sec + set 2

अब Quizwiz के साथ अपने होमवर्क और परीक्षाओं को एस करें!

MSCHAPv2

When authenticating with PEAP, what is used to provide mutual authentication between peer computers?

13) What is Registration Authority

Responsible for accepting cert request from clients and validating the entity requesting the certificate - Follow security policy to validate employee - filling out application for cert presenting ID and reason for cert - Once RA validates request, it is passed to CA to create cert

Quarantine Portal

Redirects the user to a webpage with hyperlinks to fix parts of the system that aren't in compliance

How can you limit the range of WAP?

Reduce its power

Retroviruses

Retroviruses: These viruses attack or bypasses the antivirus software installed on a computer.

13) Review installing CA on windows server (exercise 13-1)

Review exercise 13-1

Risk Avoidance (RA)

Risk avoidance involves identifying a risk and making the decision not to engage any longer in the actions associated with that risk. For example, a company may decide that many risks are associated with email attachments and choose to forbid any email attachments from entering the network.

What is a smurf attack?

Spoofs the source address. Use direct broadcast to launch attacks through amplifying network

Implicit deny

Which of the following is likely to be the last rule contained within the ACLs of a firewall?

L2TP

Which of the following protocols creates an unencrypted tunnel?

Load balancing

Which of the following provides for the best application availability and can be easily expanded as an organization's demand grows?

Proxy server

Which of the following should a security administrator implement to limit web-based traffic that is based on the country of origin?

636

Which port number does the protocol LDAP use when it is secured?

SPA

Which protocol can be used to secure the e-mail login from an Outlook client using POP3 and SMTP?

Password complexity requirements

Which security measure should be included when implementing access control?

To find open ports on a server

Why would a security administrator use a vulnerability scanner?

Asymmetric Encryption

Using two mathematically related keys to perform the encryption and decryption process ex) public and private keys

ISOC

A professional membership group composed primarily of Internet experts. It oversees a number of committees and groups, including the Internet Engineering Task Force (IETF).

cryptographic algorthim

A symmetric algorithm, also known as a cipher, used to encrypt and decrypt data.

What is an OU?

A group of users or computers within Active Directory.

512

An SHA algorithm will have how many bits?

NAC Network Access Control

Evaluates system security status before allowing a connection to the network. NAC enforces policy.

What are the types of COOP?

Hot, cold, warm, and mobile

Secure FTP (SFTP)

Extension of SSH that allows secure transfer and management of files through SSH channel

What is a root kit

Has system-level or kernel-level access and can modify system files and access. They hide their running processes to avoid detection.

What is the encryption protocol used with VPN?

IPsec

What is ICMP?

Internet control message protocol - used for testing basic connectivity, diagnostics, control, and error messaging

The web server is showing a drop in CPU speed and hard disk speed.

Michael has just completed monitoring and analyzing a web server.What indicates that the server might have been compromised?

Multipartite

Multipartite: These viruses attack your system in multiple ways.

What defines the rules of what traffic is permissible and what traffic is to be blocked or denied?

Security policies

What is SaaS?

Software as a service

Perform a vulnerability assessment.

What is the best way for a person to find out what security holes exist on the network?

Ipsec

What is usually used with L2TP?

Windows socket

an api used to implement tcp/ip into programs

127.0.0.1

localhost loopback

18) Port Scanners

locate what network applications uses what ports - tell what ports are open on which system

intrusion detection system (IDS)

log suspicious activity and notifies administrator - detect based on signature - detect on anomaly based - activity outside normal activity

14) Proximity sensor

sensor emits a magnetic field. - when someone approaches, the motion of the intruder changes the field frequency - prone to many false alarms

transposition cipher

shifting characters in the message a certain number of places Plain text: Glen Cipher text: enGl

RAID, fail over clustering, UPSs, and generators remove ___

single points of failures

17) Acquisitions Tools

software that is forensically sound - will not alter the source drive in any way - Forensics Acquisition Util (FAU) - free software

16) cold spares

spare component that is not powered on and usually sitting on a shelf of server room. - must be connected and powered up before it can take over the failed device

17) Direct Evidence

testimony from a witness who has seen or experience the event firsthand

*Which of the following allows the deployment of a publicly accessible web server without compromising the security of the private network?* a. Intranet b. DMZ c. Extranet d. Switch

*DMZ* A DMZ provides a network segment where publicly accessible servers can be deployed without compromising the security of the private network.

*A network-based IDS is not suitable for detecting or protecting against which of the following?* a. Email spoofing b. Denial-of-service attacks c. Attacks against the network d. Attacks against an environment that produces significant traffic

*Email spoofing* Network-based IDSs aren't suitable for protecting against email spoofing.

Ideal HVAC settings

- 70-74 degree F - 40-60 humidity -low H ESD - high H corrode computer components

18) Scanning tools to know

- Backtrack - LANguard - MBSA - Nessus - Cain & Abel - John the Ripper

17) acquire forsenics from RAID

- Forensics software will allow you image the array of a single logical disk - ProDiscover - creates an image of each physical desk in RAID and create group file that ensure all disk images are loaded

Loop Protection Loops

- More than one layer 2 path between two endpoints (switches loop to each other) •Can bring down the network (broadcast storm)

ECC

- asymmetric encryption algorithm

PaaS

- platform as a service - operating systems

13) How digital Signature works

1. Bob generates message digest (hash value) 2. Bob encrypts message digest with his private key and send the message with the encrypted message digest to Sue. 3. Sue use Bob's public key to decrypt MD, proving that Bob sent message 4. Sue calculate a new MD digest on the message received, if same the message have not been tampered with

What type of server does enterprise mode require?

A 802.1x server (RADIUS)

What does WPA2 Enterprise require?

A RADIUS server to authenticate

Proxy Server

A border device used to protect security zones •Can be configured to improve performance by caching content locally. •Uses ACL to filter inbound outbound traffic •Packet Filtering Firewall •Filtering is based on sessions rather than content of packets. Works at layer 7.

The computer is missing the authentication agent.

A computer that is connected to an NAC-enabled network is not asked for the proper NAC credentials. What is a possible reason for this?

Use of a device as it was intended

A coworker has installed an SMTP server on your organization's database server. What security principle does this violate?

What's the difference between preventive controls and detective controls?

A detective control can't predict when an incident will occur and it can't prevent it.

If a private key is encrypting, what is it being used for?

A digital signature

What is a yagi?

A directional antenna.

Request for coments (rfc)

A document-creation process and a set of practices that originated in 1969 and is used for proposed changes to Internet standards.

What is stateful filtering?

A firewall knows and maintains the context of a conversation

Hierarchical Trust Model

A root CA at the top provides all the information. The intermediate CAs is next in the . hierarchy, and they only trust information provided from the root CAs. pg 35

What is a security baseline?

A secure starting point for an OS or application

TACACS+

AAA protocol used by cisco that supercedes TACACS/XTACACS - uses TCP and RADIUS - encrypts all information

(Annual Loss Expectancy)

ALE

What is VM Escaping?

Accessing the host system from within a virtual system

18) Action Item: Superscan starting 10.0.0.1 - 10.0.0.200

Action item: download Superscan

What are some corrective controls?

Active IDS, backups and system recovery

AES

Advanced Encryption Standard (AES) has replaced DES as the current standard, and it uses the Rijndael algorithm. It was developed by Joan Daemen and Vincent Rijmen. AES is the current product used by U.S. governmental agencies. It supports key sizes of 128, 192, and 256 bits, with 128 bits being the default.

Asymmetric Encryption Advantage/Disadvantages

Advantage - easier key management Disadvantage - slower performance than symmetric encryption

Single Authority Trust

All trust is established by one entity, highly centralized. How?: 1.3rd party central certifying authority signs a given key and authenticates owner of key. 2.User trusts the authority and by association, trust all keys issued by authority.

TCP sequence attack

An attack wherein an attacker intercepts and then responds with a sequence number similar to the one used in the original session. The attack can either disrupt a session or hijack a valid session.

Fuzzing

An attacker has identified and exploited several vulnerabilities in a closed-source application that your organization has developed. What did the attacker implement?

What is a replay attack?

An attacker replays data that was already part of a communication session. It uses data captured earlier with the intention of impersonating later

Recovery agent

An entity that has the ability to recover a key, key components, or plaintext messages as needed.

Ephemeral Key

An ephemeral key is simply a key that exists only for that session.

work factor

An estimate of the amount of time and effort that would be needed to break a system.

What is Diameter?

An improvement over RADIUS including secure transmissions with EAP

User rights

Ann has been asked by her boss to periodically ensure that a domain controller/DNS server maintains the proper security configuration. What should she review?

Armored virus

Armored: This type of virus is one that is designed to make itself difficult to detect or analyze.

TLDR wireless standards

As a simplified timeline useful for exam study, think of WEP as coming first. It was fraught with errors and WPA (with TKIP) was used as an intermediate solution, implementing a portion of the 802.11i standard. The ultimate solution, a full implementation of the 802.11i standard, is WPA2 (with CCMP).

What is a birthday attack?

Attacker replicates the hash by using a different password that has the same hash (hash collision)

What are preventative controls?

Attempt to prevent security incidents. Device hardening, security guards, change management.

What is DNS poisoning?

Attempts to corrupt DNS data. - can point to an alternate website

What does an IDS do?

Attempts to detect attacks and then modify the environment to block the attack from continuing. For example, they might modify the ACL to block traffic from an attacker.

(Business Process Automation)

BPA

Birthday Attack

Based on birthday paradox (chances are in a room of 23 two will have the same bday)

18) Penetration Test Benefits

Benefits 1) Verify if threat exist 2) Bypass and actvicely test security controls 3) Exploiting vulnerabilities

Blowfish/Twofish

Blowfish is an encryption system invented by a team led by Bruce Schneier that performs a 64-bit block cipher at very fast speeds. It is a symmetric block cipher that can use variable-length keys (from 32 bits to 448 bits). Twofish is quite similar and works on 128-bit blocks. The distinctive feature of the latter is that it has a complex key schedule.

How can you avoid a risk?

By not providing a service or not participating in risky activity.

CAST

CAST is an algorithm developed by Carlisle Adams and Stafford Tavares (hence the name). It's used in some products offered by Microsoft and IBM. CAST uses a 40-bit to 128-bit key, and it's very fast and efficient. Two additional versions, CAST-128 and CAST-256, also exist.

13) Public Certificate Authorities (Public CA)

CAs that are in the business of selling certs to other business so application can be used. - benefit - most applications trust certs that comes from common public PA (Entrust, Verisign, GoDaddy)

What is port security?

Capability provided by switches that allows you to control which devices and how many of them are allowed to connect via each port on a switch

LEAP is proprietary of who?

Cisco

Uses subnet mask 255.0.0.0 with first octet 1-126

Class A space

Uses subnet mask 255.255.0.0 with first octet 128-191

Class B space

volatile data

Collect data from volatile areas first RAM > swap file > HD > CD-Rom

Wireless Application Protocol

Commonly used in a small mobile devices such as cell phones that have a web browser functions equivalent to TCP/IP

18) Active Tool Scan

Communicates with the intended victim system and higher chance of being detected. - ex) port scanners

_____ ____ identifies alternate methods of communication, such as a war room or push to talk phones. It also identifies who must be contacted.

Communication plan

What is the first step of a CSR?

Create the RSA-based private key, which is then used to create the public key. Then the public key is put in the CSR for the CA to embed the public key in the certificate.

Secure Hash Algorithm (SHA)

Created by NSA - generates 160-bit hash value - different version SHA-0, SHA-1, SHA-2 - most common is SHA-1

Message Digest (MD) hashing algorithm

Created by Ron Rivest - generates 128-bit hash value - different version MD2, MD4, MD5 - MD5 most common

What type of attack allows attackers to capture user information such as cookies?

Cross-sit scripting (XSS)

What does a SYN flood attack do?

Disrupts the TCP initiation process by withholding the third packet of the three-way handshake

Load Balancers

Distributes workload across multiple computers or network links. Prevents single point of failure

17) disk to image benefit

Do not need to have a spare disk to capture image. send image to a target drive. original drive and initial image will not be touch during analysis

18) Passive Tool Scan

Does not try to connect to system when do scanning - ex) scanning DNS server, not the intended target, which is the web or FTP server

What wireless standard requires a certificate on the 802.1x server and the client?

EAP-TLS

Web of Trust Model

Each node trusts each neighboring node Decentralized, Transitive access, weakest link compromises all other links, p2p.

Transport vs tunneling mode

Encryption can be done in either tunneling or transport mode. In tunneling mode, the data or payload and message headers are encrypted. Transport mode encrypts only the payload.

EAP protocol variants

LEAP - light weight extensible authentication protocol - Cisco proprietary EAP solution PEAP - Protected extensible authentication protocol - encapsulate EAP message over a secure tunnel that use TLS

What is a honeynet?

Mimics the functionality of a live network

http://www.tech-faq.com/wp-content/uploads/2009/01/osimodel.png

OSI model

Perfect forward secrecy

Occurs when a process is unbreakable.

What is the OCSP

Online Certificate Status Protocol

18) OWASP

Open web application security protocol - Standardized Web Application Security testing procedures

Which provides authentication services and uses PPP?

PAP and CHAP

What is RAS?

Remote Access Service - provides access to an internal network from an outside source

Which version of SNMP adds cryptographic protections?

SNMP 3

A PKI requires a _____ model between CAs

Trust

What mode does IPsec use for VPN, and how is it identified?

Tunnel mode, ID 50 for ESP

19) Linux Audit Logs

Uses syslogd daemon

Incremental

What backup types, describes the backup of files that have changed since the last full or incremental backup?

CCTV

What is a detective security control?

Security Assertion Markup Language (SAML)

XML standard designed to exchange authentication and authorization info

Honeypot

You have implemented a technology that enables you to review logs from computers located on the DMZ. The information gathered is used to find out about new malware attacks. What have you implemented?

Rootkit

You investigate an executive's laptop and find a system-level kernel module that is modifying the operating system's functions. What is this an example of?

RA

a registration authority is used to verify requests for certificates from a certificate authority or multiple certificate authorities. In this scenario, your organization and a sister organization use multiple certificate authorities (CAs). Which component of PKI is necessary for one CA to know whether to accept or reject certificates from another CA?

Infrastructure and Connectivity *Which ports are, by default, reserved for use by FTP? (Choose all that apply.)* a. 20 and 21 TCP b. 20 and 21 UDP c. 22 and 23 TCP d. 22 and 23 UDP

a. *20 and 21 TCP* FTP uses TCP ports 20 and 21. FTP does not use UDP ports.

Access Control and Identity Management *Which of the three principles of security is supported by an iris biometric system?* a. Confidentiality b. Integrity c. Availability d. Vulnerability

a. *Confidentiality* Confidentiality involves protecting against unauthorized access, which biometric authentication systems support. Integrity is concerned with preventing unauthorized modification, making answer B incorrect. Answer C is not correct because availability is concerned with ensuring that access to services and data is protected against disruption. Answer D is incorrect because a vulnerability is a failure in one or more of the C-I-A principles.

*Certificates have what single purpose?* a. Proving identity b. Proving quality c. Providing encryption security d. Exchanging encryption keys

a. *Proving identity* Certificates have the single purpose of proving identity. They don't prove quality or provide encryption security, and they aren't used to exchange encryption keys.

*Which protocol is used to manage network equipment and is supported by most network equipment manufacturers?* a. Simple Network Management Protocol (SNMP) b. Internet Control Message Protocol (ICMP) c. Secure Copy Protocol (SCP) d. Transmission Control Protocol/Internet Protocol (TCP/IP)

a. *Simple Network Management Protocol (SNMP)* The Simple Network Management Protocol (SNMP) is a popular protocol used to manage network equipment and is supported by most network equipment manufacturers.

Protecting Networks *In intrusion detection system parlance, which account is responsible for setting the security policy for an organization?* a. Supervisor b. Administrator c. Root d. Director

b. *Administrator* The administrator is the person/account responsible for setting the security policy for an organization.

Threats and Vulnerabilities *As the security administrator for your organization, you must be aware of all types of attacks that can occur and plan for them. Which type of attack uses more than one computer to attack the victim?* a. DoS b. DDoS c. Worm d. UDP attack

b. *DDoS* A DDoS attack uses multiple computer systems to attack a server or host in the network.

Measuring and Weighing Risk *Which of the following policy statements may include an escalation contact, in the event that the person dealing with a situation needs to know whom to contact?* a. Scope b. Exception c. Overview d. Accountability

b. *Exception* The exception policy statement may include an escalation contact, in the event that the person dealing with a situation needs to know whom to contact.

*Which element of business continuity planning (BCP) is most concerned with hot-site/cold-site planning?* a. Network connectivity b. Facilities c. Clustering d. Fault tolerance

b. *Facilities* Facilities continuity planning is focused around alternative site management, hardware, and service contracts. Network connectivity BCP involves establishing alternative network access paths and dedicated recovery administrative connections, making answer A incorrect. High-availability clustered servers ensure that automatic failover occurs in the event that the primary service nodes are unable to perform normal service functions, making answer C incorrect. Fault tolerance, particularly in the area of storage devices, supports individual server operational continuity in the face of hardware device failure, making answer D incorrect. In SAN storage systems, redundant storage network connections similarly ensure continuous resource access for devices in the storage-area network.

Security and Vulnerability in the Network *Which of the following is a protection feature built into many firewalls that allow the administrator to tweak the tolerance for unanswered login attacks?* a. MAC filter b. Flood guard c. MAC limiter d. Security posture

b. *Flood guard* A flood guard is a protection feature built into many firewalls that allow the administrator to tweak the tolerance for unanswered login attacks. By reducing this tolerance, it is possible to reduce the likelihood of a successful DoS attack.

Measuring and Weighing Risk *What is the first step in performing a basic forensic analysis?* a. Ensure that the evidence is acceptable in a court of law b. Identify the evidence c. Extract, process, and interpret the evidence d. Determine how to preserve the evidence

b. *Identify the evidence* It is necessary to first identify the evidence that is available to be collected. Answer A is incorrect because protecting data's value as evidence must come after the type and form of evidence is known. Extraction, preservation, processing, and interpretation of evidence also follow the identification of data types and storage that must be collected, making answers C and D incorrect.

Disaster Recovery and Incident Response *You're trying to rearrange your backup procedures to reduce the amount of time they take each evening. You want the backups to finish as quickly as possible during the week. Which backup system backs up only the files that have changed since the last backup?* a. Full backup b. Incremental backup c. Differential backup d. Backup server

b. *Incremental backup* An incremental backup backs up files that have changed since the last full or partial backup.

