security control must be able to identify malicious payloads and block them. What should you do? a. Implement an application-aware IPS in front of the web server b. Implement an application-aware IDS in front of the web server c. Implement a packet-filtering firewall in front of the web server d. Install an anti-malware scanner on the web server e. Implement a stateful firewall in front of the web server

Implement an application-aware IPS in front of the web server EXPLANATION You should implement an application-aware IPS in front of the Web server. Even though an application-aware IDS can analyze network packets to detect malicious payloads, only an application-aware IPS can both detect and block malicious packets. Because of this, an application-aware IPS would be the most appropriate choice. Installing an anti-malware scanner on the Web server itself is a good idea, but it can only detect malware after it has been installed on the server. Using a packet-filtering firewall or a stateful firewall is also a good security measure, but neither are capable of inspecting the contents of network packets. A packet-filtering firewall can only filter based on IP address, port, and protocol. A stateful firewall can only monitor the state of a TCP connection. These devices should be used in conjunction with an IDS or an IPS to protect a network.

You have decided to perform a double-blind penetration test. Which of the following actions would you perform first? Run system fingerprinting software Engage in social engineering Inform senior management Perform operational reconnaissance

Inform senior management EXPLANATION Before starting a penetration test (also called a pen test), it is important to define the Rules of Engagement (ROE), or the boundaries of the test. Important actions to take include: - Obtain a written and signed authorization from the highest possible senior management - Delegate personnel who are experts in the areas being tested - Gain approval from the internet provider to perform the penetration test - Make sure that all tools or programs used in the test are legal and ethical - Establish the scope and timeline - Identify systems that will not be included in the test Reconnaissance, social engineering, and system scanning are all actions performed during a penetration test. However, no actions should be taken before approval to conduct the test is obtained.

6.1.3) As a security professional, you need to understand your network on multiple levels. You should focus on the following areas: - Entry points - Inherent vulnerabilities - Documentation - Network baseline An older version of Windows that is used for a particular application.

Inherent vulnerabilities

6.1.3) As a security professional, you need to understand your network on multiple levels. You should focus on the following areas: - Entry points - Inherent vulnerabilities - Documentation - Network baseline IoT and SCADA devices.

Inherent vulnerabilities EXPLANATION Inherent vulnerabilities: Identify inherent vulnerabilities or systems that lack proper security controls.For example, if your organization needs to use an older version of Windows for a particular application, then you need to identify that system as a vulnerability. IoT and SCADA devices are both systems that lack proper security controls, and therefore must be dealt with appropriately.

You want to check a server for user accounts that have weak passwords. Which tool should you use?

John the Ripper EXPLANATION John the Ripper is a password cracking tool. Password crackers perform cryptographic attacks on passwords. Use a password cracker to identify weak passwords or passwords protected with weak encryption.

Which of the following protocols uses port 88? Kerberos L2TP PPTP LDAP TACACS

Kerberos EXPLANATION Kerberos uses port 88. Terminal Access Controller Access-Control System (TACACS) uses port 49. LDAP uses TCP and UDP ports 389. Secure LDAP uses SSL/TLS over port 636. Layer 2 tunneling protocol (L2TP) uses port 1701. Point-to-point tunneling protocol (PPTP) uses port 1723.

Which of the following authentication mechanisms is designed to protect a nine-character password from attacks by hashing the first seven characters into a single hash and then hashing the remaining two characters into another separate hash? NTLMv2 NTLM LANMAN LDAP

LANMAN EXPLANATION LANMAN divides passwords longer than seven characters into two separate hashes (meaning that characters one through seven are a single hash, and characters eight through 14 are a separate hash). LANMAN passwords are protected using a hashing method called LANMAN hash that uses DES and a proprietary algorithm. LANMAN passwords are limited to a total of 14 characters. LANMAN hash is very weak and can be easily broken. NT LAN Manager (NTLM) is the replacement for LANMAN on Microsoft networks and uses a stronger hashing method than LANMAN. NTLMv2 includes additional security enhancements and a stronger hashing method. The Lightweight Directory Access Protocol (LDAP) is a lightweight protocol that allows users and applications to read from and write to an LDAP-compliant directory service, such as Active Directory, eDirectory, and OpenLDAP.

Which of the following activities are considered passive in regards to the function of an intrusion detection system? (Choose two) Listening to network traffic Monitoring the audit trails on a server Disconnecting a port being used by a zombie Transmitting FIN or RES packets to an external host

Listening to network traffic Monitoring the audit trails on a server EXPLANATION Passive IDS is a form of IDS that takes no noticeable action on the network. Passive IDS systems are undetectable by intruders. Passive IDS systems can monitor audit trails or listen to network traffic in real time. Active IDS functions are those that interact with the network and generate detectible events. Such events can include disconnecting ports or transmitting FIN or RES packets to attackers.

Which of the following are included in an operations penetration test? (Select two.)

Looking through discarded papers or media for sensitive information. Eavesdropping or obtaining sensitive information from items that are not properly stored. EXPLANATION In an operations penetration test, the tester attempts to gain as much information as possible using the following methods: - In Dumpster diving, the attacker looks through discarded papers or media for sensitive information. - With over-the-shoulder reconnaissance, attackers eavesdrop or obtain sensitive information from items that are not properly stored. - Using social engineering, attackers act as imposters with the intent to gain access or information.

6.4.3) Which of the following attacks, if successful, causes a switch to function like a hub?

MAC flooding EXPLANATION MAC flooding overloads the switch's MAC forwarding table to make the switch function like a hub. The attacker floods the switch with packets, each containing different source MAC addresses. The flood of packets fills up the forwarding table and consumes so much of the memory in the switch that it causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out all ports (as with a hub), instead of just to the correct ports, as per normal operation.

You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a cubicle near your office. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using an SSH client with the user name admin01 and the password P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device?

Move the router to a secure server room. EXPLANATION In this scenario, the router is not physically secure. Anyone with access to the area could gain access to the router and manipulate its configuration by plugging in to the console port. The device should be moved to a secure location, such as a server room, that requires an ID badge for access.

