Security+
Measuring and Weighing Risk *If you calculate SLE to be $25,000 and that there will be one occurrence every four years (ARO), then what is the ALE?* a. $6,250 b. $12,500 c. $25,000 d. $100,000
a. *$6,250* If you calculate SLE to be $25,000 and that there will be one occurrence every four years (ARO), then the ALE is $6,250 ($25,000 × .25).
Measuring and Weighing Risk *Refer to the scenario in question 2. Which of the following is the ARO for this scenario?* a. 0.0167 b. 1 c. 5 d. 16.7 e. 60
a. *0.0167* ARO (annualized rate of occurrence) is the frequency (in number of years) the event can be expected to happen. In this case, ARO is 1/60 or 0.0167.
Infrastructure and Connectivity *Which ports are, by default, reserved for use by FTP? (Choose all that apply.)* a. 20 and 21 TCP b. 20 and 21 UDP c. 22 and 23 TCP d. 22 and 23 UDP
a. *20 and 21 TCP* FTP uses TCP ports 20 and 21. FTP does not use UDP ports.
Infrastructure and Connectivity *How many bits are used for addressing with IPv4 and IPv6, respectively?* a. 32, 128 b. 16, 64 c. 8, 32 d. 4, 16
a. *32, 128* IPv4 uses 32 bits for the host address, while IPv6 uses 128 bits for this.
Threats and Vulnerabilities *Internal users are reporting repeated attempts to infect their systems as reported to them by pop-up messages from their virus-scanning software. According to the pop-up messages, the virus seems to be the same in every case. What is the most likely culprit?* a. A server is acting as a carrier for a virus. b. You have a worm virus. c. Your antivirus software has malfunctioned. d. A DoS attack is under way.
a. *A server is acting as a carrier for a virus.* Some viruses won't damage a system in an attempt to spread into all the other systems in a network. These viruses use that system as the carrier of the virus.
Access Control and Identity Management *A newly hired junior administrator will assume your position temporarily while you attend a conference. You're trying to explain the basics of security to her in as short a period of time as possible. Which of the following best describes an ACL?* a. ACLs provide individual access control to resources. b. ACLs aren't used in modern systems. c. The ACL process is dynamic in nature. d. ACLs are used to authenticate users.
a. *ACLs provide individual access control to resources.* Access control lists allow individual and highly controllable access to resources in a network. An ACL can also be used to exclude a particular system, IP address, or user.
Threats and Vulnerabilities *You're explaining the basics of security to upper management in an attempt to obtain an increase in the networking budget. One of the members of the management team mentions that they've heard of a threat from a virus that attempts to mask itself by hiding code from antivirus software. What type of virus is he referring to?* a. Armored virus b. Polymorphic virus c. Worm d. Stealth virus
a. *Armored virus* An armored virus is designed to hide the signature of the virus behind code that confuses the antivirus software or blocks it from detecting the virus.
Access Control and Identity Management *The present method of requiring access to be strictly defined on every object is proving too cumbersome for your environment. The edict has come down from upper management that access requirements should be reduced slightly. Which access model allows users some flexibility for information-sharing purposes?* a. DAC b. MAC c. RBAC d. MLAC
a. *DAC* DAC allows some flexibility in information-sharing capabilities within the network.
Access Control and Identity Management *LDAP is an example of which of the following?* a. Directory access protocol b. IDS c. Tiered model application development environment d. File server
a. *Directory access protocol* Lightweight Directory Access Protocol (LDAP) is a directory access protocol used to publish information about users. This is the computer equivalent of a phone book.
Threats and Vulnerabilities *Which type of attack denies authorized users access to network resources?* a. DoS b. Worm c. Logic bomb d. Social engineering
a. *DoS* A DoS attack is intended to prevent access to network resources by overwhelming or flooding a service or network.
Protecting Networks *What is a system that is intended or designed to be broken into by an attacker called?* a. Honeypot b. Honeybucket c. Decoy d. Spoofing system
a. *Honeypot* A honeypot is a system that is intended to be sacrificed in the name of knowledge. Honeypot systems allow investigators to evaluate and analyze the attack strategies used. Law enforcement agencies use honeypots to gather evidence for prosecution.
Infrastructure and Connectivity *Which protocol is primarily used for network maintenance and destination information?* a. ICMP b. SMTP c. IGMP d. Router
a. *ICMP* ICMP is used for destination and error reporting functions in TCP/IP. ICMP is routable and is used by programs such as Ping and Traceroute.
