CIST 1601 Information Security Chapter 5
When designing a firewall, what is the recommended approach for opening and closing ports? Close all ports. Close all ports; open ports 20, 21, 53, 80, and 443. Open all ports; close ports that show improper traffic or attacks in progress. Close all ports; open only ports required by applications inside the DMZ. Open all ports; close ports that expose common network attacks
Close all ports; open only ports required by applications inside the DMZ.
As the victim of a Smurf attack, what protection measure is the most effective during the attack? Turn off the connection to the ISP Communicate with your upstream provider Block all attack vectors with firewall filters Update your antivirus software
Communicate with your upstream provider
In a NAP system, which is the function of the System Health Validator?
Compare the statement of health submitted by the client to the health requirements
You want to connect your small company network to the internet. Your ISP provides you with a single IP address that is to be shared between all hosts on your private network. You do not want external hosts to be able to initiate connections to internal hosts. What type of address translation (NAT) should you implement? Restricted Dynamic Static Shared
Dynamic (to share public addresses with multiple private hosts)
Which IPSec subprotocol provides data encryption? ESP AH AES SSL
ESP (Encapsulating Security Payload)
Which step is required to configure a NAP on a Remote Desktop (RD) gateway server?
Edit the properties for the server and select *Request clients to send a statement of health*
In addition to Authentication Header (AH), IPSec is comprised of what other service? Advanced Encryption Standard (AES) Encapsulating Security Payload (ESP) Encryption File System (EFS) Extended Authentication Protocol (EAP)
Encapsulating Security Payload (ESP)
Which of the following features are supplied by WPA2 on a wireless network?
Encryption
What is the goal of a TCP/IP hijacking attack? Preventing legitimate authorized access to a resource. Destroying data. Executing commands or accessing resources on a system the attacker does not otherwise have authorization to access. Establishing an encryption tunnel between two remote systems over an otherwise secured network.
Executing commands or accessing resources on a system the attacker does not otherwise have authorization to access.
Which of the following is a privately controlled portion of a network that is accessible to some specific external entities? Internet MAN Extranet Intranet
Extranet
Which of the following is likely to be located in a DMZ? Backup server Domain controller FTP server User workstations
FTP Server
Which of the following are functions of gateway email spam blockers? (Select two.)
Filters messages containing specific content Blocks email from specific senders
Which of the following is the best device to deploy to protect your private network from a public untrusted network? Gateway Firewall Router Hub
Firewall
Which of the following is not a benefit of NAT? Preventing traffic initiations from outside the private network Hiding the network infrastructure from external entities Using fewer public IP addresses Improving the throughput rate of traffic
Improving the throughput rate of traffic
Which of the following is the most effective protection against IP packet spoofing on a private network? Antivirus scanners Ingress and egress filters Host-based IDS Digital signatures
Ingress and egress filters
You would like to control Internet access based on users, time of day, and websites visited. How can you do this? >Configure the Local Security Policy of each system to add Internet restrictions. >Configure Internet zones using the Internet Options. >Install a proxy server. Allow Internet access only through the proxy server. >Enable Windows Firewall on each system. Add or remove exceptions to control access. >Configure a packet-filtering firewall. Add rules to allow or deny Internet access.
Install a proxy server. Allow Internet access only through the proxy server.
Which VPN protocol typically employs IPSec as its data encryption mechanism? L2TP PPTP L2F PPP
L2TP (Layer 2 Tunneling Protocol)
PPTP (Point-to-Point Tunneling Protocol) is quickly becoming obsolete because of which VPN protocol? L2TP (Layer 2 Tunneling Protocol) TACACS (Terminal Access Controller Access Control System) L2F (Layer 2 Forwarding Protocol) SLIP (Serial Line Interface Protocol)
L2TP (Layer 2 Tunneling Protocol)
A SYN packet is received by a server. The SYN packet has the exact same address for both the sender and receiver addresses, which is the address of the server. This is an example of what type of attack? SYN flood Teardrop attack Land attack Ping of death
Land attack
When a SYN flood is altered so that the SYN packets are spoofed in order to define the source and destination address as a single victim IP address, the attack is now called what? Fraggle attack Impersonation Analytic attack Land attack
Land attack (A land attack is a SYN flood where the source and destination address of the SYN packets are both defined as the victim's IP address.)