*Which of the following is not a common quality of quantitative risk analysis?* a. Difficult for management to understand b. Less precise c. Labor intensive d. Time-consuming

b. *Less precise* Qualitative risk assessments tend to be less precise than quantitative assessments. Quantitative risk assessments tend to be more difficult for management to understand properly without additional explanation, require intensive labor to gather all of the necessary measurements, and are time-consuming to produce and keep up to date, making answers A, C, and D incorrect.

Infrastructure and Connectivity *Which service(s), by default, use TCP and UDP port 22? (Choose all that apply.)* a. SMTP b. SSH c. SCP d. IMAP

b. *SSH* c. *SCP* Port 22 is used by both SSH and SCP with TCP and UDP.

Educating and Protecting the User *The Clark-Wilson model must be accessed through applications that have predefined capabilities. This process prevents all except:* a. Modification b. Spam c. Errors d. Fraud

b. *Spam* The Clark-Wilson model must be accessed through applications that have predefined capabilities. This process prevents all the choices listed except spam.

14) what is Photoelectric sensor

beam of light is emitted from transmitter to receiver

*The _______________ is the expected monetary loss that can be expected for an asset due to a risk over a one-year period.* a. Single Loss Expectancy b. Annualized Rate of Occurrence c. Annualized Loss Expectancy d. Multiple Loss Expectancy

c. *Annualized Loss Expectancy* The Annualized Loss Expectancy (ALE) is the expected monetary loss that can be expected for an asset due to a risk over a one-year period.

Protecting Networks *You're the administrator for Acme Widgets. After attending a conference on buzzwords for management, your boss informs you that an IDS should be up and running on the network by the end of the week. Which of the following systems should be installed on a host to provide IDS capabilities?* a. Network sniffer b. NIDS c. HIDS d. VPN

c. *HIDS* A host-based IDS (HIDS) is installed on each host that needs IDS capabilities.

Cryptography Implementation *Which of the following is an attack against the algorithm?* a. Birthday attack b. Weak key attack c. Mathematical attack d. Registration attack

c. *Mathematical attack* A mathematical attack is an attack against the algorithm.

Cryptography Basics *MAC is an acronym for what as it relates to cryptography?* a. Media access control b. Mandatory access control c. Message authentication code d. Multiple advisory committees

c. *Message authentication code* A MAC as it relates to cryptography is a method of verifying the integrity of an encrypted message. The MAC is derived from the message and the key.

*Which of the following is the best measure to prevent divulging sensitive information through dumpster diving? (Select two correct answers.)* a. A firewall b. Antivirus software c. Proper disposal policy d. Training and awareness

c. *Proper disposal policy* d. *Training and awareness* Dumpster diving describes a physical means of acquiring sensitive data, often by digging through discarded material. A policy that clearly describes an organization's stance on proper disposal of data and equipment along with user training and awareness are key measures that should be taken to prevent the disclosure of sensitive data through dumpster diving. Answers A and B are incorrect and cannot prevent a physical attack on materials.

Protecting Networks *Which of the following is an active response in an IDS?* a. Sending an alert to a console b. Shunning c. Reconfiguring a router to block an IP address d. Making an entry in the security audit file

c. *Reconfiguring a router to block an IP address* Dynamically changing the system's configuration to protect the network or a system is an active response.

Threats and Vulnerabilities *You've discovered that an expired certificate is being used repeatedly to gain logon privileges. Which type of attack is this most likely to be?* a. Man-in-the-middle attack b. Backdoor attack c. Replay attack d. TCP/IP hijacking

c. *Replay attack* A replay attack attempts to replay the results of a previously successful session to gain access.

Security-Related Policies and Procedures *On a Linux-based system, which account is equivalent to the administrator account in Windows?* a. Auditor b. Supervisor c. Root d. Master

c. *Root* The root user in Linux is equivalent to the administrator user in Windows.

*The term _______________ refers to the average (mean) amount of time until a component fails, cannot be repaired, and must be replaced.* a. mean time to recovery b. failure in time c. mean time between failures d. mean time to failure

c. *mean time between failures* The term mean time between failures refers to the average (mean) amount of time until a component fails, cannot be repaired, and must be replaced.

Active IDS

can take actions

With passwords, what two features provide the best security?

complexity and length

Protecting Networks *Which IDS system uses algorithms to analyze the traffic passing through the network?* a. Arithmetical b. Algebraic c. Statistical d. Heuristic

d. *Heuristic* A heuristic system uses algorithms to analyze the traffic passing through the network.

Disaster Recovery and Incident Response *What is another name for working copies?* a. Functional copies b. Running copies c. Operating copies d. Shadow copies

d. *Shadow copies* Working copies are also known as shadow copies.

Disaster Recovery and Incident Response *Which risk management response is being implemented when a company purchases insurance to protect against service outage?* a. Acceptance b. Avoidance c. Mitigation d. Transference

d. *Transference* The liability of risk is transferred through insurance policies. Answer A is incorrect because accepting a risk is to do nothing in response. Risk avoidance involves simply terminating the operation that produces the risk, making answer B incorrect. Answer C is not correct because mitigation applies a solution that results in a reduced level of risk or exposure.

HMAC

faster than MAC and hashes

signature based IDS

few false positives - programmed specifically for the type of traffic that is considering to be suspicious traffic - capture activity and compare it with definition file (signatures)

packet-filter firewall

filter packet based on source/destination IP and port

screen-host firewall

firewall that has packet filter router placed in front of firewall. filters traffic based on layer-3 and layer-4

type b firextinguisher

flammable liquids

captive portal

force person to authenticate to the network via web page before access is allowed

replay attack

generate enough traffic to allow cracking tool to crack the encryption - capture traffic with sniffer and resent/replay the traffic

19) net share

list of shared resources

Intrusion Detection Systems (IDS)

monitoring system which collects and analyzes traffic.Detects attacks •IDS type: Network or Host

Class d

multicasting / class experimental

16) RAID 0

multiple disks are used to create a volume; when data is saved to the volume, the data is split up and spread across all disks in the volume - advantage - speed up performance - disadvantage - no duplication occurs

Polyalphabetic cipher

multiple keys in which a letter could be replaced

view account details command in windows

net user <username> /domain

18) TCP connect scan for port 21,25,80 for IP 10.0.0.3

nmap -sT 10.0.0.3 -p 21,25,80

14) Bump key

normal key that has been file down to fit into lock - once key is inserted into the lock and tapped, it cause pins in the lock to align and unlock door

smart card

once inserted PIN is needed - common access card (CAC) common in military

Zone transfer

one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.

confidentiality

only authorized parties can read data

Routers

operate at layer 3.

qualitative

opinion-based and subjective

What's a protocol analyzer?

packet sniffer, network analyzer, network sniffer

17) Witness

people who might have insight - learning any normal or abnormal behavoir

RADIUS

performs authentication and accounting but uses UDP as the transport mechanism.

PPP

point to point protocol, used for establishing remote connections over a serial line or dial up connection

19,

port used by CHARGEN, the character generator . It is commonly used by a Fraggle attack.

161

port used by SNMP.

port 22

port used by SSH (SCP).

49

port used by TACACS+,

23

port used by Telnet

Teardrop DoS attacks

send many IP fragments with oversized payloads to a target.

bluejacking

send unsolicited message to bluetooth devicees

Cisco command to show access list

show ip access-lists

SNMP

simple network management protocol v3 is secure

What are some best practices for storing backups

storing a copy off site labeling the media performing test restores destroying the media when not in use

Raid 2

stripes data at the bit (rather than block) level, and uses a Hamming code forerror correction.

16) RAID 5

striping with parity because a RAID 5 volume acts as a RAID 0 volume but adds the parity information to create redundancy.

Extesible Authentication Protocol (EAP)

support multiple authentication methods - Kerberos, token cards, certificates, smart cards

RC4 is what type of cipher?

symmetric stream cipher

FTP File Transfer Protocol

transfers files between systems on the internet or to a centralized FTP server. Ports TCP 20 (data) TCP 21 (control)

Difference between type 1 and type 2 hypervisor

type 1 is its own operating system type 2 is dependant on an os

Personal identification verfication (PIV)

used to store information - authentication information - biometrics

Crosstalk

what is the most common problem associated with UTP cable?

Loop Protection (STP) Spanning Tree Protocol

which prevents loops in LAN. IEEE 802.1D STP

infrastructure mode

wireless clients are connected to a central access point

Type a firextinguisher

wood and paper

Telephony

word for streaming data Voip, Web conferencing ...

Digital Certificates

19) - linux failed log

/var/log/faillog - can use <faillog> to display

What size of key does DES use?

56 bit

What size of keys does 3DES use?

56, 112 168

Enrollment

Raid 0

- disk striping with no parity bit

19) path linux logs to system-related events

/var/log/messages

17) Bitmaps

42 4D

17) TIFF (tagged image file format) header

49 49 2A

Port-based Network Access Control

PNA

•Firewall Rules

allow permit accept deny or reject

*Which port does the Microsoft Terminal Server use?* a. 53 b. 143 c. 443 d. 3389

d. *3389* The Microsoft Terminal Server uses port 3389.

18) Enumerate purpose

collect more information about the system.

Steganography

hiding text information inside graphic image -

extended access list

same as standard access list but number start at 100 and above - can control traffic based on source/destination IP - also based on port information in packet

3389

remote access port

The replay attack

when valid data transmissions are maliciously repeated or delayed.

Network Design and Components

•Security Zones •DMZ: contains public facing servers

What is an IV attack?

Using injection on a wireless network using WEP. This increases the number of packets to be analyzed and can show the encryption key.

Multi-Alphabet Substitution

Using multiple ciphers to decode ie first letter cipher 1 second letter cipher 2

RC4

WEP improperly uses an encryption protocol and because of this is considered to be insecure. What encryption protocol does it use?

16) BCP testing

- Checklist review - tabletop exercise/structured walkthrough - simulation test - parallel test - full disruption test

authentication factors

-something you know - PIN/password -something you have - card/token -something you are - biometrics -somewhere you are - GPS / IP info -something you do - habits of user/typing patterns in conjunction with another factor

13) Common Certificate issues

1. Renewal - only valid for period of time before they need to be renewed. (benefits of creating on CA internally has no cost for renewal) 2. Issuing CA - Warning message pops up if certificate is "not trusted" or "unknown CA" 3. Subject Name - if subject name does not match url, warning message appears. (newer x.509 standards allow multiple alternative subject names)

13) Implement Revoke in 2012server

1. Server Manager>> Tools | Certification Authority. 2.Select the Issued Certificates folder. 3.Right-click the certificate you wish to revoke and choose All Tasks | Revoke Certificate. 4.Choose a reason for revoking the certificate from the drop-down lists and then choose Yes.

Chap 16 self test

1. a perform BIA 2. b,c,d 3. a 4. b 5. a raid 6. c load balancing 7. d rpo 8. a BIA 9. c incremental 10. b 11. a raid 12. d raid 0 13. b load balancing 14. a clustering 15. RPO - e mttf - c rto - b mtbf - a mttr - d

What transfers the risk to another entity?

Insurance

cryptanalysis

The study and practice of finding weaknesses in ciphers.

What is a proxy server?

It takes requests from a client system and forwards them to the destination server on behalf of the client. They can improve performance by caching, and restricting access by filtering content.

What is ICMP usually disabled?

It's used for ping, so it is disabled at the boundaries of a network (except in IPv6)

Forward each computer to a different RDP port.

Jennifer has been tasked with configuring multiple computers on the WLAN to use RDP on the same wireless router. What might be necessary to implement?

What is Kerberos?

Kerberos uses a ticket-granting ticket server for authentication. A network authentication protocol used with AD and Unix. It uses a database of objects to issue time stamped tickets that expire after a certain amount of time.

Diffie-Hellman

Key Agreement

Internet Protocol Security (IPSec)

Popular security protocol that encrypts all IP traffic - has two modes 1. Transport mode - only payload (data portion) is encrypted 2. tunnel mode - Header and data are encrypted

What is a common form of NAT?

Port Address Translation (PAT).

What is content protection?

Protection of the data portion of a packet

What is context protection?

Protection of the header information

What is LDAP?

Protocol used to identify objects and is used to query directories such as AD.

Related Key Attack

This is like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. This is actually a very useful attack if you can obtain the plaintext and matching ciphertext.

BPO (Blanket purchase order)

This is usually applicable to government agencies. It is an agreement between a government agency and a private company for ongoing purchases of goods or services.

deny TCP any any port 53

This rule will apply to any computer's IP address initiating zone transfers on the inbound and outbound sides.

How do you mitigate a replay attack?

Timestamps and sequence numbers

What is an AAA protocol?

Provides authentication, authorization, and accounting

What does ESP do with regards to VPN?

Provides confidentiality, integrity, and authentication for VPN traffic

What are the parts of an IDS?

Traffic collector (or sensor) Analysis engine Signature database User interface and reporting

What does DNS do?

Translates names into IP addresses

ARP poisening

Tries to convince a network that the attacker's MAC address is the one associated with an IP address so that traffic sent to that IP address is wrongly sent to the attacker's machine.

What is a rainbow table attack?

Trying to discover a password from a hash by comparing it to a database of precomputed hashes

1) ICMP types

Type 8 - echo request Type 0 - echo reply

802.11i

WPA2 standard

What is stronger than WPA2/AES?

WPA2/CCMP

What is a WAF?

Web application firewall. Performs restrictions based on rules associated with HTTP/HTTPS

Clustering

What reduces the chances of a single point of failure on a server when it fails?

Secure Socket Layer (SSL)

created by netscape pg 62

Removal of PII data

What threats has the highest probability of being increased by the availability of devices such as USB flash drives on your network?

NIDS

What will identify a Smurf attack?

Implicit deny

What will stop network traffic when the traffic is not identified in the firewall ruleset?

Overhearing parts of a conversation

What would be an example of eavesdropping?

NOP instructions.

What would you most likely find in a buffer overflow attack?

Labels

When using the mandatory access control model, what component is needed?

Network and Sharing Center

Where would you turn off file sharing in Windows 7?

18) Covering tracks

Will find log file and delete entries for any hacker's activity -

encryption

converting plain text into cipher text - cipher text is an encrypted unreadable format - plain text is a readable format plain text > encryption algorithm > cipher text

Smurf attack

A smurf attack consists of spoofing the target machine's IP address and broadcasting to that machine's routers so that the routers think the target is sending out the broadcast. This causes every machine on the network to respond to the attack. The result is an overload of the target system.

What is FTPS

File transfer protocol secure - an extension of FTP and uses SSL or TLS

Private key

In a public key infrastructure setup, What should be used to encrypt the signature of an e-mail?

TACACS+ because it encrypts client-server negotiation dialogues.

In a secure environment, What authentication mechanism performs better TACACS+ or RADIUS?

OCSP Online Certificate Status Protocol

Quering protocol that checks a CAs CRL file for bad digital certificates Server responds with either: good, revoked, or unknown.

____ is an inexpensive method used to add fault tolerance and increase availabilty

RAID

Decentralized

Rick has a local computer that uses software to generate and store key pairs. What type of PKI implementation is this?

What is role-based access control?

Rights and permissions are given to users who perform the same job functions

Risk acceptance

Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk where the administrator or manager is unaware of its existence; it has to be an identified risk for which those involved understand the potential cost or damage and agree to accept it.

13) Using SSL, web page contented is encrypted by

SSL uses a symmetric key. This is a randomly generated key used by the session to encrypt the communication between the client and server.

How does the TCP handshake work?

SYN packet, SYN/ACK packet, ACK packet

18) Code review

Ensure code review is performed to make sure there is no unsecured code in application for any business develops apps

algorithm

mathematical operation performed on the data to convert plain text to cipher

16) Succession Planning

process of ensuring that you have employees within the organization who can fill key leadership roles to ensure that the business can continue if you lose key personnel.

13) Key Escrow

process of handing cryptography key to a third party that can decrypt info within organization at any time - to gov or law enforcement for investigation

Key stretching

process of making something (key) longer so harder to attack. (salting) a password before encryption: (PBKDF2, Bcrypt() )

Block cipher

encrypt data in a block - More secure than stream cipher - more overhead, slower execution

In-Band key exchange

encryption key is exchanged between parties as part of the communication

Key space cryptography

encryption key using bits - larger key bit the hard to crack ex) 2-bit possibility 00,01,10,11 Common key spaces 64/128/256/512 bits

Block cipher

encrypts block at a time. Requires more processing and memory. Stronger than cipher but slower 64 bit block encrypts 8 bit block at a time

Secure Socket Layer (SSL) / Transport Layer Security (TLS)

encrypts traffic such as web and email - TLS is more secure

network-based IDS componenet

engine - analyzing traffic against the signatures

Message authentication code (mac)

ensures integrity in messages (checksum)

What is a design review?

ensures that systems and software are developed properly

Secure channel

established communication dialogue that encrypts traffic sent between the systems

stateful packet firewall

understands the state of conversation and what packet it should expect to receive

HMAC-based OTP (HOTP),

uses one-time passwords (OTP).

Rdp

"Which of the following protocols are you observing in the packet capture below? 16:42:01 - SRC 192.168.1.5:3389 - DST 10.254.254.57:8080 - SYN/ACK"

PAP

(Password Authentication Protocol) is an older system that is no longer used. PAP sends the username and password to the authentication server in plain text.

13) How SSL session is created

1. client send request for web page via https that make a 443 port connection 2. server send public key to client 3. client validate the cert is not expired or revoked 4. client create random symmetrical key (session key) to encrypt content. 5. encrypts symmetric key with server public key

DES and 3DES encrypt data in what size blocks?

64

Dictionary attack

A method of guessing passwords by using combination of known phrases and words

Watering hole attack

A watering hole attack can sound a lot more complicated than it really is. The strategy the attacker takes is simply to identify a site that is visited by those they are targeting, poisoning that site, and then waiting for the results.

DNS Zone

A zone is the DNS server's area of DNS namespace it has authority over

AES256

AES256 (also often written as AES-256) uses 256 bits instead of 128. This qualifies for U.S. government classification as Top Secret.

What does AH protect against, and what doesn't it protect?

AH protects against integrity, but does not provide privacy.

What is RADIUS?

AOL example - provides centralized authentiation

(Access Request Object)

ARO

What is ALE?

Annual loss expectancy. SLE x ARO

What is ARO?

Annual rate of occurrence - how many time a loss will occur in a year.