Protecting Networks *Security has become the utmost priority at your organization. You're no longer content to act reactively to incidents when they occur—you want to start acting more proactively. Which system performs active network monitoring and analysis and can take proactive steps to protect a network?* a. IDS b. Sniffer c. Router d. Switch
a. *IDS* An IDS is used to protect and report network abnormalities to a network administrator or system. It works with audit files and rule-based processing to determine how to act in the event of an unusual situation on the network.
Access Control and Identity Management *You've been given notice that you'll soon be transferred to another site. Before you leave, you're to audit the network and document everything in use and the reason why it's in use. The next administrator will use this documentation to keep the network running. Which of the following protocols isn't a tunneling protocol but is probably used at your site by tunneling protocols for network security?* a. IPSec b. PPTP c. L2TP d. L2F
a. *IPSec* IPSec provides network security for tunneling protocols. IPSec can be used with many different protocols besides TCP/IP, and it has two modes of security.
Infrastructure and Connectivity *You've been given notice that you'll soon be transferred to another site. Before you leave, you're to audit the network and document everything in use and the reason why it's in use. The next administrator will use this documentation to keep the network running. Which of the following protocols isn't a tunneling protocol but is probably used at your site by tunneling protocols for network security?* a. IPSec b. PPTP c. L2TP d. L2F
a. *IPSec* IPSec provides network security for tunneling protocols. IPSec can be used with many different protocols besides TCP/IP, and it has two modes of security.
Access Control and Identity Management *What is invoked when a person claims they are the user but cannot be authenticated—such as when they lose their password?* a. Identity proofing b. Social engineering c. Directory traversal d. Cross-site requesting
a. *Identity proofing* Identity proofing is invoked when a person claims they are the user but cannot be authenticated, such as when they lose their password.
Threats and Vulnerabilities *Your system has just stopped responding to keyboard commands. You noticed that this occurred when a spreadsheet was open and you dialed in to the Internet. Which kind of attack has probably occurred?* a. Logic bomb b. Worm c. Virus d. ACK attack
a. *Logic bomb* A logic bomb notifies an attacker when a certain set of circumstances has occurred. This may in turn trigger an attack on your system.
Access Control and Identity Management *Upper management has suddenly become concerned about security. As the senior network administrator, you are asked to suggest changes that should be implemented. Which of the following access methods should you recommend if the method is to be one that is primarily based on preestablished access and can't be changed by users?* a. MAC b. DAC c. RBAC d. Kerberos
a. *MAC* Mandatory Access Control (MAC) is oriented toward preestablished access. This access is typically established by network administrators and can't be changed by users.
Protecting Networks *A junior administrator bursts into your office with a report in his hand. He claims that he has found documentation proving that an intruder has been entering the network on a regular basis. Which of the following implementations of IDS detects intrusions based on previously established rules that are in place on your network?* a. MD-IDS b. AD-IDS c. HIDS d. NIDS
a. *MD-IDS* By comparing attack signatures and audit trails, a misuse-detection IDS determines whether an attack is occurring.
Threats and Vulnerabilities *An administrator at a sister company calls to report a new threat that is making the rounds. According to him, the latest danger is an attack that attempts to intervene in a communications session by inserting a computer between the two systems that are communicating. Which of the following types of attacks does this constitute?* a. Man-in-the-middle attack b. Backdoor attack c. Worm d. TCP/IP hijacking
a. *Man-in-the-middle attack* A man-in-the-middle attack attempts to fool both ends of a communications session into believing the system in the middle is the other end.
Protecting Networks *The IDS console is known as what?* a. Manager b. Window c. Dashboard d. Screen
a. *Manager* The IDS console is known as the manager.
Access Control and Identity Management *After a careful risk analysis, the value of your company's data has been increased. Accordingly, you're expected to implement authentication solutions that reflect the increased value of the data. Which of the following authentication methods uses more than one authentication process for a logon?* a. Multifactor b. Biometrics c. Smart card d. Kerberos
a. *Multifactor* A multifactor authentication method uses two or more processes for logon. A two-factor method might use smart cards and biometrics for logon.
Protecting Networks *Which of the following can be used to monitor a network for unauthorized activity? (Choose two.)* a. Network sniffer b. NIDS c. HIDS d. VPN
a. *Network sniffer* b. *NIDS* Network sniffers and NIDSs are used to monitor network traffic. Network sniffers are manually oriented, whereas an NIDS can be automated.