Which of the following is a feature of MS-CHAP v2 that is not included in CHAP? Three-way handshake Hashed shared secret Mutual authentication Certificate-based authentication

Mutual authentication EXPLANATION MS-CHAP v2 allows for mutual authentication, where the server authenticates to the client. Both CHAP and MS-CHAP use a three-way handshake process for authenticating users with user names and passwords. The password (or shared secret) value is hashed. The hash is sent for authentication, not the shared secret.

6.1.3) Your network devices are categorized into the following zone types: * No-trust zone * Low-trust zone * Medium-trust zone * High-trust zone Your network architecture employs multiple VLANs for each of these network zones. Each zone is separated by a firewall that ensures only specific traffic is allowed. Which of the following is the secure architecture concept that is being used on this network?

Network Segmentation EXPLANATION The secure network architecture concept that is being used in this example is network segmentation. The most common way to segment networks is to create multiple VLANs for each network zone. These zones can also be separated by firewalls to ensure only specific traffic is allowed. One way to segment a network is to categorize systems into different zones (for example, a no-trust zone, low-trust zone, medium-trust zone, high-trust zone, and highest-trust zone).

6.1.3) As a security professional, you need to understand your network on multiple levels. You should focus on the following areas: - Entry points - Inherent vulnerabilities - Documentation - Network baseline What activity looks like in normal day-to-day usage.

Network baseline EXPLANATION Network baseline: You need to know your systems' normal activity such as its regular traffic patterns, data usage, network activity, server load, et cetera. Mainly, you need to know what your network looks like in normal day-to-day usage. Knowing this allows you to identify unusual or atypical activity that can indicate an attack in progress or a compromised network. To identify a network baseline, you can use network tools that monitor network traffic and create a graphical representation of the collected data, such as Cisco's NetFlow tool.

You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use?

Network mapper EXPLANATION A network mapper is a tool that can discover devices on the network and show those devices in a graphical representation. Network mappers typically use a ping scan to discover devices and a port scanner to identify open ports on those devices.

A security administrator needs to run a vulnerability scan that will analyze a system from the perspective of a hacker attacking the organization from the outside. What type of scan should he use?

Non-credentialed scan EXPLANATION In a non-credentialed scan, the security administrator does not authenticate to the system prior to running the scan. A TCP SYN scan is a common type of port scan. A non-credentialed scan can be valuable because it allows the scanner to see the system from the same perspective that an attacker would see it. However, a non-credentialed scan does not typically produce the same level of detail as a credentialed scan.

Which of the following can make passwords useless on a router?

Not controlling physical access to the router EXPLANATION If someone can gain access to the physical device, they can easily bypass any configured passwords. Passwords are useless if physical access is not controlled.

Which of the following identifies standards and XML formats for reporting and analyzing system vulnerabilities?

OVAL EXPLANATION The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system. - OVAL is sponsored by the National Cyber Security division of the US Department of Homeland Security. - OVAL identifies the XML format for identifying and reporting system vulnerabilities. - Each vulnerability, configuration issue, program, or patch that might be present on a system is identified as a definition. - OVAL repositories are like libraries or databases that contain multiple definitions.

You have a network with three remote access servers, a RADIUS server used for authentication and authorization, and a second RADIUS server used for accounting. Where should you configure remote access policies?

On the RADIUS server used for authentication and authorization EXPLANATION Remote access policies are used for authorization for remote access clients. For larger deployments with multiple remote access servers, you can centralize the administration of remote access policies by using an AAA server (authentication, authorization, and accounting server). Configure remote access policies on the AAA server that is used for authorization. In a small implementation, user accounts and remote access policies are defined on the remote access server. With this configuration, if you have multiple remote access servers, you must define user accounts and policies on each remote access server. Accounting is an activity that tracks or logs the use of the remote access connection. Accounting is often used by ISPs to bill for services based on time or the amount of data downloaded.

Which of the following best describes the Platform as a Service (PaaS) cloud computing service model?

PaaS delivers everything a developer needs to build an application onto the cloud infrastructure. ...The deployment comes without the cost and complexity of buying and managing the underlying hardware and software layers.

You are concerned about attacks directed against the firewall on your network. You would like to examine the content of individual frames sent to the firewall. Which tool should you use? Throughput tester Load tester Event log System log Packet sniffer

Packet sniffer

You want to know which protocols are being used on your network. You'd like to monitor network traffic and sort traffic by protocol. Which tool should you use?

Packet sniffer EXPLANATION A packet sniffer is special software that captures (records) frames that are transmitted on the network. Use a packet sniffer to: Identify the types of traffic on a network. View the exchange of packets between communicating devices. For example, you can capture frames related to DNS and view the exact exchange of packets for a specific name resolution request. Analyze packets sent to and from a specific device. View packet contents.

6.1.3) Attempting to gather information without affecting the flow of information on the network.

Passive Attack EXPLANATION Passive attacks occur when perpetrators attempt to gather information without affecting the flow of that information on the network. Packet sniffing and port scanning are passive attacks.

A security administrator is conducting a penetration test on a network. She connects a notebook system to a mirror port on a network switch. She then uses a packet sniffer to monitor network traffic to try to determine which operating systems are running on network hosts. Which process did the administrator use in the penetration test in this scenario?

Passive fingerprinting Passive fingerprinting is a form of system enumeration that is designed to gain as much information about network computers as possible. It passively listens to network traffic generated by network hosts and attempts to identify which operating systems are in use based upon the ICMP message quoting characteristics they use. Portions of original ICMP requests are repeated (or quoted) within each response. Each operating system quotes this information back in a slightly different manner.

6.3.4) What common design feature among instant messaging clients make them less secure than other means of communicating over the internet?

