Comp & Network Security Chapter Quiz 5,6,7
Which of the following is an authentication method that supports smart cards, biometrics, and credit cards, and is a fully scalable architecture?
802.1x Explanation: 802.1x can support RADIUS, TACACS, Kerberos, certificates, passwords, smart cards, biometrics, special access codes, and even credit cards as means of authentication.
Passive threats are those you must act upon to be harmed, such as clicking a link and downloading infected content. An active threat, such as a hacker, seeks out vulnerable targets. Which of the following is least effective against passive threats?
A door lock
Which of the following can affect the confidentiality of documents stored on a server?
A server breach
Which of the following best describes a network chokepoint?
A specialized kind of gateway that focuses on traffic to a single concentrated pathway to streamline the process of filtering
In preserving the confidentiality of users on a corporate network, which party is responsible for setting up security policies to guarantee users' privacy?
Administrator
Charles is an IT help desk technician. He gets a ticket from a branch office saying that they lost Internet connectivity. He investigates remotely over a backup maintenance link and determines that this was done by design; the office's firewall deliberately severed the connection. Which of the following does this functionality define?
Bastion host
Before an Internet user can access a demilitarized zone (DMZ), extranet, or private network resource, it first encounters an entity that is sturdy enough to withstand any sort of attack. What is this entity called?
Bastion host operating system Explanation: A bastion host operating system is designed, built, and deployed specifically to serve as a frontline defense for a network. A bastion host is the first (or nearly so) host accessed by external entities on their way to access DMZ, extranet, or private network resources. The bastion host must withstand the brunt of any attack attempt to provide protection for hosts behind it.
What is the basic service of a reverse proxy?
Hides the identity of a web server accessed by a client over the Internet Explanation: Reverse proxy is a firewall service that allows external users to access internally hosted web resources. This service takes the traditional proxy function and inverts it. Instead of hiding the identity of the client reaching out to the Internet, reverse proxy hides the identity of the web server accessed by the Internet (or external) client.
Which of the following is a protocol that allows web servers to complete secure transactions over the Internet?
Hypertext Transfer Protocol Secure (HTTPS)
Which of the following can be described as putting each resource on a dedicated subnet behind a demilitarized zone (DMZ) and separating it from the internal local area network (LAN)?
N-tier deployment Explanation: An aspect of defense in depth is to deploy multiple subnets in series to separate private resources from public, a strategy known as an N-tier deployment. "N" represents the number of subnets under private control. A common construction of a three-tiered deployment uses a DMZ, a database subnet, and a private LAN.
Marcus is studying networking with an emphasis on cybersecurity at a local university. As part of his research, he wants to visit certain hacker sites but is concerned that his laptop would be vulnerable to passive threats while visiting them. He doesn't have the funds for expensive security equipment. What is the least expensive option he has at hand?
Native firewall
A firewall allows you to restrict unauthorized access between the Internet and an internal network.
True Explanation: A firewall allows you to restrict unauthorized access between the Internet and an internal network.
Firewall implementation documentation should include every action taken from the moment the firewall arrives on site through the point of enabling the filtering of production traffic.
True Explanation: Firewall implementation documentation should include every action taken from the moment the firewall arrives on site through the point of enabling the filtering of production traffic.
In an N-tier deployment, multiple subnets are deployed in series to separate private resources from public.
True Explanation: In an N-tier deployment, multiple subnets are deployed in series to separate private resources from public.
In the fail-safe security stance, when any aspect of security fails, the best result of that failure is to fail into a state that supports or maintains essential security protections.
True Explanation: In the fail-safe security stance, when any aspect of security fails, the best result of that failure is to fail into a state that supports or maintains essential security protections.
Including photos of configuration screens in firewall procedures can speed up restoration after a network incident.
True Explanation: Including photos of configuration screens in firewall procedures can speed up restoration after a network incident.
Security systems configured by the same security administrator can potentially have the same misconfiguration or design weakness.
True Explanation: Security systems configured by the same security administrator can potentially have the same misconfiguration or design weakness.
Users with the minimum level of access to resources needed to complete their assigned tasks follow the principle of least privilege.
True Explanation: Users with the minimum level of access to resources needed to complete their assigned tasks follow the principle of least privilege.
You can check firewall connectivity using the ping and traceroute commands.
True Explanation: You can check firewall connectivity using the ping and traceroute commands.
The network infrastructure supervisor is designing a firewall placement strategy that will protect the organization's Internet-facing web and email servers and the internal network. Which design will provide the best protection?