Infrastructure and Connectivity *Which protocol is unsuitable for WAN VPN connections?* a. PPP b. PPTP c. L2TP d. IPSec
a. *PPP* PPP provides no security, and all activities are unsecure. PPP is primarily intended for dial-up connections and should never be used for VPN connections.
Access Control and Identity Management *Which protocol is unsuitable for WAN VPN connections?* a. PPP b. PPTP c. L2TP d. IPSec
a. *PPP* PPP provides no security, and all activities are unsecure. PPP is primarily intended for remote connections and should never be used for VPN connections.
Threats and Vulnerabilities *Your system log files report an ongoing attempt to gain access to a single account. This attempt has been unsuccessful to this point. What type of attack are you most likely experiencing?* a. Password-guessing attack b. Backdoor attack c. Worm attack d. TCP/IP hijacking
a. *Password-guessing attack* A password-guessing attack occurs when a user account is repeatedly attacked using a variety of different passwords.
Protecting Networks *Which of the following copies the traffic from all ports to a single port and disallows bidirectional traffic on that port?* a. Port spanning b. Socket blending c. Straddling d. Amalgamation
a. *Port spanning* Port spanning (also known as port mirroring) copies the traffic from all ports to a single port and disallows bidirectional traffic on that port.
Protecting Networks *Sockets are a combination of the IP address and which of the following?* a. Port b. MAC address c. NIC setting d. NetBIOS ID
a. *Port* Sockets are a combination of the IP address and the port.
Infrastructure and Connectivity *Upper management has decreed that a firewall must be put in place immediately, before your site suffers an attack similar to one that struck a sister company. Responding to this order, your boss instructs you to implement a packet filter by the end of the week. A packet filter performs which function?* a. Prevents unauthorized packets from entering the network b. Allows all packets to leave the network c. Allows all packets to enter the network d. Eliminates collisions in the network
a. *Prevents unauthorized packets from entering the network* Packet filters prevent unauthorized packets from entering or leaving a network. Packet filters are a type of firewall that blocks specified port traffic.
Measuring and Weighing Risk *Which of the following strategies necessitates an identified risk that those involved understand the potential cost/damage and agree to accept?* a. Risk acceptance b. Risk avoidance c. Risk deterrence d. Risk mitigation e. Risk transference
a. *Risk acceptance* Risk acceptance necessitates an identified risk that those involved understand the potential cost/damage and agree to accept.
Measuring and Weighing Risk *Which of the following policies are designed to reduce the risk of fraud and prevent other losses in an organization?* a. Separation of duties b. Acceptable use c. Least privilege d. Physical access control
a. *Separation of duties* The separation of duties policies are designed to reduce the risk of fraud and prevent other losses in an organization.
Protecting Networks *Which device monitors network traffic in a passive manner?* a. Sniffer b. IDS c. Firewall d. Web browser
a. *Sniffer* Sniffers monitor network traffic and display traffic in real time. Sniffers, also called network monitors, were originally designed for network maintenance and troubleshooting.
Educating and Protecting the User *As part of your training program, you're trying to educate users on the importance of security. You explain to them that not every attack depends on implementing advanced technological methods. Some attacks, you explain, take advantage of human shortcomings to gain access that should otherwise be denied. What term do you use to describe attacks of this type?* a. Social engineering b. IDS system c. Perimeter security d. Biometrics
a. *Social engineering* Social engineering uses the inherent trust in the human species, as opposed to technology, to gain access to your environment.
Threats and Vulnerabilities *You're the administrator for a large bottling company. At the end of each month, you routinely view all logs and look for discrepancies. This month, your email system error log reports a large number of unsuccessful attempts to log on. It's apparent that the email server is being targeted. Which type of attack is most likely occurring?* a. Software exploitation attack b. Backdoor attack c. Worm d. TCP/IP hijacking
a. *Software exploitation attack* A software exploitation attack attempts to exploit weaknesses in software. A common attack attempts to communicate with an established port to gain unauthorized access. Most email servers use port 25 for email connections using SMTP.
Infrastructure and Connectivity *Which of the following are multiport devices that improve network efficiency?* a. Switches b. Modems c. Gateways d. Concentrators
a. *Switches* Switches are multiport devices that improve network efficiency. A switch typically has a small amount of information about systems in a network.
Threats and Vulnerabilities *A server on your network will no longer accept connections using TCP. The server indicates that it has exceeded its session limit. Which type of attack is probably occurring?* a. TCP ACK attack b. Smurf attack c. Virus attack d. TCP/IP hijacking
a. *TCP ACK attack* A TCP ACK attack creates multiple incomplete sessions. Eventually, the TCP protocol hits a limit and refuses additional connections.