Peer-to-peer networking EXPLANATION: The common design feature among instant messaging clients that makes them less secure than other means of communicating over the Internet is their use of peer-to-peer networking. Peer-to-peer networking is inherently less secure than traditional client/server communication or networking mechanisms. With peer-to-peer networking, there is no centralized access control authority, so any client on the system can introduce malicious code or perform malicious actions without restriction.

Which of the following uses hacking techniques to proactively discover internal vulnerabilities? Penetration testing Inbound scanning Reverse engineering Passive reconnaissance

Penetration testing EXPLANATION Penetration testing is the practice of proactively testing systems and policies for vulnerabilities. This approach seeks to identify vulnerabilities internally before a malicious individual can take advantage of them. Common techniques are identical to those used by hackers and include network/target enumeration and port scanning.

CHAP performs which of the following security functions?

Periodically verifies the identity of a peer using a three-way handshake EXPLANATION CHAP periodically verifies the identity of a peer using a three-way handshake. CHAP ensures that the same client or system exists throughout a communication session by repeatedly and randomly re-testing the validated system. This test involves the security server sending a challenge message to the client. The client then performs a one-way hash function on the challenge and returns the result to the security server. The security server performs its own function on the challenge and compares its result with the result received from the client. If they don't match, the session is terminated.

6.5.8) You manage a network that uses switches. In the lobby of your building are three RJ-45 ports connected to a switch. You want to make sure that visitors cannot plug in their computers to the free network jacks and connect to the network. However, employees who plug into those same jacks should be able to connect to the network. What feature should you configure?

Port authentication EXPLANATION Use port authentication to prevent unauthorized access through switch ports. Port authentication is provided by the 802.1x protocol, and allows only authenticated devices to connect to the LAN through the switch. Authentication uses usernames and passwords, smart cards, or other authentication methods. - When a device first connects, the port is set to an unauthorized state. Ports in unauthorized states can only be used for 802.1x authentication traffic. - After the server authenticates the device or the user, the switch port is placed in an authorized state, and access to other LAN devices is allowed.

You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device that is connected to a hub with three other computers. The hub is connected to a switch that is connected to the router. When you run the software, you see frames addressed to the four workstations, but not to the router. Which feature should you configure on the switch? Port mirroring Promiscuous mode Spanning tree Bonding

Port mirroring EXPLANATION A switch will only forward packets to the switch port that holds a destination device. This means that when your packet sniffer is connected to a switch port, it will not see traffic sent to other switch ports. To configure the switch to send all frames to the packet sniffing device, configure port mirroring on the switch. With port mirroring, all frames sent to all other switch ports will be forwarded on the mirrored port. Promiscuous mode configures a network adapter to process every frame it sees, not just the frames addressed to that network adapter. In this scenario, you know that the packet sniffer is running in promiscuous mode because it can already see frames sent to other devices. Bonding logically groups two or more network adapters to be used at the same time for a single logical network connection. Spanning tree runs on a switch and ensures that there is only one active path between switches, allowing for backup redundant paths.

You want to make sure that a set of servers will only accept traffic for specific network services. You have verified that the servers are only running the necessary services, but you also want to make sure that the servers will not accept packets sent to those services. Which tool should you use? System logs Packet sniffer IDS Port scanner IPS

Port scanner EXPLANATION Use a port scanner to check for open ports on a system or a firewall. Compare the list of opened ports with the list of ports allowed by your network design and security policy. Typically, a port is opened when a service starts or is configured on a device. Open ports for unused services expose the server to attacks directed at that port. Use a packet sniffer to examine packets on the network. With a packet sniffer, you can identify packets directed towards specific ports, but you won't be able to tell if those ports are open. Examine system logs to look for events that have happened on a system, which might include a service starting, but would not likely reflect open ports. An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. A passive IDS monitors, logs, and detects security breaches, but takes no action to stop or prevent the attack. An active IDS (also called an intrusion protection system or IPS) performs the functions of an IDS, but can also react when security breaches occur.

6.2.6) An attacker has obtained the logon credentials for a regular user on your network. Which type of security threat exists if this user account is used to perform administrative functions?

Privilege escalation EXPLANATION Privilege escalation allows a user to take advantage of a software bug or design flaw in an application to gain access to system resources or additional privileges that are typically not available to normal users. Examples of privilege escalation include: - A user accessing a system with a regular user account who is able to access functions reserved for higher-level user accounts (such as administrative features). - A user who is able to access content that should be accessible only to a different user. - A user who should have only administrative access being able to access content that should only be accessible to a regular user. Note: Privilege escalation does not occur when a user is able to steal or hack administrator credentials and is, therefore, able to access administrative functions. Privilege escalation refers to accessing features with an account that normally should not have access to those features.

6.2.6) A relatively new employee in the data entry cubical farm was assigned a user account similar to the other data entry employees' accounts. However, audit logs have shown that this user account has been used to change ACLs on several confidential files and has accessed data in restricted areas. This situation indicates which of the following has occurred?

Privilege escalation EXPLANATION This situation describes the result of a successful privilege escalation attack. If a low-end user account is detected performing high-level activities, it is obvious that user account has somehow gained additional privileges.

You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device, which is connected to the same hub that is connected to the router. When you run the software, you only see frames addressed to the workstation, not to other devices. Which feature should you configure? Bonding Spanning tree Mirroring Promiscuous mode

Promiscuous mode EXPLANATION By default, a NIC only accepts frames addressed to that NIC. To enable the packet sniffer to capture frames sent to other devices, configure the NIC in promiscuous mode (sometimes called p-mode). In p-mode, the NIC will process every frame it sees. When devices are connected to a switch, the switch only forwards frames to the destination port. To see frames addressed to any device on any port, use port mirroring. In this scenario, the workstation and the router are connected with a hub, so the hub already sends all packets for all devices to all ports. Bonding logically groups two or more network adapters to be used at the same time for a single logical network connection. Spanning tree runs on a switch and ensures that there is only one active path between switches, allowing backup redundant paths.