17) First Responders

Assess the situation and contain the incident - disconnecting any affect systems

Security-Related Policies and Procedures *Which audits help ensure that procedures and communications methods are working properly in the event of a problem or issue?* a. Communication b. Escalation c. Selection d. Preference

B. *Escalation* Escalation audits help ensure that procedures and communications methods are working properly in the event of a problem or issue.

Asymmetric Key Algorithms

Diffie-Hellman pg 28 El Gamal pg 29 DHE pg30 ECDHE pg 30 Supports perfect forward secrecy

Certificate Management

Enables the authentication of the parties involved in a secure transition.

Identification

In What phases of identification and authentication does proofing occur?

Risk elimination

In What ways can risk not be managed?

Hashing Attacks

Birthday Attack Brute Force Attack Dictionary Attack Rainbow Table Attack

___ ciphers encrypt data in a specific-sized block

Block

CIDR clasless-inter domain routing

Baed on variable length subnet mask. 10.10.42.20/29 Subnetting reduces broadcast traffic and divides hosts winth in a larger network into smaller broadcast domains, and it is also easier to troubleshoot

Brute-Force attacks

Brute-force attacks can be accomplished by applying every possible combination of characters that could be the key. For example, if you know that the key is three characters long, then you also know that there is a finite number of possibilities of what the key could be. Although it may take a long time to find the key, it can indeed be found.

CA certificate

CA Certificate: The CA certificate is issued by one CA to another CA. The second CA can, in turn, issue certificates to an end entity.

What are some deterrent controls?

Cable locks, hardware locks

17) password-craking tools

Cain, Abel, or Snadboy's Revelation

What is the most effective protection against unwanted aware?

Pop-up blockers

Wireless Networking

Carrier Sense Multiple Access with Collision Avoidance (wireless) (CSMA/CA) Carrier Sense Multiple Access with Collision Detection (wired) (CSMA/CD) 802.11 WAN 802.15 Wireless Personal Area Network WPAN 802.16 Wireless Metropolitan Area Network WMAN

Biometric Error Type ii

False acceptance rate (FAR) - Allows someone to access the system who is not authorized

Type 1 errors

False positives

What is isolation mode?

Feature used on hot spots to prevent connected clients from communicating with eachother

Asymmetric encryption requires a ____ and a ___

Certificate PKI

What is a CRL

Certificate revocation list

What is a CSR?

Certificate signing request

13) Trust path

Certificate that is validated with subordinate CA and root CA

What is CHAP?

Challenge handshake authentication protocol - not sent in cleartext

__ ___ defines the process and accounting structure for handling modifications and upgrades.

Change management

What is polymorphic malware?

Changes or mutates when it replicates or executes - can't be detected as the same type of malware

18) LANguard scanner

Commerical product created by GFI, scan entire network and reports missing patches, ports opened, system misconfigurations

Companion Virus

Companion: This type of virus attaches itself to legitimate programs and then creates a program with a different filename extension.

13) Private Certificate Authorities (Private CA)

Company owned and created their own PKI - generate cert for the company - benefit - do not need to pay for each cert that is created - drawback - application don't trust certs generate by your own CA by default (must be added to the trust CA list to change it)

Sandbox Security Model

Concept of isolating something from the rest of the environment

What does ESP protect for, and what doesn't it protect?

Confidentiality, but does not protect against the integrity of the packet.

17) Write blocker

Device that does not allow modification to any drives to static images - Connects by usually USB - have different interfaces to connect - IDE, SATA, SCSI

What is a pharming attack?

Directs users to a different website by modifying the host file on a user's system. DNS type of attack

Virtual LAN (VLAN)

Devices on the same physical network are divided into multiple virtual networks. Instead of breaking up a network with multiple, expensive, physical routers, the switch's operating system logically breaks up the network into multiple virtual networks

_______ is a secure method of sharing symmetric encryption keys over a public network.

Diffie-Hellman

What is in a DRP?

Disaster recovery plan.

Elliptic Curve Cryptography

Elliptic Curve Cryptography (ECC) provides similar functionality to RSA but uses smaller key sizes to obtain the same level of security. ECC encryption systems are based on the idea of using points on a curve combined with a point at infinity and the difficulty of solving discrete logarithm problems. Many vendors have implemented, or are implementing, the ECC system for security. The National Security Agency has also recommended several implementations of ECC. You can expect that ECC will be commonly implemented in cellular devices in the near future.

______ should be general to users while ____ should be detailed.

Errors Logs

17) JPG files header

FF D8 FF E0

17) JPG files with EXIF

FF D8 FF E1

What type of traffic can SSH encrypt?

FTP (as SFTP), SCP, TCP Wrappers.

GOST

GOST is a symmetric cipher developed in the old Soviet Union that has been modified to work as a hash function. GOST processes a variable-length message into a fixed-length output of 256 bits.

____ verifies both the integrity and authenticity of a message with the use of a shared secret

HMAC Only the sender and the receiver know the key -

With regards to hashing, IPsec and TLS use what (name two).

HMAC-MD5 and HMAC-SHA1

HMAC-based One Time Password (HOTP)

HMAC-based algorithm used to generate password

What is HOTP and TOTP?

HOTP is a one time password that never expires. TOTP expires after 30 seconds.

14) HVAC system

Heating, ventilation, and AC - system to provide or reduce heat, humidity, and outdoor air - provide climate control to help maintain quality condition in the workplace

What is HIDS?

Host based IDS - examines activity on individual system, such as a mail server, web server, or individual PC

___ site provides the shortest recovery time, but also the most expensive

Hot

______ includes personnel, equipment, software, and communication capabilities of the primary site with all of the data up to date.

Hot site.

Exploiting human error

Human error is one of the major causes of encryption vulnerabilities. If an email is sent using an encryption scheme, someone else may send it in the clear (unencrypted). If a cryptanalyst gets ahold of both messages, the process of decoding future messages will be considerably simplified. A code key might wind up in the wrong hands, giving insights into what the key consists of. Many systems have been broken into as a result of these types of accidents.

False Negative

IDS fails to detect malicious network activity

13) Recovery Agent

Individual/group within org who can decrypt info in the case employee with key to decrypt info leaves org - Used with Microsoft Encrypting File System (EFS)

What is IaaS?

Infrastructure as a Service.

What is IKE?

Internet Key Exchange

What is a web security gateway? What's an example and what can it do?

It combines the function of a proxy and content-filtering. Cisco Web Security Appliance - threat defense, content inspection, malware protection, and data loss prevention (stopping PPI from leaving the network)

What is subnetting?

It divides a single range of IP addresses into two or more smaller ranges.

What is access control?

It ensures that only authenticated and authorized entities can access resources.

one-way hash values

It is impossible to do the reverse operation of taking the hash value and calculating the message (data) from the hash value.

How does the transport method of IPsec work?

It only encrypts the data portion of the packet, so an outsider can see the source and destination IP

What is baseline reporting?

It provides a report after comparing baselines with current systems.

13) certificate revocation list (CRL)

List of certs that been revoked - CA responsible for creating CRL - published to a websites regularly - applications download the CRL to verify if cert is revoked before using cert

Rainbow Table Attack

List of hashes for known passwords to combat rainbow attack add salt before or after hash

Dictionary Attack

List of words

19) net user

List user account on system

Single point of failure

Michael's company has a single web server that is connected to three other distribution servers. What is the greatest risk involved in this scenario?

13) M and N control

Min number of person required to recover a key. ex) 2 of 3 - (M) min number of employee - (N) possible number of employee

Intrusion Prevention System IPS

Monitors network traffic for malicious activity and can block, reject, or redirect traffic in realtime. IPS does everything IDS does and more.

NIDS

Monitors network traffic in real time. Cannot analyze encrypted traffic

•Circuit Level Proxy Firewall

Monitors traffic between trusted and untrusted hosts via virtual circuits or sessions

What is NAC?

Network Access Control. Form of security where the endpoints are managed on a case-by-case basis as they connect to the network. AKA, they can't do anything on the network until their system is verified to be secure: AV, patches, etc., as defined by the administrators

What is NAT?

Network address translation. Allows outside entities to communicate with an entity inside the firewall without truly knowing it's address.

What is NIDS

Network based IDS

SHA-256 and SHA-512

Newer version of SHA algorithm - generate 256/512-bit hash value - considered to not be susceptible of collision attacks

The new access point was not properly configured and is interfering with another access point.

One of the users in your organization informs you that her 802.11n network adapter is connecting and disconnecting to and from an access point that was recently installed. The user has Bluetooth enabled on the laptop. A neighboring company had its wireless network compromised last week. What is the most likely cause of the disconnections?

Multitenancy

One of the ways cloud computing is able to obtain cost efficiencies is by putting data from various clients on the same machines. This "multitenant" nature means that workloads from different clients can be on the same system, and a flaw in implementation could compromise security. In theory, a security incident could originate with another customer at the cloud provider and bleed over into your data. Because of this, data needs to be protected from other cloud consumers and from the cloud provider as well.

Protocol Analyzers

Packet Sniffers. Hardware or Software that Captures and analyzes network traffic.

A vulnerability scan is ____ and ____ and has little impact on a system

Passive and nonintrusive

Ron's Cipher

RC is an encryption family produced by RSA laboratories. RC stands for Ron's Cipher or Ron's Code. (Ron Rivest is the author of this algorithm.) The current levels are RC4, RC5, and RC6. RC5 uses a key size of up to 2048 bits. It's considered to be a strong system. RC4 is popular with wireless and WEP/WPA encryption. It is a streaming cipher that works with key sizes between 40 and 2048 bits, and it is used in SSL and TLS. It is also popular with utilities used for downloading BitTorrent files since many providers limit the download of these, and by using RC4 to obfuscate the header and the stream, it makes it more difficult for the service provider to realize that they are indeed BitTorrent files being moved about.

WEP

RC4 with a 24bit intiation vector vulnerable to an iv attack

Encryption algorithm

RC4, 3DES, AES

13) REVIEW: Create certificate request on Win8 and 2012server VM

REVIEW exercise 13-2: 1. create certificate request 2. submit certificate request 3. download issue cert from CA 4. Install cert on server 5. apply cert on web server 6. Force SSL use

CA cps

Remember that a CPS is a detailed document used to enforce policy at the CA; a certificate policy pertains not to the CA but to the certificate itself.

What is SSH used for? What type of cryptography does it use?

Remote connections to a server. Uses public-key cryptography

13) Cert Life cycle

Request > Cert creation > Renewal > Suspension/Revocation > Destruction

Symmetric key Encryption (aka Private, Same, Session, Secret Key)

Requires both ends of an encrypted message to have the same key and same algorithms - Must use out-of-band distribution - much faster and a smaller key size than asymmetric key cryptography - 1 key to encrypt and decrypt

What is 802.1x Port Security

Requires uses to authenticate in addition to using MAC filtering before passing traffic through the switch.

Logical control (Technical)

Responsible for controlling access to particular resource - ex) firewall, encryption, IDS, etc

Risk detterance

Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you. This can be as simple as posting prosecution policies on your login pages and convincing them that you have steps in place to identify intrusions and to act on them.

Risk mitigation

Risk mitigation is accomplished any time you take steps to reduce the risk. This category includes installing antivirus software, educating users about possible threats, monitoring the network traffic, adding a firewall, and so on. In Microsoft's Security Intelligence Report, Volume 13, the following suggestions for mitigating risk through user awareness training are listed: Keep security messages fresh and in circulation. Target new employees and current staff members. Set goals to ensure a high percentage of the staff is trained on security best practices. Repeat the information to raise awareness.

What is RBAC?

Role based access control

(Service Level Agreement)

SLA

SET

Secure Electronic Transaction (SET) provides encryption for credit card numbers that can be transmitted over the Internet. Visa and MasterCard developed it.

What is SCP?

Secure copy protocol. SSH enabled used to transfer files between systems

What is SKEMI?

Secure key exchange mechanism for internet

What is SCAP

Security Content Automation Protocol

DNS Domain Name Service

Servers resolve hostnames to IP addresses. Port 53 UDP DNS Queries. Port 53 TCP DNS zone transfer. IETF Standard.

SLA

Service level agreement

What is promiscuous mode?

Setting that tells a NIC to process every network packet it sees regardless of the intended destination

19) ps command (linux)

Show all processing running - linux equilavent to tasklist

What are the two detection methods for IDS?

Signature and anomaly

ALE calculation

Sle*aro

Spear phishing

Spear phishing is a unique form of phishing in which the message is made to look as if it came from someone you know and trust as opposed to an informal third party. For example, in a phishing attack, you would get a message that appears to be from Giant Bank XYZ telling you that there is a problem with your account and you need to log in to rectify this right away. Such a message from someone you've never heard of would run a high risk of raising suspicion and thus generate a lower than desired rate of return for the phishers. With spear phishing, you might get a message that appears to be from your boss telling you that there is a problem with your direct deposit account and you need to access this HR link right now to correct it.

What's the difference between phishing and spear phishing?

Spear phishing targets a single users (or only a few users)

Local Host File (static not dynamic)

Stores information about nodes in a network. Maps hostnames to IP add. Can be poisoned

Which are more efficient - stream or block ciphers?

Stream

_____ encryption uses the same key to encrypt and decrypt the data

Symmetric

What are the three types of security controls?

Technical (implemented with technology), management (using administrative methods), operational (for day-to-day operations)

What is the principle of least privilege?

Technical Control. Users are granted rights to do only what they need to be able to do. Granting access to one folder instead of all

Secure Shell (SSH)

Telnet replacement - provides authentication and encryption - used to create an encrypted channel

ephemeral key

Temporary key used to encrypt a single message within communication instead using same key to encrypt all messages

What is the best way to test the integrity of a company's backup data.

Test restores

Enigma Machine

The Enigma machine was essentially a typewriter that implemented a multi-alphabet substitution cipher. When each key was hit, a different substitution alphabet was used. The Enigma machine used 26 different substitution alphabets. Prior to computers, this was extremely hard to break.

FIPS

The Federal Information Processing Standard (FIPS) is a set of guidelines for the U.S. federal government information systems. FIPS is used when an existing commercial or government system doesn't meet federal security requirements. FIPS is issued by NIST.

HOTP

The HOTP (HMAC-Based One-Time Password) algorithm is based on using a Hash Message Authentication Code (HMAC) algorithm

x.500

The International Telecommunications Union (ITU) standard for directory services in the late 1980s. The standard was the basis for later models of the directory structure, such as Lightweight Directory Access Protocol (LDAP).

Message Digest Algorithm (MD)

The Message Digest Algorithm (MD) also creates a hash value and uses a one-way hash. The hash value is used to help maintain integrity. There are several versions of MD; the most common are MD5, MD4, and MD2. MD4 was used by NTLM (discussed in a moment) to compute the NT Hash. MD5 is the newest version of the algorithm. It produces a 128-bit hash, but the algorithm is more complex than its predecessors and offers greater security. Its biggest weakness is that it does not have strong collision resistance, and thus it is no longer recommended for use. SHA (1 or 2) are the recommended alternatives.

Lattice

The concept that access differs at different levels. Often used in discussion with the Biba and Bell-LaPadula models as well as with cryptography to differentiate between security levels based on user/group labels.

cryptography

The field of mathematics focused on encrypting and decrypting data.

MTTR

The mean time to restore (MTTR) is the measurement of how long it takes to repair a system or component once a failure occurs. (This is often also referenced as mean time to repair.) In the case of a computer system, if the MTTR is 24 hours, this tells you that it will typically take 24 hours to repair it when it breaks.

13) When digitally signing a message, which of the following is true?

The message digest is encrypted with the sender's private key.

End-Entity Certificate

The most common is the end-entity certificate, which is issued by a certificate authority (CA) to an end entity. An end entity is a system that doesn't issue certificates but merely uses them.

RSA

The most commonly used public-key algorithm, RSA is used for encryption and digital signatures.

RTO

The recovery time objective (RTO) is the maximum amount of time that a process or service is allowed to be down and the consequences still be considered acceptable. Beyond this time, the break in business continuity is considered to affect the business negatively. The RTO is agreed on during BIA creation.

Threat Vectors

The term threat vector is the way in which an attacker poses a threat.

Secure Shell SSH

The use of a session key protects the data. SSH encrypts the session before the username and password is transmitted

iv (initiation vector)

The use of an IV prevents repetition in data encryption, making it more difficult for a hacker using a dictionary attack to find patterns and break a cipher. For example, a sequence might appear twice or more within the body of a message. If there are repeated sequences in encrypted data, an attacker could assume that the corresponding sequences in the message were also identical. The IV prevents the appearance of corresponding duplicate character sequences in the ciphertext.

Why are proxies useful?

They have the ability to control and filter outbound requests

18) Linux DIG command

Windows equivalent to nslookup -dig <domain> mx finds mail servers -dig <domain> NS finds the dns servers -dig <domain> axfr attempts to view all DNS data

Arp spoofing / arp poisoning

With ARP spoofing (also known as ARP poisoning), the MAC (Media Access Control) address of the data is faked. By faking this value, it is possible to make it look as if the data came from a network that it did not. This can be used to gain access to the network, to fool the router into sending data here that was intended for another host, or to launch a DoS attack. In all cases, the address being faked is an address of a legitimate user, and that makes it possible to get around such measures as allow/deny lists.

WPA2-Enterprise

You are configuring an 802.11n wireless network. You need to have the best combination of encryption and authorization. What options should you select?

The computer is part of a botnet.

You are surprised to notice that a co-worker's computer is communicating with an unknown IRC server and is scanning other systems on the network. None of this was scheduled by anyone in your organization, and the user appears to be unknowing of what is transpiring. What is the most likely cause?

Watering Hole attack

a computer attack strategy, in which the victim is a particular group (organization, industry, or region).

GLB(Graham Leach Bliley)

a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.

16) Business Continuity Plan (BCP)

a plan that helps ensure that business operations can continue when disaster strikes. - goal: reduce impact of disaster for the org - includes comprehensive document to identify procedures - includes risk to the business - how to mitigate risk

17) Documentary Evidence

a printed document - contracts - invoice - email - voice recording, video recording, photography

12) What does Secure MIME (S/MIME) do?

a protocol used to encrypt e-mail message on a network

16) BCP committee

a representative from each department so that essential business functions for each department can be identified

Banner grabbing

a technique used to find out information about web servers, FTP servers, and mail servers.

Zone file

a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS.

work factor

a value indicating the time it would take to break the encryption ex) 64bit would take less time than 128bit

Measuring and Weighing Risk *Refer to the scenario in question 2. Which of the following is the ARO for this scenario?* a. 0.0167 b. 1 c. 5 d. 16.7 e. 60

a. *0.0167* ARO (annualized rate of occurrence) is the frequency (in number of years) the event can be expected to happen. In this case, ARO is 1/60 or 0.0167.