Access Control and Identity Management *Your company provides medical data to doctors from a worldwide database. Because of the sensitive nature of the data you work with, it's imperative that authentication be established on each session and be valid only for that session. Which of the following authentication methods provides credentials that are valid only during a single session?* a. Tokens b. Certificate c. Smart card d. Kerberos
a. *Tokens* Tokens are created when a user or system successfully authenticates. The token is destroyed when the session is over.
Threats and Vulnerabilities *A mobile user calls you from the road and informs you that his laptop is exhibiting erratic behavior. He reports that there were no problems until he downloaded a tic-tac-toe program from a site that he had never visited before. Which of the following terms describes a program that enters a system disguised in another program?* a. Trojan horse virus b. Polymorphic virus c. Worm d. Armored virus
a. *Trojan horse virus* A Trojan horse enters with a legitimate program to accomplish its nefarious deeds.
Access Control and Identity Management *Which technology allows a connection to be made between two networks using a secure protocol?* a. Tunneling b. VLAN c. Internet d. Extranet
a. *Tunneling* Tunneling allows a network to make a secure connection to another network through the Internet or other network. Tunnels are usually secure and present themselves as extensions of both networks.
Access Control and Identity Management *You're the administrator for Mercury Technical. Due to several expansions, the network has grown exponentially in size within the past two years. Which of the following is a popular method for breaking a network into smaller private networks that can coexist on the same wiring and yet be unaware of each other?* a. VLAN b. NAT c. MAC d. Security zone
a. *VLAN* Virtual local area networks (VLANs) break a large network into smaller networks. These networks can coexist on the same wiring and be unaware of each other. A router or other routing-type device would be needed to connect these VLANs.
Measuring and Weighing Risk *Consider the following scenario: The asset value of your company's primary servers is $2 million and they are housed in a single office building in Anderson, Indiana. You have field offices scattered throughout the United States, so the servers in the main office account for approximately half the business. Tornados in this part of the country are not uncommon, and it is estimated one will level the building every 60 years.* *Which of the following is the SLE for this scenario?* a. $2 million b. $1 million c. $500,000 d. $33,333.33 e. $16,666.67
b. *$1 million* SLE (single loss expectancy) is equal to asset value (AV) times exposure factor (EF). In this case, asset value is $2 million and exposure factor is 1/2.
Threats and Vulnerabilities *You're working late one night, and you notice that the hard disk on your new computer is very active even though you aren't doing anything on the computer and it isn't connected to the Internet. What is the most likely suspect?* a. A disk failure is imminent. b. A virus is spreading in your system. c. Your system is under a DoS attack. d. TCP/IP hijacking is being attempted.
b. *A virus is spreading in your system.* A symptom of many viruses is unusual activity on the system disk. This is caused by the virus spreading to other files on your system.
Measuring and Weighing Risk *Which of the following policies describes how the employees in an organization can use company systems and resources, both software and hardware?* a. Separation of duties b. Acceptable use c. Least privilege d. Physical access control
b. *Acceptable use* The acceptable use policies describe how the employees in an organization can use company systems and resources, both software and hardware.
Protecting Networks *In intrusion detection system parlance, which account is responsible for setting the security policy for an organization?* a. Supervisor b. Administrator c. Root d. Director
b. *Administrator* The administrator is the person/account responsible for setting the security policy for an organization.
Threats and Vulnerabilities *As the security administrator for your organization, you must be aware of all types of attacks that can occur and plan for them. Which type of attack uses more than one computer to attack the victim?* a. DoS b. DDoS c. Worm d. UDP attack
b. *DDoS* A DDoS attack uses multiple computer systems to attack a server or host in the network.
Protecting Networks *Which of the following is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead?* a. Enticement b. Entrapment c. Deceit d. Sting
b. *Entrapment* Entrapment is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead.
Measuring and Weighing Risk *Which of the following policy statements may include an escalation contact, in the event that the person dealing with a situation needs to know whom to contact?* a. Scope b. Exception c. Overview d. Accountability
b. *Exception* The exception policy statement may include an escalation contact, in the event that the person dealing with a situation needs to know whom to contact.
Infrastructure and Connectivity *IPv6, in addition to having more bits allocated for each host address, also has mandatory requirements built in for which security protocol?* a. TFTP b. IPSec c. SFTP d. L2TP
b. *IPSec* The implementation of IPSec is mandatory with IPv6. While it is widely implemented with IPv4, it is not a requirement.