Capturing packets as they travel from one host to another with the intent of altering the contents of the packets is a form of which attack type? Spamming Man-in-the-middle attack DDoS Passive logging
Man-in-the-middle attack
Members of the sales team use laptops to connect to the company network. While traveling, they connect their laptops to the internet through airport and hotel networks. You are concerned that these computers will pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless anti-virus software and the latest operating system patches are installed. Which solution should you use? DMZ NAC NAT NIDS
NAC (Network Access Control)
Which of the following networking devices or services prevents the use of IPSec in most cases? NAT Switch Firewall Router
NAT
Your organization's security policy requires you to restrict network access to allow only clients that have their firewall enabled. Which of the following is a collection of components that would allow you to meet this requirement?
Network access protection
You manage a small network at work. Users use workstations connected to your network. No portable computers are allowed. As part of your security plan, you would like to implement scanning of e-mails for all users. You want to scan the e-mails and prevent any e-mails with malicious attachments from being received by users. Your solution should minimize administration, allowing you to centrally manage the scan settings. Which solution should you use? SMTP Host based firewall Network based firewall DMZ
Network based firewall
Your company has a connection to the internet that allows users to access the internet. You also have a web server and an email server that you want to make available to internet users. You want to create a DMZ for these two servers. Which type of device should you use to create the DMZ? Network-based firewall Host-based firewall VPN concentrator IDS IPS
Network-based firewall
Which type of active scan turns off all flags in a TCP header? Christmas tree Stealth Null FIN
Null (null scan turns off all flags in a TCP header, creating a lack of TCP flags that should never occur in the real world.)
Which of the following is a firewall function? Packet filtering FTP hosting Protocol conversion Frame filtering Encrypting
Packet filtering
A router on the border of your network detects a packet with a source address that is from an internal client, but the packet was received on the internet-facing interface. This is an example of what form of attack? Spamming Sniffing Snooping Spoofing
Spoofing
Which type of activity changes or falsifies information in order to mislead or re-direct traffic? Snooping Sniffing Spamming Spoofing
Spoofing
Which of the following are characteristics of a circuit-level gateway? (Select two.) Stateless Filters IP address and port Stateful Filters based on sessions Filters based on URL Stateful
Stateful Filters based on sessions (circuit-level gateway makes decisions about which traffic to allow based on virtual circuits or sessions.)
Which of the following are characteristics of a packet filtering firewall? (Select two.) Filters IP address and port Stateless Filters based on sessions Filters based on URL Stateful
Stateless Filters IP address and port
Which of the following is the main difference between a DOS attack and a DDoS attack? >The DDoS attack spoofs the source IP address. >The DDoS attack uses zombie computers. >The DDoS attack does not respond to SYN ACK packets in the three-way handshake process. >The DDoS attack uses an amplification network.
The DDoS attack uses zombie computers. (In a denial of service (DoS) attack, a single attacker directs an attack at a single target. In a distributed denial of service (DDoS) attack, multiple PCs attack.)
Which statement best describes IPSec when used in tunnel mode? The entire data packet, including headers, is encapsulated The identities of the communicating parties are not protected Packets are routed using the original headers, and only the payload is encrypted IPSec in tunnel mode may not be used for WAN traffic
The entire data packet, including headers, is encapsulated
Which of the following specifications identify security that can be added to wireless networks? (Select two.)
802.1x 802.11i
You need to configure a wireless network. You want to use WPA2 Enterprise. Which of the following components will be part of your design? (Select two.)
802.1x AES encryption
Which of the following is the best countermeasure against man-in-the-middle attacks? UDP IPsec MIME email PPP
IPsec
Which of the following is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network? Session hijacking Fraggle Smurf Fingerprinting
Smurf
What are the most common network traffic packets captured and used in a replay attack? Session termination File transfer DNS query Authentication
Authentication
Which of the following terms describes a network device that is exposed to attacks and has been hardened against those attacks? Kernel proxy Bastion or sacrificial host Multi-homed Circuit proxy
Bastion or sacrificial host (describes any device fortified against attack, such as a firewall)
Which of the following are features of an application-level gateway? (select two). >The entire messages are reassembled. >Allow only valid packets within approved sessions. > Verifies that packets are properly sequenced. >Stops each packet at the firewall and inspects it. > Uses access control lists.
>The entire messages are reassembled. >Stops each packet at the firewall and inspects it.
What is modified in the most common form of spoofing on a typical IP packet? Protocol type field value Source address Hash total Destination address
Source address (the source address is modified so that the real source device's address is hidden)
An attacker is conducting passive reconnaissance on a targeted company. Which of the following could he be doing? Social engineering Scanning ports Browsing the organization's website War driving War dialing
Browsing the organization's website
You want to install a firewall that can reject packets that are not part of an active session. Which type of firewall should you use? Packet filtering VPN concentrator Application level Circuit-level
Circuit-level
How does IPSec NAP enforcement differ from other NAP enforcement methods?