Security-Related Policies and Procedures *Which ISO standard states: "Privileges should be allocated to individuals on a need-to-use basis and on an event-by-event basis, i.e. the minimum requirement for their functional role when needed"?* a. 27002 b. 27102 c. 20102 d. 20112

a. *27002* The ISO standard 27002 (which updates 17799) states: "Privileges should be allocated to individuals on a need-to-use basis and on an event-by-event basis, i.e. the minimum requirement for their functional role when needed."

Protecting Networks *It is suspected that some recent network compromises are originating from the use of RDP. Which of the following TCP port traffic should be monitored?* a. 3389 b. 139 c. 138 d. 443

a. *3389* TCP port 3389 is used by RDP. Answer B is incorrect because UDP uses port 139 for network sharing. Answer C is incorrect because port 138 is used to allow NetBIOS traffic for name resolution. Answer D is incorrect because port 443 is used for HTTPS.

*LDAP operates over what TCP ports?* a. 636 and 389 b. 110 and 25 c. 443 and 80 d. 20 and 21

a. *636 and 389* LDAP operates over TCP ports 636 and 389. POP3 and SMTP operate over TCP ports 110 and 25, respectively. TLS operates over TCP ports 443 and 80 (SSL operates only over TCP port 443; HTTP operates over TCP port 80). FTP operates over TCP ports 20 and 21.

Wireless Networking Security *Which protocol operates on 2.4GHz and has a bandwidth of 1 Mbps or 2 Mbps?* a. 802.11 b. 802.11a c. 802.11b d. 802.11g

a. *802.11* 802.11 operates on 2.4GHZ. This standard allows for bandwidths of 1 Mbps or 2 Mbps.

*Which of the following applications should be used to properly protect a host from malware? (Select two correct answers.)* a. Antispam software b. Antivirus software c. Content-filtering software d. Web-tracking software

a. *Antispam software* b. *Antivirus software* All host devices must have some type of malware protection. A necessary software program for protecting the user environment is antivirus software. Antivirus software is used to scan for malicious code in email and downloaded files. Antispam, antispyware software can add another layer of defense to the infrastructure. Answer C is incorrect because content filtering is done at the server level to keep host machines from accessing certain content. Answer D is incorrect because web tracking software merely tracks the sites a person visited.

*Diffie-Hellman is what type of cryptographic system?* a. Asymmetric b. Symmetric c. Hashing d. Certificate authority

a. *Asymmetric* Diffie-Hellman is an asymmetric cryptographic system. The Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) are examples of symmetric cryptography. Message Digest 5 (MD5) and Secure Hash Algorithm version 1 (SHA-1) are examples of hashing. Certificate authorities issue certificates based on an implemented Public Key Infrastructure (PKI) solution.

*A physical security plan should include which of the following? (Select all correct answers.)* a. Description of the physical assets being protected b. The threats from which you are protecting against and their likelihood c. Location of a hard disk's physical blocks d. Description of the physical areas where assets are located

a. *Description of the physical assets being protected* b. *The threats from which you are protecting against and their likelihood* d. *Description of the physical areas where assets are located* A physical security plan should be a written plan that addresses your current physical security needs and future direction. With the exception of answer C, all the answers are correct and should be addressed in a physical security plan. A hard disk's physical blocks pertain to the file system.

Security-Related Policies and Procedures *The organization is concerned about vulnerabilities in commercial off-the-shelf (COTS) software. Which of the following might be the only means of reviewing the security quality of the program?* a. Fuzzing b. Cross-Site Scripting c. Input validation d. Cross-site request forgery

a. *Fuzzing* In some closed application instances, fuzzing might be the only means of reviewing the security quality of the program. Answer B is incorrect because Cross-Site Scripting (XSS) vulnerabilities can be used to hijack the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer C is incorrect because input validation tests whether an application properly handles input from a source outside the application destined for internal processing. Answer D, Cross-site request forgery (XSRF), is an attack in which the end user executes unwanted actions on a web application while she is currently authenticated.

*Which of the following methods can be used to locate a device in the event it is lost or stolen?* a. GPS tracking b. Voice encryption c. Remote wipe d. Passcode policy

a. *GPS tracking* If a mobile device is lost, GPS tracking can be used to find the location. Answer B is incorrect because voice encryption can allow executives and employees alike to discuss sensitive information without having to travel to secure company locations. Answer C is incorrect because remote wipe allows the handheld's data to be remotely deleted if the device is lost or stolen. Answer D is incorrect because a screen lock or passcode is used to prevent access to the phone.

Physical and Hardware-Based Security *Due to growth beyond current capacity, a new server room is being built. As a manager, you want to make certain that all the necessary safety elements exist in the room when it's finished. Which fire-suppression system works best when used in an enclosed area by displacing the air around a fire?* a. Gas based b. Water based c. Fixed system d. Overhead sprinklers

a. *Gas based* Gas-based systems work by displacing the air around a fire. This eliminates one of the three necessary components of a fire: oxygen.

*_______________ is a proprietary EAP method developed by Cisco Systems and is based on the Microsoft implementation of Challenge Handshake Authentication Protocol (CHAP).* a. Lightweight EAP (LEAP) b. Advanced Encryption Standard (AES) c. Protected EAP (PEAP) d. Temporal Key Integrity Protocol (TKIP)

a. *Lightweight EAP (LEAP)* Lightweight EAP (LEAP) is a proprietary EAP method developed by Cisco Systems and is based on the Microsoft implementation of CHAP. It requires mutual authentication used for WLAN encryption using Cisco client software (there is no native support for LEAP in Microsoft Windows operating systems).

Security and Vulnerability in the Network *What is the name given to the activity that consists of collecting information that will be later used for monitoring and review purposes?* a. Logging b. Auditing c. Inspecting d. Vetting

a. *Logging* Logging is the process of collecting data to be used for monitoring and auditing purposes. Auditing is the process of verification that normally involves going through log files; therefore, answer B is incorrect. Typically, the log files are frequently inspected, and inspection is not the process of collecting the data; therefore, answer C is incorrect. Vetting is the process of thorough examination or evaluation; therefore, answer D is incorrect.

*Which of the following is not an example of multifactor authentication?* a. Logon and password b. Smart card and PIN c. RFID chip and thumbprint d. Gait and iris recognition e. Location and CAC

a. *Logon and password* Both logon and password represent a form of "what you know" authentication. Answers B, C, D, and E are all incorrect because they represent paired multifactor forms of authentication. A smart card and PIN represent what you have and know, and an RFID chip and thumbprint link what you have with what you are. Gait is a measure of what you do, and iris details are an example of what you are. Somewhere you are is a location, which could be based on GPS coordinates or IP address, and a common access card (CAC) is something you have.

WPA Personal

aka WPA-PSK - preshared key - configure access points with start key value used to encrypt traffic

Physical and Hardware-Based Security *Which of the following is a high-security installation that requires visual identification, as well as authentication, to gain access?* a. Mantrap b. Fencing c. Proximity reader d. Hot aisle

a. *Mantrap* High-security installations use a type of intermediate access control mechanism called a mantrap. Mantraps require visual identification, as well as authentication, to gain access. A mantrap makes it difficult for a facility to be accessed in number because it allows only one or two people into the facility at a time.

*NetBIOS (Network Basic Input/Output System) is a transport protocol used by _______________ systems to allow applications on separate computers to communicate over a LAN.* a. Microsoft Windows b. Linux c. Apple d. Unix

a. *Microsoft Windows* NetBIOS (Network Basic Input/Output System) is a transport protocol used by Microsoft Windows systems to allow applications on separate computers to communicate over a LAN.

17) Real Evidence

aka physical evidence - tangible object presented in court

Access Control and Identity Management *Which one of the following defines APIs for devices such as smart cards that contain cryptographic information?* a. PKCS #11 b. PKCS #13 c. PKCS #4 d. PKCS #2

a. *PKCS #11* PKCS #11, the Cryptographic Token Interface Standards, defines an API named Cryptoki for devices holding cryptographic information. Answer B is incorrect because PKCS #13 is the Elliptic Curve Cryptography (ECC) standard. Both answers C and D are incorrect because PKCS #4 and PKCS #2 no longer exist and have been integrated into PKCS #1, RSA Cryptography Standard.

Wireless Networking Security *If the interconnection between the WAP server and the Internet isn't encrypted, packets between the devices may be intercepted. What is this vulnerability known as?* a. Packet sniffing b. Minding the gap c. Middle man d. Broken promise

a. *Packet sniffing* If the interconnection between the WAP server and the Internet isn't encrypted, packets between the devices may be intercepted and this is known as packet sniffing.

Physical and Hardware-Based Security *Which component of physical security addresses outer-level access control?* a. Perimeter security b. Mantraps c. Security zones d. Locked doors

a. *Perimeter security* The first layer of access control is perimeter security. Perimeter security is intended to delay or deter entrance into a facility.

*When a subject or end user requests a certificate, they must provide which of the following items? (Choose all that apply.)* a. Proof of identity b. A hardware storage device c. A public key d. A private key

a. *Proof of identity* c. *A public key* Proof of identity and the subject's public key must be provided to the CA when the subject requests a certificate. The private key should never be revealed to anyone, not even the CA. A hardware storage device is used after a key or certificate has been issued, not as part of the requesting process.

Protecting Networks *Which of the following protocols supports DES, 3DES, RC2, and RSA2 encryption along with CHAP authentication, but was not widely adopted?* a. S-HTTP b. S/MIME c. HTTP d. PPTP

a. *S-HTTP* An alternative to HTTPS is the Secure Hypertext Transport Protocol (S-HTTP), which was developed to support connectivity for banking transactions and other secure web communications. S-HTTP was not adopted by the early web browser developers (for example, Netscape and Microsoft) and so remains less common than the HTTPS standard. Additionally, S-HTTP encrypts individual messages so it cannot be used for VPN security. Answer B is incorrect. S/MIME is used to encrypt electronic mail transmissions over public networks. Answer C is incorrect because HTTP is used for unsecured web-based communications. Answer D is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks.

*An authentication system relies on an RFID chip embedded in a plastic key together with the pattern of blood vessels in the back of an authorized user's hand. What types of authentication are being employed in this system?* a. Something you have and something you are b. Something you do and something you know c. Something you know and something you are d. Somewhere you are and something you have

a. *Something you have and something you are* The RFID-enabled key is a form of "something you have," and the blood vessel biometric signature is a form of "something you are." Answers B and C are incorrect because there are no "something you know" requirements, such as the input of a personal identification number (PIN) or password. Answer D is incorrect because the "somewhere you are," also known as geolocation, authentication factor is not mentioned in the question.

*Which of the following is an example of a Type 2 authentication factor?* a. Something you have, such as a smart card, an ATM card, a token device, or a memory card b. Something you are, such as fingerprints, voice print, retina pattern, iris pattern, face shape, palm topology, or hand geometry c. Something you do, such as type a passphrase, sign your name, or speak a sentence d. Something you know, such as a password, personal identification number (PIN), lock combination, passphrase, mother's maiden name, or favorite color

a. *Something you have, such as a smart card, an ATM card, a token device, or a memory card* A Type 2 authentication factor is something you have. This could be a smart card, an ATM card, a token device, or a memory card.

*Which term describes both an older TCP/IP protocol for text-based communication and a terminal emulation program?* a. Telnet b. File Transfer Protocol (FTP) c. Network Basic Input/Output System (NetBIOS) d. Secure Network Management Protocol (SNMP)

a. *Telnet* Telnet is an older TCP/IP protocol for text-based communication. In addition, Telnet is also an application. This application is a terminal emulation program that runs on a local computer that connects to a server on the network. Commands can be entered using the Telnet application to the remote server as if the user was at the server itself.

*The heart and soul of WPA is a newer encryption technology called _______________.* a. Temporal Key Integrity Protocol (TKIP) b. Advanced Encryption Standard (AES) c. Triple DES d. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

a. *Temporal Key Integrity Protocol (TKIP)* The heart and soul of WPA is a newer encryption technology called Temporal Key Integrity Protocol (TKIP). TKIP functions as a "wrapper" around WEP by adding an additional layer of security but still preserving WEP's basic functionality.

Security-Related Policies and Procedures *A policy of mandatory vacations should be implemented in order to assist in:* a. The prevention of fraud b. Identifying employees no longer needed c. Reducing insurance expenses d. Enforcing privilege management

a. *The prevention of fraud* A policy of mandatory vacations should be implemented in order to assist in the prevention of fraud.

Educating and Protecting the User *Which of the following is the highest classification level in the government?* a. Top Secret b. Secret c. Classified d. Confidential

a. *Top Secret* Top Secret is the highest classification level in the government.

*What two key elements must be carefully balanced in an effective security policy?* a. Trust and control b. Due process and due care c. Due process and due diligence d. Privilege and threat

a. *Trust and control* An effective security policy must carefully balance two key elements: trust and control.

Mandatory Access Control (MAC) model

access to resources based on clearance levels and the data classification label assigned to the resource or subject

CONFIGURE EXTENDED ACCESS LIST - access list 157 - allow TCP 12.0.0.5 and 12.0.0.34 destination port 23 - deny TCP 12.0.0.0 network dest port 23 -allow any other IP traffic ASSIGN to interface 0

access-list 157 permit tcp 12.0.0.5 0.0.0.0. ANY eq 23 access-list 157 permit tcp 12.0.0.34 0.0.0.0 ANY eq 23 access-list 157 deny tcp 12.0.0.0 0.255.255.255 ANY eq 23 access-list 157 permit IP ANY ANY interface FastEthernet 0/0 ip access-group 157 in

dual-homed firewall

act as gateway between two networks - disable routing so firewall software application handles traffic management

Extensible Authentication Protocol (EAP)

allow multiple logon methods - smartcard/ certificates/ kerberos/ public key authentication - often used with RADIUS with RAS, wireless, or VPN solution

13) Cross-certificate

allows application to validate certs from other environment (vice versa)

•Port Address Translation (PAT)

allows many hosts to share a single IP address by multiplexing. Basically takes port number of user sent in network takes it to router which gives it an alternative public ip address with the port number address and sends request out

Standard Access List

assigned number from 1 to 99 list that can permit or deny traffic based on source IP Address

Role-based Access Control

assigning users into groups and having them the roles assigned the privileges to perform a task

What is LDAP injection?

attempts to access or modify data hosted on directory service servers.

Federation

authenticate and authorize users across organization and applications

*An asset is valued at $12,000, the threat exposure factor of a risk affecting that asset is 25%, and the annualized rate of occurrence is 50%. What is the SLE?* a. $1,500 b. $3,000 c. $4,000 d. $6,000

b. *$3,000* The single loss expectancy (SLE) is the product of the value ($12,000) and the threat exposure (.25), or $3,000. Answer A is incorrect because $1,500 represents the annualized loss expectancy (ALE), which is the product of the SLE and the annualized rate of occurrence (ARO). Answers C and D are incorrect calculated values.

Disaster Recovery and Incident Response *What is the maximum number of drive failures a RAID 5 array can survive from and still be able to function?* a. 0 b. 1 c. 2 d. More than 2

b. *1* A RAID 5 array can survive the failure of any one drive and still be able to function. It can't survive the failure of multiple drives.

*Which of the following best describes why a requesting device might believe that incoming ARP replies are from the correct devices?* a. ARP requires validation. b. ARP does not require validation. c. ARP is connection oriented. d. ARP is connectionless.

b. *ARP does not require validation.* ARP is a protocol used for mapping IP addresses to MAC addresses. It does not require validation, thus answer A is incorrect. Answers C and D are incorrect because connection oriented and connectionless are used to describe communications between two endpoints in which a message is sent with or without prior arrangement.

*What is an asset?* a. An item costing more than $10,000 b. Anything used in a work task c. A threat to the security of an organization d. An intangible resource

b. *Anything used in a work task* An asset is anything used in a work task.

Operating System and Application Security *If an attacker is able to gain access to restricted directories (such as the root directory) through HTTP, it is known as:* a. Cross-site forgery b. Directory traversal c. Root hardening d. Trusted platform corruption

b. *Directory traversal* If an attacker is able to gain access to restricted directories (such as the root directory) through HTTP, it is known as directory traversal.

Disaster Recovery and Incident Response *The only difference between mirroring and which of the following is the addition of one more controller card?* a. Additioning b. Duplexing c. Failing over d. Sanctifying

b. *Duplexing* The only difference between mirroring and duplexing is one more controller card.

Physical and Hardware-Based Security *Which of the following won't reduce EMI?* a. Physical shielding b. Humidity control c. Physical location d. Overhauling worn motors

b. *Humidity control* Electrical devices, such as motors, that generate magnetic fields cause EMI. Humidity control won't address EMI.

*Which risk reduction policy does not aid in identifying internal fraud?* a. Mandatory vacations b. Least privilege c. Separation of duties d. Job rotation

b. *Least privilege* Although least privilege can aid in protecting against internal fraud, it does not particularly aid in identifying it if occurring. Mandatory vacations, job rotation, and separation of duties such as monetary processing and validation all provide cross-checks that can aid in the identification of ongoing fraudulent operations, making answers A, C, and D incorrect.

*What technology provides an organization with the best control over BYOD equipment?* a. Encrypted removable storage b. Mobile device management c. Geo-tagging d. Application whitelisting

b. *Mobile device management* Mobile device management (MDM) is a software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting. Not all mobile devices support removable storage, and even fewer support encrypted removable storage. Geotagging is used to mark photos and social network posts, not for BYOD management. Application whitelisting may be an element of BYOD management, but is only part of a full MBM solution.

Cryptography Basics *During a training session, you want to impress upon users how serious security and, in particular, cryptography is. To accomplish this, you want to give them as much of an overview about the topic as possible. Which government agency should you mention is primarily responsible for establishing government standards involving cryptography for general-purpose government use?* a. NSA b. NIST c. IEEE d. ITU

b. *NIST* NIST is responsible for establishing the standards for general-purpose government encryption. NIST is also becoming involved in private-sector cryptography.

*In a MAC environment, when a user has clearance for assets but is still unable to access those assets, what other security feature is in force?* a. Principle of least privilege b. Need to know c. Privacy d. Service-level agreement

b. *Need to know* Need to know is the MAC environment's granular access-control method. The principle of least privilege is the DAC environment's concept of granular access control. Privacy and SLAs aren't forms of access control.

Wireless Networking Security *Which of the following is synonymous with MAC filtering?* a. TKIP b. Network lock c. EAP-TTLS d. MAC secure

b. *Network lock* The term network lock is synonymous with MAC filtering.