Access Control and Identity Management *You've been assigned to mentor a junior administrator and bring him up to speed quickly. The topic you're currently explaining is authentication. Which method uses a KDC to accomplish authentication for users, programs, or systems?* a. CHAP b. Kerberos c. Biometrics d. Smart cards
b. *Kerberos* Kerberos uses a key distribution center (KDC) to authenticate a principal. The KDC provides a credential that can be used by all Kerberos-enabled servers and applications.
Access Control and Identity Management *Which of the following security areas encompasses network access control (NAC)?* a. Physical security b. Operational security c. Management security d. Triad security
b. *Operational security* Operational security issues include network access control (NAC), authentication, and security topologies after the network installation is complete.
Infrastructure and Connectivity *Which device is used to connect voice, data, pagers, networks, and almost any other conceivable application into a single telecommunications system?* a. Router b. PBX c. Hub d. Server
b. *PBX* Many modern PBX (private branch exchange) systems integrate voice and data onto a single data connection to your phone service provider. In some cases, this allows an overall reduction in cost of operations. These connections are made using existing network connections such as a T1 or T3 network.
Infrastructure and Connectivity *Most of the sales force have been told that they should no longer report to the office on a daily basis. From now on, they're to spend the majority of their time on the road calling on customers. Each member of the sales force has been issued a laptop computer and told to connect to the network nightly through a dial-up connection. Which of the following protocols is widely used today as a transport protocol for Internet dial-up connections?* a. SMTP b. PPP c. PPTP d. L2TP
b. *PPP* PPP can pass multiple protocols and is widely used today as a transport protocol for dial-up connections.
Access Control and Identity Management *Most of your client's sales force have been told that they should no longer report to the office on a daily basis. From now on, they're to spend the majority of their time on the road calling on customers. Each member of the sales force has been issued a laptop computer and told to connect to the network nightly through a remote connection. Which of the following protocols is widely used today as a transport protocol for remote Internet connections?* a. SMTP b. PPP c. PPTP d. L2TP
b. *PPP* PPP can pass multiple protocols and is widely used today as a transport protocol for remote connections.
Threats and Vulnerabilities *You are the senior administrator for a bank. A user calls you on the telephone and says they were notified to contact you but couldn't find your information on the company website. Two days ago, an email told them there was something wrong with their account and they needed to click a link in the email to fix the problem. They clicked the link and filled in the information, but now their account is showing a large number of transactions that they did not authorize. They were likely the victims of what type of attack?* a. Spimming b. Phishing c. Pharming d. Escalating
b. *Phishing* Sending an email with a misleading link to collect information is a phishing attack.
Threats and Vulnerabilities *Your system has been acting strangely since you downloaded a file from a colleague. Upon examining your antivirus software, you notice that the virus definition file is missing. Which type of virus probably infected your system?* a. Polymorphic virus b. Retrovirus c. Worm d. Armored virus
b. *Retrovirus* Retroviruses are often referred to as anti-antiviruses. They can render your antivirus software unusable and leave you exposed to other, less-formidable viruses.
Measuring and Weighing Risk *Which of the following strategies involves identifying a risk and making the decision to no longer engage in the action?* a. Risk acceptance b. Risk avoidance c. Risk deterrence d. Risk mitigation e. Risk transference
b. *Risk avoidance* Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.
Infrastructure and Connectivity *Which service(s), by default, use TCP and UDP port 22? (Choose all that apply.)* a. SMTP b. SSH c. SCP d. IMAP
b. *SSH* c. *SCP* Port 22 is used by both SSH and SCP with TCP and UDP.
Threats and Vulnerabilities *What kind of virus could attach itself to the boot sector of your disk to avoid detection and report false information about file sizes?* a. Trojan horse virus b. Stealth virus c. Worm d. Polymorphic virus
b. *Stealth virus* A stealth virus reports false information to hide itself from antivirus software. Stealth viruses often attach themselves to the boot sector of an operating system.
Infrastructure and Connectivity *As more and more clients have been added to your network, the efficiency of the network has decreased significantly. You're preparing a budget for next year, and you specifically want to address this problem. Which of the following devices acts primarily as a tool to improve network efficiency?* a. Hub b. Switch c. Router d. PBX
b. *Switch* Switches create virtual circuits between systems in a network. These virtual circuits are somewhat private and reduce network traffic when used.