You want to identify traffic that is generated and sent through the network by a specific application running on a device. Which tool should you use? Toner probe Certifier Protocol analyzer TDR Multimeter

Protocol analyzer EXPLANATION Use a protocol analyzer (also called a packet sniffer) to examine network traffic. You can capture or filter packets from a specific device or packets that use a specific protocol. Use a time domain reflector (TDR) to measure the length of a cable or to identify the location of a fault in the cable. A toner probe is two devices used together to trace the end of a wire from a known endpoint into the termination point in the wiring closet. A cable certifier is a multi-function tool that verifies that a cable or an installation meets the requirements for a specific architecture implementation. A multimeter is a device that tests various electrical properties, such as voltage, amps, and ohms.

You have recently reconfigured FTP to require encryption of both passwords and data transfers. You would like to check network traffic to verify that all FTP passwords and data are encrypted. Which tool should you use? Systems monitor Protocol analyzer Vulnerability scanner Performance monitor

Protocol analyzer EXPLANATION Use a protocol analyzer to examine network traffic. With the protocol analyzer, you can examine the contents of each packet. Plaintext communications can be read using the protocol analyzer, while encrypted packets cannot. Use a performance monitor or system monitor tool to gather statistics about system and network performance and loads. Use a vulnerability scanner to check systems for vulnerabilities. A vulnerability scanner might reveal that FTP is configured to accept clear text communications, but it does not examine the actual packets sent on the network.

Match each description on the left with the appropriate cloud technology on the right. Public cloud Private cloud Community Cloud Hybrid Cloud

Public cloud Provides cloud services to just about anyone. Private cloud Provides cloud services to a single organization. Community cloud Allows cloud services to be shared by several organizations. Hybrid cloud Integrates one cloud service with other cloud services.

Which of the following are differences between RADIUS and TACACS+?

RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers. EXPLANATION TACACS+ provides three protocols, one each for authentication, authorization, and accounting. This allows each service to be provided by a different server. In addition, TACACS+: Uses TCP Encrypts the entire packet contents Supports more protocol suites than RADIUS

You want to set up a service to allow multiple users to dial in to the office server from modems on their home computers. What service should you implement? RAS ISDN PPP RIP

RAS EXPLANATION RAS stands for Remote Access Service, which enables users to dial in to a server from remote locations. ISDN is a digital communications network that uses existing phone lines. PPP is a remote access protocol. You will likely configure your RAS server to accept PPP connections. RIP stands for Routing Information Protocol and allows routers to share information.

Which phase or step of a security assessment is a passive activity? Enumeration Vulnerability mapping Privilege escalation Reconnaissance

Reconnaissance EXPLANATION Reconnaissance is the only step of a security assessment (penetration testing) that is passive. Enumeration, vulnerability mapping, and privilege escalation are all active events in a security assessment.

You often travel away from the office. While traveling, you would like to use a modem on your laptop computer to connect directly to a server in your office and access files. You want the connection to be as secure as possible. Which type of connection will you need? Virtual private network Remote access Internet Intranet

Remote access EXPLANATION Use a remote access connection to connect directly to a server at a remote location. You could use a VPN connection through the internet to connect to the server security. However, the connection would involve connecting first to the internet through a local ISP, then establishing a VPN connection to the server. While the VPN connection through the internet is secure, it is not as secure as a direct remote connection to the server. An intranet is an internal network that only internal users can access.

You have run a vulnerability scanning tool and identified several patches that need to be applied to a system. What should you do next after applying the patches?

Run the vulnerability assessment again EXPLANATION After fixing an identified vulnerability, you should re-run the vulnerability scan to verify that everything has been fixed and that additional issues are not present. You should updated definition files before you run the first scan. Using a port scanner is unnecessary because most vulnerability scanners include a check of open ports. Documenting your actions should occur after you have finished all necessary actions.

You want to use Kerberos to protect LDAP authentication. Which authentication mode should you choose? EAP Mutual SASL Simple

SASL EXPLANATION Choose SASL (Simple Authentication and Security Layer) authentication mode to use Kerberos with LDAP. SASL is extensible and lets you use a wide variety of protection methods. LDAP authentication modes include Anonymous, Simple, and SASL. EAP is an extensible authentication protocol for remote access, not LDAP.

Which of the following is a disadvantage of software-defined networking (SDN)?

SDN standards are still being developed EXPLANATION Some of the disadvantages of SDN include: - Still a newer technology - Lack of vendor support - Standards are still being developed - Centralized control opens a new target for security threats Some of the advantages of SDN include: - Centralized management - More granular control - Lower overall cost and labor - Give new life to old networking hardware - Gather network information and statistics - Facilitate communication between hardware from different vendors

Which of the following cloud computing solutions delivers software applications to a client either over the internet or on a local area network?

SaaS EXPLANATION Software as a Service (SaaS) delivers software applications to the client either over the internet or on a local area network. Infrastructure as a Service (IaaS) delivers infrastructure to the client, such as processing, storage, networks, and virtualized environments. The client deploys and runs software without purchasing servers, data center space, or network equipment. Platform as a Service (PaaS) delivers everything a developer needs to build an application onto the cloud infrastructure. The deployment comes without the cost and complexity of buying and managing the underlying hardware and software layers. Data as a Service (DaaS) stores and provides data from a centralized location without the need for local collection and storage.

6.4.3) Drag the description on the left to the appropriate switch attack type shown on the right. Dynamic Trunking Protocol

Should be disabled on the switch's end user (access) ports before implementing the switch configuration into the network.

6.3.4) What type of attack is most likely to succeed with communications between instant messaging clients? a. Sniffing b. Denial of service c. Brute force password attack d. DNS poisoning

Sniffing EXPLANATION A sniffing attack is most likely to succeed for communications between instant messaging clients. Many instant messaging clients communicate in cleartext or use an easily broken basic encryption scheme to protect integrity, rather than confidentiality. When you employ an instant messaging system, you should assume all of your communications are being intercepted and never discuss confidential, personal, or sensitive issues.