Clients must be issued a valid certificate before a connection to the private network is allowed
When a malicious user captures authentication traffic and replays it against the network later, what is the security problem you are most concerned about? Denial of service An unauthorized user gaining access to sensitive resources Spam Bandwidth consumption
An unauthorized user gaining access to sensitive resources
Which of the following is not one of the IP address ranges defined in RFC 1918 that are commonly used behind a NAT server? 169.254.0.0- 169.254.255.255 172.16.0.0 -172.31.255.255 192.168.0.0 -192.168.255.255 10.0.0.0- 10.255.255.255
169.254.0.0 - 169.254.255.255 (is the range of IP addresses assigned to Windows DHCP clients if a DHCP server does not assign the client an IP address. )
5.1 Recon and Denial
5.2 Spoofing and Poisoning
5.3 Security Appliances
5.4 Demilitarized Zones (DMZ)
5.5 Firewalls
5.6 Network Address Translation (NAT)
5.7 Virtual Private Networks (VPN)
5.8 Web Threat Protection
Which of the following describes a man-in-the-middle attack? >Malicious code is planted on a system, where it waits for a triggering event before activating. >A false server intercepts communications from a client by impersonating the intended server. >An IP packet is constructed that is larger than the valid size. >A person convinces an employee to reveal their login credentials over the phone.
A false server intercepts communications from a client by impersonating the intended server.
A SYN attack or SYN flood exploits or alters which element of the TCP three-way handshake? FIN or RES SYN SYN/ACK ACK
ACK (a SYN flood exploits or attacks the ACK packet of the TCP three-way handshake.)
Which of the following does a router acting as a firewall use to control which packets are forwarded or dropped? IPsec PPP ACL VNC RDP
ACL (access control list)
Which of the following are typically used for encrypting data on a wireless network? (Select two.)
AES TKIP
Which of the following attacks tries to associate an incorrect MAC address with a known IP address? Null session Hijacking ARP poisoning MAC flooding
ARP poisoning
You are the office manager of a small financial credit business. Your company handles personal financial information for clients seeking small loans over the internet. You are aware of your obligation to secure clients records. Budget is an issue for your company. Which item would provide the best security for this situation? Network Access Control system Proxy server with access controls All-in-one security appliance Firewall on your gateway server to the Internet
All-in-one security appliance
Which of the following best describes the ping of death? >An ICMP packet that is larger than 65,536 bytes >Partial IP packets with overlapping sequencing numbers >Redirecting echo responses from an ICMP communication >Sending multiple spoofed ICMP packets to the victim
An ICMP packet that is larger than 65,536 bytes (ping of death involves an ICMP packet that is larger than 65,536 bytes )
Which of the following describes how access lists can be used to improve network security? An access list filters traffic based on the IP header information such as source or destination IP address, protocol, or socket numbers. An access list filters traffic based on the frame header such as source or destination MAC address. An access list looks for patterns of traffic between multiple packets and takes action to stop detected attacks. An access list identifies traffic that must use authentication or encryption.
An access list filters traffic based on the IP header information such as source or destination IP address, protocol, or socket numbers.
You are investigating the use of website and URL content filtering to prevent users from visiting certain websites. Which benefits are the result of implementing this technology in your organization? (Choose two.)
An increase in bandwidth availability Enforcement of the organization's internet usage policy
Which of the following firewall types can be a proxy between servers and clients? (Select two.) Dynamic packet filtering firewall Stateful inspection firewall Kernel proxy filtering firewall Application layer firewall Circuit proxy filtering firewall
Application layer firewall Circuit proxy filtering firewall
You provide internet access for a local school. You want to control Internet access based on user, and prevent access to specific URLs. Which type of firewall should you install? Packet filtering IPS Application level Circuit-level
Application level
Match the application-aware network device on the right with the appropriate description on the left. Each description may be used once, more than once, or not at all. Application-aware proxy: Application-aware firewall Application-aware IDS: - Improves application performance - Enforces security rules based on the application that is generating network traffic instead of the traditional port and protocol - Analyzes network packets to detect malicious payloads targeted at application-layer services - Defines security measures that must be in place for a computer requesting access to the network
Application-aware proxy: - Improves application performance Application-aware firewall: - Enforces security rules based on the application that is generating network traffic instead of the traditional port and protocol Application-aware IDS: - Analyzes network packets to detect malicious payloads targeted at application-layer services
A salesperson in your organization spends most of her time traveling between customer sites. After a customer visit, she must complete various managerial tasks, such as updating your organization's order database. Because she rarely comes back to your home office, she usually accesses the network from her notebook computer using Wi-Fi access provided by hotels, restaurants, and airports. Many of these locations provide unencrypted public Wi-Fi access, and you are concerned that sensitive data could be exposed. To remedy this situation, you decide to configure her notebook to use a VPN when accessing the home network over an open wireless connection. Which key steps should you take when implementing this configuration? (Select two.) Configure the browser to send HTTPS requests directly to the WiFi network without going through the VPN connection Configure the VPN connection to use IPsec Configure the browser to send HTTPS requests through the VPN connection Configure the VPN connection to use PPTP Configure the VPN connection to use MSCHAPv2
Configure the browser to send HTTPS requests through the VPN connection Configure the VPN connection to use IPSec
You need to configure the wireless network card to connect to your network at work. The connection should use a user name and password for authentication with AES encryption. What should you do?