Access Control and Identity Management *Which of the following is a client-server-oriented environment that operates in a manner similar to RADIUS?* a. HSM b. TACACS c. TPM d. ACK
b. *TACACS* Terminal Access Controller Access-Control System (TACACS) is a client-server-oriented environment, and it operates in a manner similar to how RADIUS operates.
Protecting Networks *Which of the following utilities can be used in Linux to view a list of users' failed authentication attempts?* a. badlog b. faillog c. wronglog d. killlog
b. *faillog* Use the faillog utility in Linux to view a list of users' failed authentication attempts.
Measuring and Weighing Risk *If you calculate SLE to be $4,000 and that there will be 10 occurrences a year (ARO), then the ALE is:* a. $400 b. $4,000 c. $40,000 d. $400,000
c. *$40,000* If you calculate SLE to be $4,000 and that there will be 10 occurrences a year (ARO), then the ALE is $40,000 ($4,000 × 10).
Protecting Networks *Which of the following IDS types looks for things outside of the ordinary?* a. Incongruity-based b. Variance-based c. Anomaly-based d. Difference-based
c. *Anomaly-based* An anomaly-detection IDS (AD-IDS) looks for anomalies, meaning it looks for things outside of the ordinary.
Measuring and Weighing Risk *The risk-assessment component, in conjunction with the ________, provides the organization with an accurate picture of the situation facing it.* a. RAC b. ALE c. BIA d. RMG
c. *BIA* The risk-assessment component, in conjunction with the BIA (Business Impact Analysis), provides the organization with an accurate picture of the situation facing it.
Threats and Vulnerabilities *An alert signals you that a server in your network has a program running on it that bypasses authorization. Which type of attack has occurred?* a. DoS b. DDoS c. Backdoor d. Social engineering
c. *Backdoor* In a backdoor attack, a program or service is placed on a server to bypass normal security procedures.
Measuring and Weighing Risk *Which of the following is the structured approach that is followed to secure the company's assets?* a. Asset management b. Incident management c. Change management d. Skill management
c. *Change management* Change management is the structured approach that is followed to secure the company's assets.
Measuring and Weighing Risk *Separation of duties helps prevent an individual from embezzling money from a company. To successfully embezzle funds, an individual would need to recruit others to commit an act of ________ (an agreement between two or more parties established for the purpose of committing deception or fraud).* a. Misappropriation b. Misuse c. Collusion d. Fraud
c. *Collusion* Collusion is an agreement between two or more parties established for the purpose of committing deception or fraud. Collusion, when part of a crime, is also a criminal act in and of itself.
Protecting Networks *Which type of active response fools the attacker into thinking the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system that is designed to be broken?* a. Pretexting b. Shamming c. Deception d. Scamming
c. *Deception* A deception active response fools the attacker into thinking the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system that is designed to be broken.
Measuring and Weighing Risk *You're the chief security contact for MTS. One of your primary tasks is to document everything related to security and create a manual that can be used to manage the company in your absence. Which documents should be referenced in your manual as the ones that identify the methods used to accomplish a given task?* a. Policies b. Standards c. Guidelines d. BIA
c. *Guidelines* Guidelines help clarify processes to maintain standards. Guidelines tend to be less formal than policies or standards.
Protecting Networks *You're the administrator for Acme Widgets. After attending a conference on buzzwords for management, your boss informs you that an IDS should be up and running on the network by the end of the week. Which of the following systems should be installed on a host to provide IDS capabilities?* a. Network sniffer b. NIDS c. HIDS d. VPN
c. *HIDS* A host-based IDS (HIDS) is installed on each host that needs IDS capabilities.
Infrastructure and Connectivity *You're the administrator for Mercury Technical. A check of protocols in use on your server brings up one that you weren't aware was in use; you suspect that someone in HR is using it to send messages to multiple recipients. Which of the following protocols is used for group messages or multicast messaging?* a. SMTP b. SNMP c. IGMP d. L2TP
c. *IGMP* IGMP is used for group messaging and multicasting. IGMP maintains a list of systems that belong to a message group. When a message is sent to a particular group, each system receives an individual copy.
Infrastructure and Connectivity *You're explaining protocols to a junior administrator shortly before you leave for vacation. The topic of Internet mail applications comes up, and you explain how communications are done now as well as how you expect them to be done in the future. Which of the following protocols is becoming the newest standard for Internet mail applications?* a. SMTP b. POP c. IMAP d. IGMP
c. *IMAP* IMAP is becoming the most popular standard for email clients and is replacing POP protocols for mail systems. IMAP allows mail to be forwarded and stored in information areas called stores.