*An organization has had a rash of malware infections. Which of the following can help mitigate the number of successful attacks?* a. Application baselining b. Patch management c. Network monitoring d. Input validation

b. *Patch management* Proactive patch management is necessary to keep your technology environment secure and reliable. Answer A is incorrect because application baselining is similar to operating system baselining in that it provides a reference point for normal and abnormal activity. Answer C is incorrect because network monitoring is used to check network activity. Answer D is incorrect because input validation errors are a result of improper field checking in the code.

Cryptography Implementation *In a bridge trust model, a ______ to ______ relationship exists between the root CAs.* a. Parent, child b. Peer, peer c. Father, daughter d. Sister, parent

b. *Peer, peer* In a bridge trust model, a peer-to-peer relationship exists between the root CAs.

*Which of the following is considered best practice when formulating minimum standards for developing password policies?* a. Password length set to 6 characters b. Require password change at 90 days c. Maximum password age set to zero d. Account lockout threshold set to zero

b. *Require password change at 90 days* Require users to change passwords every 90 to 180 days, depending on how secure the environment needs to be. Remember that the more often users are required to change passwords, the greater the chance that they will write them down, potentially exposing them to unauthorized use. Answer A is incorrect because making the password length at least eight characters and requiring the use of combinations of uppercase and lowercase letters, numbers, and special characters is good practice. Answer C is incorrect because good policy is to set the maximum password age to a value between 30 and 90 days. Answer D is incorrect because if the lockout threshold is set to zero, accounts will not be locked out due to invalid logon attempts.

Security and Vulnerability in the Network *Which log visible in Event Viewer shows successful and unsuccessful login attempts in Windows 7?* a. System b. Security c. Audit d. Application

b. *Security* The Security log in Windows 7 (as well as in all versions of Windows) shows successful and unsuccessful login attempts and can be viewed with Event Viewer.

*In many fraud schemes, the perpetrator must be present every day in order to continue the fraud or keep it from being exposed. Many organizations require _______________ for all employees to counteract this.* a. job rotation b. mandatory vacations c. separation of duties d. least privilege

b. *mandatory vacations* In many fraud schemes, the perpetrator must be present every day in order to continue the fraud or keep it from being exposed. Many organizations require mandatory vacations for all employees to counteract this.

13) PKI trust

between two different CAs so that each CA trust the certificates that have been generated by the other CA.

17) Faraday bag

block any signal to devices - can block signal to mobile devices to prevent data from appearing or disappearing - help prevent remote wiping the device

Raid 4

block-level striping with a dedicated paritydisk.

Raid 5

block-level striping with distributed parity. Unlike in RAID 4, parity information is distributed among the drives.

WPS attack

brute force attack to discover WPS PIN

What type of attack includes NOP (non-operational) instructions (such as X90) followed by malicious code

buffer overflow

Input validation protects against what type of attacks?

buffer overflow, SQL injection, command injection, cross-site scripting

BIA

business impact analysis = provides an organization with an accurate picture of the situation facing it. It allows an organization to make intelligent decisions about how to respond to various scenarios.

BPA

business partner agreement

Raid 3

byte-level striping with a dedicatedparity disk. One of the characteristics of RAID 3 is that it generally cannot service multiple requests simultaneously

Security and Vulnerability in the Network *The goal of _____ is to minimize the possibility of exploitation by reducing the amount of code and limiting potential damage.* a. EAPOL b. EAP c. ASR d. 802.1X

c. *ASR* The goal of attack surface reduction (ASR) is to minimize the possibility of exploitation by reducing the amount of code and limiting potential damage.

Cryptography Basics *Which of the following terms refers to the prevention of unauthorized disclosure of keys?* a. Authentication b. Integrity c. Access control d. Non-repudiation

c. *Access control* Access control refers to the process of ensuring that sensitive keys aren't divulged to unauthorized personnel.

*Which of the following is not a way to prevent or protect against XSS?* a. Input validation b. Defensive coding c. Allowing script input d. Escaping metacharacters

c. *Allowing script input* A programmer can implement the most effective way to prevent XSS by validating input, coding defensively, escaping metacharacters, and rejecting all script-like input.

*Which of the following describes a type of algorithm where data is broken into several units of varying sizes (dependent on algorithm) and encryption is applied to those chunks of data?* a. Symmetric encryption algorithm b. Elliptic curve c. Block cipher d. All of the above

c. *Block cipher* When data that is going to be encrypted is broken into chunks of data and then encrypted, the type of encryption is called a block cipher. Although many symmetric algorithms use a block cipher, answer A is incorrect because block cipher is a more precise and accurate term for the given question. Answer B is incorrect because elliptic curve is a type of asymmetric encryption algorithm. Answer D is an incorrect choice because only one answer is correct.

Vigenere Cipher

cipher involve create a table to determine which cipher character to substitute for plain text when a key is used Message: hithere (row) Key: badbadb (column) Cipher: iiwieuf (result) Note: longer keys hard to crack

Cryptography Implementation *Which of the following is not one of the four main types of trust models used with PKI?* a. Hierarchical b. Bridge c. Custom d. Mesh e. Hybrid

c. *Custom* The four main types of trust models used with PKI are hierarchical, bridge, mesh, and hybrid. Custom is not one of the main PKI trust models.

*What is a potential concern to weaker encryption algorithms as time goes on? (Select the best answer.)* a. Performance of the algorithm worsens over time b. Keys generated by users start to repeat on other users' systems c. Hackers using distributed computing might be able to finally crack algorithms. d. All options are correct.

c. *Hackers using distributed computing might be able to finally crack algorithms.* As computers get faster, so does the ability for hackers to use distributed computing as a method of breaking encryption algorithms. With computer performance, in some cases, increasing by 30% to 50% a year on average, this could become a concern for some older algorithms. Answer A is incorrect because weak keys exhibit regularities, and the weakness has nothing to do with performance. Answer B is incorrect because the weakness in keys comes from a block cipher regularity in the encryption of secret keys. The keys do not repeat themselves on other machines. Answer D is incorrect because there is only one correct answer.

*Each firewall rule is essentially a separate instruction with a(n) _______________ construction.* a. FOR-EACH b. DO-UNTIL c. IF-THEN d. WHILE-DO

c. *IF-THEN* Firewall rules are essentially an IF-THEN construction. IF these rule conditions are met, THEN the action occurs.

* _______________ in access control means that if a condition is not explicitly met, the request for access is rejected.* a. Static allow b. Explicit allow c. Implicit deny d. Dynamic deny

c. *Implicit deny* Implicit deny in access control means that if a condition is not explicitly met, the request for access is rejected. (Implicit means that something is implied or indicated but not actually expressed.)

Network Security *Which option for installing a corporate spam filter is considered to be the most effective approach?* a. Install the spam filter on the Domain Name Server (DNS). b. Install the spam filter on the Post Office Protocol (POP3) server. c. Install the spam filter with the Simple Mail Transfer Protocol (SMTP) server. d. Contract with a third-party entity that filters out spam.

c. *Install the spam filter with the Simple Mail Transfer Protocol (SMTP) server.* Installing the spam filter with the SMTP serve is the simplest and most effective approach.

Disaster Recovery and Incident Response *Which of the following is the measure of the anticipated incidence of failure for a system or component?* a. CIBR b. AIFS c. MTBF d. MTTR

c. *MTBF* Mean time between failures (MTBF) is the measure of the anticipated incidence of failure for a system or component.

Cryptography Basics *What is the acronym for the de facto cryptographic message standards developed by RSA Laboratories?* a. PKIX b. X.509 c. PKCS d. Both A and C

c. *PKCS* The Public Key Cryptography Standards (PKCS) are the de facto cryptographic message standards developed and maintained by RSA Laboratories, the Security Division of EMC. PKIX describes the development of Internet standards for X.509-based digital certificates; therefore, answers A, B, and D are incorrect.

*A pirated movie-sharing service was discovered operating on company equipment. Administrators do not know who planted the service or who the users are. What technique could be used to attempt to trace the identity of the users?* a. Typo squatting b. Integer overflow c. Watering hole attack d. Ransomware

c. *Watering hole attack* A watering hole attack could be used to plant phone-home-to-identity malware on the systems of subsequent visitors.

Educating and Protecting the User *Which of the following is another name for social engineering?* a. Social disguise b. Social hacking c. Wetware d. Wetfire

c. *Wetware* Wetware is another name for social engineering.

*Which of the following is a common storage networking standard chosen by businesses for ease of installation, cost, and utilization of current Ethernet networks?* a. Fibre Channel b. FTP c. iSCSI d. HTTPS

c. *iSCSI* Businesses choose Internet Small Computer System Interface (iSCSI) due to ease of installation, cost, and utilization of current Ethernet networks. Answer A is incorrect. Fibre Channel infrastructure generally is more costly and complex to manage due to the separate network switching infrastructure. Answer B is incorrect. FTP servers provide user access to upload or download files between client systems and a networked FTP server. Answer D is incorrect because HTTPS is used for secured web-based communications.

*A _______________ cloud offers the highest level of security and control.* a. public b. community c. private d. hybrid

c. *private* A private cloud is created and maintained on a private network. Although this type offers the highest level of security and control (because the company must purchase and maintain all the software and hardware), it also reduces any cost savings.

*Networks are usually segmented by using _______________ to divide the network into a hierarchy.* a. hubs b. routers c. switches d. proxies

c. *switches* Networks are usually segmented by using switches to divide the network into a hierarchy.

data emanation

collect electronic componment emission and piece them together into readable data

Web Security Gateway

combines various security solutions into one

14) Class D fire

combustible metals such as magnesium and sodium - requires suppression that uses dry chemicals

Telnet

command line interface that provides remote administration works in clear text. TCP 23. Application layer Protocol

Trusted Platfrom Module (TPM)

computer chip on system that is used to store cryptographic keys used to encrypt data - TPM has a dictionary attack prevention built in - Windows bitlocker support TPM - system must be TPM-support BIOS

Cert

computer emergency response team

Business MAC classification labels

confidential - can cause grave danger private - can cause serious damage sensitive - can cause undersirable outcome public - suitable to public release

Encryption provides ______ and helps ensure that the data is only viewable by authorized users

confidentiality

*Consider a building with a value of $10,000,000 (AV) of which 75 percent of it is likely to be destroyed by a tornado (EF). The SLE is _______________.* a. $7,500 b. $75,000 c. $750,000 d. $7,500,000

d. *$7,500,000* Consider a building with a value of $10,000,000 (AV) of which 75 percent of it is likely to be destroyed by a tornado (EF). The SLE would be calculated as follows: $7,500,000 = $10,000,000 x 0.75

*Which port does the Post Office Protocol v3 (POP3) use?* a. 22 b. 25 c. 80 d. 110

d. *110* The Post Office Protocol v3 (POP3) uses port 110.

Security and Vulnerability in the Network *Which IEEE standard is often referred to as EAP over LAN?* a. 802.1E b. 802.1Z c. 802.1Y d. 802.1X

d. *802.1X* The IEEE standard 802.1X is often referred to as EAP over LAN. It defines port-based security for wireless network access control.

*Which statement describes a limitation of Secure Copy Protocol (SCP)?* a. SCP can only operate in the Windows environment. b. SCP cannot encrypt commands. c. SCP is being replaced by Remote Copy Protocol (RCP). d. A file transfer cannot be interrupted and then resumed in the same session.

d. *A file transfer cannot be interrupted and then resumed in the same session.* Secure Copy Protocol (SCP) encrypts files and commands, yet has limitations. For example, a file transfer cannot be interrupted and then resumed in the same session; the session must be completely terminated and then restarted.

*Which of the following is a security control type that is not usually associated with or assigned to a security guard?* a. Preventive b. Detective c. Corrective d. Administrative

d. *Administrative* A security guard is not an administrative control. A security guard can be considered a preventive, detective, and/or corrective control.

*Which one of the following is an indication that a system might contain spyware?* a. The system is slow, especially when browsing the Internet. b. It takes a long time for the Windows desktop to come up. c. Clicking a link does nothing or goes to an unexpected website. d. All of the above.

d. *All of the above.* Each of these represents common symptoms of a computer that has had spyware installed.

Wireless Networking Security *Which of the following authentication levels with WAP allows virtually anyone to connect to the wireless portal?* a. Relaxed b. Two-way c. Server d. Anonymous

d. *Anonymous* Anonymous authentication allows virtually anyone to connect to the wireless portal.

*_______________ was created as a more secure alternative than the weak Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP).* a. Temporal Key Integrity Protocol (TKIP) b. Advanced Encryption Standard (AES) c. Protected EAP (PEAP) d. Extensible Authentication Protocol (EAP)

d. *Extensible Authentication Protocol (EAP)* A framework for transporting the authentication protocols is known as the Extensible Authentication Protocol (EAP). EAP was created as a more secure alternative than the weak Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP). Despite its name, EAP is a framework for transporting authentication protocols instead of the authentication protocol itself.

Cryptography Implementation *A registration authority (RA) can do all the following except:* a. Distribute keys b. Accept registrations for the CA c. Validate identities d. Give recommendations

d. *Give recommendations* A registration authority (RA) can distribute keys, accept registrations for the CA, and validate identities. It cannot give recommendations.

*What type of virus is able to regenerate itself if a single element of its infection is not removed from a compromised system?* a. Polymorphic b. Armored c. Retro d. Phage

d. *Phage* A phage virus is able to regenerate itself from any of its remaining parts.

Measuring and Weighing Risk *Which of the following is information that is unlikely to result in a high-level financial loss or serious damage to the organization but still should be protected?* a. Public data b. Confidential data c. Sensitive data d. Private data

d. *Private data* Private data is information that is unlikely to result in a high-level financial loss or serious damage to the organization but still should be protected. Answer A is incorrect because the unauthorized disclosure, alteration, or destruction of public data would result in little or no risk to the organization. Answer B is incorrect because confidential data is internal information that defines the way in which the organization operates. Security should be high. Answer C is incorrect because sensitive data is considered confidential data.

Operating System and Application Security *What is it known as when an attacker manipulates the database code to take advantage of a weakness in it?* a. SQL tearing b. SQL manipulation c. SQL cracking d. SQL injection

d. *SQL injection* SQL injection occurs when an attacker manipulates the database code to take advantage of a weakness in it.

*Which protocol is used for file transfers?* a. Internet Small Computer System Interface (iSCSI) b. Network Basic Input/Output System (NetBIOS) c. Secure Network Management Protocol (SNMP) d. Secure Copy Protocol (SCP)

d. *Secure Copy Protocol (SCP)* Secure Copy Protocol (SCP) is used for file transfers. SCP is an enhanced version of Remote Copy Protocol (RCP). SCP encrypts files and commands.

Wireless Networking Security *Which of the following is a primary vulnerability of a wireless environment?* a. Decryption software b. IP spoofing c. A gap in the WAP d. Site survey

d. *Site survey* A site survey is the process of monitoring a wireless network using a computer, wireless controller, and analysis software. Site surveys are easily accomplished and hard to detect.

*What two encryption modes are supported by Internet Protocol Security (IPsec)?* a. Electronic code book (ECB) and cipher block chaining (CBC) b. Kerberos and Secure Shell (SSH) c. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) d. Transport and tunnel

d. *Transport and tunnel* IPsec supports two encryption modes: transport and tunnel.

Internet Security Association and Key Management Protocol (ISAKMP)

defines procedures and packet formats to establish, negotiate, modify, and delete security associations. UDP 500.

The Biba Integrity Model

describes rules for the protection of data integrity.

15) Qualitative risk

determines the risk and mitigation technique (not dollar figures) - threat based on scale - Risk = probability x loss - quick assessment

19) last command (linux)

display a list of all users and the last time they logged on

19) net session command

display the computer that are connected to your system thru windows file sharing

19) net statistics server/workstations

displays info such as - number of session - password violations - permission violations workstation will view info about client software and request made for network resources -

17) Chain of custody

document that records where the evidence is at all times: 1. When documenting evidence 2. Record what the item is 3. Where the item was discovered 4. the label ID number 5. date and time evidence was collected 6. who collected the evidence

Measuring and Weighing Risk *Which of the following strategies involves sharing some of the burden of the risk with someone else such as an insurance company?* a. Risk acceptance b. Risk avoidance c. Risk deterrence d. Risk mitigation e. Risk transference

e. *Risk transference* Risk transference involves sharing some of the burden of the risk with someone else such as an insurance company.

type c firextinguisher

electrical fires

14) cipher locks

electronic combination locks

13) Certificates

electronic file that is used to store public key and associates the public key with an entity (person/company)

CONFIGURE 1. standard access list 23 to deny source IP 192.168.10.7, 10.0.0.0 network, permit all other traffic 2. assign standard access list to interface 0

enable configure terminal access-list 23 deny 192.198.10.7 0.0.0.0 access-list 23 deny 10.0.0.0 0.255.255.255 access-list 23 permit 0.0.0.0 255.255.255.255 interface fastethernet 0/0 ip access-group 23 in

Point to point tunneling protocol PPTP

encapsulates and encrypts PPP over IP packets. Layer 2. TCP port 1723

14) Faraday cage

enclosure that is designed to shield its contents from electronic fields or signals from each the components inside the cage

bluesnarfing

exploiting a bluetooth device by copy data from it

Time-based OTP (TOTP)

extends OTP by supporting a time-based moving factor that must be changed each time a new password is generated.

Raid 6

extends RAID 5 by adding another parity block; thus, it uses block-level striping with two parity blocks distributed across all member disks.

______ is a method of server redundancy and provides high availability for servers

failover clusters If a node fails, the other one (which was previously inactive) takes over without an interruption.

Type 2 errors

false negatives

biometrics error type i

false reject rate (FRR) - false to authenticate someone who is authorized to access the system

Pretty Good Privacy (PGP)

generate keys and share public key with other using email in a secure fashion - encrypt email message and files, and digitally sign a message - GnuPG replaced GNU

Time-based One Time Password (TOTP)

gerenates password based on current time

Rot13

his simple algorithm rotates every letter 13 places in the alphabet. Thus an A becomes an N, a B becomes an O, and so forth. The same rotation of 13 letters that is used to encrypt the message is also used to decrypt the message.

16) Recovery point objective (RPO)

how much of a system/data is expected to be recovered.

application-proxy firewall

inspects data at layer 7 of the OSI model. These types of firewalls are also known as application-level gateways, or ALGs. They apply security mechanisms to applications such as FTP.

ISA

interconnection security agreement ( The ISA is a security document that specifies the technical and security requirements for establishing, operating, and maintaining the interconnection.)