Network engineers have the option of using software to configure and intelligently control the network rather than relying on the individual static configuration files that are located on each network device. Which of the following is a relatively new technology that allows network and security professionals to use software to manage, control, and make changes to a network?

Software-defined networking EXPLANATION Software-defined networking (SDN) is a relatively new technology that allows network and security professionals to manage, control, and make changes to a network. Network engineers are able to use software to configure and intelligently control the network rather than relying on the individual static configuration files that are located on each network device.

6.5.8) Which of the following solutions would you like to implement to eliminate switching loops? a. CSMA/CD b. Spanning tree c. Inter-vlan routing d. Auto-duplex

Spanning tree EXPLANATION Run the spanning tree protocol to prevent switching loops. A switching loop occurs when there are multiple active paths between switches. The spanning tree protocol runs on each switch and is used to select a single path between any two switches. Switch ports that are part of that path are placed in a forwarding state. Switch ports that are part of redundant but unused paths are placed in a blocking (non-forwarding) state. Use inter-vlan routing to enable devices in different VLANs to communicate. The auto-duplex setting allows a switch port to detect the duplex setting of connected devices (either half or full-duplex). CSMA/CD is a method for detecting and recovering from collisions.

You manage a network that uses multiple switches. You want to provide multiple paths between switches so that if one link goes down, an alternate path is available. Which feature should your switch support?

Spanning tree EXPLANATION Spanning tree is a protocol on a switch that allows the switch to maintain multiple paths between switches within a subnet. The spanning tree protocol runs on each switch and is used to select a single path between any two switches.

6.5.8) You manage a single subnet with three switches. The switches are connected to provide redundant paths between the switches. Which feature prevents switching loops and ensures there is only a single active path between any two switches?

Spanning tree EXPLANATION Spanning tree is a protocol on a switch that allows the switch to maintain multiple paths between switches within a subnet. The spanning tree protocol runs on each switch and is used to select a single path between any two switches. - Without the spanning tree protocol, switches that are connected together with multiple links would form a switching loop, where frames are passed back and forth continuously. - Spanning tree provides only a single active path between switches. Switch ports that are part of that path are placed in a forwarding state. - Switch ports that are part of redundant but unused paths are placed in a blocking (non-forwarding) state. - When an active path goes down, the spanning tree protocol automatically recovers and activates the backup ports necessary to provide continued connection between devices.

6.5.8) A virtual LAN can be created using which of the following? a. switch b. hub c. router d. gateway

Switch EXPLANATION Use a switch to create virtual LANs (VLANs). The various ports on a switch can be assigned to a specific VLAN to create logically distinct networks on the same physical network topology. Routers, gateways, and hubs are common network devices, but they do not support the creation of VLANs.

6.5.8) When configuring VLANs on a switch, what is used to identify which VLAN a device belongs to? a. Switch port b. MAC address c. IP address d. Host name

Switch port EXPLANATION VLAN membership is configured by assigning a switch port to a VLAN. A switch can have multiple VLANs configured to it, but each switch port can only be a member of a single VLAN. All devices connected to a switch port are members of the same VLAN.

Which of the following protocols can be used to centralize remote access authentication?

TACACS EXPLANATION Centralized remote access authentication protocols include: Remote Authentication and Dial-In User Service (RADIUS) Terminal Access Controller Access Control System (TACACS)

Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.) 802.1x TACACS+ EAP AAA RADIUS PKI

TACACS+ RADIUS EXPLANATION Both RADIUS and TACACS+ are protocols used for centralized authentication, authorization, and accounting with remote access. Remote access clients send authentication credentials to remote access servers. Remote access servers are configured as clients to the RADIUS or TACACS+ servers and forward the authentication credentials to the servers. The servers maintain a database of users and policies that control access for multiple remote access servers. AAA stands for authentication, authorization, and accounting, and is a generic term that describes the functions performed by RADIUS/TACACS+ servers. A public key infrastructure (PKI) is a system of certificate authorities that issue certificates. 802.1x is an authentication mechanism for controlling port access. 802.1x uses RADIUS/TACACS+ servers. EAP is an authentication protocol that enables the use of customized authentication methods.

Which of the following is the type of port scan that does not complete the full three-way TCP handshake, but rather listens only for either SYN/ACK or RST/ACK packets? a. TCP connect scan b. TCP FIN scan c. TCP SYN scan d. TCP ACK scan

TCP SYN scan EXPLANATION A TCP SYN scan is the type of port scan that does not complete the full three-way TCP handshake, but rather listens only for either SYN/ACK packets (which indicate that a port is listening) or RST/ACK packets (which indicate that a port is not listening). A TCP connect scan uses a full TCP three-way handshake and establishes a session with each port. A TCP FIN scan sends FIN packets to ports and listens for RST responses for closed ports, which indicate which ports are open. A TCP ACK scan is used to map out a firewall's filtering rules.

What is the primary purpose of penetration testing? Infiltrate a competitor's network Assess the skill level of new IT security staff Evaluate newly deployed firewalls Test the effectiveness of your security perimeter

Test the effectiveness of your security perimeter EXPLANATION The primary purpose of penetration testing is to test the effectiveness of your security perimeter. Only by attempting to break into your own secured network can you be assured that your security policy, security mechanism implementations, and deployed countermeasures are effective. It is important to obtain senior management approval before starting a penetration testing or vulnerability scanning project. Often, penetration testing or vulnerability scanning is performed by an external consultant or security outsourcing agency that is hired by your organization.

Which actions can a typical passive intrusion detection system (IDS) take when it detects an attack?

The IDS logs all pertinent data about the intrusion. An alert is generated and delivered via email, the console, or an SNMP trap. EXPLANATION The main functions of a passive IDS are to log suspicious activity and generate alerts if an attack is deemed to be severe. Additional functionality can be achieved by using a more advanced type of IDS called an active IDS. An active IDS can automate responses that may include dynamic policy adjustment and reconfiguration of supporting network devices to block the offending traffic.