Access Control and Identity Management *What is implied at the end of each access control list?* a. Least privilege b. Separation of duties c. Implicit deny d. Explicit allow
c. *Implicit deny* An implicit deny clause is implied at the end of each ACL, and it means that if the proviso in question has not been explicitly granted, then it is denied.
Measuring and Weighing Risk *Which of the following policies should be used when assigning permissions, giving users only the permissions they need to do their work and no more?* a. Separation of duties b. Acceptable use c. Least privilege d. Physical access control
c. *Least privilege* The principle of least privilege should be used when assigning permissions. Give users only the permissions they need to do their work and no more.
Infrastructure and Connectivity *Which of the following can be implemented as a software or hardware solution and is usually associated with a device—a router, a firewall, NAT, and so on—and used to shift a load from one device to another?* a. Proxy b. Hub c. Load balancer d. Switch
c. *Load balancer* A load balancer can be implemented as a software or hardware solution, and is usually associated with a device—a router, a firewall, NAT, and so on. As the name implies, it is used to shift a load from one device to another.
Infrastructure and Connectivity *What protocol, running on top of TCP/IP, is often used for name registration and resolution with Windows-based clients?* a. Telnet b. SSL c. NetBIOS d. TLS
c. *NetBIOS* NetBIOS is used for name resolution and registration in Windows-based environments. It runs on top of TCP/IP.
Protecting Networks *In order for network monitoring to work properly, you need a PC and a network card running in what mode?* a. Launch b. Exposed c. Promiscuous d. Sweep
c. *Promiscuous* In order for network monitoring to work properly, you need a PC and a network card running in promiscuous mode.
Access Control and Identity Management *Your office administrator is being trained to perform server backups. Which authentication method would be ideal for this situation?* a. MAC b. DAC c. RBAC d. Security tokens
c. *RBAC* Role-Based Access Control (RBAC) allows specific people to be assigned to specific roles with specific privileges. A backup operator would need administrative privileges to back up a server. This privilege would be limited to the role and wouldn't be present during the employee's normal job functions.
Protecting Networks *Which of the following is an active response in an IDS?* a. Sending an alert to a console b. Shunning c. Reconfiguring a router to block an IP address d. Making an entry in the security audit file
c. *Reconfiguring a router to block an IP address* Dynamically changing the system's configuration to protect the network or a system is an active response.
Threats and Vulnerabilities *You've discovered that an expired certificate is being used repeatedly to gain logon privileges. Which type of attack is this most likely to be?* a. Man-in-the-middle attack b. Backdoor attack c. Replay attack d. TCP/IP hijacking
c. *Replay attack* A replay attack attempts to replay the results of a previously successful session to gain access.
Measuring and Weighing Risk *Which of the following strategies involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you?* a. Risk acceptance b. Risk avoidance c. Risk deterrence d. Risk mitigation e. Risk transference
c. *Risk deterrence* Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you.
Infrastructure and Connectivity *Which of the following devices is the most capable of providing infrastructure security?* a. Hub b. Switch c. Router d. Modem
c. *Router* Routers can be configured in many instances to act as packet-filtering firewalls. When configured properly, they can prevent unauthorized ports from being opened.
Threats and Vulnerabilities *A user calls you in a panic. He is receiving emails from people indicating that he is inadvertently sending viruses to them. Over 200 such emails have arrived today. Which type of attack has most likely occurred?* a. SAINT b. Backdoor attack c. Worm d. TCP/IP hijacking
c. *Worm* A worm is a type of malicious code that attempts to replicate using whatever means are available. The worm may not have come from the user's system; rather, a system with the user's name in the address book has attacked these people.
Measuring and Weighing Risk *Which of the following policy statements should address who is responsible for ensuring that it is enforced?* a. Scope b. Exception c. Overview d. Accountability
d. *Accountability* The accountability policy statement should address who is responsible for ensuring that it is enforced.
Protecting Networks *Which IDS function evaluates data collected from sensors?* a. Operator b. Manager c. Alert d. Analyzer
d. *Analyzer* The analyzer function uses data sources from sensors to analyze and determine whether an attack is under way.
Access Control and Identity Management *Which of the following is a type of smart card issued by the Department of Defense as a general identification/authentication card for military personnel, contractors, and non-DoD employees?* a. PIV b. POV c. DLP d. CAC
d. *CAC* One type of smart card is the Common Access Card (CAC). These cards are issued by the Department of Defense as a general identification/authentication card for military personnel, contractors, and non-DoD employees.