Configure the connection to use WPA2-Enterprise.
Which of the following prevents access based on website ratings and classifications? NIDS DMZ Content filter Packet filtering firewall
Content Filter
Which of the following is not a protection against session hijacking? DHCP reservations Packet sequencing Time stamps Anti-IP spoofing
DHCP reservations
Of the following security zones, which one can serve as a buffer network between a private secured network and the untrusted internet? Intranet DMZ Padded cell Extranet
DMZ
While using the internet, you type the URL of one of your favorite sites in the browser. Instead of going to the correct site, however, the browser displays a completely different website. When you use the IP address of the web server, the correct site is displayed. Which type of attack has likely occurred? Man-in-the-middle Spoofing DNS poisoning Hijacking
DNS poisoning
Which attack form either exploits a software flaw or floods a system with traffic in order to prevent legitimate activities or transactions from occurring? Privilege escalation Brute force attack Man-in-the-middle attack Denial of service attack
Denial of service attack (it exploits a software flaw or floods a system with traffic in order to prevent legitimate activities or transactions from occurring)
Which of the following are denial of service attacks? (Select two.) Salami Smurf Fraggle Hijacking
Fraggle Smurf
When the TCP/IP session state is manipulated so that a third party is able to insert alternate packets into the communication stream, what type of attack has occurred? Replay Hijacking Masquerading Spamming
Hijacking
You have been given a laptop to use for work. You connect the laptop to your company network, use it from home, and use it while traveling. You want to protect the laptop from Internet-based attacks. Which solution should you use? VPN concentrator Host based firewall Proxy server Network based firewall
Host based firewall
An attacker uses an exploit to push a modified hosts file to client systems. This hosts file redirects traffic from legitimate tax preparation sites to malicious sites to gather personal and financial information. What kind of exploit has been used in this scenario? (Choose two. Both responses are different names for the same exploit.) Man-in-the-middle Reconnaissance Domain name kiting Pharming DNS poisoning
Pharming DNS poisoning
Which of the following denial of service (DOS) attacks uses ICMP packets and is only successful if the victim has less bandwidth than the attacker? Ping flood Ping of death Fragmentation LAND
Ping flood (is where the attacker overwhelms the victim with ICMP Echo Request (ping) packets.)
Drag the web threat protection method on the left to the correct definition on the right. [Web threat filtering] [Anti-phishing software] [Virus blockers] [Gateway email spam blockers] [URL content filtering] Prevents users from visiting malicious Prevents outside attempts to access confidential information Identifies and disposes of infected content Prevents unwanted email from reaching your network Prevents users from visiting restricted websites
Prevents users from visiting malicious [Web threat filtering] Prevents outside attempts to access confidential information [Anti-phishing software] Identifies and disposes of infected content [Virus blockers] Prevents unwanted email from reaching your network [Gateway email spam blockers] Prevents users from visiting restricted websites [URL content filtering]
You have used firewalls to create a demilitarized zone. You have a web server that needs to be accessible to internet users. The web server must communicate with a database server for retrieving product, customer, and order information. How should you place devices on the network to best protect the servers? (Select two.) Put the web server inside the DMZ. Put the database server on the private network. Put the web server on the private network. Put the database server inside the DMZ.
Put the database server on the private network. Put the web server inside the DMZ.
You have a company network with a single switch. All devices connect to the network through the switch. You want to control which devices are able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access to all network devices except for a special server that holds the patches that the computers need to download. Which of the following components will be part of your solution? (Select two.)
Remediation servers 802.1x authentication
You are implementing security at a local high school that is concerned with students accessing inappropriate material on the internet from the library's computers. The students will use the computers to search the internet for research paper content. The school budget is limited. Which content filtering option would you choose? >Allow all content except for the content you have identified as restricted >Restrict content based on content categories >Block specific DNS domain names >Block all content except for content you have identified as permitted
Restrict content based on content categories
Match the wireless networking security standard on the left to its associated characteristics on the right. Each standard can be used more than once.