•Intranet

internal network to include systems and workstations you do not want

17) Demonstrative evidence

involves presenting a physical object that display the results or some form of event occurring. - ex) medical exhibit to display malpratice, or model of intersection where model cars show the location

strongest biometric available

iris scan - scans the color part of the eyes that surround the pupil

SHA-1

is 160-bit hash.

RADIUS

is RADIUS or TACACS+ used to provide centralized administration of dial-up VPN and wireless authentication.

RADIUS

is a client-server system that provides authentication, authorization, and accounting services.

One-Time Pad (OTP)

key is same or longer than message wrote. Random and only used once. Pad of random bits where plaintext is XOred. Impossible to Crack Issues: out of band distribution (not in line of the secure communication. Physically walking to person to give data), sender and receiver must be synchronized with each others pad

Perfect Forward Secrecy (PFS)

keys captured now, but not yet cracked, can't be later cracked and used to decrypt all other encrypted keys. uses Ephemeral keys: each conversation will have its own key instead of a static key.

19) taskkill command

kill a process running in memory that may be the cause of performance issue ex) virus - ie) taskkill /IM notepad.exe /f (IM - image name)

16) RAID 1

known as disk mirroring. Disk mirroring uses two hard drives and duplicates the data from one drive to another. - More fault tolerant than RAID 0 -

In digital signatures Senders ____ key ____ Senders __ key _____

private key encrypts (or signs) public key decrypts

VPN virtual private network

private network connection that travels through a public network Lan through wan back to Lan. EX PPTP, L2TP

Which key is used when UserA wants to encrypt message and send to UserB

recipient's public key - UserA has access to UserB public key - UserB can decrypt message with their own private key that they only have access to

A captive portal

redirects people in an effort to authenticate them. It will often do this within a web browser, and might use TCP (HTTPS), but does not perform accounting services.

DIAMETER

replaces RADIUS - TCP based, more secure and scalable

Stream cipher

requires little to no resources minimal processing. RC4. bit by bit encryption plaintext mixed with a keystream controlled by a key.

17) Computer Incident Response Team (CIRT)

responsible for knowing how to handle security incidents that occur within the organization and correcting and documenting the security in a timely manner

What is a code review?

review software line-by-line for vulnerabilities

Microsoft CHAP v2

stronger than MS-CHAP and CHAP - uses stronger encyrption keys

Frequency analysis

study of commonly used characters in letter cypher

substitution cipher

substituting one character for another ex) 1. caesar cipher - every character is incremented by certain number of character (ex. a become d) 2. ROT13 cipher - increments by 13

RADIUS uses ___ encryption

symmetric

Hashing (= integrity)

takes a variable length input and generates a fixed length output, establish integrity, and used for authentication with passwords. public , one way function (you can't take the hash and reverse it to guess the password)

out-band key exchange

two parties must exchange keys in a separate communication channel other than communication channel that is exchange data between parties

Whaling

type of spear phishing that targets senior executives such as CFOs

What is bluesnarfing?

unauthorized access to or theaft of information from a bluetooth device

•Internet

unsecured security zone

Lattice-based access control

used for more complex determinations of object access by subjects; this is done with advanced mathematics that creates sets of objects and subjects and defines how the two interact.

ICMP (internet control message protocol)

used in Layer 3 (Network) for trouble shooting, announce network errors, announces network congestion, and uses TTL. Ping and Traceroute 0-echo reply 3-Destination unreachable 8-Echo 30-Traceroute

integrity

verifying form has not been altered in an undesirable way

Tunneling

virtual dedicated connection between two system networks. Encapsulation within a routable protocol Can send private network data across a public network nu encapsulating data into other packets

What is a zero-day exploit?

vulnerability that is not known by trusted sources, such as operating system and antivirus vendors

Infrastructure and Connectivity *A socket is a combination of which components?* a. TCP and port number b. UDP and port number c. IP and session number d. IP and port number

d. *IP and port number* A socket is a combination of IP address and port number. The socket identifies which application will respond to the network request.

Certificate Revocation List (CRL)

A list housed by the CA that contains serial numbers of digital certificates that have been revoked.

Bollards

- short vertical posts

Cryptography core services

1. encryption 2. hashing 3. authentication

What is SSO?

Single Sign On. Login once to access multiple systems.

What is L2TP?

a VPN tunneling protocol commonly combined with IPsec

17) Big Data analysis

possible that data is so large that typical data management tools can handle. - ex, meteorlogy, finance, internet search

jamming/interference

potential interference with cordless phones - can make network go down

Gray-box

Your organization's servers and applications are being audited. One of the external IT auditors tests an application as an authenticated user. What testing methods is being used?

MD5

Your organization has a policy that states that user passwords must be at least 16 characters. Your computers use NTLM2 authentication for clients. What hash algorithms will be used for password authentication?

WPA2

WPA2 requires Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector. With the larger initialization vector, it increases the difficulty in cracking and minimizes the risk of a replay attack.

TACACS+

What is an authentication and accounting service that uses TCP as its transport mechanism when connecting to routers and switches?

Developers copying data from production to test environments with USB sticks

What is most likely to result in data loss?

Biometrics

What is not a logical method of access control?

Application log

What is not a record of the tracked actions of users?

HIDS

What is not considered to be an inline device?

Non-repudiation

What is not one of the steps of the incident response process?

Tracking cookie

What is often misused by spyware to collect and report a user's activities?

Patch management

What is one example of verifying new software changes on a test system?

Organize data based on severity and asset value

What is the best action to take when you conduct a corporate vulnerability assessment?

Copy the log files to a server in a remote location.

What is the best practice to secure log files?

WPA

Tkip (adds a 128 bit padding) and RC4 encryption still vulnerable to attack.

18)Scanning purpose

To find out what services are running by finding open ports -

Change management strategy

To prevent ad hoc configuration issues on your wireless network, what method should you implement?

What are the goals of change management?

To reduce risks related to unintended outages and provide documentation for all changes

To determine the impact of a threat against your network

What is the best reason to perform a penetration test?

What is the primary goal of security awareness training

To reinforce user compliance with security policies and help reduce risk

Update the Voice over IP system.

What is the best way to protect a Voice over IP PBX from man-in-the-middle attacks?

FTPS

What is the best way to utilize FTP sessions securely?

Install a pop-up blocker.

What is the most effective way of preventing adware?

SMTP

TCP port 25. Works in plain text vulnerable to spam. SMTP relay blacklisting (deny) and whitelisting (allow)

What replaced SSL?

TLS (Transport layer security)

Encrypt, sign, decrypt, and verify

What is the proper order of functions for asymmetric keys?

Symmetric scheme

What is used by PGP to encrypt the session key before it is sent?

17) Acquire

Taking image of the evidence so you do your investigation from a copy of the evidence. - critical to acquire bit-level copy of the drives

What does whaling do?

Targets high-level executives

L2TP

What is used to implement an unencrypted tunnel between two networks?

SYN attack

What kind of attack would a flood guard protect a network from?

To decrypt the hash of a digital signature

What might a public key be used to accomplish?

System State

What needs to be backed up on a domain controller to recover Active Directory?

16) IT contingency planning

preparation of a recovery plan for when something goes wrong with the IT systems and infrastructure.

Kerberos

What network authentication protocols uses symmetric key cryptography, stores a shared key for each network resource, and uses a Key Distribution Center (KDC)?

802.1X

What protocol permits or denies access to resources through the use of ports?

AES

What protocols does the 802.11i standard support?

Stealth virus

Stealth: These viruses attempt to avoid detection by masking themselves from applications.

14) Pressure mat sensor

pressure mat that activated after hours

Recovery Agent

Someone within the organization has access to the keys

What is STP?

Spanning Tree Protocol. Allows for multiple redundant paths while breaking loops. Operates at Data Link

What is trunking?

Spanning a single VLAN across multiple switches

Federation

a collection of computer networks that agree on standards of operation, such as security standards. Normally, these are networks that are related in some way. In some cases, it could be an industry association that establishes such standards.

Polymorphic virus

a complicated computer virus that affects data types and functions. It is a self-encrypted virus designed to avoid detection by a scanner. Upon infection, the polymorphic virusduplicates itself by creating usable, albeit slightly modified, copies of itself.

Disaster Recovery and Incident Response *Which redundancy strategy has one spare part for every component in use?* a. 1+1 b. JWDO c. JIT d. Rollovers

a. *1+1* The redundancy strategy 1+1 has one spare part for every component in use.

Access Control and Identity Management *Which type of authorization provides no mechanism for unique logon identification?* a. Anonymous b. Kerberos c. TACACS d. TACACS+

a. *Anonymous* During anonymous access, such as requests to a public FTP server, unique identify of the requester is not determined and so cannot be used for personalized logon identification. Answers B, C, and D are incorrect because authorization services such as Kerberos, TACACS, and its replacement TACACS+ all verify access requests against a list of authorized credentials and so can log individual visits and identify access request logons.

Operating System and Application Security *LDAP is an example of which of the following?* a. Directory access protocol b. IDS c. Tiered model application development environment d. File server

a. *Directory access protocol* Lightweight Directory Access Protocol (LDAP) is a directory access protocol used to publish information about users. This is the computer equivalent of a phone book.

*The IEEE 802.1x standard provides the highest degree of port security by implementing port-based _______________.* a. encryption b. authentication c. auditing d. integrity

b. *authentication* The IEEE 802.1x standard provides the highest degree of port security by implementing port-based authentication.

Disaster Recovery and Incident Response *You're a consultant brought in to advise MTS on its backup procedures. One of the first problems you notice is that the company doesn't utilize a good tape-rotation scheme. Which backup method uses a rotating schedule of backup media to ensure long-term information storage?* a. Grandfather, Father, Son method b. Full Archival method c. Backup Server method d. Differential Backup method

a. *Grandfather, Father, Son method* The Grandfather, Father, Son backup method is designed to provide a rotating schedule of backup processes. It allows for a minimum usage of backup media, and it still allows for long-term archiving.

*Which term describes the concept of using a data based IP network to add digital voice clients and new voice applications onto the IP network?* a. IP telephony b. Virtualization c. Loop protection d. Captive portals

a. *IP telephony* Using Internet Protocol (IP), various services such as voice, video, and data can be combined (multiplexed) and transported under a universal format. IP telephony is using a data based IP network to add digital voice clients and new voice applications onto the IP network.

Cryptography Implementation *A Certificate Practice Statement (CPS) is a detailed statement the CA uses to issue certificates and ______ of the CA.* a. Implement policies b. Control processes c. Regulate actions d. Complete processes

a. *Implement policies* A Certificate Practice Statement (CPS) is a detailed statement the CA uses to issue certificates and implement policies of the CA.

*Which one of the following is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building?* a. Mantrap b. Biometric c. Honeypot d. Honeynet

a. *Mantrap* A mantrap is a physical security control that is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building. Biometrics typically incorporate something about the person, such as retina scan or fingerprint, to allow access, and so Answer B is incorrect. Answers C and D are also incorrect as these describe controls not related to physical security.

*A rootkit has been discovered on your mission-critical database server. What is the best step to take to return this system to production?* a. Reconstitute it. b. Run an antivirus tool. c. Install an HIDS. d. Apply vendor patches.

a. *Reconstitute it.* The only real option to return a system to a secure state after a rootkit is reconstitution.

Physical and Hardware-Based Security *Which of the following methods is the most effective way to physically secure laptops that are used in an environment such as an office?* a. Security cables b. Server cages c. Locked cabinet d. Hardware dongle

a. *Security cables* Security cables with combination locks can provide such security and are easy to use. They are used mostly to secure laptops and leave the equipment exposed. Answer B is incorrect because PC Safe tower and server cages are designed to bolt to the floor and are meant to be in an environment that is static. Answer C is incorrect because a locked cabinet is an alternative for equipment that is not used or does not have to be physically accessed on a regular, daily basis. Vendors provide solutions such as a security cabinet locker that secures CPU towers. The housing is made of durable, heavy-duty steel for strength. Answer D is incorrect because a hardware dongle is used for license enforcement.

Physical and Hardware-Based Security *The process of reducing or eliminating susceptibility to outside interference is called what?* a. Shielding b. EMI c. TEMPEST d. Desensitization

a. *Shielding* Shielding keeps external electronic signals from disrupting operations.

Network Security *Which type of firewall packet filtering looks at the incoming packet and permits or denies it based on the conditions that have been set by the administrator?* a. Stateless packet filtering b. Stateful packet filtering c. Switched packet filtering d. Secure packet filtering

a. *Stateless packet filtering* Packets can be filtered by a firewall in one of two ways. Stateless packet filtering looks at the incoming packet and permits or denies it based on the conditions that have been set by the administrator. Stateful packet filtering keeps a record of the state of a connection between an internal computer and an external device and then makes decisions based on the connection as well as the conditions.

Disaster Recovery and Incident Response *Which of the following outlines those internal to the organization who have the ability to step into positions when they open?* a. Succession planning b. Progression planning c. Emergency planning d. Eventuality planning

a. *Succession planning* Succession planning outlines those internal to the organization who have the ability to step into positions when they open.

*What is the most common protocol used today for both local area networks (LANs) and the Internet?* a. Transmission Control Protocol/Internet Protocol (TCP/IP) b. Secure Sockets Layer (SSL) c. Hypertext Transport Protocol Secure (HTTPS) d. Domain Name System (DNS)

a. *Transmission Control Protocol/Internet Protocol (TCP/IP)* Computer networks also have protocols, or rules for communication. These protocols are essential for proper communication to take place between network devices. The most common protocol used today for both local area networks (LANs) and the Internet is Transmission Control Protocol/Internet Protocol (TCP/IP).

Cryptography Basics *Which of the following is similar to Blowfish but works on 128-bit blocks?* a. Twofish b. IDEA c. CCITT d. AES

a. *Twofish* Twofish was created by the same creator of Blowfish. It performs a similar function on 128-bit blocks instead of 64-bit blocks.

*You are setting up an FTP server that needs to be accessed by both the employees and external contractors. What type of architecture should you implement?* a. VLAN b. DMZ c. NAT d. VPN

a. *VLAN* b. *DMZ* c. *NAT* All except answers D and E are advantages of honeypots and honeynets. Currently, the legal implications of using such systems are not that well defined, and the use of these systems typically requires more administrative resources.

IPsec Security Association (SA)

agreement between two machines on security services such as confidentiality, integrity, and authentication. Security association tied to one connection in one direction meaning there are two security associations for each direction

17) Mean time to failure (MTTF)

amount of time a device is expected to last in production before it fails. MTTF is usually a value reported by the manufacturer on hardware, which you can use as evaluation criteria when selecting hardware

16) Recovery time objective (RTO)

amount of time allowable before a business function must be restored to a functional state after a failure.

Educating and Protecting the User *You have recently had security breaches in the network. You suspect they might be coming from a telecommuter's home network. Which of the following devices would you use to require a secure method for employees to access corporate resources while working from home?* a. A router b. A VPN concentrator c. A firewall d. A network-based IDS

b. *A VPN concentrator* A VPN concentrator is used to allow multiple users to access network resources using secure features that are built in to the device and are deployed where the requirement is for a single device to handle a very large number of VPN tunnels. Answer A is incorrect because a router forwards information to its destination on the network or the Internet. A firewall protects computers and networks from undesired access by the outside world; therefore, answer C is incorrect. Answer D is incorrect because network-based intrusion-detection systems monitor the packet flow and try to locate packets that are not allowed for one reason or another and might have gotten through the firewall.

*Which of the following is most directly associated with providing or supporting perfect forward secrecy?* a. PBKDF2 b. ECDHE c. HMAC d. OCSP

b. *ECDHE* Elliptic Curve Diffie-Hellman Ephemeral or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) implements perfect forward secrecy through the use of elliptic curve cryptography (ECC). PBKDF2 is an example of a key-stretching technology not directly supporting perfect forward secrecy. HMAC is a hashing function. OCSP is used to check for certificate revocation.

*Which protocol is the standard protocol for Internet usage?* a. Internet Control Message Protocol (ICMP) b. Hypertext Transport Protocol (HTTP) c. Network Basic Input/Output System (NetBIOS) d. Secure Network Management Protocol (SNMP)

b. *Hypertext Transport Protocol (HTTP)* Hypertext Transport Protocol (HTTP), which is the standard protocol for Internet usage.

*Which of the following is not true in regards to NoSQL?* a. Can support SQL expressions b. It is a relational database c. Supports hierarchies or multilevel nesting/referencing d. Does not support ACID

b. *It is a relational database* NoSQL is not a relational database structure. NoSQL can support SQL expressions, supports hierarchies or multilevel nesting/referencing, and does not support ACID.

*The most effective means to reduce the risk of losing the data on a mobile device, such as a notebook computer, is _____.* a. Encrypt the hard drive. b. Minimize sensitive data stored on the mobile device. c. Use a cable lock. d. Define a strong logon password.

b. *Minimize sensitive data stored on the mobile device.* The risk of a lost or stolen notebook is the data loss, not the loss of the system itself. Thus, keeping minimal sensitive data on the system is the only way to reduce the risk. Hard-drive encryption, cable locks, and strong passwords, although good ideas, are preventative tools, not means of reducing risk. They don't keep intentional and malicious data compromise from occurring; instead, they encourage honest people to stay honest.

CHAP

is more secure than PAP because it encrypts usernames and passwords.

*In which of the following types of fuzzing are forged packets sent to the tested application and then replayed?* a. Application fuzzing b. Protocol fuzzing c. File format fuzzing d. Web page fuzzing

b. *Protocol fuzzing* In protocol fuzzing, forged packets are sent to the tested application, which can act as a proxy and modify requests on the fly and then replay them. Answer A is incorrect because in an application fuzzing attack vectors are within its I/O, such as the user interface, the command-line options, URLs, forms, user-generated content, and RPC requests. Answer C is incorrect because in file format fuzzing, multiple malformed samples are generated and then opened sequentially. Answer D is incorrect because web page fuzzing is not a real term.

Operating System and Application Security *Your company is growing at a tremendous rate, and the need to hire specialists in various areas of IT is becoming apparent. You're helping to write the newspaper ads that will be used to recruit new employees, and you want to make certain that applicants possess the skills you need. One knowledge area in which your organization is weak is database intelligence. What is the primary type of database used in applications today that you can mention in the ads?* a. Hierarchical b. Relational c. Network d. Archival

b. *Relational* Relational database systems are the most frequently installed database environments in use today.

127.0.0.1

is the IPv4 loopback address.

ICMP

is the Internet Control Message Protocol, which is used by ping and other commands.