Using two firewalls to create a demilitarized zone (DMZ); one firewall is placed between the Internet and the servers, the other firewall is located behind the first firewall and the servers protecting the internal network
Joaquin is a senior network technician for a mid-sized company who has been assigned the task of improving security for the IT infrastructure. He has been given a limited budget and must increase security without redesigning the network or replacing all internetworking security devices. He focuses on an approach that will identify a single vulnerability. What does he recommend?
Weakest link
Which of the following is closely associated with maintaining data integrity?
Hash Explanation: Integrity methods verify that data has not changed. For example, hashing is often used to verify the integrity of messages.
A social networking website has been gathering a great deal of personal information on its users for years. This presents the potential danger of exposure if the site is hacked. In addition, the data could be sold by the social networking platform without the users' knowledge or consent. What technology does the social media company most likely use to gather data, such as users' buying preferences?
Data mining Explanation: Data mining methods are used to help build customer preference profiles. From the perspective of an organization selling products, this data is valuable for identifying an individual's buying habits and targeting advertising. However, it can be easily misused. If the databases containing this information are hacked, the confidential data of millions of customers could be sold to malicious parties for identity theft or other purposes.
What is an intrusion detection system/intrusion prevention system (IDS/IPS) that uses patterns of known malicious activity similar to how antivirus applications work?
Database-based detection
Which of the following is unlikely to support at-firewall authentication?
Demilitarized zone (DMZ) firewall Explanation: Most DMZ firewalls do not perform at-firewall authentication. Instead, the web servers hosted in the DMZ can provide both anonymous content and authenticated content to visitors.
Brianna is an IT technician. She is studying a threat that holds the communication channel open when a TCP handshake does not conclude. What kind of attack does this involve?
Denial of service (DoS) attack Explanation: Many different types of DoS attacks are possible, such as when a TCP handshake attack does not conclude and holds the communication channel open. Hundreds of these incomplete sessions in a short time can consume substantial resources on a server and even crash it.
Which of the following is a common firewall philosophy?
Deny by default
Which of the following is a firewall implementation best practice?
Different firewall products should be used depending on firewall placement, such as different products for border firewalls versus internal host firewalls.
What prevents firewall filtering?
Encryption
A software firewall can protect multiple hosts from malicious network activity.
False
Hashing does not verify the integrity of messages.
False
In intrusion detection, anomaly-based detection looks for differences from normal traffic based on a recording of real-world traffic that establishes a baseline.
False
Multiple firewalls in a series is considered diversity of defense but not defense in depth.
False
The pfSense firewall is a border firewall.
False
Hypertext Transfer Protocol Secure (HTTPS) does NOT encrypt private transactions made over the Internet.
False Explanation: HTTPS does encrypt private transactions made over the Internet.
The weakest link security strategy gains protection by using abnormal configurations.
False Explanation: Security through obscurity is the idea of gaining protection by using abnormal configurations.
All firewalls provide network perimeter security.
False Explanation: Some firewalls provide network perimeter security. Others, such as host firewalls, protect computers and servers.
The less complex a solution, the more room there is for mistakes, bugs, flaws, or oversights by security administrators.
False Explanation: The more complex a solution, the more room there is for mistakes, bugs, flaws, or oversights by security administrators.
pfSense can be installed on a local firewall only.
False Explanation: You can install pfSense on a local firewall, on a large-scale security device, or in the cloud.
Chang is a network engineer. He is revising the company's firewall implementation procedure. He is reviewing the procedural element requiring placement of network firewalls at chokepoints and mapping out the network structure to pinpoint the location where firewalls are to be placed. Which of the following is he focusing on?
Network design Explanation: The specifics of an implementation guide are different for each organization. However, every plan should have certain common elements. The network design element specifies the network design that the firewall will complement. To be effective, network firewalls (as opposed to host firewalls) must be placed at chokepoints or transition points. The design of the network is an essential element of effective firewall deployment.
What does a digital signature provide?
Nonrepudiation Explanation: A digital signature provides nonrepudiation, making it difficult or impossible for the signing party to later deny that they signed and sent the document to the source.
Werner is a security manager for a health insurance company. He is examining the organization's compliance with patient privacy. While investigating how staff handle verbal and email communications, he discovers that some staff members are lax about how well they protect details that, when combined, might be used to reveal sensitive details about some customers. What is the focus of his concern?
Personally identifiable information (PII)
Which of the following is a concern when considering the use of a demilitarized zone (DMZ) firewall solution to access high-value data on an internal network?
Poorly constructed firewall rules Explanation: A DMZ has some security but allows public access outside of the corporate network. It is important to ensure that application-level firewalls are restricting access properly prior to deployment of the DMZ. This is especially important if external people will access high-value information, such as customers accessing inventory available for purchase. Once access is granted, poorly constructed firewall rules may allow access to data that should have been restricted.