Short initialization vector makes key vulnerable. [WEP] Uses AES for encryption. [WPA2] Uses RC4 for encryption. [WEP] Uses TKIP for encryption. [WPA] Uses CBC-MAC for data integrity. [WPA2] Uses CCMP for key rotation. [WPA2]
You are the administrator for a small company that implements NAT to access the internet. However, you recently acquired five servers that must be accessible from outside your network. Your ISP has provided you with five additional registered IP addresses to support these new servers, but you don't want the public to access these servers directly. You want to place these servers behind your firewall on the inside network, yet still allow them to be accessible to the public from the outside. Which method of NAT translation should you implement for these servers? Static Overloading Restricted Dynamic
Static
You have a small network at home that is connected to the internet. On your home network, you have a server with the IP address of 192.168.55.199/16. You have a single public address that is shared by all hosts on your private network. You want to configure the server as a web server and allow internet hosts to contact the server to browse a personal website. What should you use to allow access? Static NAT DNS CNAME record Multicast DNS A record Dynamic NAT
Static NAT (is used to take a server on a private network and make it available on the internet)
A VPN is primarily used for what purpose? NIDS DMZ Content filter Packet filtering firewall
Support secured communications over an untrusted network
What is the primary use of tunneling? Improving communication throughput Supporting private traffic through a public communication medium Deploying thin clients on a network Protecting passwords
Supporting private traffic through a public communication medium
What encryption method is used by WPA for wireless networks?
TKIP
In which of the following denial of service (DoS) attacks does the victim's system rebuild invalid UDP packets, causing the system to crash or reboot? Teardrop Deauth NACK Banana
Teardrop (fragmented UDP packets with overlapping offsets are sent. Then when the victim system re-builds the packets, an invalid UDP packet is created, causing the system to crash or reboot.)
You suspect that an Xmas tree attack is occurring on a system. Which of the following could result if you do not stop the attack? (Select two.) >The system will be unavailable to respond to legitimate requests. >The threat agent will obtain information about open ports on the system. >The system will send packets directed with spoofed source addresses. >The system will become a zombie.
The system will be unavailable to respond to legitimate requests. The threat agent will obtain information about open ports on the system.
Which of the following is a valid security measure to protect email from viruses? Use blockers on email gateways Use reverse DNS lookup Use PGP to sign outbound email Limit attachment size to a maximum of 1 MB
Use blockers on email gateways
You have a company network that is connected to the internet. You want all users to have internet access, but you need to protect your private network and users. You also need to make a web server publicly available to internet users. Which solution should you use? >Use firewalls to create a DMZ. Place the web server and the private network inside the DMZ. >Use firewalls to create a DMZ. Place the web server inside the DMZ and the private network behind the DMZ. >Use a single firewall. Put the web server in front of the firewall and the private network behind the firewall. >Use a single firewall. Put the web server and the private network behind the firewall.
Use firewalls to create a DMZ. Place the web server inside the DMZ and the private network behind the DMZ. (A demilitarized zone, also called a screened subnet, is a buffer network.)
Which is the best countermeasure for someone attempting to view your network traffic? VPN Antivirus software Access lists Firewall IPS
VPN (Virtual Private Network, the best defense against someone viewing your network traffic)
A group of salesmen would like to access your private network through the internet while they are traveling. You want to control access to the private network through a single server. Which solution should you implement? Use blockers on email gateways Use reverse DNS lookup Use PGP to sign outbound email Limit attachment size to a maximum of 1 MB
VPN concentrator
Which of the following are true of a circuit proxy filter firewall? (Select two.) >Examines the entire message contents. >Verifies sequencing of session packets. >Operates at the Session layer. >Operates at ring 0 of the operating system. >Operates at the Application layer. >Operates at the Network and Transport layers.
Verifies sequencing of session packets. Operates at the Session layer.
Which of the following offers the weakest form of encryption for an 802.11 wireless network?
WEP
Which of the following wireless security methods uses a common shared key configured on the wireless access point and all wireless clients?
WEP, WPA Personal, and WPA2 Personal
In which of the following situations would you most likely implement a demilitarized zone (DMZ)? You want internet users to see a single IP address when accessing your company network. You want to encrypt data sent between two hosts using the internet. You want to protect a public web server from attack. You want to detect and respond to attacks in real time.
You want to protect a public web server from attack.
You need to enumerate the devices on your network and display the network's configuration details. Which of the following utilities should you use? nmap samspade neotrace nslookup
nmap (is an open-source security scanner used for network enumeration and the creation of network maps.)