Software-defined networking (SDN) uses a controller to manage the devices. The controller is able to inventory hardware components in the network, gather network statistics, make routing decisions based on gathered data, and facilitate communication between devices from different vendors. It can also be used to make wide-spread configuration changes on just one device. Which of the following best describes an SDN controller?

The SDN controller is software.

You have opted to use software-defined networking (SDN) to manage, control, and make changes to your network. You want to be able to use software to configure and intelligently control the network, rather than relying on the individual static configuration files that are located on each network device. SDN consists of three layers: - Application layer - Control layer - Physical layer Which of the following describes what the SDN control layer does to networking devices that comprise the physical layer?

The control layer removes the control pane from networking devices and creates a single control plane EXPLANATION The control layer removes the control plane from the physical networking devices. In traditional networks, each of these devices would have an integrated control plane located on the device. However, SDN removes this from the devices and creates a single control plane. The individual networking devices use southbound APIs to communicate with the control plane and vice versa.

6.4.3) Drag the description on the left to the appropriate switch attack type shown on the right. ARP Spoofing/Poisoning

The source device sends frames to the attacker's MAC address instead of the correct device.

Which of the following describes the worst possible action by an IDS?

The system identified harmful traffic as harmless and allowed it to pass without generating any alerts.

Drag each penetration test characteristic on the left to the appropriate penetration test name on the right. White box test Grey box test Black box test Single blind test Double blind test

The tester has detailed information about the target system prior to starting the test. The tester has the same amount of information that would be available to a typical insider in the organization. The tester has no prior knowledge of the target system. Single blind test Either the attacker has prior knowledge about the target system, or the administrator knows that the test is being performed. The tester does not have prior information about the system and the administrator has no knowledge that the test is being performed.

When using Kerberos authentication, which of the following terms is used to describe the token that verifies the user's identity to the target system?

Ticket EXPLANATION The tokens used in Kerberos authentication are known as tickets. Tickets perform a number of functions, including notifying the network service of the user who has been granted access and authenticating the identity of the person when they attempt to use that network service.

A user has just authenticated using Kerberos. Which object is issued to the user immediately following login?

Ticket granting ticket EXPLANATION Kerberos works as follows: 1. The client sends an authentication request to the authentication server. 2. The authentication server validates the user identity and grants a ticket granting ticket (TGT). The TGT validates the user identity and is good for a specific ticket granting server. 3. When the client needs to access a resource, it submits its TGT to the TGS. The TGS validates that the user is allowed access and issues a client-to-server ticket. 4. The client connects to the service server and submits the client-to-server ticket as proof of access. 5. The SS accepts the ticket and allows access.

Which of the following are required when implementing Kerberos for authentication and authorization? (Select two.) RADIUS or TACACS+ server Time synchronization PPPoE Ticket granting server PPP

Time synchronization Ticket granting server EXPLANATION Kerberos grants tickets (also called a security token) to authenticated users and to authorized resources. A ticket granting server (TGS) grants tickets that are valid for specific resources on specific servers. Kerberos requires that all servers within the process have synchronized clocks to validate tickets, so a centralized time server or other method for time synchronization is required. Both RADIUS and TACACS+ are protocols used for centralized authentication, authorization, and accounting used with remote access. PPP and PPPoE are protocols used for remote access connections.

Which of the following are requirements to deploy Kerberos on a network? (Select two.)

Time synchronization between devices A centralized database of users and passwords EXPLANATION Kerberos requires that there be a centralized database of users and passwords, as well as time synchronization. The user database is usually maintained on the KDC itself or on a separate pre-authentication server system. Time synchronization is required to stamp a consistent expiration date within the ticket granting ticket (TGT). Kerberos can function across remote links. Therefore, remote connectivity does not need to be blocked. Kerberos is based on passwords, but can be deployed within an environment that employs tokens and one-time passwords. However, this is not a requirement of Kerberos. Kerberos is often deployed simultaneously with a directory service, such as Active Directory, but Kerberos does not require a directory service to be present. Kerberos can function as a stand-alone, single-sign on solution.

A honeypot is used for which purpose?

To delay intruders in order to gather auditing data EXPLANATION A honeypot is used to delay intruders in order to gather auditing data. A honeypot is a fake network or system that hosts false information but responds as a real system should. Honeypots usually entice intruders to spend considerable time on the system and allows extensive logging of the intruder's activities. A honeypot often allows companies to discover and even prosecute intruders. Honeypots should not be used to entrap intruders. Entrapment is an illegal activity. Honeypots are not direct countermeasures to preventing unwanted access. Rather, they are an enticement to prevent intruders from getting into the private network in the first place. Honeypots rarely take offensive action against intruders. They may prevent malicious activities from being launched by an intruder, but they do not direct attacks at the intruder.

6.5.8) When configuring VLANs on a switch, what type of switch ports are members of all VLANs defined on the switch? a. Trunk ports b. Uplink ports c. Gigabit and higher Ethernet ports d. Each port can only be a member of a single VLAN e. Any port not assigned to a VLAN

Trunk ports EXPLANATION A trunk port is a member of all VLANs defined on a switch, and carries traffic between the switches. When trunking is used, frames that are sent over a trunk port are tagged by the first switch with the VLAN ID so that the receiving switch knows to which VLAN the frame belongs to. Typically, uplink ports (that are faster than the other switch ports) are used for trunk ports, although any port can be designated as a trunking port. On an unconfigured switch, ports are members of a default VLAN (often designated VLAN 1). When you remove the VLAN membership of a port, it is reassigned back to the default VLAN, therefore the port is always a member of one VLAN.

You want to use a vulnerability scanner to check a system for known security risks. What should you do first?

Update the scanner definition files EXPLANATION Before using a vulnerability scanner, you should update the definition files. The definition files identify known security risks associated with the system. Some scanners update the definition files automatically, while others require you to download the latest definition files.

You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a locked server closet. You use an FTP client to regularly back up the router configuration to a remote server in an encrypted file. You access the router configuration interface from a notebook computer that is connected to the router's console port. You've configured the device with the user name admin01 and the password P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device?