Measuring and Weighing Risk *What is the term used for events that mistakenly were flagged and aren't truly events to be concerned with?* a. Fool's gold b. Non-incidents c. Error flags d. False positives
d. *False positives* False positives are events that mistakenly were flagged and aren't truly events to be concerned with.
Protecting Networks *Which IDS system uses algorithms to analyze the traffic passing through the network?* a. Arithmetical b. Algebraic c. Statistical d. Heuristic
d. *Heuristic* A heuristic system uses algorithms to analyze the traffic passing through the network.
Threats and Vulnerabilities *A smurf attack attempts to use a broadcast ping on a network; the return address of the ping may be a valid system in your network. Which protocol does a smurf attack use to conduct the attack?* a. TCP b. IP c. UDP d. ICMP
d. *ICMP* A smurf attack attempts to use a broadcast ping (ICMP) on a network. The return address of the ping may be a valid system in your network. This system will be flooded with responses in a large network.
Infrastructure and Connectivity *A socket is a combination of which components?* a. TCP and port number b. UDP and port number c. IP and session number d. IP and port number
d. *IP and port number* A socket is a combination of IP address and port number. The socket identifies which application will respond to the network request.
Measuring and Weighing Risk *Which of the following strategies is accomplished anytime you take steps to reduce the risk?* a. Risk acceptance b. Risk avoidance c. Risk deterrence d. Risk mitigation e. Risk transference
d. *Risk mitigation* Risk mitigation is accomplished anytime you take steps to reduce the risk.
Infrastructure and Connectivity *Which device stores information about destinations in a network?* a. Hub b. Modem c. Firewall d. Router
d. *Router* Routers store information about network destinations in routing tables. Routing tables contain information about known hosts on both sides of the router.
Infrastructure and Connectivity *Which of the following services use only TCP ports and not UDP? (Choose all that apply.)* a. IMAP b. LDAP c. FTPS d. SFTP
d. *SFTP* SFTP uses only TCP ports. IMAP, LDAP, and FTPS all use both TCP and UDP ports.
Protecting Networks *Which of the following implies ignoring an attack and is a common response?* a. Eschewing b. Spurning c. Shirking d. Shunning
d. *Shunning* Shunning, or ignoring an attack, is a common response.
Threats and Vulnerabilities *A user reports that he is receiving an error indicating that his TCP/IP address is already in use when he turns on his computer. A static IP address has been assigned to this user's computer, and you're certain this address was not inadvertently assigned to another computer. Which type of attack is most likely underway?* a. Man-in-the-middle attack b. Backdoor attack c. Worm d. TCP/IP hijacking
d. *TCP/IP hijacking* One of the symptoms of a TCP/IP hijacking attack may be the unavailability of a TCP/IP address when the system is started.
Threats and Vulnerabilities *A junior administrator comes to you in a panic. After looking at the log files, he has become convinced that an attacker is attempting to use an IP address to replace another system in the network to gain access. Which type of attack is this?* a. Man-in-the-middle attack b. Backdoor attack c. Worm d. TCP/IP hijacking
d. *TCP/IP hijacking* TCP/IP hijacking is an attempt to steal a valid IP address and use it to gain authorization or information from a network.
Access Control and Identity Management *You have added a new child domain to your network. As a result of this, the child has adopted all the trust relationships with other domains in the forest that existed for its parent domain. What is responsible for this?* a. LDAP access b. XML access c. Fuzzing access d. Transitive access
d. *Transitive access* Transitive access exists between the domains and creates this relationship.
Protecting Networks *Which Linux utility can show if there is more than one set of documentation on the system for a command you are trying to find information on?* a. Lookaround b. Howmany c. Whereall d. Whatis
d. *Whatis* In Linux, the whatis utility can show if there is more than one set of documentation on the system for a command you are trying to find information on.
Measuring and Weighing Risk *Refer to the scenario in question 2. Which of the following is the ALE for this scenario?* a. $2 million b.$1 million c. $500,000 d. $33,333.33 e. $16,666.67
e. *$16,666.67* ALE (annual loss expectancy) is equal to SLE times the annualized rate of occurrence. In this case, SLE is $1 million and the ARO is 1/60.
Measuring and Weighing Risk *Which of the following strategies involves sharing some of the burden of the risk with someone else such as an insurance company?* a. Risk acceptance b. Risk avoidance c. Risk deterrence d. Risk mitigation e. Risk transference
e. *Risk transference* Risk transference involves sharing some of the burden of the risk with someone else such as an insurance company.