*Which of the following is not a certificate trust model for the arranging of certificate authorities?* a. Bridge CA architecture b. Sub-CA architecture c. Single-CA architecture d. Hierarchical CA architecture

b. *Sub-CA architecture* Sub-CA architecture does not represent a valid trust model. Answers A, C, and D, however, all represent legitimate trust models. Another common model also exists, called cross-certification; however, it usually makes more sense to implement a bridge architecture over this type of model.

Security-Related Policies and Procedures *On a NetWare-based system, which account is equivalent to the administrator account in Windows?* a. Auditor b. Supervisor c. Root d. Master

b. *Supervisor* The supervisor user in NetWare is equivalent to the administrator user in Windows.

*Which of the following is the best choice for encrypting large amounts of data?* a. Asymmetric encryption b. Symmetric encryption c. Elliptical curve encryption d. RSA encryption

b. *Symmetric encryption* Public key encryption is not usually used to encrypt large amounts of data, but it is does provide an effective and efficient means of sending a secret key from which to do symmetric encryption thereafter, which provides the best method for efficiently encrypting large amounts of data. Therefore, answers A, C, and D are incorrect.

*A _______________ cloud is a combination of public and private clouds.* a. community b. hybrid c. mixed d. connected

b. *hybrid* A hybrid cloud is a combination of public and private clouds.

*Which port does the Hypertext Transfer Protocol (HTTP) use?* a. 20 b. 21 c. 80 d. 443

c. *80* The Hypertext Transfer Protocol (HTTP) uses port 80.

*Which of the three principles of security is supported by an offsite tape backup system?* a. Confidentiality b. Integrity c. Availability d. Sanitization

c. *Availability* Availability is concerned with ensuring that access to services and data is protected against disruption, including disasters and other events that could require recovering from offsite backup media. Answer A is incorrect because confidentiality involves protecting against unauthorized access. Integrity is concerned with preventing unauthorized modification, making Answer B incorrect. Answer D is incorrect because sanitization involves the destruction or overwriting of data to protect confidentiality.

*What communications technique can a hacker use to identity the product that is running on an open port facing the Internet?* a. Credentialed penetration test b. Intrusive vulnerability scan c. Banner grabbing d. Port scanning

c. *Banner grabbing* Banner grabbing is the communications technique a hacker can use to identify the product that is running on an open port facing the Internet.

Security and Vulnerability in the Network *During what process do you look at all custom written applications for holes that may exist (in the form of the finished application, configuration files, libraries, and so on)?* a. Network bridging b. Design review c. Code review d. Remediation

c. *Code review* During a code review, you look at all custom written applications for holes that may exist (in the form of the finished application, configuration files, libraries, and the like).

*llegal or unauthorized zone transfers are a significant and direct threat to what type of network server?* a. Web b. DHCP c. DNS d. Database

c. *DNS* Illegal or unauthorized zone transfers are a significant and direct threat to DNS servers.

VPN Concentrator

is the single device that terminates a large number of VPN tunnels coming from the internet. Device that handles vpn tunnels.

*Which type of biometric authentication system is not subject to false rejection due to illness or minor injury?* a. Fingerprint b. Voiceprint c. Facial recognition d. Retina

c. *Facial recognition* Facial recognition systems measure relative spacing between underlying features such as the bone structure and eye placement, requiring more than a minor injury to modify this biometric signature. Fingerprint signatures can be modified by minor cuts, abrasions, and exposure to chemicals, making answer A incorrect. Both voiceprint and retinal signatures can be modified due to illness and injury, making answers B and D incorrect.

Disaster Recovery and Incident Response *The process of automatically switching from a malfunctioning system to another system is called what?* a. Fail safe b. Redundancy c. Fail-over d. Hot site

c. *Fail-over* Fail-over occurs when a system that is developing a malfunction automatically switches processes to another system to continue operations.

*You have been tasked with mitigating the risk of password-based attacks. Which of the following should you consider to provide a control beyond just what someone knows?* a. Enforce complex passwords b. Prevent the user from entering more than three incorrect passwords c. Implement use of a one-time use token d. A and B

c. *Implement use of a one-time use token* Although both A and B provide controls for passwords, they are still both based on something the user knows: a password. A one-time use token can be a dedicated hardware token or may be a software token or text message on a mobile device. This would be an example of something the user has (for example, a hardware token or registered mobile device). Answer D is incorrect.

What is a configuration baseline?

it identifies the configuration settings for a system.

*_______________ is a protocol suite for securing Internet Protocol (IP) communications.* a. Internet Small Computer System Interface (iSCSI) b. Internet Control Message Protocol (ICMP) c. Internet Protocol Security (IPsec) d. Hypertext Transport Protocol Secure (HTTPS)

c. *Internet Protocol Security (IPsec)* Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications.

*When should a key or certificate be renewed?* a. Every year b. Every quarter c. Just before it expires d. Just after it expires

c. *Just before it expires* Keys and certificates should be renewed just before they expire. All the other choices are incorrect.

Cryptography Basics *What is the primary organization for maintaining certificates called?* a. CA b. RA c. LRA d. CRL

c. *LRA* A Certificate Revocation List (CRL) is created and distributed to all CAs to revoke a certificate or key.

*Which of the following is an example of role-based access control criteria?* a. GPS coordinates b. Trusted OS c. Members of the Administrators group d. Time of day

c. *Members of the Administrators group* Role-based access control involves assignment of access rights to groups associated with specific roles, with accounts inheriting rights based on group membership. Answers A and B are incorrect, as requirements for access only from specific locations or only from systems running a trusted OS are examples of rule-based access controls. Time of day restrictions are also rule-based access controls, making answer D incorrect.

*What method of access control is best suited for environments with a high rate of employee turnover?* a. MAC b DAC c. RBAC d. ACL

c. *RBAC* Role-based access control (RBAC) is best suited for environments with a high rate of employee turnover because access is defined against static job descriptions rather than transitive user accounts (DAC and ACL) or assigned clearances (MAC).

*Which type of biometric authentication involves identification of the unique patterns of blood-vessels at the back of the eye?* a. Facial recognition b. Iris c. Retina d. Signature

c. *Retina* Retinal biometric systems identify unique patterns of blood vessels in the back of the eye. Facial recognition systems identify fixed spacing of key features of the face such as bones, eyes, and chin shape, making answer A incorrect. Answer B is incorrect because iris scanning involves identification of unique patterns in the outer colored part of the eye. Answer D is incorrect because signature analysis is a form of what you do biometric authentication recording the speed, shape, and unique kinematics of a personal written signature.

Security-Related Policies and Procedures *Which of the following is one of the most common certificates in use today?* a. X.733 b. X.50 c. X.509 d. X.500

c. *X.509* One of the most common certificates in use today is the X.509 certificate. It includes encryption, authentication, and a reasonable level of validity.

*Which of the following risk-assessment formulas represents the total potential loss a company may experience within a single year due to a specific risk to an asset?* a. EF b. SLE c. ARO d. ALE

d. *ALE* The annualized loss expectancy (ALE) represents the total potential loss a company may experience within a single year due to a specific risk to an asset. EF is the percentage of asset value loss that would occur if a risk was realized. SLE is the potential dollar value loss from a single risk-realization incident. ARO is the statistical probability that a specific risk may be realized a certain number of times in a year.

*Which of the following is not an example of the principles of influence used in social engineering attacks?* a. Authority b. Intimidation c. Scarcity and urgency d. Authenticity and authorization e. Trust

d. *Authenticity and authorization* Authenticity and authorization both relate to identity and access control and are not principle reasons for effectiveness as related to social engineering. Answers, A, B, C, and E are all legitimate principles and so are incorrect answers.

Cryptography Implementation *Certificate revocation is the process of revoking a certificate before it:* a. Is renewed b. Becomes public c. Reuses a value d. Expires

d. *Expires* Certificate revocation is the process of revoking a certificate before it expires.

*Which term refers to the expansion and contraction of random access memory (RAM) or hard drive space as needed?* a. On-demand computing b. Host computing c. Host availability d. Host elasticity

d. *Host elasticity* Virtualization has several advantages. First, new virtual server machines can be quickly made available (host availability), and resources such as the amount of Random Access Memory (RAM) or hard drive space can easily be expanded or contracted as needed (host elasticity).

*Which one of the following best identifies the system of digital certificates and certification authorities used in public key technology?* a. Certificate practice system (CPS) b. Public key exchange (PKE) c. Certificate practice statement (CPS) d. Public key infrastructure (PKI)

d. *Public key infrastructure (PKI)* PKI represents the system of digital certificates and certificate authorities. Answers A, B, and C are incorrect. A CPS is a document created and published by a CA that provides for the general practices followed by the CA. Answers A and B are fictitious terms.

135

port used by RPC ,

*If user awareness is overlooked, what attack is more likely to succeed?* a. Man-in-the-middle b. Reverse hash matching c. Physical intrusion d. Social engineering

d. *Social engineering* Social engineering is more likely to occur if users aren't properly trained to detect and prevent it. The lack of user awareness training won't have as much impact on man-in-the-middle, reverse hash-matching, or physical intrusion attacks.

25

port used by SMTP

Physical and Hardware-Based Security *You work for an electronics company that has just created a device that emits less RF than any competitor's product. Given the enormous importance of this invention and of the marketing benefits it could offer, you want to have the product certified. Which certification is used to indicate minimal electronic emissions?* a. EMI b. RFI c. CC EAL 4 d. TEMPEST

d. *TEMPEST* TEMPEST is the certification given to electronic devices that emit minimal RF. The TEMPEST certification is difficult to acquire, and it significantly increases the cost of systems.

*_______________ is a cryptographic transport algorithm.* a. Secure Shell (SSH) b. Data Encryption Standard (DES) c. Advanced Encryption Standard (AES) d. Transport Layer Security (TLS)

d. *Transport Layer Security (TLS)* Transport Layer Security (TLS) is a cryptographic transport algorithm.

Operating System and Application Security *Which of the following involves unauthorized commands coming from a trusted user to the website?* a. ZDT b. HSM c. TT3 d. XSRF

d. *XSRF* XSRF involves unauthorized commands coming from a trusted user to the website. This is often done without the user's knowledge and employs some type of social networking to pull it off.

Advantages

produce smaller file size, allows for faster transmissions, less computationally intensive Disadvantage: Key distribution, how to share to all necessary parties Lacks non-repudiation if someone else with the key shares their key and no one can tell who sent the data between the two

16) BCP Lead

project leader, who is responsible for ensuring the planning, development, and testing of the BCP.

HTTP secure (HTTPS)

protocol to secure http traffic (80) - port 443 - use SSL to encrypt communication

What is a host software baseline?

provides a list of approved software and a list of software installed on systems. It is used to identify unauthorized software

In e-mail encryption the recipients ___ key ____ The recipients ____ key ___

public key encrypts Private key decrypts

19) netstat command

shows any protocol information - netstat -n (show tcp connections to your system in numerical format) - netstat -na -o (show all listenting port and process id)

SLE

single loss expectancy - is the single loss expectancy. This is another monetary value, and represents how much you expect to lose at any one time. SLE can be divided into two components: • AV (asset value) • EF (exposure factor)

rights

someone's privilege to perform a task

Educating and Protecting the User *For which U.S. organization was the Bell-LaPadula model designed?* a. Military b. Census Bureau c. Office of Management and Budget d. Executive Office of the President

a. *Military* The Bell-LaPadula model was originally designed for use by the military.

Operating System and Application Security *The flexibility of relational databases in use today is a result of which of the following?* a. SQL b. Hard-coded queries c. Forward projection d. Mixed model access

a. *SQL* SQL is a powerful database access language used by most relational database systems.

implicit deny

anything not on ACL forbid access - can be placed in router ACL, NTFS permission, Firewalls

Wireless Networking Security *Which type of encryption does CCMP use?* a. EAP b. DES c. AES d. IV

c. *AES* CCMP uses 128-bit AES encryption.

Owner's symmetric key

What does not apply to an X.509 certificate?

Kiting

What enables a hacker to float a domain registration for a maximum of five days?

Kerberos

- Default on AD environments - uses LDAP standard - uses Key Distribution Center (KDC) server

SaaS

- software as a service

00 CF 11 E0 A1 B1 1A E1

17) Header values of office documents

P2P software is often blocked at the

Firewall

Type of authentication algorithm

RSA, DSA, ECSDA

What is SLE?

Single loss expectancy - the amount of each loss

TOTP

The TOTP (Time-Based One-Time Password) algorithm uses a time-based factor to create unique passwords.

Mandatory access control

A security administrator implements access controls based on the security classification of the data and need-to-know information. What would best describe this level of access control?

Baseline reporting

A security assessment of an existing application has never been made.What is the best assessment technique to use to identify an application's security posture?

What is a GPO?

A setting is configured in a GPO and them applied to users or computers within a domain.

Message digest

A signature area within a message.

Dual-Homed Proxy Firewall

Uses two network cards to improve security

OSI layers

All. Application. 7 Pizza. Presentation 6 Sausages. Session 5 Taste. Transport 4 Not. Network 3 Delicious. Data-link 2 Peter. Physical 1

Which is faster, AES-256 or Blowfish?

Blowfish

110

port used by pop3

What is spim?

spam using instant message.

What is heuristic-based AV?

Detects previously unknown malware based on behavior

What helps ensure personnel apply the proper security controls to protect information

Data classifications and labeling

What is EAP?

Extensible Authentication Protocol

What is RPO

Recovery point objective - amount of data you can afford to lose

17) key issue with mobile device forsenics

1. maintaining power 2. synchronization - may remove data 3. prevent remote wipe

quantitative

cost-based and objective

Nac

network admission control

Data loss prevention

(DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. DLP systems share commonality with network intrusion prevention systems. One of the best-known DLP systems is MyDLP, an open source solution that runs on most Windows platforms and can be found at www.mydlp.org. Also, a large number of commercial programs are available for purchase, including Microsoft Forefront: www.microsoft.com/forefront.

Key Distribution Center (KDC) components

- Authentication server (AS) - gives the client ticket-granting ticket - Ticket-granting ticket (TST) - give client permission to request a service - ticket granting system (TGS) - grants the ticket to client so it can access the server on network

Hashing key points

- hash value have fixed length that depends on hash algorithm - hash value is know as message digest - hashing is based on the data, not the header of file - unlikely but possible to for two different piece of data generate the same hash value - collision - when two pieces of different data calculate the same hash value

14) fail-safe vs sail-secure

- if lock fails it will default to be unlock - if lock fails it will default to being locked

IaaS

- infrastructure as a service - provider clouds

17) Live acquistion

- Capture contents of memory - Capture contents of encrypted drive

Symmetric Encrypt Algorithms

- Data Encryption Standard (DES) - 56-bit encyrption - Blowfish - replaced DES, vraible 1 to 448-bit encyrption - Twofish - 128-bit encryption - Tripe DES - run 3 mathematical operation, 168-bit encryption - Rivest Cipher (RC4/RC5) - stream cipher used in SSL and WEP - Advance Encryption Standard (AES) - block cipher encryption 128/192/256-bit encyrption - AES256 - 256 AES encryption

17) Acquire Image (options)

- Disk-to-image - create image of disk and save as image file - Disk-to-disk - low-level copy (sector level) from one disk to another - Image-to-disk -

15) practices to help mitigate risk

- Enforce technology security controls - change management - incident management - user right/permission review - enforce routine audits - enforce policy and procedures

14) Physical security components

- Exit signs - Escape route - Escape plan - Drills - Testing controls - ex) test fire alarm/extinguishers

18) Lookup mail server dns

- Linux - DIG <ip / hostname> -mx - Windows - > nslookup >set type=mx > <hostname / ip>

18) 2 methods of performing vulnerability scan

- Null scan - not authenticated to the network - admin scan - scan under admin account - to ensure what a "nobody sees" and what an admin see

17) popular mobile device data

- ROM - read only memory -EEPROM - electronically erasable programmable Read-only memory - SIM card - store routing information and authentication information - memory -

How is non-repudiation implemented on asymmetric encryption

- Receiver receives sender digitally signed message with his private key - receiver can compare the key with all the public keys and find its mathematically related to receiver public keys

Type of Asymmetric Encryption Algorithm

- Rivest Shamir Adleman (RSA) - first asymmetric algorithm that implemented signing and encryption - Diffie-Hellman - exchange keys in a secure fashion - Elliptic curve - based on Diffie Hellman adding digital signature Algorithm (DSA)

Access Tokens

- Security identifier (SID) - group security identifiers - primary group identifiers - access rights

17) Documenting you steps

- Take photo of where evidence is - take photo of evidence before touching anything or seizing - document and photograph anything connected to computer wall -

17) CIRT team

- Team Leader - Technical specialist - documentation specialist - legal advisor

14) Sprinkler systems

- Wet-pipe - water sitting at hose - dry-pipe - water sitting at reservoir - pre-action - head link need melted down before water is released

RPO

- a business goal for system restoration and acceptable data loss?

What is Wired Equivalent Privacy (WEP) and encryption method

- connect using shared key/passphrase - used RC4 64/128 encryption - can be cracked in minutues

DLP

- data loss prevention

17) FAU command line

- dd to execute the command - if - input file - of - output file ex) dd.exe if=\\. \F: of=e:\case20111.img conv=noerror -localwrt

13) Suggested RA policy

- define who can request a cert - forms that need to be filled out - type of validation needed need to performed by RA personnel

Raid 1

- disk mirroring

Network Access Control (NAC)

- gain access control to wire/wireless network based on state of connecting system - ex) must have most current patches, virus updates, accept terms and condition,

Best practices monitoring account access

- group-based privileges - user-assigned priviledges - user access reviews - continuous monitoring

18) Penetration Test Process

- initial Meeting - Draft Legal Document - create pen-test plan - Test pen-test plan - Perform penetration test - Create a report on findings - Present report results - Destroy and copies of reports

Group policies configurations

- install software - configure password policy - configure auditing - configure user rights - restricted group - disable services and configure event logs - file system permission - software restrictions - lock down the system by disable features

17) Report on Findings

- item of interest - email, files, images, movies, deleted files - Log of actions taken - log each action - Result of investigation - summary concluding evidence found

types of group policies

- local - site - domain - organization unit (OU)

17) Analyze evidence

- look through email, internet history, deleted files

15) Risk Mitigation Strategies

- mitigate the risk (mitigation) - accept the risk (acceptance) - transfer the risk (transference) - Avoid the risk (risk avoidance) - Deter the risk (deterrence)

Account Policy Enforcements

- no shared accounts - Credential management - Group policy - password complexity - expiration - recovery - disablement - lockout - password history - password reuse - password length - generic account prohibition

18) TCP connect scan

- perform 3 way handshake with each port to determine if the port is open ex) nmap -sT 192.168.2.0/24 (scan on the entire network)

Classes of control

- preventative - corrective - deterrent - compensating

13) Information certificates contains

- public key - algorithm - asymmetric algortihm used - serial number - assigned to cert - subject - company/entity who owns cert - issuer - company/entity that create the cert - valid from/to - thumbprint algorithm - used to create hash of cert - thumbprint - hash value of cert

What are common Secure Network Principles?