Use SCP to back up the router configuration to a remote location. EXPLANATION In this scenario, the router configuration is being copied to a remote location using an insecure protocol (FTP) that transfers data in cleartext. You should instead use the secure copy protocol (SCP) to transfer the backup from the router to the remote storage location.

Your LDAP directory services solution uses simple authentication. What should you always do when using simple authentication? Add SASL and use TLS Use SSL Use Kerberos Use IPsec and certificates

Use SSL EXPLANATION Protect LDAP simple authentication by using SSL to protect authentication traffic. LDAP simple authentication uses cleartext for user name and password exchange. Protect this exchange with SSL. While you can protect authentication using SASL, this requires changing the authentication mode of LDAP from simple to SASL. When using SASL, you can use a wide range of solutions, such as TLS, Kerberos, IPsec, or certificates.

6.6.7) In the VLAN configuration shown in the diagram above, workstations in VLAN1 are not able to communicate with workstations in VLAN2, even though they are connected to the same physical switch. Which of the following can you use to allow workstations in VLAN1 to communicate with the workstations in VLAN2? (Select two. Each correct answer is a complete solution.) Correct Answer:

Use a Layer 3 switch to route packets between VLAN1 and VLAN2 Use a router to route packets between VLAN1 and VLAN2. EXPLANATION In order for the workstations in VLAN1 and VLAN2 to communicate with each other, their packets need to be routed from one VLAN to the other. To route packets between separate VLANs, you can use either of the following: A router A Layer 3 switch Although each switch can be connected to multiple VLANs, each switch port can be assigned to only one VLAN at a time. The workstations can only belong to the VLAN that is assigned to the port that they are physically connected to.

6.2.6) You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID card to gain access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer by connecting it to the console port on the router. You configured the management interface with a user name of admin and a password of password. What should you do to increase the security of this device?

Use a stronger administrative password EXPLANATION In this scenario, the password assigned to the device is weak and easily guessed. It should be replaced with a strong password that is at least eight characters long, uses upper- and lower-case letters, and uses numbers or symbols.

6.7.8) You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID for access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using a Telnet client with a user name of admin and a password of admin. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device?

Use an SSH client to access the router configuration. Change the default administrative user name and password. EXPLANATION In this scenario, two key security issues need to be addressed: You should use an SSH client to access the router configuration. Telnet transfers data in cleartext over the network connection, exposing sensitive data to sniffing. You should change the default administrative user name and password. Default user names and passwords are readily available from web sites on the internet. Encrypted type 7 passwords on a Cisco device are less secure than those protected with MD5. Using HTTP and TFTP to manage the router configuration could expose sensitive information to sniffers as they transmit data in cleartext.

Which of the following are true concerning the Virtual Desktop Infrastructure (VDI)?

User desktop environments are centrally hosted on servers instead of on individual desktop systems. In the event of a widespread malware infection, the administrator can quickly reimage all user desktops on a few central servers. EXPLANATION Virtual Desktop Infrastructure (VDI) is a service that hosts user desktop environments on centralized servers. Users access their desktops from low-end systems over a network connection using a remote display protocol such as Remote Desktop or VNC. This allows users to access their desktop environment with their applications and data from any location and from any client device. Roaming profiles are not needed. VDI provides administrators with a centralized client environment that is easier and more efficient to manage. For example, if a widespread malware infection hits multiple user desktops, the affected systems can be quickly reimaged on the VDI server. There is no need to push large images down to client systems over the network.

6.1.3) Your organization has started receiving phishing emails. You suspect that an attacker is attempting to find an employee workstation they can compromise. You know that a workstation can be used as a pivot point to gain access to more sensitive systems. Which of the following is the most important aspect of maintaining network security against this type of attack?

User education and training EXPLANATION User education and training is the most important aspect of maintaining network security against an email phishing attack.

You can use a variety of methods to manage the configuration of a network router. Match the management option on the right with its corresponding description on the left. SSl HTTP SSH Telnet Console port

Uses public-key cryptography Transfers data in cleartext Uses public-key cryptography Transfers data in cleartext Cannot be sniffed

You run a small network for your business that has a single router connected to the Internet and a single switch. You keep sensitive documents on a computer that you would like to keep isolated from other computers on the network. Other hosts on the network should not be able to communicate with this computer through the switch, but you still need to access the network through the computer. What should you use for this situation?

VLAN EXPLANATION Define virtual LANs (VLANs) on the switch. With a VLAN, a port on the switch is associated with a VLAN. Only devices connected to ports that are members of the same VLAN can communicate with each other. Routers are used to allow communication between VLANs if necessary.

Your company is a small start-up company that has leased office space in a building shared by other businesses. All businesses share a common network infrastructure. A single switch connects all devices in the building to the router that provides Internet access. You would like to make sure that your computers are isolated from computers used by other companies. Which feature should you request to have implemented?

VLAN EXPLANATION Define virtual LANs (VLANs) on the switch. With a VLAN, a port on the switch is associated with a VLAN. Only devices connected to ports that are members of the same VLAN can communicate with each other. Routers are used to allow communication between VLANs if necessary.

6.5.8) You manage a network that uses a single switch. All ports within your building connect through the single switch. In the lobby of your building are three RJ-45 ports connected to the switch. You want to allow visitors to plug into these ports to gain Internet access, but they should not have access to any other devices on your private network. Employees connected throughout the rest of your building should have both private and Internet access. Which feature should you implement? a. Port authentication b. VLANs c. NAT d. DMZ

VLANs EXPLANATION Use VLANs to segregate hosts based on switch ports. You could define two VLANs: one for employees connected throughout the building, and another for the ports in the lobby. The ports in the lobby would have only Internet access, while devices connected to ports in the rest of the building could communicate with other devices within the same VLAN. Use port authentication to control access to the network based on things such as username and password. Port authentication would allow or deny access, but would not restrict access once authenticated, or provide any type of access if not authenticated. A demilitarized zone (DMZ) is a buffer network (or subnet) that sits between the private network and an untrusted network (such as the Internet). Network Address Translation (NAT) modifies the IP addresses in packets as they travel from one network (such as a private network) to another (such as the Internet). NAT allows you to connect a private network to the Internet without obtaining registered addresses for every host. Hosts on the private network share the registered IP addresses.

