Security Pro Final Study Set - Part 2
Which of the following ports are used with TACACS?
22
49
50 and 51
1812 and 1813
3389
49 EXPLANATION Terminal Access Controller Access-Control System (TACACS) uses TCP and UDP port 49. Port 22 is used by Secure Shell (SSH). Protocol numbers 50 and 51 are used by IPsec. Ports 1812 and 1813 are used by Remote Authentication Dial-In User Service (RADIUS). Port 3389 is used by Remote Desktop Protocol (RDP). REFERENCES LabSim for Security Pro, Section 6.11.
Which of the following describes a man-in-the-middle attack? A false server intercepts communications from a client by impersonating the intended server. An IP packet is constructed that is larger than the valid size. A person convinces an employee to reveal their login credentials over the phone. Malicious code is planted on a system, where it waits for a triggering event before activating.
A false server intercepts communications from a client by impersonating the intended server. EXPLANATION A false server intercepting communications from a client by impersonating the intended server is a form of a man-in-the-middle attack. Convincing an employee to reveal his logon credentials over the phone is an example of a social engineering attack. Constructing an IP packet that is larger than the valid size is a land attack (a form of DoS). Planting malicious code that waits for a triggering event before activating is a logic bomb. REFERENCES LabSim for Security Pro, Section 5.2.
A SYN attack or SYN flood exploits or alters which element of the TCP three-way handshake? SYN SYN/ACK ACK FIN or RES
ACK EXPLANATION A SYN attack or SYN flood exploits or attacks the ACK packet of the TCP three-way handshake. By not sending the final ACK packet, the server holds open an incomplete session, consuming system resources. If the attacker can cause the server to open numerous sessions in this manner, all system resources are consumed, and no legitimate connections are established. A SYN attack or SYN flood must send the initial SYN packet with no malicious content, other than the possibility of spoofing the source address to hide the attacker's identity or location. The SYN/ACK packet is sent by the server; therefore, the attacker cannot modify or alter this element of the handshake. The FIN or RES packet is not part of the handshake or part of the SYN flood or SYN attack process. These packets are often used legitimately to end communication sessions. However, they can be used in other forms of attack to disable communications maliciously. REFERENCES LabSim for Security Pro, Section 5.1.
Which of the following attacks tries to associate an incorrect MAC address with a known IP address? Hijacking Null session MAC flooding ARP poisoning
ARP poisoning EXPLANATION ARP spoofing/poisoning associates the attacker's MAC address with the IP address of victim devices. When computers send an ARP request to get the MAC address of a known IP address, the attacker's system responds with its MAC address. MAC flooding overloads the switch's MAC forwarding table to make the switch function like a hub. The attacker floods the switch with packets, each containing different source MAC addresses. The flood of packets fills up the forwarding table and consumes so much of the memory in the switch that it causes the switch to enter a state called fail-open mode, in which all incoming packets are broadcast out all ports (as with a hub), instead of just to the correct ports. A null session is the ability to log on using a blank user name and password. With hijacking, an attacker steals an open session, inserting himself into the session in place of the original client. REFERENCES LabSim for Security Pro, Section 5.2.
Which of the following best describes the ping of death? An ICMP packet that is larger than 65,536 bytes Sending multiple spoofed ICMP packets to the victim Redirecting echo responses from an ICMP communication Partial IP packets with overlapping sequencing numbers
An ICMP packet that is larger than 65,536 bytes EXPLANATION The ping of death involves an ICMP packet that is larger than 65,536 bytes. The teardrop attack uses partial IP packets with overlapping sequencing numbers. The Smurf attack sends multiple spoofed ICMP packets to the victim. The ability to redirect echo responses is a feature of ICMP that is often involved in malicious attacks (but is not part of the ping of death). REFERENCES LabSim for Security Pro, Section 5.1.
Which actions can a typical passive intrusion detection system (IDS) take when it detects an attack? (Select two.) The IDS configuration is changed dynamically, and the source IP address is banned. The IDS logs all pertinent data about the intrusion. LAN-side clients are halted and removed from the domain. An alert is generated and delivered via email, the console, or an SNMP trap.
An alert is generated and delivered via email, the console, or an SNMP trap. The IDS logs all pertinent data about the intrusion. EXPLANATION The main functions of a passive IDS are to log suspicious activity and generate alerts if an attack is deemed to be severe. Additional functionality can be achieved by using a more advanced type of IDS called an active IDS. An active IDS can automate responses that may include dynamic policy adjustment and reconfiguration of supporting network devices to block the offending traffic. REFERENCES LabSim for Security Pro, Section 6.8.
You are investigating the use of website and URL content filtering to prevent users from visiting certain websites. Which benefits are the result of implementing this technology in your organization? (Choose two.) An increase in bandwidth availability Identification and disposal of infected content Prevention of phishing attempts Prevention of emails containing threats Enforcement of the organization's internet usage policy
An increase in bandwidth availability Enforcement of the organization's internet usage policy EXPLANATION Website filtering can be used to enforce the organization's internet usage policy and usually results in an increase in bandwidth availability. Spam blockers are used to block emails containing threats. Virus blockers identify infected content and dispose of it. Anti-phishing software scans content to identify and dispose of phishing attempts, preventing outside attempts to access confidential information. REFERENCES LabSim for Security Pro, Section 5.8.
When a malicious user captures authentication traffic and replays it against the network later, what is the security problem you are most concerned about? Bandwidth consumption An unauthorized user gaining access to sensitive resources Spam Denial of service
An unauthorized user gaining access to sensitive resources EXPLANATION When a malicious user captures authentication traffic and replays it against the network later, the security problem you are most concerned about is an unauthorized user gaining access to sensitive resources. Once a replay attack has been successful, the attacker has the same access to the system as the user from whom the authentication traffic was captured. REFERENCES LabSim for Security Pro, Section 5.2.
RADIUS is primarily used for what purpose? Managing RAID fault-tolerant drive configurations Managing access to a network over a VPN Controlling entry gate access using proximity sensors Authenticating remote clients before access to the network is granted
Authenticating remote clients before access to the network is granted EXPLANATION RADIUS (Remote Authentication Dial-In User Service) is primarily used for authenticating remote clients before access to the network is granted. RADIUS is based on RFC 2865. RADIUS maintains client profiles in a centralized database. RADIUS offloads the authentication burden for dial-in users from the normal authentication of local network clients. For environments with a large number of dial-in clients, RADIUS provides improved security, easier administration, improved logging, and less performance impact on LAN security systems. REFERENCES LabSim for Security Pro, Section 6.11.
What are the most common network traffic packets captured and used in a replay attack? Session termination DNS query Authentication File transfer
Authentication EXPLANATION Authentication traffic is the most commonly captured type of network traffic packets in replay attacks. If someone is able to replay the stream of authentication packets successfully, they can gain the same access to the system or network as the original user. Fortunately, many authentication security systems include time stamps or dynamic challenge response mechanisms to prevent authentication packets from being replayed. REFERENCES LabSim for Security Pro, Section 5.2.
While developing a network application, a programmer adds functionality that allows her to access the running program without authentication so she can capture debugging data. The programmer forgets to remove this functionality prior to finalizing the code and shipping the application. What type of security weakness does this represent? Privilege escalation Buffer overflow Weak passwords Backdoor
Backdoor EXPLANATION A backdoor is an unprotected access method or pathway. Backdoors may include hard-coded passwords or hidden service accounts. They are often added during development as a shortcut to circumvent security. If they are not removed, they present a security problem. Privilege escalation allows a user to take advantage of a software bug or design flaw in an application to gain access to system resources or additional privileges that would typically not be available to the user. Weak passwords are passwords that are blank, too short, dictionary words, or not complex enough, which allows them to be quickly identified using password-cracking tools. A buffer overflow occurs when the operating system or an application does not properly enforce boundaries for how much and what type of data can be input. REFERENCES LabSim for Security Pro, Section 6.2.
Network-based intrusion detection is most suited to detect and prevent which types of attacks? Application implementation flaw Buffer overflow exploitation of software Bandwidth-based denial of service Brute force password attack
Bandwidth-based denial of service EXPLANATION Network-based intrusion detection systems are best suited to detect and prevent bandwidth-based denial of service attacks. This type of attack manipulates network traffic in such a way that network-based IDS can easily detect it. The other forms of attack are content-specific and directed against a host. For this reason, they are not easily detected by network-based IDS. REFERENCES LabSim for Security Pro, Section 6.8.
Network-based intrusion detection is most suited to detect and prevent which types of attacks? Brute force password attack Buffer overflow exploitation of software Bandwidth-based denial of service Application implementation flaws
Bandwidth-based denial of service EXPLANATION Network-based intrusion detection systems are best suited to detect and prevent bandwidth-based denial of service attacks. This type of attack manipulates network traffic in such a way that network-based IDS can easily detect it. The other forms of attack are content-specific and directed at a host. For this reason, these attacks are not easily detected by a network-based IDS. REFERENCES LabSim for Security Pro, Section 6.8.
An attacker is conducting passive reconnaissance on a targeted company. Which of the following could he be doing? War driving Scanning ports Social engineering Browsing the organization's website War dialing
Browsing the organization's website EXPLANATION Browsing the organization's website is a form of passive reconnaissance. Other forms of passive reconnaissance include putting a sniffer on the wire or eavesdropping on employee conversations. Social engineering, war driving, war dialing, and scanning ports are all forms of active scanning. REFERENCES LabSim for Security Pro, Section 5.1.
Which remote access authentication protocol periodically and transparently re-authenticates during a logon session by default? EAP Certificates PAP CHAP
CHAP EXPLANATION CHAP is the only remote access authentication protocol that periodically and transparently re-authenticates during a logon session by default. PAP, EAP, and certificates do not re-authenticate mid-session. REFERENCES LabSim for Security Pro, Section 6.11.
You've just deployed a new Cisco router so you can connect a new segment to your organization's network. The router is physically located in a server room that can only be accessed with an ID card. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration from your notebook computer by connecting it to the console port on the router. The web-based management interface uses the default user name of cusadmin and a password of highspeed. What should you do to increase the security of this device? Change the user name. Create a more complex password. Remove any backdoors that might have been created by a programmer. Change the user name and create a more complex password.
Change the user name and create a more complex password. EXPLANATION You should change the user name and create a more complex password. The default user name and password for Cisco routers and other routers can be found on the internet, so they should both be changed when the router is put into production. REFERENCES LabSim for Security Pro, Section 6.2.
As the victim of a Smurf attack, what protection measure is the most effective during the attack? Block all attack vectors with firewall filters Turn off the connection to the ISP Update your anti-virus software Communicate with your upstream provider
Communicate with your upstream provider EXPLANATION The most effective protection measure the victim of a Smurf attack can perform during an attack is to communicate with upstream providers. A simple phone call to request filtering on your behalf can weaken the effectiveness of a Smurf attack. Turning off the connection to the ISP will have the same effect as the Smurf attack itself - denial of service. Whether you disconnect or the attack disconnects you, your network will be unable to use its internet pipeline. Blocking all attack vectors with firewall filters will usually result in a self-imposed denial of service, since most Smurf attacks produce thousands of attack vectors for the inbound flooding packets. Updating your anti-virus software will have no effect on a Smurf attack. REFERENCES LabSim for Security Pro, Section 5.1.
Which of the following prevents access based on website ratings and classifications? DMZ Content filter Packet-filtering firewall NIDS
Content filter EXPLANATION An internet content filter is software used to monitor and restrict what content is delivered across the web to an end user. Companies, schools, libraries, and families commonly use content filters to restrict internet access, block specific websites, or block specific content. A packet-filtering firewall examines the packet header information to make forwarding decisions. The firewall can accept or reject packets based on IP address, but not individual websites. A network-based IDS (NIDS) is a dedicated device installed on the network. It analyzes all traffic on the network, looking for potential attacks. A demilitarized zone (DMZ) is a buffer network (or subnet) that sits between the private network and an untrusted network, such as the internet. REFERENCES LabSim for Security Pro, Section 5.8.
You notice that over the last few months more and more static systems, such as the office environment control system, the security system, and lighting controls, are connecting to your network. You know that these devices can be a security threat. Which of the following measures can you take to minimize the damage these devices can cause if they are compromised? Create a VLAN to use as a high-trust network zone for these static systems to connect to. Create a VLAN to use as a low-trust network zone for these static systems to connect to. Create a VLAN to use as a medium-trust network zone for these static systems to connect to. Create a VLAN to use as a no-trust network zone for these static systems to connect to.
Create a VLAN to use as a low-trust network zone for these static systems to connect to. EXPLANATION If your network has static systems, such as IoT devices, then you probably want to have them on their own network segment. This minimizes the damage they can cause to a single network segment and makes identifying issues with them much easier. The most common way to segment networks is to create VLANs for each network zone. You do have some control over static systems, but very little, so they would best be placed in a low-trust zone. The internet would be classified as a no-trust zone, since you have no control over it. REFERENCES LabSim for Security Pro, Section 6.1.
Which of the following is not a protection against session hijacking? Packet sequencing DHCP reservations Time stamps Anti-IP spoofing
DHCP reservations EXPLANATION DHCP reservations are not a protection against session hijacking. If a valid MAC address can be discovered, then an IP address is handed out freely to the spoofed client by the DHCP server. Packet sequencing and time stamps prevent session hijacking by disallowing packets that are out of order or have expired. Anti-IP spoofing checks the identity of the host before allowing communication to occur, even if the IP address is known. REFERENCES LabSim for Security Pro, Section 5.2.
While using the internet, you type the URL of one of your favorite sites in the browser. Instead of going to the correct site, however, the browser displays a completely different website. When you use the IP address of the web server, the correct site is displayed. Which type of attack has likely occurred? Spoofing Man-in-the-middle Hijacking DNS poisoning
DNS poisoning EXPLANATION Because the correct site shows when you use the IP address, you know that the main website is still functional and that the problem is likely caused by an incorrect domain name mapping. DNS poisoning occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses. In a DNS poisoning attack:
- Incorrect DNS data is introduced into the cache of a primary DNS server.
- The incorrect mapping is made available to client applications through the resolver.
Spoofing is used to hide the true source of packets or redirect traffic to another location. Spoofing attacks use modified source and/or destination addresses in packets, and can include site spoofing that tricks users into revealing information. A man-in-the-middle attack is used to intercept information passing between two communication partners. TCP/IP hijacking is an extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user. With spoofing, man-in-the-middle, and hijacking, the attack would be successful regardless of whether the DNS name or the IP address were used. REFERENCES LabSim for Security Pro, Section 5.2.
Which attack form either exploits a software flaw or floods a system with traffic in order to prevent legitimate activities or transactions from occurring? Denial of service attack Man-in-the-middle attack Brute force attack Privilege escalation
Denial of service attack EXPLANATION A denial of service attack either exploits a software flaw or floods a system with traffic in order to prevent legitimate activities or transactions from occurring. A brute force attack tries every valid key or code sequence in an attempt to discover a password or encryption key. Brute force attacks are always successful given enough time (although enough time could be millennia). A man-in-the-middle attack involves a third party placing themselves between two legitimate communication partners in order to intercept and possibly alter their transmissions. Privilege escalation is stealing or obtaining high-level privileges in a computer system. REFERENCES LabSim for Security Pro, Section 5.1.
What is the goal of a TCP/IP hijacking attack? Establishing an encryption tunnel between two remote systems over an otherwise secured network. Preventing legitimate authorized access to a resource. Executing commands or accessing resources on a system the attacker does not otherwise have authorization to access. Destroying data.
Executing commands or accessing resources on a system the attacker does not otherwise have authorization to access. EXPLANATION The goal of a TCP/IP hijacking attack is to execute commands or access resources on a system the attacker does not otherwise have authorization to access. When an attacker successfully performs TCP/IP hijacking, they take over control of the hijacked communication session. Whatever access the original user had, the attacker can now exploit. However, the attack only grants access within the confines of the hijacked session. Just because a hacker gains the victim's access to a server, it does not automatically grant the attacker the victim's access to a different server. A virus's goal is often to destroy data. A denial of service attack's goal is often to prevent legitimate access to a resource. An internal VPN's goal is often to establish an encryption tunnel between two remote systems over an otherwise secured network. REFERENCES LabSim for Security Pro, Section 5.2.
You have configured an NIDS to monitor network traffic. Which of the following describes harmless traffic that has been identified as a potential attack by the NIDS device? Positive Negative False positive False negative
False positive EXPLANATION False positive traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic. Negative traffic assessment means that the system deemed the traffic harmless and let it pass. False negative traffic assessment means that harmful traffic was allowed to pass without any alerts being generated or any actions being taken to prevent or stop it. This is the worst possible action by an IDS. Positive traffic assessment means that the system detected an attack and the appropriate alarms and notifications were generated or the correct actions were performed to prevent or stop the attack. REFERENCES LabSim for Security Pro, Section 6.8.
Which of the following are functions of gateway email spam blockers? (Select two.) Blocks email from specific senders Filters messages containing specific content Blocks phishing attempts, which try to access confidential information Helps enforce an organization's internet usage policy Blocks users from visiting websites with malicious content
Filters messages containing specific content Blocks email from specific senders EXPLANATION Gateway email spam blockers can be used to block the following:
- Messages from specific senders
- Email containing threats (such as false links)
- Messages containing specific content
Web threat filtering prevents users from visiting websites with known malicious content. Website and content filtering can be used to enforce the organization's internet usage policy. Anti-phishing software scans content to identify and dispose of phishing attempts, preventing outsiders from accessing confidential information. REFERENCES LabSim for Security Pro, Section 5.8.
Which of the following identifies an operating system or network service based on its response to ICMP messages? Social engineering Port scanning Fingerprinting Firewalking
Fingerprinting EXPLANATION Fingerprinting identifies an operating system or network service based on its response to ICMP messages. Portions of the original ICMP request are repeated (or quoted) within the response. Each operating system quotes this information back in a slightly different manner. Port scanning pings every port on an external interface or attempts a connection in order to discover which ports are open and active, and which are not. Firewalking uses traceroute to discover which services can pass through a firewall or a router. Social engineering exploits human nature to obtain information, often by impersonating someone of authority and requesting data. REFERENCES LabSim for Security Pro, Section 6.13.
You are implementing a new application control solution. Prior to enforcing your application whitelist, you want to monitor user traffic for a period of time to discover user behaviors and log violations for later review. How should you configure the application control software to handle applications not contained in the whitelist? Block Flag Drop Tarpit
Flag EXPLANATION When using an application control solution, an application whitelist is defined centrally and applied to all network devices. Only applications contained in the whitelist are allowed. Applications not whitelisted can have several actions applied:
- Blocked applications are not allowed. The session will be dropped if it uses UDP and reset if it uses TCP.
- Flagged applications are allowed, but a violation is logged when they are identified.
- Tarpitted applications are not allowed. However, the connection between hosts is kept alive while the application data itself is silently dropped. This makes it appear to both hosts that the other host is receiving the data, but is not responding.
Note: Not all application control solutions support tarpitting application traffic. REFERENCES LabSim for Security Pro, Section 6.3.
Which of the following are denial of service attacks? (Select two.) Smurf Hijacking Salami Fraggle
Fraggle Smurf EXPLANATION Smurf and Fraggle attacks are both denial of service attacks. A Smurf attack spoofs the source address in ICMP packets and sends the ICMP packets to an amplification network (bounce site). The bounce site responds to the victim site with thousands of messages that it did not send. A Fraggle attack is similar to a Smurf attack, but uses UDP packets directed to port 7 (echo) and port 19 (chargen - character generation). A salami attack is not a denial of service attack. A salami attack is when a small amount of information, data, or valuables are taken over a period of time. The result is to construct or obtain data or property of great value. A common example of a salami attack is to deposit the fractions of cents from an accounting program into a numbered account. Eventually, the fractional deposits total a significant sum. Hijacking is an attack directed at authentication. Hijacking is stealing an open and active communication session from a legitimate user (an extension of a man-in-the-middle attack). The attacker takes over the session and cuts off the original source device. REFERENCES LabSim for Security Pro, Section 5.1.
When the TCP/IP session state is manipulated so that a third party is able to insert alternate packets into the communication stream, what type of attack has occurred? Replay Hijacking Spamming Masquerading
Hijacking EXPLANATION A hijacking attack is one where the TCP/IP session state is manipulated so that a third party is able to insert alternate packets into the communication stream. Session hijacking has become difficult to accomplish due to the use of time stamps and randomized packet sequencing rules employed by modern operating systems. REFERENCES LabSim for Security Pro, Section 5.2.
What do host-based intrusion detection systems often rely upon to perform detection activities? Remote monitoring tools Host system auditing capabilities Network traffic External sensors
Host system auditing capabilities EXPLANATION A host-based IDS often relies upon the host system's auditing capabilities to perform detection activities. The host-based IDS uses the logs of the local system to search for attack or intrusion activities. Host-based IDS does not analyze network traffic, use external sensors, or rely upon remote monitoring tools. REFERENCES LabSim for Security Pro, Section 6.8.
As a security precaution, you have implemented IPsec that is used between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? Protocol analyzer VPN concentrator Port scanner Host-based IDS Network-based IDS
Host-based IDS EXPLANATION A host-based IDS is installed on a single host and monitors all traffic coming in to the host. A host-based IDS can analyze encrypted traffic because the host operating system decrypts that traffic as it is received. A network-based IDS is a dedicated device installed on the network. It analyzes all traffic on the network. It cannot analyze encrypted traffic because the packet contents are encrypted so that only the recipient can read the packet contents. A protocol analyzer examines packets on the network, but cannot look at the contents of encrypted packets. A port scanner probes a device to identify open protocol ports. A VPN concentrator is a device used to establish remote access VPN connections. REFERENCES LabSim for Security Pro, Section 6.8.
Which of the following devices can monitor a network and detect potential security attacks? CSU/DSU Proxy IDS Load balancer DNS server
IDS EXPLANATION An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. A proxy server is a type of firewall that can filter based on upper-layer data. A CSU/DSU is a device that converts the signal received from the WAN provider into a signal that can be used by equipment at the customer site. A DNS server provides IP address-to-host name resolution. Load balancing configures a group of servers in a logical group called a server farm. Incoming requests to the group are distributed to individual members within the group. REFERENCES LabSim for Security Pro, Section 6.8.
Which of the following are security devices that perform stateful inspection of packet data and look for patterns that indicate malicious code? (Select two.) ACL IDS IPS Firewall VPN
IDS IPS EXPLANATION An intrusion detection system (IDS) and an intrusion prevention system (IPS) are devices that scan packet contents looking for patterns that match known malicious attacks. Signature files identify the patterns of all known attacks. When a packet matches the pattern indicated in the signature file, the packet can be dropped or an alert can be sent. Firewalls use an access control list (ACL) to filter packets based on the packet header information. Firewalls can filter packets based on port, protocol, or IP address. A virtual private network (VPN) is an encrypted communication channel established between two entities to exchange data over an unsecured network. REFERENCES LabSim for Security Pro, Section 6.8.
Which of the following devices is capable of detecting and responding to security threats? DNS server Multi-layer switch IPS IDS
IPS EXPLANATION An intrusion prevention system (IPS) can detect and respond to security events. An IPS differs from an IDS because it can respond to security threats, not just detect them. A DNS server provides IP address-to-host name resolution. A multi-layer switch uses an ASIC module to switch packets based on packet or data content instead of using the CPU and software. REFERENCES LabSim for Security Pro, Section 6.8.
You are concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible. Which tool should you use? IPS IDS Port scanner Packet sniffer
IPS EXPLANATION Use an intrusion prevention system (IPS) to both detect and respond to attacks. An intrusion detection system (IDS) can detect attacks and send notifications, but cannot respond to attacks. Use a port scanner to check for open ports on a system or a firewall. Use a packet sniffer to examine packets on the network. REFERENCES LabSim for Security Pro, Section 6.8.
Which of the following is the best countermeasure against man-in-the-middle attacks? MIME email IPsec PPP UDP
IPsec EXPLANATION IPsec is the best countermeasure against man-in-the-middle attacks from the selections listed here. Use IPsec to encrypt data in a VPN tunnel as it passes between two communication partners. Even if someone intercepts the traffic, they will be unable to extract the contents of the messages because they are encrypted. All email is MIME email, so this is not a countermeasure against man-in-the-middle attacks. REFERENCES LabSim for Security Pro, Section 5.2.
Your organization's security policy specifies that peer-to-peer file sharing is not allowed. Recently, you received an anonymous tip that an employee has been using a BitTorrent client to download copyrighted media while at work. You research BitTorrent and find that it uses TCP ports 6881-6889 by default. When you check your perimeter firewall configuration, only ports 80 and 443 are open. When you check your firewall logs, you find that no network traffic using ports 6881-6889 has been blocked. What should you do? Implement an application control solution. Block all outbound ports in the perimeter firewall. Call Human Resources and have the employee fired for violation of the security policy. Determine that the accused employee is innocent and being framed.
Implement an application control solution EXPLANATION In this scenario, the best solution would be to implement an application control solution. A firewall alone may be insufficient to block the use of network applications. Knowledgeable users can circumvent firewall ACLs by reconfiguring network applications to use ports commonly left open. In this scenario, if the accusations are founded, then the employee may have reconfigured his BitTorrent client to use port 80 or 443, allowing the traffic through the firewall unimpeded. An application control solution can be used to block unauthorized network applications. Application control implementations use application signatures to identify specific applications. The contents of packets are inspected and compared to these signatures to identify the associated application, regardless of which protocol or port is in use. Blocking all outbound ports would cut off legitimate web-based traffic for all users. No determination of the employee's guilt or innocence should be made until concrete evidence can be gathered. REFERENCES LabSim for Security Pro, Section 6.3.
Your organization uses a web server to host an e-commerce site. Because this web server handles financial transactions, you are concerned that it could become a prime target for exploits. You want to implement a network security control that will analyze the contents of each packet going to or from the web server. The security control must be able to identify malicious payloads and block them. What should you do? Implement an application-aware IDS in front of the web server Implement a stateful firewall in front of the web server Implement an application-aware IPS in front of the web server Install an anti-malware scanner on the web server Implement a packet-filtering firewall in front of the web server
Implement an application-aware IPS in front of the web server EXPLANATION You should implement an application-aware IPS in front of the web server. Even though an application-aware IDS can analyze network packets to detect malicious payloads, only an application-aware IPS can both detect and block malicious packets. Because of this, an application-aware IPS would be the most appropriate choice. Installing an anti-malware scanner on the web server itself is a good idea, but it can only detect malware after it has been installed on the server. Using a packet-filtering firewall or a stateful firewall is also a good security measure, but neither is capable of inspecting the contents of network packets. A packet-filtering firewall can only filter based on IP address, port, and protocol. A stateful firewall can only monitor the state of a TCP connection. These devices should be used in conjunction with an IDS or an IPS to protect a network. REFERENCES LabSim for Security Pro, Section 6.8.
You have decided to perform a double-blind penetration test. Which of the following actions would you perform first? Run system fingerprinting software Engage in social engineering Inform senior management Perform operational reconnaissance
Inform senior management EXPLANATION Before starting a penetration test (also called a pen test), it is important to define the Rules of Engagement (ROE), or the boundaries of the test. Important actions to take include: - Obtain a written and signed authorization from the highest possible senior management - Delegate personnel who are experts in the areas being tested - Gain approval from the internet provider to perform the penetration test - Make sure that all tools or programs used in the test are legal and ethical - Establish the scope and timeline - Identify systems that will not be included in the test Reconnaissance, social engineering, and system scanning are all actions performed during a penetration test. However, no actions should be taken before approval to conduct the test is obtained. REFERENCES LabSim for Security Pro, Section 6.13.
Which of the following is the most effective protection against IP packet spoofing on a private network? Digital signatures Antivirus scanners Host-based IDS Ingress and egress filters
Ingress and egress filters EXPLANATION Ingress and egress filters are the most effective protection against IP packet spoofing. Ingress filters examine packets coming into the network, while egress filters examine packets going out of the network. These filters examine packets based on rules that identify any spoofed packets. Any packet suspected of being spoofed on its way into or out of your network is dropped. Antivirus scanners are useful against viruses. Host-based IDSs are good at detecting host intrusions and security violations. Digital signatures are used to provide a recipient with proof of non-repudiation and integrity of communications. REFERENCES LabSim for Security Pro, Section 5.2.
As a security professional, you need to understand your network on multiple levels. You should focus on the following areas: - Entry points - Inherent vulnerabilities - Documentation - Network baseline Drag the area of focus on the left to the appropriate example on the right. (Areas of focus may be used once, more than once, or not at all.) Drag Entry points Inherent vulnerabilities Documentation Network baseline Drop IoT and SCADA devices. Used to identify a weak network architecture or design. Public-facing servers, workstations, Wi-Fi networks, and personal devices. An older version of Windows that is used for a particular application. What activity looks like in normal day-to-day usage.
IoT and SCADA devices. Inherent vulnerabilities Used to identify a weak network architecture or design. Documentation Public-facing servers, workstations, Wi-Fi networks, and personal devices. Entry points An older version of Windows that is used for a particular application. Inherent vulnerabilities What activity looks like in normal day-to-day usage. Network baseline EXPLANATION As a security professional, you need to understand your network on multiple levels. You should focus on the following: - Entry points: Recognize all vulnerabilities and entry points for possible attacks. This includes public-facing servers, workstations, Wi-Fi networks, and personal devices. Primarily, you must account for anything that connects to the network as a possible entry point. - Inherent vulnerabilities: Identify inherent vulnerabilities or systems that lack proper security controls. For example, if your organization needs to use an older version of Windows for a particular application, then you need to identify that system as a vulnerability. IoT and SCADA devices are both systems that lack proper security controls, and therefore must be dealt with appropriately. - Documentation: Document all network assets in your organization and create a suitable network diagram that you can use as a reference. This is probably one of the most important components of knowing your system. If you don't know the underlying infrastructure of your network, then you can't adequately secure it. Proper network documentation and diagrams will not only help you identify a weak network architecture or design, but will also protect against system sprawl and unknown systems. - Network baseline: You need to know your systems' normal activity, such as their regular traffic patterns, data usage, network activity, server load, et cetera. Mainly, you need to know what your network looks like in normal day-to-day usage. Knowing this allows you to identify unusual or atypical activity that can indicate an attack in progress or a compromised network. To identify a network baseline, you can use network tools that monitor network traffic and create a graphical representation of the collected data, such as Cisco's NetFlow tool. REFERENCES LabSim for Security Pro, Section 6.1.
When a SYN flood is altered so that the SYN packets are spoofed in order to define the source and destination address as a single victim IP address, the attack is now called what? Land attack Impersonation Analytic attack Fraggle attack
Land attack EXPLANATION A land attack is a SYN flood where the source and destination address of the SYN packets are both defined as the victim's IP address. A fraggle attack uses UDP packets, not SYN packets from TCP. An impersonation attack is not usually a protocol attack; it is simply taking on an authorized identity in order to gain entry into a secured environment. An analytic attack is an attack on the algorithm of a cryptography system. REFERENCES LabSim for Security Pro, Section 5.1.
A SYN packet is received by a server. The SYN packet has the exact same address for both the sender and receiver addresses, which is the address of the server. This is an example of what type of attack? SYN flood Ping of death Land attack Teardrop attack
Land attack EXPLANATION A land attack is when the SYN packet has the exact same address for both the sender and receiver addresses, which is the address of the server. The ping of death involves an ICMP packet that is larger than 65,536 bytes. The teardrop attack uses partial IP packets with overlapping sequencing numbers. A SYN flood exploits or attacks the ACK packet of the TCP three-way handshake. By not sending the final ACK packet, the server holds open an incomplete session, consuming system resources. If the attacker can cause the server to open numerous sessions in this manner, all system resources are consumed, and no legitimate connections are established. REFERENCES LabSim for Security Pro, Section 5.1.
Which of the following describes a false positive when using an IPS device? Malicious traffic not being identified Malicious traffic masquerading as legitimate traffic The source address identifying a non-existent host The source address matching the destination address Legitimate traffic being flagged as malicious
Legitimate traffic being flagged as malicious EXPLANATION On an intrusion prevention system (IPS), a positive match occurs when traffic matches the signature that identifies malicious traffic. A false positive occurs when legitimate traffic is identified as malicious traffic. This situation is undesirable, as it often results in legitimate traffic being rejected. Good IPS signature files result in low false positive rates. A false negative occurs when malicious traffic is not identified and is, therefore, allowed. Spoofing is the technique of falsifying the source address in a packet. REFERENCES LabSim for Security Pro, Section 6.8.
Which of the following activities are considered passive in regard to the function of an intrusion detection system? (Choose two.) Transmitting FIN or RES packets to an external host Disconnecting a port being used by a zombie Monitoring the audit trails on a server Listening to network traffic
Listening to network traffic Monitoring the audit trails on a server EXPLANATION Passive IDS is a form of IDS that takes no noticeable action on the network. Passive IDS systems are undetectable by intruders. Passive IDS systems can monitor audit trails or listen to network traffic in real time. Active IDS functions are those that interact with the network and generate detectable events. Such events can include disconnecting ports or transmitting FIN or RES packets to attackers. REFERENCES LabSim for Security Pro, Section 6.8.
Capturing packets as they travel from one host to another with the intent of altering the contents of the packets is a form of which attack type? Passive logging Man-in-the-middle attack Spamming DDoS
Man-in-the-middle attack EXPLANATION Capturing packets between two existing communication partners is a form of a man-in-the-middle attack. As this attack type's name implies, traffic is intercepted somewhere in the middle of the communicating partners. The best way to protect against man-in-the-middle attacks is to use session encryption or line encryption solutions. Passive logging is a means of recording information about network traffic or operations in a system without affecting either in any way. REFERENCES
Your network devices are categorized into the following zone types: - No-trust zone - Low-trust zone - Medium-trust zone - High-trust zone Your network architecture employs multiple VLANs for each of these network zones. Each zone is separated by a firewall that ensures only specific traffic is allowed. Which of the following is the secure architecture concept that is being used on this network? Network segmentation Trust zone networking Virtual local area networking Network firewalling
Network segmentation EXPLANATION The secure network architecture concept that is being used in this example is network segmentation. The most common way to segment networks is to create multiple VLANs for each network zone. These zones can also be separated by firewalls to ensure only specific traffic is allowed. One way to segment a network is to categorize systems into different zones (for example, a no-trust zone, low-trust zone, medium-trust zone, high-trust zone, and highest-trust zone). REFERENCES LabSim for Security Pro, Section 6.1.
Which type of active scan turns off all flags in a TCP header? FIN Stealth Null Christmas tree
Null EXPLANATION A null scan turns off all flags in a TCP header, creating a lack of TCP flags that should never occur in the real world. A FIN scan sends TCP packets to a device without first going through the normal TCP handshaking, thus preventing non-active TCP sessions from being formally closed. A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers with the expectation of receiving a single response. A Christmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. REFERENCES LabSim for Security Pro, Section 5.1.
Which of the following identifies standards and XML formats for reporting and analyzing system vulnerabilities? OVAL OSSTMM MBSA Retina
OVAL EXPLANATION The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system. OVAL is sponsored by the National Cyber Security division of the US Department of Homeland Security. OVAL identifies the XML format for identifying and reporting system vulnerabilities. Each vulnerability, configuration issue, program, or patch that might be present on a system is identified as a definition. OVAL repositories are like libraries or databases that contain multiple definitions. Microsoft Baseline Security Analyzer (MBSA) and Retina Vulnerability Assessment Scanner are vulnerability scanning tools. The Open Source Security Testing Methodology Manual (OSSTMM) is a manual of a peer-reviewed methodology for performing security tests and metrics. REFERENCES LabSim for Security Pro, Section 6.9.
Which of the following authentication protocols transmits passwords in cleartext, and is, therefore, considered too insecure for modern networks? CHAP RADIUS PAP EAP
PAP EXPLANATION The password authentication protocol (PAP) is considered insecure because it transmits password information in cleartext. Anyone who sniffs PAP traffic from a network can view the password information from a PAP packet with a simple traffic analyzer. The challenge handshake protocol (CHAP) uses a three-way handshake to authenticate users. During this handshake, a hashed value is used to authenticate the connection. The extensible authentication protocol (EAP) is an enhanced authentication protocol that can use a variety of authentication methods, including digital certificates and smart cards. The Remote Authentication Dial-In User Service (RADIUS) is an authentication system that allows the centralization of remote user account management. REFERENCES LabSim for Security Pro, Section 6.11.
You are configuring a dial-up connection to a remote access server. Which protocols would you choose to establish the connection and authenticate, providing the most secure connection possible? (Select two.) PPP PAP SLIP PPPoE CHAP
PPP CHAP EXPLANATION Choose PPP and CHAP for the connection. Choose point-to-point protocol (PPP) for the connection. PPP is preferred over serial line interface protocol (SLIP) because it can negotiate encryption protocols to use for the connection. Point-to-point protocol over Ethernet (PPPoE) is similar to PPP, but is used for a cable (not a dial-up) connection. Choose challenge handshake authentication protocol (CHAP) for authentication. CHAP uses hashing to protect the passwords and allows re-authentication. Avoid using password authentication protocol (PAP) because it transmits credentials in the clear (unencrypted). REFERENCES LabSim for Security Pro, Section 6.11.
What common design feature among instant messaging clients makes them less secure than other means of communicating over the internet? Freely available for use Peer-to-peer networking Real-time communication Transfer of text and files
Peer-to-peer networking EXPLANATION The common design feature among instant messaging clients that makes them less secure than other means of communicating over the Internet is their use of peer-to-peer networking. Peer-to-peer networking is inherently less secure than traditional client/server communication or networking mechanisms. With peer-to-peer networking, there is no centralized access control authority, so any client on the system can introduce malicious code or perform malicious actions without restriction. The other design features listed here are typically seen as strengths of instant messaging clients, rather than as aspects of insecurity or vulnerability. REFERENCES LabSim for Security Pro, Section 6.3.
Which of the following uses hacking techniques to proactively discover internal vulnerabilities? Penetration testing Inbound scanning Reverse engineering Passive reconnaissance
Penetration testing EXPLANATION Penetration testing is the practice of proactively testing systems and policies for vulnerabilities. This approach seeks to identify vulnerabilities internally before a malicious individual can take advantage of them. Common techniques are identical to those used by hackers and include network/target enumeration and port scanning. REFERENCES LabSim for Security Pro, Section 6.13.
Drag the network attack technique on the left to the appropriate description or example on the right. (Each technique may be used once, more than once, or not at all.) Drag Active attack Passive attack External attack Inside attack Drop Perpetrators attempt to compromise or affect the operations of a system. Unauthorized individuals try to breach a network from off-site. Attempting to find the root password on a web server by brute force. Attempting to gather information without affecting the flow of information on the network. Sniffing network packets or performing a port scan.
Perpetrators attempt to compromise or affect the operations of a system. Active attack Unauthorized individuals try to breach a network from off-site. External attack Attempting to find the root password on a web server by brute force. Active attack Attempting to gather information without affecting the flow of information on the network. Passive attack Sniffing network packets or performing a port scan. Passive attack EXPLANATION Network attacks are classified as follows: - Active attack: Active attacks are when perpetrators attempt to compromise or affect the operations of a system in some way. For example, trying to brute force the root password on a web server is considered an active attack. A distributed denial of service (DDoS) attack is also an active attack. - Passive attack: Passive attacks occur when perpetrators attempt to gather information without affecting the flow of that information on the network. Packet sniffing and port scanning are passive attacks. - External attack: External attacks are when unauthorized individuals try to breach a network from off-site. Remember that perpetrators of external attacks are unauthorized for any level of access to the network. - Inside attack: Inside attacks are initiated by authorized individuals inside the network's security perimeter who attempt to access systems or resources to which they're not authorized. For example, an inside attack is a disgruntled employee accessing unauthorized company documents and leaking them to the public. REFERENCES LabSim for Security Pro, Section 6.1.
An attacker uses an exploit to push a modified hosts file to client systems. This hosts file redirects traffic from legitimate tax preparation sites to malicious sites to gather personal and financial information. What kind of exploit has been used in this scenario? (Choose two. Both responses are different names for the same exploit.) DNS poisoning Domain name kiting Pharming Man-in-the-middle Reconnaissance
Pharming DNS poisoning EXPLANATION DNS poisoning (also known as DNS cache poisoning) occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses. In a DNS poisoning attack: - Incorrect DNS data is introduced into the cache of a primary DNS server. - The incorrect mapping is made available to client applications. Pharming is a cyber attack intended to redirect a website's traffic to another, fake site. Pharming can be conducted by changing the hosts file on a victim's computer. Reconnaissance is used to gather information for an attack. The goal is to obtain DNS records that identify computer names and IP addresses in a network. Domain name kiting occurs when spammers exploit domain registration by taking advantage of the five-day grace period for a newly registered domain name to acquire domains and never pay for the registration of domain names. They accomplish this by unregistering a domain name just before the grace period is up and then immediately re-registering the domain name. Man-in-the-middle attacks are used to intercept information passing between two communication partners. REFERENCES LabSim for Security Pro, Section 5.2.
Which of the following denial of service (DoS) attacks uses ICMP packets and is only successful if the victim has less bandwidth than the attacker? Ping flood LAND Ping of death Fragmentation
Ping flood EXPLANATION A ping flood is where the attacker overwhelms the victim with ICMP Echo Request (ping) packets. In a ping flood, the attack succeeds only if the attacker has more bandwidth than the victim. The ping-of-death attack (also known as a long ICMP attack) uses the Ping program to send oversized ICMP packets. A LAND attack floods the victim's system with packets that have forged headers. Fragmentation attacks contaminate IP packet fragments that infiltrate the system. REFERENCES LabSim for Security Pro, Section 5.1.
Drag the web threat protection method on the left to the correct definition on the right. Drag URL content filtering Web threat filtering Gateway email spam blockers Virus blockers Anti-phishing software Drop Prevents users from visiting malicious websites Prevents outside attempts to access confidential information Identifies and disposes of infected content Prevents unwanted email from reaching your network Prevents users from visiting restricted websites
Prevents users from visiting malicious websites Web threat filtering Prevents outside attempts to access confidential information Anti-phishing software Identifies and disposes of infected content Virus blockers Prevents unwanted email from reaching your network Gateway email spam blockers Prevents users from visiting restricted websites URL content filtering
Instant messaging does not provide which of the following? Ease of file transfers Privacy Indication of when you are online Real-time communications
Privacy EXPLANATION Instant messaging does not provide privacy. Many instant messaging clients communicate in cleartext or use an easily broken basic encryption scheme to protect integrity rather than confidentiality. Because of this, a sniffing attack is most likely to succeed with communications between instant messaging clients. When you employ an instant messaging system, you should assume all of your communications are being intercepted and never discuss confidential, personal, or sensitive issues. REFERENCES LabSim for Security Pro, Section 6.3.
An attacker has obtained the logon credentials for a regular user on your network. Which type of security threat exists if this user account is used to perform administrative functions? Replay Privilege escalation Social engineering Impersonation
Privilege escalation EXPLANATION Privilege escalation allows a user to take advantage of a software bug or design flaw in an application to gain access to system resources or additional privileges that are typically not available to normal users. Examples of privilege escalation include: - A user accessing a system with a regular user account who is able to access functions reserved for higher-level user accounts (such as administrative features). - A user who is able to access content that should be accessible only to a different user. - A user who should have only administrative access being able to access content that should only be accessible to a regular user. Note: Privilege escalation does not occur when a user is able to steal or hack administrator credentials and is, therefore, able to access administrative functions. Privilege escalation refers to accessing features with an account that normally should not have access to those features. REFERENCES LabSim for Security Pro, Section 6.2.
A relatively new employee in the data entry cubicle farm was assigned a user account similar to the other data entry employees' accounts. However, audit logs have shown that this user account has been used to change ACLs on several confidential files and has accessed data in restricted areas. This situation indicates which of the following has occurred? Smurf attack Privilege escalation Man-in-the-middle attack Social engineering
Privilege escalation EXPLANATION This situation describes the result of a successful privilege escalation attack. If a low-end user account is detected performing high-level activities, it is obvious that the user account has somehow gained additional privileges. A man-in-the-middle attack involves a third party placing themselves between two legitimate communication partners in order to intercept and possibly alter their transmissions. Social engineering attacks involve stealing information or convincing someone to perform an inappropriate activity via email, phone, or in person. A smurf attack is a form of distributed reflective denial of service where spoofed ICMP packets are bounced and multiplied off another network to flood the victim's communication pipeline. REFERENCES LabSim for Security Pro, Section 6.2.
You want to set up a service to allow multiple users to dial in to the office server from modems on their home computers. What service should you implement? RAS PPP ISDN RIP
RAS EXPLANATION RAS stands for Remote Access Service, which enables users to dial in to a server from remote locations. ISDN is a digital communications network that uses existing phone lines. PPP is a remote access protocol. You will likely configure your RAS server to accept PPP connections. RIP stands for Routing Information Protocol and allows routers to share information. REFERENCES LabSim for Security Pro, Section 6.11.
Which of the following activities are typically associated with a penetration test? (Select two.) Interviewing employees to verify that the security policy is being followed Running a port scanner Attempting social engineering Running a vulnerability scanner on network servers Creating a performance baseline
Running a port scanner Attempting social engineering EXPLANATION Penetration testing is an organization's attempt to circumvent security controls to identify vulnerabilities in their information systems. It simulates an actual attack on the network and is conducted from outside the organization's security perimeter. Penetration testing helps assure the effectiveness of an organization's security policy, security mechanism implementations, and deployed countermeasures. Penetration testing typically uses tools and methods that are available to attackers. Penetration testing might start with attempts at social engineering or other reconnaissance activities followed by more active scans of systems and actual attempts to access secure systems. A vulnerability scanner checks a system for weaknesses. Vulnerability scanners typically require administrative access to a system and are performed internally to check for weaknesses, but not to test system security. Typically, penetration testers cannot run a vulnerability scanner unless they have gained authorized access to a system. A performance baseline is created by an administrator to identify normal network and system performance. Auditing might include interviewing employees to make sure that security policies are being followed. REFERENCES LabSim for Security Pro, Section 6.13.
Which of the following is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network? Fraggle Session hijacking Smurf Fingerprinting
Smurf EXPLANATION Smurf is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network. Fingerprinting is the act of identifying an operating system or network service based upon its ICMP message quoting characteristics. A fraggle attack uses spoofed UDP packets to flood a victim with echo requests using a bounce network, which makes it similar to Smurf. Session hijacking is the act of taking over a login session from a legitimate client, impersonating the user and taking advantage of their established communication link. REFERENCES LabSim for Security Pro, Section 5.1.
What type of attack is most likely to succeed with communications between instant messaging clients? Brute force password attack Sniffing Denial of service DNS poisoning
Sniffing EXPLANATION A sniffing attack is most likely to succeed for communications between instant messaging clients. Many instant messaging clients communicate in cleartext or use an easily broken basic encryption scheme to protect integrity, rather than confidentiality. When you employ an instant messaging system, you should assume all of your communications are being intercepted and never discuss confidential, personal, or sensitive issues. Denial of service and DNS poisoning attacks may be successful with a single target or a few targets using a common network routing path, but these types of attacks are not successful with instant messaging systems as a whole. Brute force password attacks are pointless for instant messaging. REFERENCES LabSim for Security Pro, Section 6.3.
What is modified in the most common form of spoofing on a typical IP packet? Hash total Source address Protocol type field value Destination address
Source address EXPLANATION The most common form of spoofing on a typical IP packet is modification of the source address. In this way, the correct source device address is hidden, and any replies go to the spoofed address rather than to the attacker (which is exactly what reflection attacks such as Smurf rely on). Modification of the destination address would be pointless because the packets would not be sent to the intended victim or target. Modification of the protocol type field value is not typical, but doing so would cause the recipient to process the contents of the packet under different protocol rules than the ones the actual contents require, such as processing the packet as a UDP packet when it is actually an IGMP packet. Modification of the checksum (the question's "hash total"; the IP header carries a simple checksum rather than a cryptographic hash) would cause the packet to be dropped when it reached its destination, because the target's computation would not match the value stated in the header, indicating that the packet's integrity was compromised. Note that the checksum offers no protection against spoofing: an attacker who changes the source address simply recomputes it. REFERENCES LabSim for Security Pro, Section 5.2.
Which type of activity changes or falsifies information in order to mislead or re-direct traffic? Spamming Snooping Spoofing Sniffing
Spoofing EXPLANATION Spoofing changes or falsifies information in order to mislead or re-direct traffic. Snooping is the act of spying into private information or communications. One type of snooping is sniffing. Sniffing captures network packets to examine the contents of communications. Spamming is sending a victim unwanted and unrequested email messages. REFERENCES LabSim for Security Pro, Section 5.2.
A router on the border of your network detects a packet with a source address that is from an internal client, but the packet was received on the internet-facing interface. This is an example of what form of attack? Spoofing Snooping Sniffing Spamming
Spoofing EXPLANATION This is an example of spoofing. Spoofing is the act of changing or falsifying information in order to mislead or re-direct traffic. In this scenario, a legitimate packet arriving on the internet-facing interface can never carry a source address that belongs to the internal network, so the source address has been forged. A border router should drop such packets (ingress filtering), and should likewise drop outbound packets whose source address is not one of the organization's own, so that the organization does not originate spoofed traffic itself (egress filtering). Snooping is the act of spying into private information or communications. One type of snooping is sniffing. Sniffing is the act of capturing network packets in order to examine the contents of communications. Spamming is sending a victim unwanted and unrequested email messages. REFERENCES LabSim for Security Pro, Section 5.2.
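The border-router decision described above, written out as an added example (this is not LabSim material or vendor code). It models a router with an internal interface "lan0" and an internet-facing interface "wan0"; the prefixes, interface names and sample packets are constructed assumptions for the illustration. The ingress rule drops packets from the internet that claim an internal or private (bogon) source, and the egress rule drops outbound packets whose source is not one of the organization's own, which is the anti-spoofing discipline usually called BCP 38.

```python
import ipaddress

# Assumed topology (constructed for this example): the organization owns these
# prefixes and the border router has interfaces "lan0" (inside) and "wan0" (internet).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("203.0.113.0/24")]

# Addresses that must never appear as a source on the internet-facing side
# (RFC 1918 private space, loopback, link-local, "this network").
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_packet(ingress_iface, src):
    """Return ("accept" | "drop", reason) for a packet arriving on ingress_iface.

    Ingress rule: a packet from the internet cannot legitimately claim an
    internal or bogon source.  Egress rule: a packet leaving the LAN must carry
    one of our own addresses, otherwise we would be the one sending spoofed traffic.
    """
    addr = ipaddress.ip_address(src)
    if ingress_iface == "wan0":
        if _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "spoofed internal source on internet-facing interface"
        if _in_any(addr, BOGON_PREFIXES):
            return "drop", "bogon source on internet-facing interface"
        return "accept", "external source"
    if ingress_iface == "lan0":
        if not _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "outbound packet with foreign source (egress filter)"
        return "accept", "internal source"
    return "drop", "unknown interface"


# Constructed sample traffic: (arrival interface, source address)
SAMPLE = [("wan0", "10.1.2.3"), ("wan0", "198.51.100.7"), ("wan0", "192.168.1.1"),
          ("lan0", "10.1.2.3"), ("lan0", "198.51.100.7")]


def run_sample():
    """Apply the filter to every constructed sample packet."""
    return [(iface, src, *filter_packet(iface, src)) for iface, src in SAMPLE]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The same logic is what a real ACL on the border router expresses: a deny for the organization's own prefixes on the inbound side of the internet-facing interface, and a permit only for those prefixes on the outbound side.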
Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.) TACACS+ EAP PKI RADIUS 802.1x AAA
TACACS+ RADIUS EXPLANATION Both RADIUS and TACACS+ are protocols used for centralized authentication, authorization, and accounting with remote access. Remote access clients send authentication credentials to remote access servers. Remote access servers are configured as clients to the RADIUS or TACACS+ servers and forward the authentication credentials to the servers. The servers maintain a database of users and policies that control access for multiple remote access servers. AAA stands for authentication, authorization, and accounting, and is a generic term that describes the functions performed by RADIUS/TACACS+ servers. A public key infrastructure (PKI) is a system of certificate authorities that issue certificates. 802.1X is a port-based network access control mechanism; the switch or access point (the authenticator) relays the client's EAP exchange to a back-end AAA server, typically RADIUS. EAP is an authentication framework that enables the use of customized authentication methods. REFERENCES LabSim for Security Pro, Section 6.11.
Which of the following is the type of port scan that does not complete the full three-way TCP handshake, but rather listens only for either SYN/ACK or RST/ACK packets? TCP FIN scan TCP SYN scan TCP ACK scan TCP connect scan
TCP SYN scan EXPLANATION A TCP SYN scan (also called a half-open scan) is the type of port scan that does not complete the full three-way TCP handshake. It sends a SYN and listens only for either SYN/ACK packets (which indicate that a port is listening) or RST/ACK packets (which indicate that a port is not listening); when a SYN/ACK arrives, the scanner answers with RST instead of the final ACK, so no session is ever established. No reply at all usually means a firewall is filtering the port. A TCP connect scan uses a full TCP three-way handshake and establishes a session with each port, which is slower and more likely to be logged by the target application. A TCP FIN scan sends segments with only the FIN flag set: closed ports reply with RST, while open ports on an RFC 793-compliant stack silently drop the probe, so the absence of a reply marks a port as open (or filtered). A TCP ACK scan does not find open ports; it is used to map out a firewall's filtering rules, because an unfiltered port answers an unsolicited ACK with RST whether it is open or closed. REFERENCES LabSim for Security Pro, Section 6.9.
In which of the following denial of service (DoS) attacks does the victim's system rebuild invalid UDP packets, causing the system to crash or reboot? Teardrop NACK Deauth Banana
Teardrop EXPLANATION In a Teardrop attack, IP fragments (classically carrying UDP) are sent with overlapping fragment offsets. When the victim system reassembles the fragments, the overlapping byte ranges produce an invalid datagram, and a vulnerable IP stack crashes or reboots while handling it. Patched IP stacks detect overlapping fragments and discard the whole datagram. A Negative Acknowledgment (NACK) attack denies a LAN/WAN client access to resources. A Banana attack uses a router to change the destination address of a frame. A deauthentication (Deauth) attack denies wireless clients access to resources. REFERENCES LabSim for Security Pro, Section 5.1.
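The overlap check that a hardened reassembler performs, as an added example (not part of the LabSim text). Fragments are described by their byte offset and length; the real IP header stores offsets in 8-byte units, and the two sample datagrams below are constructed for the illustration. The point is that legitimate fragments tile the payload without overlap, so any overlap is the teardrop signature and the safe response is to drop the datagram rather than guess which bytes win.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IP fragment: offset and length in bytes, plus the MF (more fragments) flag.

    Offsets here are in bytes for readability; the IP header encodes them in 8-byte units.
    """
    offset: int
    length: int
    more: bool

    @property
    def end(self):
        return self.offset + self.length


def find_overlaps(fragments):
    """Return (a, b) pairs of fragments whose byte ranges overlap.

    Fragments are sorted by offset, so once a later fragment starts at or after
    the end of the current one, nothing further can overlap it.
    """
    ordered = sorted(fragments, key=lambda f: (f.offset, f.end))
    overlaps = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.offset >= a.end:
                break
            overlaps.append((a, b))
    return overlaps


def reassemble(fragments):
    """Return the reassembled payload length if the fragment set is sane, else None.

    None means "discard the datagram": overlapping ranges (teardrop), a missing
    first or last fragment, or a gap between fragments.
    """
    if not fragments or find_overlaps(fragments):
        return None
    ordered = sorted(fragments, key=lambda f: f.offset)
    if ordered[0].offset != 0 or ordered[-1].more:
        return None
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.offset != prev.end:
            return None
    return ordered[-1].end


# Constructed samples: a normal two-fragment datagram and a teardrop-style one
# whose second fragment starts inside the first.
BENIGN = [Fragment(0, 1480, True), Fragment(1480, 520, False)]
TEARDROP = [Fragment(0, 36, True), Fragment(24, 40, False)]

if __name__ == "__main__":
    print("benign   ->", reassemble(BENIGN))
    print("teardrop ->", reassemble(TEARDROP))
    print(find_overlaps(TEARDROP))
```

An IDS signature for teardrop is the same test applied to fragments seen on the wire: two fragments with the same identification field whose ranges intersect.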
What is the primary purpose of penetration testing? Test the effectiveness of your security perimeter Assess the skill level of new IT security staff Infiltrate a competitor's network Evaluate newly deployed firewalls
Test the effectiveness of your security perimeter EXPLANATION The primary purpose of penetration testing is to test the effectiveness of your security perimeter. Only by attempting to break into your own secured network can you be assured that your security policy, security mechanism implementations, and deployed countermeasures are effective. It is important to obtain senior management approval before starting a penetration testing or vulnerability scanning project. Often, penetration testing or vulnerability scanning is performed by an external consultant or security outsourcing agency that is hired by your organization. REFERENCES LabSim for Security Pro, Section 6.13.
Which of the following is the main difference between a DoS attack and a DDoS attack? The DDoS attack does not respond to SYN ACK packets in the three-way handshake process. The DDoS attack uses an amplification network. The DDoS attack uses zombie computers. The DDoS attack spoofs the source IP address.
The DDoS attack uses zombie computers. EXPLANATION The term denial of service (DoS) is a generic term that includes many types of attacks. In a DoS attack, a single attacker directs an attack at a single target, sending packets directly to the target. In a distributed DoS attack (DDoS), multiple computers attack a victim simultaneously. The attacker first builds the attack network by scanning for vulnerable computers and compromising the weakest of them. In a DDoS attack: - The attacker identifies one of the computers as the master (also known as zombie master or bot herder). - The master uses zombies/bots (compromised machines) to attack. - The master directs the zombies to attack the same target. A distributed reflective denial of service (DRDoS) uses an amplification network to increase the severity of the attack. Packets are sent to the amplification network addressed as coming from the target. The amplification network responds back to the target system. Spoofed source addresses can be used with both DoS and DDoS attacks. A SYN flood is a form of DoS attack that does not complete the three-way handshake process. DDoS and even DRDoS attacks could use this method to overload the target system. REFERENCES LabSim for Security Pro, Section 5.1.
Which of the following describes the worst possible action by an IDS? The system identified harmless traffic as offensive and generated an alarm. The system detected a valid attack and the appropriate alarms and notifications were generated. The system correctly deemed harmless traffic as inoffensive and let it pass. The system identified harmful traffic as harmless and allowed it to pass without generating any alerts.
The system identified harmful traffic as harmless and allowed it to pass without generating any alerts. EXPLANATION The worst possible action an IDS can perform is identifying harmful traffic as harmless and allowing it to pass without generating any alerts. This condition is known as a false negative: the attack succeeds and nobody is told. A true positive means that the system detected a valid attack and the appropriate alarms and notifications were generated. A true negative means that the system correctly deemed harmless traffic as inoffensive and let it pass. A false positive means that the system identified harmless traffic as offensive and triggered an alarm; false positives waste analyst time and, on an IPS, block legitimate traffic, but they do not let an attack through. REFERENCES LabSim for Security Pro, Section 6.8.
You suspect that an Xmas tree attack is occurring on a system. Which of the following could result if you do not stop the attack? (Select two.) The system will become a zombie. The system will be unavailable to respond to legitimate requests. The threat agent will obtain information about open ports on the system. The system will send packets directed with spoofed source addresses.
The system will be unavailable to respond to legitimate requests. The threat agent will obtain information about open ports on the system. EXPLANATION A Christmas (Xmas) tree attack (also known as a Christmas tree scan, nastygram, kamikaze, or lamp test segment) conducts reconnaissance by scanning for open ports. It also becomes a DoS attack if sent in large amounts. - When it is sent to a target host, the TCP header of a Christmas tree packet has the FIN, URG, and PSH flags set (all the "lights" on). Closed ports on an RFC 793-compliant host reply with a TCP reset (RST), while open ports silently drop the segment; a port that does not answer is therefore reported as open (or filtered by a firewall). Some stacks, notably Windows, send RST for every port regardless of its state, which makes the scan useless against them. - Christmas tree packets require much more processing by network devices compared to typical packets, producing a DoS condition when large amounts are sent to the target host. A Fraggle attack sends large numbers of UDP packets with spoofed source addresses. A Distributed DoS (DDoS) attack compromises many computers and turns them into zombies for a concentrated attack. REFERENCES LabSim for Security Pro, Section 5.1.
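Both the SYN-scan question earlier and the Xmas-scan question above come down to one table: what an RFC 793 stack sends back to an unsolicited segment, and what the scanner concludes from that reply or from silence. The following added example (not from the LabSim course or from nmap's source) models that table for the SYN, connect, FIN, Xmas and ACK scans, which correspond to nmap's -sS, -sT, -sF, -sX and -sA options. The port states and the reply behaviour are the RFC 793 rules; the scan names and function names are this example's own.

```python
# Flag sets sent by each scan type (nmap -sS, -sT, -sF, -sX, -sA respectively).
PROBE = {
    "syn":     frozenset({"SYN"}),
    "connect": frozenset({"SYN"}),               # same first packet; the handshake is finished afterwards
    "fin":     frozenset({"FIN"}),
    "xmas":    frozenset({"FIN", "PSH", "URG"}), # all the "lights" on
    "ack":     frozenset({"ACK"}),
}


def target_reply(port_state, probe):
    """Model an RFC 793 stack behind an optional firewall.

    port_state is "open", "closed" or "filtered".  Returns the flag set of the
    reply segment, or None when the target stays silent.
    """
    if port_state == "filtered":
        return None                          # firewall drops the probe, no reply at all
    if "ACK" in probe and "SYN" not in probe:
        return frozenset({"RST"})            # no such connection: RST whether open or closed
    if port_state == "closed":
        return frozenset({"RST", "ACK"})     # nothing listening on the port
    if "SYN" in probe:
        return frozenset({"SYN", "ACK"})     # listening: second step of the handshake
    return None                              # listening port ignores a stray FIN/Xmas segment


def scanner_verdict(scan, reply):
    """What the scanner concludes from the reply (or from silence)."""
    if scan in ("syn", "connect"):
        if reply == {"SYN", "ACK"}:
            return "open"    # a SYN scan now sends RST instead of the final ACK
        if reply == {"RST", "ACK"}:
            return "closed"
        return "filtered"
    if scan in ("fin", "xmas"):
        # Silence is ambiguous: an open port and a filtering firewall look the same.
        return "closed" if reply == {"RST", "ACK"} else "open|filtered"
    if scan == "ack":
        # ACK scans never find open ports; they only tell filtered from unfiltered.
        return "unfiltered" if reply == {"RST"} else "filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def scan_port(scan, port_state):
    """Run one probe against a modelled port and return the scanner's verdict."""
    return scanner_verdict(scan, target_reply(port_state, PROBE[scan]))


def scan_matrix():
    """Verdict for every scan type against every port state."""
    states = ("open", "closed", "filtered")
    return {scan: {state: scan_port(scan, state) for state in states} for scan in PROBE}


if __name__ == "__main__":
    for scan, row in scan_matrix().items():
        print(f"{scan:8s} {row}")
```

The model is the RFC behaviour; real targets deviate. Windows and a number of network appliances reply with RST to FIN and Xmas probes on every port, so against them those scans report everything closed, and the SYN scan is the one to trust.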
A honeypot is used for which purpose? To entrap intruders To disable an intruder's system To prevent sensitive data from being accessed To delay intruders in order to gather auditing data
To delay intruders in order to gather auditing data EXPLANATION A honeypot is used to delay intruders in order to gather auditing data. A honeypot is a fake network or system that hosts false information but responds as a real system should. Honeypots usually entice intruders to spend considerable time on the system and allow extensive logging of the intruder's activities. A honeypot often allows companies to discover and even prosecute intruders. Honeypots should not be used to entrap intruders. Entrapment (inducing someone to commit a crime they would not otherwise have committed) is an illegal activity; enticement (presenting an attractive target to someone who is already attacking) is not. Honeypots are not direct countermeasures that prevent unwanted access. Rather, they are a decoy that draws intruders away from production systems and exposes their activity. Honeypots rarely take offensive action against intruders. They may prevent malicious activities from being launched by an intruder, but they do not direct attacks at the intruder. REFERENCES LabSim for Security Pro, Section 6.8.
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID card to gain access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer by connecting it to the console port on the router. You configured the management interface with a user name of admin and a password of password. What should you do to increase the security of this device? Use an SSH client to access the router configuration. Use a web browser to access the router configuration using an HTTP connection. Move the device to a secure data center. Use a stronger administrative password.
Use a stronger administrative password EXPLANATION In this scenario, the password assigned to the device is weak and easily guessed. It should be replaced with a strong password that is at least eight characters long (longer is better), uses upper- and lower-case letters, and uses numbers or symbols. Using HTTP to manage the router configuration could expose sensitive information to sniffers, as it transmits data in cleartext. Using the console port to access the device creates a dedicated serial connection that does not cross the network, so SSH is unnecessary for it; SSH (never Telnet or HTTP) is the right choice for any remote management session. Because the device has been installed in a secured room, it's not necessary to move it to a data center. REFERENCES LabSim for Security Pro, Section 6.2.
Which of the following is a valid security measure to protect email from viruses? Use PGP to sign outbound email Use reverse DNS lookup Use blockers on email gateways Limit attachment size to a maximum of 1 MB
Use blockers on email gateways EXPLANATION The only effective security measure against email viruses is to use virus blockers on email gateways. Reverse DNS lookup protects against source address spoofing. Using PGP to sign outbound email does not affect inbound email that could contain viruses. Limiting attachment size is ineffective as well, because many viruses are simple scripts that are very small. REFERENCES LabSim for Security Pro, Section 5.8.
Your organization has started receiving phishing emails. You suspect that an attacker is attempting to find an employee workstation they can compromise. You know that a workstation can be used as a pivot point to gain access to more sensitive systems. Which of the following is the most important aspect of maintaining network security against this type of attack? Documenting all network assets in your organization Identifying inherent vulnerabilities Network segmentation Identifying a network baseline User education and training
User Education and Training EXPLANATION User education and training is the most important aspect of maintaining network security against an email phishing attack. REFERENCES LabSim for Security Pro, Section 6.1.
What is the main difference between vulnerability scanning and penetration testing? Vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter. Vulnerability scanning uses approved methods and tools; penetration testing uses hacking tools. The goal of vulnerability scanning is to identify potential weaknesses; the goal of penetration testing is to attack a system. Vulnerability scanning is performed with a detailed knowledge of the system; penetration testing begins with no knowledge of the system.
Vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter. EXPLANATION Penetration testing simulates an actual attack on the network and is conducted from outside the organization's security perimeter. Vulnerability scanning is typically performed internally by users with administrative access to the system. The goal of both vulnerability scanning and penetration testing is to identify the effectiveness of security measures and weaknesses that can be fixed. While some penetration testing is performed with no knowledge of the network, penetration testing could be performed by testers with detailed information about the systems. Both vulnerability scanning and penetration testing can use similar tools, although illegal tools should be avoided in both activities. REFERENCES LabSim for Security Pro, Section 6.13.
Which of the following is the best example of remote access authentication? A user connects to a computer on the LAN using Remote Desktop. A user establishes a dial-up connection to a server to gain access to shared resources. A user logs on to an e-commerce site that use SSL. A user accesses a shared folder on a server.
A user establishes a dial-up connection to a server to gain access to shared resources EXPLANATION Remote access allows a host to connect remotely to a private server or a network to access resources on that server or network. Remote access connections are typically used to connect remotely to servers at your office, but can also describe the type of connections used to connect to an internet service provider (ISP) for internet access. A remote access server (RAS) is a server configured to allow remote access connections. REFERENCES LabSim for Security Pro, Section 6.11.
Which of the following are characteristics of TACACS+? (Select two.) Uses UDP Allows three different servers, one each for authentication, authorization, and accounting Uses TCP Allows of two different servers, one for authentication and authorization, and another for accounting
Allows three different servers, one each for authentication, authorization, and accounting Uses TCP EXPLANATION TACACS+ was originally developed by Cisco for centralized remote access administration. TACACS+: - Provides three separate protocol exchanges, one each for authentication, authorization, and accounting. This allows each service to be provided by a different server. - Uses TCP (port 49). - Encrypts the entire packet body. - Supports more protocol suites than RADIUS. RADIUS is the protocol implemented by Microsoft's Network Policy Server (NPS) and by most other vendors for centralized remote access administration. RADIUS: - Combines authentication and authorization using policies to grant access. - Uses UDP. - Hides only the password; the rest of the packet is cleartext. - Often uses vendor-specific extensions. RADIUS solutions from different vendors might not be compatible. REFERENCES LabSim for Security Pro, Section 6.11.
Which of the following are performed by the Microsoft Baseline Security Analyzer (MBSA) tool? (Select three.) Check for open ports Gather performance statistics for setting a baseline Check user accounts for weak passwords Check for missing patches Analyze packets for evidence of an attack
Check for missing patches Check for open ports Check user accounts for weak passwords EXPLANATION Microsoft Baseline Security Analyzer (MBSA) is a vulnerability scanner that can check for the following weaknesses: - Open ports - Active IP addresses - Running applications or services - Missing critical patches - Default user accounts that have not been disabled - Default, blank, or common passwords Vulnerability scanners typically do not include password cracking tools, but MBSA can perform simple checks for weak passwords. Use a protocol analyzer to check packets for characteristics that might indicate an attack. Use a performance monitoring tool to gather information about system or network performance to identify a performance baseline. REFERENCES LabSim for Security Pro, Section 6.9.
A security administrator logs on to a Windows server on her organization's network. She then runs a vulnerability scan on that server. What type of scan was conducted in this scenario? Credentialed scan TCP SYN scan Non-credentialed scan Ping scan
Credentialed scan EXPLANATION In a credentialed scan, the security administrator authenticates to the system prior to starting the scan. A credentialed scan usually provides detailed information about potential vulnerabilities. For example, a credentialed scan of a Windows workstation allows you to probe the registry for security vulnerabilities. In a non-credentialed scan, the security administrator does not authenticate to the system prior to running the scan. A TCP SYN scan is a common type of port scan. A ping scan sends ICMP echo/request packets to one or multiple IP addresses. REFERENCES LabSim for Security Pro, Section 6.9.
You are using a vulnerability scanner that conforms to the OVAL specifications. Which of the following items contains a specific vulnerability or security issue that could be present on a system? Asset risk Repository Definition Threat agent Library
Definition EXPLANATION The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system. Each vulnerability, configuration issue, program, or patch that might be present on a system is identified as a definition. OVAL repositories are like libraries or databases that contain multiple definitions. REFERENCES LabSim for Security Pro, Section 6.9.
Which of the following functions can a port scanner provide? (Select two.) Determining which ports are open on a firewall Auditing IPsec encryption algorithm configuration Discovering unadvertised servers Testing virus definition design for false positives
Discovering unadvertised servers Determining which ports are open on a firewall EXPLANATION Port scanners can determine which TCP/UDP ports are open on a firewall and identify servers that may be unauthorized or running in a test environment. Many port scanners provide additional information, including the host operating system and version, of any detected servers. Attackers use port scanners to gather valuable information about a target, and system administrators should use the same tools for proactive penetration testing and for ensuring compliance with all corporate security policies. REFERENCES LabSim for Security Pro, Section 6.9.
Which of the following is a characteristic of TACACS+? Uses UDP ports 1812 and 1813 Encrypts the entire packet, not just authentication packets Supports only TCP/IP Requires that authentication and authorization are combined in a single server
Encrypts the entire packet, not just authentication packets EXPLANATION TACACS+ was originally developed by Cisco for centralized remote access administration. TACACS+: - Provides three separate protocol exchanges, one each for authentication, authorization, and accounting. This allows each service to be provided by a different server. - Uses TCP port 49. - Encrypts the entire packet body (everything after the header), not just authentication packets. - Supports more protocol suites than RADIUS. RADIUS is the protocol implemented by Microsoft's Network Policy Server (NPS) and by most other vendors for centralized remote access administration. RADIUS: - Combines authentication and authorization using policies to grant access. - Allows for the separation of accounting to different servers. However, authentication and authorization remain combined on a single server. - Uses UDP ports 1812 and 1813 (older implementations used 1645 and 1646). - Uses a challenge/response method for authentication. RADIUS hides only the password: the User-Password attribute is XORed with MD5 hashes derived from the shared secret and the Request Authenticator, while the user name, NAS address and other attributes travel in cleartext. REFERENCES LabSim for Security Pro, Section 6.11.
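To make "RADIUS encrypts only the password" concrete, here is the User-Password hiding from RFC 2865 section 5.2 written out as an added example (this is not LabSim material and not any RADIUS product's code). The password is padded with NULs to a multiple of 16 octets and each block is XORed with MD5(shared secret + previous block), seeded with the 16-octet Request Authenticator. The shared secret, password and authenticator used in the demo are constructed values. The third function shows what an on-path sniffer gets: with the shared secret the password comes straight back, and everything else in the Access-Request was never hidden in the first place, which is the contrast with TACACS+ encrypting the whole body.

```python
import hashlib
import os


def _xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password, shared_secret, request_authenticator):
    """RFC 2865 section 5.2: produce the hidden User-Password attribute value.

    b1 = MD5(S + RA), c1 = p1 XOR b1; b2 = MD5(S + c1), c2 = p2 XOR b2; and so on,
    where S is the shared secret, RA the Request Authenticator and p1.. the
    16-octet blocks of the NUL-padded password.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += block
        prev = block                     # chaining: next keystream block depends on this ciphertext
    return bytes(out)


def reveal_user_password(hidden, shared_secret, request_authenticator):
    """Inverse operation, as the RADIUS server does it; strips the NUL padding."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        cipher_block = hidden[i:i + 16]
        out += _xor16(cipher_block, hashlib.md5(shared_secret + prev).digest())
        prev = cipher_block
    return bytes(out).rstrip(b"\x00")


def sniff_and_recover(hidden, guessed_secret, request_authenticator):
    """What a sniffer on the NAS-to-server path gets.

    The Request Authenticator is sent in clear in the packet header, so the only
    thing standing between the attacker and the password is the shared secret.
    """
    return reveal_user_password(hidden, guessed_secret, request_authenticator)


if __name__ == "__main__":
    # Constructed sample values; a real NAS draws the authenticator with os.urandom(16).
    authenticator = os.urandom(16)
    hidden = hide_user_password(b"hunter2", b"radius-shared-secret", authenticator)
    print("hidden  :", hidden.hex())
    print("server  :", reveal_user_password(hidden, b"radius-shared-secret", authenticator))
    print("sniffer :", sniff_and_recover(hidden, b"wrong-guess", authenticator))
```

Because the construction is MD5 keystream XOR, a weak or guessable shared secret is enough for an offline attack on captured Access-Requests; that is why RADIUS between the NAS and the server should run on a management network or inside an IPsec or TLS tunnel.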
You want to check a server for user accounts that have weak passwords. Which tool should you use? Retina John the Ripper OVAL Nessus
John the Ripper EXPLANATION John the Ripper is a password cracking tool. Password crackers perform cryptographic attacks on passwords. Use a password cracker to identify weak passwords or passwords protected with weak encryption. Nessus and Retina are vulnerability scanners. While vulnerability scanners check for default user accounts and often check for accounts with blank passwords, they typically do not include password cracking features to test for weak passwords. The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system. REFERENCES LabSim for Security Pro, Section 6.9.
Which of the following is a feature of MS-CHAP v2 that is not included in CHAP? Hashed shared secret Three-way handshake Mutual authentication Certificate-based authentication
Mutual authentication EXPLANATION MS-CHAP v2 provides mutual authentication: the client authenticates to the server, and the server also proves to the client that it knows the client's password, so the client cannot be tricked into authenticating to a rogue server. Both CHAP and MS-CHAP use a three-way handshake (challenge, response, success or failure) for authenticating users with user names and passwords. The password (or shared secret) is never sent; the client sends a hash computed over the challenge and the secret, and the server computes the same hash to compare. Neither protocol uses certificates; certificate-based authentication is provided by methods such as EAP-TLS. REFERENCES LabSim for Security Pro, Section 6.11.
You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tools should you use? (Select two.) OVAL Retina LC4 Wireshark Nessus
Nessus Retina EXPLANATION A vulnerability scanner is a software program that searches an application, computer, or network for weaknesses, such as open ports, running applications or services, missing critical patches, default user accounts that have not been disabled, and default or blank passwords. Vulnerability scanning tools include Nessus, Retina Vulnerability Assessment Scanner, and Microsoft Baseline Security Analyzer (MBSA). Wireshark is a protocol analyzer. LC4 is a password cracking tool that you can use to identify weak passwords. The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system. REFERENCES LabSim for Security Pro, Section 6.9.
You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use? Port scanner Network mapper Ping scanner OVAL
Network mapper EXPLANATION A network mapper is a tool that can discover devices on the network and show those devices in a graphical representation. Network mappers typically use a ping scan to discover devices and a port scanner to identify open ports on those devices. A ping scanner only identifies devices on the network, but does not probe for open ports. A port scanner finds open ports, but might not display devices in a graphical representation. The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system. REFERENCES LabSim for Security Pro, Section 6.9.
You need to enumerate the devices on your network and display the network's configuration details. Which of the following utilities should you use? samspade nslookup nmap neotrace
nmap EXPLANATION Nmap is an open-source security scanner used for network enumeration and for creating network maps. Nmap sends specially crafted packets to the target host and then analyzes the responses to build the map. Use neotrace or traceroute to trace the devices in a network path between two hosts. Use samspade to identify the source of spam emails. Use nslookup to submit name resolution requests to identify DNS name servers and IP addresses for hosts. REFERENCES LabSim for Security Pro, Section 5.1.
A security administrator needs to run a vulnerability scan that will analyze a system from the perspective of a hacker attacking the organization from the outside. What type of scan should he use? Credentialed scan Non-credentialed scan Network mapping scan Port scan
Non-credentialed scan EXPLANATION In a non-credentialed scan, the security administrator does not authenticate to the system prior to running the scan. A non-credentialed scan can be valuable because it allows the scanner to see the system from the same perspective that an attacker would see it. However, a non-credentialed scan does not typically produce the same level of detail as a credentialed scan. In a credentialed scan, the security administrator authenticates to the system prior to starting the scan. A port scan probes systems for open ports, but does not run a full vulnerability assessment. A network mapping scan is a type of port scan that discovers devices on the network and then organizes those devices in a graphical display. REFERENCES LabSim for Security Pro, Section 6.9.
You have a network with three remote access servers, a RADIUS server used for authentication and authorization, and a second RADIUS server used for accounting. Where should you configure remote access policies? On each of the remote access servers On one of the remote access servers On the RADIUS server used for accounting On the RADIUS server used for authentication and authorization
On the RADIUS server used for authentication and authorization EXPLANATION Remote access policies are used for authorization for remote access clients. For larger deployments with multiple remote access servers, you can centralize the administration of remote access policies by using an AAA server (authentication, authorization, and accounting server). Configure remote access policies on the AAA server that is used for authorization. In a small implementation, user accounts and remote access policies are defined on the remote access server. With this configuration, if you have multiple remote access servers, you must define user accounts and policies on each remote access server. Accounting is an activity that tracks or logs the use of the remote access connection. Accounting is often used by ISPs to bill for services based on time or the amount of data downloaded. REFERENCES LabSim for Security Pro, Section 6.11.
CHAP performs which of the following security functions? Protects user names Periodically verifies the identity of a peer using a three-way handshake Links remote systems together Allows the use of biometric devices
Periodically verifies the identity of a peer using a three-way handshake EXPLANATION CHAP periodically verifies the identity of a peer using a three-way handshake. CHAP ensures that the same client or system exists throughout a communication session by repeatedly and randomly re-testing the validated system. This test involves the security server sending a challenge message (a random value plus an identifier) to the client. The client then computes a one-way hash (MD5 in RFC 1994) over the identifier, the shared secret, and the challenge, and returns the result to the security server. The security server performs the same computation and compares its result with the result received from the client. If they don't match, the session is terminated. Because every challenge is fresh, a captured response cannot be replayed against a later challenge. CHAP protects the password, which never crosses the link; the user name, however, is carried in cleartext in the Name field of the response, so "protects user names" is not the best answer. CHAP does not link remote systems together--a VPN protocol is needed for that purpose. CHAP does not function as a device driver or interoperability mechanism for biometric devices. REFERENCES LabSim for Security Pro, Section 6.11.
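The CHAP exchange described above (and referred to in the MS-CHAP v2 question earlier), as an added example that is not part of the LabSim text: the response value is MD5 over the identifier, the shared secret and the challenge, exactly as RFC 1994 section 2 specifies. The class and function names, the user table and the secret are this example's own constructions. The replay helper shows why the periodic re-challenge matters: a response captured from one handshake is useless against the next one. This is plain CHAP; MS-CHAP v2's mutual authentication (the server answering a client challenge) is not implemented here.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The security-server side: issues challenges and verifies responses.

    users is a constructed name -> secret table for this example; a real
    deployment would look the secret up in a local or RADIUS/TACACS+ database.
    """

    def __init__(self, users):
        self._users = dict(users)
        self._identifier = 0
        self._outstanding = {}        # identifier -> challenge value, single use

    def challenge(self, value=None):
        """Step 1, Challenge: a fresh identifier and a random 16-octet value."""
        self._identifier = (self._identifier + 1) & 0xFF
        value = os.urandom(16) if value is None else value
        self._outstanding[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier, name, response):
        """Step 3, Success/Failure: True on success.  Each challenge is consumed once."""
        value = self._outstanding.pop(identifier, None)
        secret = self._users.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class ChapPeer:
    """The client side: never sends the secret, only the hash of it with the challenge."""

    def __init__(self, name, secret):
        self.name, self._secret = name, secret

    def respond(self, identifier, challenge):
        """Step 2, Response: the Name travels in clear alongside the hash value."""
        return self.name, chap_response(identifier, self._secret, challenge)


def handshake(server, peer, challenge_value=None):
    """Run one full three-way CHAP exchange and return the server's decision."""
    ident, chal = server.challenge(challenge_value)
    name, resp = peer.respond(ident, chal)
    return server.verify(ident, name, resp)


def replay_attempt(server, peer):
    """Capture one valid response, then try to reuse it against the next challenge."""
    ident, chal = server.challenge()
    name, resp = peer.respond(ident, chal)
    assert server.verify(ident, name, resp)        # the legitimate login succeeds
    new_ident, _ = server.challenge()             # periodic re-challenge with a new value
    return server.verify(new_ident, name, resp)   # the replayed hash no longer matches


if __name__ == "__main__":
    secret = b"correct horse battery staple"
    server = ChapAuthenticator({"alice": secret})
    print("good peer      :", handshake(server, ChapPeer("alice", secret)))
    print("wrong secret   :", handshake(server, ChapPeer("alice", b"guess")))
    print("replay accepted:", replay_attempt(server, ChapPeer("alice", secret)))
```

Note the cost of this design: the server must hold the secret itself (or a reversible form of it) to recompute the hash, so the CHAP user database has to be protected at least as carefully as the link.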
You want to make sure that a set of servers will only accept traffic for specific network services. You have verified that the servers are only running the necessary services, but you also want to make sure that the servers will not accept packets sent to those services. Which tool should you use? IDS Port scanner System logs Packet sniffer IPS
Port scanner EXPLANATION Use a port scanner to check for open ports on a system or a firewall. Compare the list of opened ports with the list of ports allowed by your network design and security policy. Typically, a port is opened when a service starts or is configured on a device. Open ports for unused services expose the server to attacks directed at that port. Use a packet sniffer to examine packets on the network. With a packet sniffer, you can identify packets directed towards specific ports, but you won't be able to tell if those ports are open. Examine system logs to look for events that have happened on a system, which might include a service starting, but would not likely reflect open ports. An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. A passive IDS monitors, logs, and detects security breaches, but takes no action to stop or prevent the attack. An active IDS (also called an intrusion prevention system or IPS) performs the functions of an IDS, but can also react when security breaches occur. REFERENCES LabSim for Security Pro, Section 6.9.
Which of the following are differences between RADIUS and TACACS+? RADIUS uses TCP; TACACS+ uses UDP. RADIUS supports more protocols than TACACS+. RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers. RADIUS encrypts the entire packet contents; TACACS+ only encrypts the password.
RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers EXPLANATION TACACS+ provides three separate protocol exchanges, one each for authentication, authorization, and accounting. This allows each service to be provided by a different server. In addition, TACACS+: - Uses TCP - Encrypts the entire packet body - Supports more protocol suites than RADIUS The remaining options state the differences backwards: it is RADIUS that uses UDP and hides only the password, and TACACS+ that supports more protocols. REFERENCES LabSim for Security Pro, Section 6.11.
You often travel away from the office. While traveling, you would like to use a modem on your laptop computer to connect directly to a server in your office and access files. You want the connection to be as secure as possible. Which type of connection will you need? Internet Remote access Virtual private network Intranet
remote access EXPLANATION Use a remote access connection to connect directly to a server at a remote location. You could use a VPN connection through the internet to connect to the server securely. However, the connection would involve connecting first to the internet through a local ISP, then establishing a VPN connection to the server. While the VPN connection through the internet is secure, it is not as secure as a direct remote connection to the server. An intranet is an internal network that only internal users can access. REFERENCES LabSim for Security Pro, Section 6.11.
You have run a vulnerability scanning tool and identified several patches that need to be applied to a system. What should you do next after applying the patches? Use a port scanner to check for open ports Document your actions Run the vulnerability assessment again Update the vulnerability scanner definition files
run the vulnerability assessment again EXPLANATION After fixing an identified vulnerability, you should re-run the vulnerability scan to verify that everything has been fixed and that additional issues are not present. You should update the definition files before you run the first scan. Using a port scanner is unnecessary because most vulnerability scanners include a check of open ports. Documenting your actions should occur after you have finished all necessary actions. REFERENCES LabSim for Security Pro, Section 6.9.
You want to use a vulnerability scanner to check a system for known security risks. What should you do first? Inform senior management of your actions Perform a port scan Apply all known patches to the system Update the scanner definition files
update the scanner definition files EXPLANATION Before using a vulnerability scanner, you should update the definition files. The definition files identify known security risks associated with the system. Some scanners update the definition files automatically, while others require you to download the latest definition files. Applying all known patches is not a best practice. You typically only apply the patches that are required or identified as important security patches. The vulnerability scanner typically identifies the patches you should apply. A port scan checks for open ports and is typically a test performed as part of the vulnerability scan. Senior management does not need to be notified when you run a vulnerability scan; they do need to be informed of penetration tests before they are executed. REFERENCES LabSim for Security Pro, Section 6.9.
You want to be able to identify the services running on a set of servers on your network. Which tool would best give you the information you need? Network mapper Port scanner Protocol analyzer Vulnerability scanner
vulnerability scanner EXPLANATION Use a vulnerability scanner to gather information about systems, such as the applications or services running on the system. The vulnerability scanner often combines functions found in other tools and can perform additional functions, such as identifying open firewall ports, missing patches, and default or blank passwords. A port scanner is a tool that probes systems for open ports. The port scanner will tell you which ports are open in the firewall, but it cannot identify services running on a server if the firewall port has been closed. A network mapper is a tool that can discover devices on the network and show those devices in a graphical representation. Network mappers typically use a ping scan to discover devices and a port scanner to identify open ports on those devices. Use a protocol analyzer to identify traffic that is sent on the network medium and its sources. Services that generate no network traffic could still be running on a server, and a protocol analyzer would not catch them. REFERENCES LabSim for Security Pro, Section 6.9.