Which of the following is a firewall, proxy, and routing service that does NOT support caching, encryption endpoint, or load balancing? Note that this service can be found on almost any service or device that supports network address translation.
Port forwarding Explanation: Port forwarding is a firewall, proxy, and routing service that can receive a resource request on an interface at one port and then forward the request to another address on the same or different port. Port forwarding does not support caching, encryption endpoint, or load balancing. Only a single internal machine can use a forwarded port at a time.
Which operating system (OS) for a bastion host runs on most appliance firewalls as well as many Internet service provider (ISP) connection devices?
Proprietary OS
Amy is a network engineering consultant. She is designing security for a small to medium-sized government contractor working on a project for the military. The government contractor's network is comprised of 30 workstations plus a wireless printer, and it needs remote authentication. Which of the following is a type of authentication solution she should deploy?
RADIUS Explanation: IEEE 802.1x is also known as PNAC. An 802.1x device establishes the initial electronic connection or virtual circuit between the requesting host and the device, but before communication to a host beyond the portal device takes place, remote authentication must occur. 802.1x can support RADIUS, TACACS, Kerberos, certificates, passwords, smart cards, biometrics, special access codes, and even credit cards as means of authentication.
Manuela has researched a third-party software firewall she wants to install on her PC since she believes it is a better quality than the operating system's onboard firewall. She has read the installation instructions. The firewall is compatible with her operating system and has gotten good customer reviews. After performing the installation last week, she notices that numerous malicious exploits are successfully hacking her computer. What went wrong?
She forgot to disable the native firewall when she installed the third-party firewall.
Landon is a network contractor. He has been hired to design security for the network of a small company. The company has a limited budget. Landon is asked to create a system that will protect the company's workstations and servers without undo expense. Landon decides to deploy one hardware firewall between the Internet and the local area network (LAN). What is this solution called?
Single defense Explanation: When designing security, consider the net result if any component of the security system were to fail. If the failure of a single component results in a compromise or intrusion, the environment has a single layer of protection. In this case, if the firewall were to fail, the LAN would be wide open to attack. A better strategy would be to implement multiple layers of protection, so that if any one system should fail, the others would still guard the network.
Demetrice is a network consultant. She has been hired to design security for a network that hosts 25 employees, many of whom need remote access. The client recently opened another small office in a neighboring community and wants to be able to routinely establish secure network connections between the two locations. The client often deals with customer bank information and requires a particularly secure solution. What is her response to these requirements?
Small office/home office (SOHO) virtual private network (VPN) Explanation: A SOHO VPN hardware firewall is the best solution when you already have a working network and want to provide remote access. For example, you may already connect your personal computers within your office. If you want to open a new office in another location, you could connect both offices with a SOHO VPN firewall at each office. It will create a secure connection to transfer sensitive data (bank information, customer information, or company-related information) from one office to the other.
Carl is a network engineer for a mid-sized company. He has been assigned the task of positioning hardware firewalls in the IT infrastructure based on common pathways of communication. After analyzing the problem, on which aspect of the network does he base his design?
Traffic patterns
Rachel is a network technician. She is writing a proposal that recommends which firewall type to purchase to replace an aging and failing unit. She wants to be able to protect two separate internal network segments with one hardware firewall. What is her recommendation?
Triple-homed
A firewall best practice is to document every action taken during troubleshooting.
True
A firewall serves as a clear and distinct boundary between one network area and another.
True
A firewall with two interfaces is known as a dual-homed firewall.
True
A next-generation firewall (NGFW) is a device that offers additional capabilities beyond traditional firewall functionality.
True
An intrusion detection system (IDS) serves as a companion mechanism to a firewall.
True
Content filtering can focus on domain name, URL, filename, file extension, or keywords in the content of a packet.
True
Firewall logging helps to ensure that defined filters or rules are sufficient and functioning as expected.
True
Firewalls should be considered a part of a security infrastructure, not the totality of security.
True
If a server has a public IP address, it is a potential target for hacker attacks.
True
Passive threats are those you must seek out to be harmed, such as visiting a malicious website.
True
When the defense in depth security strategy is followed, a single component failure does not result in compromise or intrusion.
True
Windows Defender Firewall is an example of a native firewall.
True
A small office/home office (SOHO) virtual private network (VPN) hardware firewall provides remote access.
True Explanation: A SOHO VPN hardware firewall provides remote access.
A drawback of multiple-vendor environments is the amount of network staff training that is typically needed.
True Explanation: A drawback of multiple-vendor environments is the amount of network staff training that is typically needed.