Which of the following devices facilitates communication between different virtual machines by checking data packets before moving them to a destination? Virtual firewall Virtual switch Virtual router Hypervisor

Virtual switch EXPLANATION A virtual switch is a software that facilitates the communication between different virtual machines. It does so by checking data packets before moving them to a destination. They may be already a part of software installed in the virtual machine, or they may be part of the server firmware.

What is the main difference between vulnerability scanning and penetration testing?

Vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter. EXPLANATION Penetration testing simulates an actual attack on the network and is conducted from outside the organization's security perimeter. Vulnerability scanning is typically performed internally by users with administrative access to the system. The goal of both vulnerability scanning and penetration testing is to identify the effectiveness of security measures and weaknesses that can be fixed. While some penetration testing is performed with no knowledge of the network, penetration testing could be performed by testers with detailed information about the systems. Both vulnerability scanning and penetration testing can use similar tools, although illegal tools should be avoided in both activities.

You want to use a tool to see packets on a network, including the source and destination of each packet. Which tool should you use? Nessus Wireshark OVAL Nmap

Wireshark EXPLANATION A protocol analyzer, also called a packet sniffer, is special software that captures (records) frames that are transmitted on the network. A protocol analyzer is a passive device. It copies frames and allows you to view frame contents, but does not allow you to capture, modify, and retransmit frames (activities that are used to perform an attack). Wireshark is a popular protocol analyzer. Nmap is a tool that performs ping scans (finding devices on the network) as well as port scans (looking for open ports on the network). Nessus is a vulnerability scanning tool. While a protocol analyzer looks at packets on the network, a vulnerability scanner looks for weaknesses in systems, including open ports, running services, and missing patches. The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting a system's security vulnerabilities.

6.6.7) Based on the VLAN configuration shown in the diagram above, which of the following is not true? a. This configuration create two broadcast domains. VLAN1 and VLAN2 are separate broadcast domains. b. FastEthernet ports 0/1 and 0/2 are members of VLAN1. FastEthernet ports 0/3 and 0/4 are members of VLAN2. c. Workstations in VLAN1 are able to communicate with workstations in VLAN2 because they are connected to the same physical switch. d. VLAN1 is one of the default VLANs on the switch. VLAN2 had to be manually configured.

Workstations in VLAN1 are able to communicate with workstations in VLAN2 because they are connected to the same physical switch. EXPLANATION Based on the VLAN configuration shown in the diagram, the workstations in VLAN1 are not able to communicate with workstations in VLAN2 even though they are connected to the same physical switch.

The IT manager has asked you to create a separate VLAN to be used exclusively for wireless guest devices to connect to. Which of the following is the primary benefit of creating this VLAN?

You can control security by isolating wireless guest devices within this VLAN. EXPLANATION The primary benefit of creating a VLAN for wireless guest devices to connect to is it allows you to control security by isolating wireless guest devices within this VLAN. Devices on this VLAN cannot communicate with other devices in other VLANs unless you allow traffic to get through with a router or Layer 3 switch. In this case, you would likely keep this wireless guest VLAN isolated from the rest of your network and only allow traffic from this VLAN to communicate with the internet. Following are also benefits of creating VLANs in general (but these are not the primary benefit of creating a wireless guest VLAN): - You can create virtual LANs based on criteria other than physical location (such as workgroup, protocol, or service). - You can simplify device moves (devices are moved to new VLANs by modifying the port assignment). - You can control broadcast traffic and create collision domains based on logical criteria. - You can load-balance network traffic (divide traffic logically rather than physically).

6.6.7) Which of the following is NOT an administrative benefit of implementing VLANs? a. You can manually load-balance network traffic. b. You can simplify routing traffic between separate networks. c. You can control broadcast traffic and create collision domains based on logical criteria. d. You can control security by isolating traffic within a VLAN. e. You can simplify device moves.

You can simplify routing traffic between separate networks. EXPLANATION Switches are used to create VLANs. Despite advances in switch technology, routers are still typically used to route traffic between separate networks. VLANs with switches offer the following administrative benefits: - You can create virtual LANs based on criteria other than physical location (such as workgroup, protocol, or service). - You can simplify device moves (devices are moved to new VLANs by modifying the port assignment). - You can control broadcast traffic and create collision domains based on logical criteria. - You can control security (isolate traffic within a VLAN). - You can load-balance network traffic (divide traffic logically rather than physically).

In which of the following situations would you use port security? a. You want to prevent sniffing attacks on the network. b. You want to prevent MAC address spoofing. c. You want to restrict the devices that could connect through a switch port. d. You want to control the packets sent and received by a router.

You want to restrict the devices that could connect through a switch port EXPLANATION Use port security on a switch to restrict the devices that can connect to a switch. Port security uses the MAC address to identify allowed and denied devices. When an incoming frame is received, the switch examines the source MAC address to decide whether to forward or drop the frame. Port security cannot prevent sniffing or MAC address spoofing attacks. Use an access list on a router to control sent and received packets.

Which of the following types of penetration test teams will provide you information that is most revealing of a real-world hacker attack? Split-knowledge team Full-knowledge team Partial-knowledge team Zero-knowledge team

Zero-Knowledge team EXPLANATION A zero-knowledge team is a penetration testing team which most closely simulates a real-world hacker attack as they must perform all of the initial blind reconnaissance. A full-knowledge team is least like a real-world hacker, as they already know everything about the environment. A partial-knowledge team is closer to a real-world hacker than a full-knowledge team, but not as close as a zero-knowledge team. A a split-knowledge team is not a generally-accepted standard penetration team. Split knowledge refers to a separation of duties concept.