- rule based management - firewall rules - VLAN management - secure router configuration - ACL - port security - 802.1x - flood guard - loop protection - implicit deny - network segmentation - log analysis - unified threat management

17) Forensic evidence conditions

- sufficient - prove a fact by itself - competent - must been legally obtain - relevant - be related to and have meaning to the case

RC4, Rijndael, 3DES

- symmetric encryption algorithms

Military MAC classification levels

- top secret - can cause grave damage - secret - cause serious damage - confidential - can cause damage - restricted - cause undesirable outcome - unclassified - suitable to public release

Administrative Control (Management)

- written policy, procedure, or guidelines - ex) password policy, hiring policy, employee screening

19) Other popular places to audit

-Security applications -DNS -Performance -Access -Firewall -Antivirus -Proxy server -Wireless Access Point -User access and rights review -storage and retention policies -group policies

HSM

-Which device is used to encrypt the authentication process?

19) Windows Audit Logs

-application logs -system logs -security logs -DNS logs others: -event logs -audit logs -access logs

19) linux authentication logs

/var/log/auth.log

19) - linux display of list of users and when they last logged on

/var/log/lastlog - can use <lastlog> to display

19) - linux display who have logged onto system

/var/log/wtmp - can use <last> to display

1.) Address classes A

1 - 127 / 16,777,214 host

17) Common Incident Response Procedures

1) Preparation 2) Incident identification 3) Escalation and notification 4. Mitigation steps 5) lesson learn 6) reporting 7) recovery/reconstitution procedures 8) incident isolation 9) quarantine 10) data breach 11) damage and loss control

18) ACTION ITEM: download LANguard and do vulnerability scan

1. Download LANguard from www.gfi.com. Check your e-mail and copy or write down your license key.

Types of Account Restrictions

1. Account Expiration 2. Time of day restriction 3. account lockout

IPSec's protocol for cryptography services

1. Authentication Header (AH) - authenticates sender with IPSec 2. Encapsulating Security Payload (ESP) - responsible for encrypting the data packet to provide confidentially

repeating key (word/phrase)

1. Convert the characters in the message to a number based on the position in the alphabet. 2. Convert the characters in the key to a number based on its position in the alphabet. 3. Add the two numbers together to get a new value. 4. Convert the new value to its corresponding letter in the alphabet (for example, 3 becomes C).

13) Configuring SSL

1. Create request (certificate signing request CSR) Typically on web site of CA to fill web form. Once request is made, it is stored in text file 2. Submit request - submit the request on CA website (text file) 3. Download cert - download the resulting certificate 4. Install the certificate

Block cipher methods

1. Electronic Codebook (ECB) 2. Cipher block chaining (CBC) 3. Cipher feedback mode (CFB) 4. Output feedback mode (OFB)

13) Implement Recovery Agents

1. In the Certification Authority console, right click-the server and choose Properties. 2. Choose the Recovery Agents page tab and select "Archive the key" 3. Specify the number of recovery agents allowed. 4. Choose Add to add the certificates of the recovery agents and then choose OK

18) Self test

1. b penetration test 2. d code review 3. c vulnerability assessment 4. a. risk assessment 5. b. legal document 6. c. port scanner 7. d enable logging 8. a john the ripper 9. d passive tool 10. b. nmap -sS 192.168.2.0/24 -p 1433 11. c passive scan 12. a cain & abel 13. d honeynet 14. b black box testing 15. c backtrack 16 vulnerability scan - passive, nontrusive, identify misconfig 17) penetration test - bypass security control, active, intrusive

18) port scan programs

1.) nmap (command line linux) 2.) Superscan (windows-based) ex) nmap -sT 10.0.0.1 (does port scan on 10.0.0.1) ex) nmap -sV 10.0.0.1 (find version of software running)

13) Implement Publish the CRL (certificate revoke list)

1.Within the Certification Authority console, right-click Revoked Certificates and choose All Tasks | Publish. 2.Choose the type of CRL to publish: ■New CRL Choose this to publish a new, complete version of the CRL. ■Delta CRL Choose this to publish just the updates to the existing CRL. 3.Choose OK.

What are the private IP address ranges?

10.x.y.z 172.16.y.x - 172.31.y.z 192.168.y.x

1.) Address class B

128 - 191 / 65,634 host

What's the address space for IPv6 and IPv4?

128 and 32

Twofish is what type of cipher

128 bit block

What key sizes does AES use?

128, 192, and 256 bit keys

APIPA Automatic Private Internet Protocol Address

169.254.X.X assigned by own operating system when a static or dynamic IP address has not been assigned. Non routable IP (private)

1.) Address class C

192 - 223 / 254 host

Digital Signatures

3 ingredients to a digital signature: Data to be signed Hashing algorithm Sender's Asymmetric Private Key

RAID __ can survive the failure of one disc, Raid __ can survive the failure of two discs

5 and 6

Blowfish is what type of cipher?

64-bit block

TCP/IP protocol suite

7 Application - Main interface between network and application 6 Presentation - Puts into a format all computers can understand. Encryption, translation, compression 5 Session - No Security. Connection establishment between applications 4 Transport - Keeps track of segments. Handles error recovery and flow control 3 Network - Creates packets. End-to-end communication across one or more subnetworks. 2 Data-link - Transmission of frames over a single network connection 1 Physical - Converts bits into voltage. DATA is ENCAPSULATED as it goes down the layers

14) Recommended fence height for determined intruder

8 feet with barbed wire on top facing the intruder 45-degree angle

What can stop a SYN attack?

A HIDS

Phage virus

A computer virus that rewrites the executable file it targets rather than attaching itself to the file and running along with it.

Cryptographic system

A cryptographic system is a system, method, or process that is used to provide encryption and decryption. It may be a hardware, software, or manually performed process. Cryptographic systems exist for the same reasons that security exists: to provide confidentiality, integrity, authentication, non-repudiation, and access control.

NTFS

A customer's computer uses FAT16 as its file system. What file system can you upgrade it to when using the convert command?

Symmetric key tip

A few basic facts to know about symmetric cryptography for the test are that symmetric cryptographic algorithms are always faster than asymmetric, and they can be just as secure with a smaller key size. For example, RSA (an asymmetric algorithm) uses keys of a minimum length of 2048 bits, whereas AES (a symmetric algorithm) uses key sizes of 128, 192, or 256 bits.

Flood Gaurds

A flood guard is a network device, such as firewall or router, which has the ability to prevent some flooding DDoS attack.

Header Manipulation attack

A header manipulation attack uses other methods discussed in this chapter (hijacking, cross-site forgery, and so forth) to change values in HTTP headers and falsify access. When used with XSRF, the attacker can even change a user's cookie. Internet Explorer 8 and above include InPrivate Filtering to help prevent some of this. By default, your browser sends information to sites as they need it-think of requesting a map from a site; it needs to know your location in order to give directions. With InPrivate Filtering, you can configure the browser not to share information that can be captured and manipulated.

cryptographer

A person who participates in the study of cryptographic algorithms.

link control protocol (lcp)

A protocol used to establish, configure, and test the link between a client and PPP host.

registration authority (RA)

A registration authority (RA) offloads some of the work from a CA. An RA system operates as a middleman in the process: It can distribute keys, accept registrations for the CA, and validate identities. The RA doesn't issue certificates; that responsibility remains with the CA

Replay attack

A replay attack is a kind of access or modification attack. In a distributed environment, logon and password information is sent between the client and the authentication system. The attacker can capture the information and replay it later. This can also occur with security certificates from systems such as Kerberos: The attacker resubmits the certificate, hoping to be validated by the authentication system and circumvent any time sensitivity.

What is a captive portal?

A technological solution that forces clients to complete a process before accessing the network. (think hotel wi-fi)

Trojan

A thumb drive has been used to compromise systems and enable unauthorized access. What kind of malware was most likely installed to the thumb drive?

Transposition Cipher

A transposition cipher involves transposing or scrambling the letters in a certain manner. Typically, a message is broken into blocks of equal size, and each block is then scrambled. In the simple example shown in Figure 8.1, the characters are transposed by changing the order of the group. In this case, the letters are rotated three places in the message. You could change the way Block 1 is transposed from Block 2 and make it a little more difficult, but it would still be relatively easy to decrypt.

SPIM

A type of spam that targets users over instant messaging.

15) Annual loss expectancy formula

ALE = SLE x ARO ALE = annual loss expectancy SLE = single loss expectancy ARO = annual rate of occurrence

What is ARP?

Address Resolution Protocol - resolves IPV4 address to MAC addresses

1) What does ARP do

Address routing protocol - converts IP (Layer 3) to MAC address (Layer 2)

Message digest algorithm

An algorithm that creates a hash value. The hash value is also used to help maintain integrity. There are several versions of MD; the most common are MD5, MD4, and MD2.

Repudiation attack

An attack in which an intruder modifies information in a system.

Birthday attack

An easy way to think of a birthday attack is to think about how the hashing process works. It is possible for two different values to be hashed and give the same result, even though they differ from what was originally used.

14) Closed-circuit sensor

An electrical circuit exist that when it is broken, it will trigger an alarm.

Serial line internet protocol (slip)

An older protocol designed to connect Unix systems together in a dial-up environment, and supports only serial communications.

SAML

An open standard based on XML used for authenticating and authorizing data.

Elliptic curve

An option to RSA that uses less computing power than RSA and is popular in smaller devices like smart phones.

What is DLP?

Data loss prevention - used to prevent the disclosure of PII. Can be network based (managing e-mail) or endpoint (preventing copying or printing of sensitive info).

17) Damage and Loss Control

Assess damage during a security incident and try to control the losses due to the security incident - control the loss

Hybrid Cryptography

Asymmetric Cryptography provides authentication and non-repudiation Key exchange Digital signature Symmetric Cryptography provides Data encryption after both parties have shared session key Hashing can be used for data integrity Example on pg 33

Asymmetric algorithms

Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes. As you may recall, symmetrical systems require the key to be private between the two parties. With asymmetric systems, each circuit has one key.

Message Authentication Code (MAC)

Authenticates both the source of a message and integrity of a message. Unlike digital signatures MACs are computed and verified with the same secret key (symmetric), can only be verified by intended recipient: Message is sent as well as encryption (mac) reciever obtains the message and encrypts with symmetric key if MACS are same message has been validated

Terminal Access controller Access Control system (TACACS)

Authentication service that ran in Unix System - TCP/UDP on port 49 - XTACACS - cisco proprietary authentication services for cisco devices

What is AH?

Authenticity Header - ensures the integrity of the data and the authenticity of the data's origin.

13) Key Archiving

Backing up cryptography keys to a secure location - to plan for lost keys - create key recovery policy (procedure to recover keys)

18) Vulnerability Scan

Base the decision on vulnerability database that is constantly updated - verify system configurations - verify software patches

Bcrypt

Bcrypt is used with passwords, and it essentially uses a derivation of the Blowfish algorithm, converted to a hashing algorithm, to hash a password and add Salt to it.

What are the four types of IDS?

Behavior based Signature based Anomaly based - looks outside of "normal" patterns of normal network behavior. Aka, linux commands sent to Windows computers. Heuristic - uses AI to determine if something odd is happening

bluesnarfing

Bluesnarfing is the gaining of unauthorized access through a Bluetooth connection. This access can be gained through a smartphone or any Bluetooth device. Once access has been achieved, the attacker can copy any data in the same way they would with any other unauthorized access.

CHAP

CHAP (Challenge Handshake Authentication Protocol) was designed to stop man-in the-middle attacks. During the initial authentication, the connecting machine is asked to generate a random number (usually a hash) and send it to the server. Periodically the server will challenge the client machine, demanding to see that number again. If an attacker has taken over the session, they won't know that number and won't be able to authenticate.

18) Protocol Analyzer/Packet Sniffer tool

Capture traffic traveling the network in order to view or analyze traffic - purpose to see if possible to capture sensitive information in clear text (acct num, SSN, passwords) - passive tools

Uses subnet mask 255.255.255.0 with first octet 192-223

Class C space

____ sites are the least expensive but the hardest to test

Cold

18) Banner grab

Connecting to open ports and collecting the response from the server. - to figure out if they can exploit that software

When the ___ of the controls exceeds the ____ of the risk, an organization ______ the remaining, or _____ risk>

Cost, Cost, accepts, residual.

Arbitrary code execution/remote code execution

Creates a means by which a program that they write can remotely accept commands and execute them.

What is XSRF

Cross Site request forgery - causes users to perform action son web sites such as making purchases without their knowledge

What is the difference between DoS and DDoS?

DDoS is an attack from two or more computers

Symmetric Algorithms (1 key) pg25/26

DES 3DES AES Blowfish Twofish CAST Rivest Cipher IDEA Skipjack Safer C32BRAIDES

Disaster Recovery Plan

DRP

What contains a list of critical systems and prioritizes services to restore after an outage

DRP

Worm

Dan is a network administrator. One day he notices that his DHCP server is flooded with information. He analyzes it and finds that the information is coming from more than 50 computers on the network. What is the most likely reason?

Data Encryption Standard (DES)

Data Encryption Standard: The Data Encryption Standard (DES) has been used since the mid-1970s. It was the primary standard used in government and industry until it was replaced by AES. It's based on a 56-bit key and has several modes that offer security and integrity. It is now considered insecure because of the small key size.

What is an IDS?

Designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact

What does a vulnerability assessment do?

Determines the security posture of a system or network by identifying vulnerabilities and weaknesses.

All In One Appliance

Device that combines numerous security functions into one device to reduce costs.

What should you do when you harden a device?

Disable unnecessary services and protocols to reduce attack vectors and to improve its security posture

How do you mitigate a smurf attack?

Disabling direct broadcast on routers. It is important to disable it on routers bordering on the Internet

DAC

Discretionary Access Control (DAC): Incorporates some flexibility. (allows users to share information (think permissions on google docs))

What is DAC?

Discretionary Access Control - files and folders have an owner, and the owner determines who has access.

What are tabletop exercises

Discussion-based testing of BCP or DRP

19) whoami command

Display current username logged and system - whoami > <system>/<user> - whoami /loginid (display SID)

Evaluation assurance levels (eal levels)

EAL 1: EAL 1 is primarily used when the user wants assurance that the system will operate correctly but threats to security aren't viewed as serious. EAL 2: EAL 2 requires product developers to use good design practices. Security isn't considered a high priority in EAL 2 certification. EAL 3: EAL 3 requires conscientious development efforts to provide moderate levels of security. EAL 4: EAL 4 requires positive security engineering based on good commercial development practices. It is anticipated that EAL 4 will be the common benchmark for commercial systems. EAL 5: EAL 5 is intended to ensure that security engineering has been implemented in a product from the early design phases. It's intended for high levels of security assurance. The EAL documentation indicates that special design considerations will most likely be required to achieve this level of certification. EAL 6: EAL 6 provides high levels of assurance of specialized security engineering. This certification indicates high levels of protection against significant risks. Systems with EAL 6 certification will be highly secure from penetration attackers. EAL 7: EAL 7 is intended for extremely high levels of security. The certification requires extensive testing, measurement, and complete independent testing of every component.

Interference Issues

EMI external interference course, Crosstalk internal interference talk, Radio frequency interference: noise of RF transmissions interfering transmission Eavesdropping: Splicing Attack: intruder physically breaks into a cable to capture pulse of energy on wire Packet Sniffing: Protocol analyzer, Promiscuous mode

ElGamal

ElGamal was developed by Taher Elgamal in 1984. It is an asymmetric algorithm, and several variations of ElGamal have been created, including Elliptic Curve ElGamal. ElGamal and related algorithms use what is called an ephemeral key. An ephemeral key is simply a key that exists only for that session. Essentially, the algorithm creates a key to use for that single communication session and it is not used again.

14) Class C fire

Electrical components and equipment - Use gas (halon), Co2, or nonconductive extinguishing agent

Which option enables you to hide ntldr?

Enable Hide Protected Operating System Files

Internet Small Computer System Interface (iSCI)

Encapsulates SCSI commands into IP packets making it routable across networks (LANs, WANs, or internet). Uses CHAP for authentication, uses VLANs for Eavesdropping issues.

What is ESP?

Encapsulating security payload - provides security services for the higher-level protocol portion of the packet (but not the IP header).

Stream cipher

Encrypt data one bit at a time - not as secure as block cipher, but fast execution - less prone to errors (only effect a single bit)

Symmetric encryption

Encrypting/Decryption information with the same key - Shared/preshared key, Secret key, Session key, Private key - Advantage - Faster than asymmetric - Disadvantage 1. must be sent in a secure manner 2. number of keys required increase dramatically between people ex) # Keys = people × (people-1) / 2

How does the tunneling method of IPsec work?

Encrypts the source and destination IP as well as the data. Requires each router to be IPsec

How do you protect against switching loop problems?

Ensure that Spanning Tree Protocol or Rapid STP is installed and enabled

Brute Force Attack

Exhausting all options, always works

Internet Content Filters

Filtering software that blocks web content that isnt compliant with policy.

Reviewing lessons learned and updating the plan is the ____ phase of the _____

Final DRP

What's purpose is to enforce a set of network security policies across network connections?

Firewall

16) BCP Project Initation

First phase of BCP to identify - continued business - compliance - past scenario

Public key

For a user to obtain a certificate from a certificate authority, the user must present two items. The first is proof of identity. What is the second?

18) Microsoft based Security Analyzer (BSA) Scanner

Free vulnerability scanner that assesses the patch level and configuration of Microsoft products

Frequency analysis

Frequency analysis involves looking at blocks of an encrypted message to determine if any common patterns exist. Initially, the analyst doesn't try to break the code but looks at the patterns in the message. In the English language, the letters e and t and words like the, and, that, it, and is are very common. Single letters that stand alone in a sentence are usually limited to a and I.

With unlimited time and money ____ provides the fastest recovery time

Full backup

______ strategies reduce the ammount of time needed to restore backup

Full/differential

________ strategies reduce the time needed to perform backup.

Full/incremental

18) What is Active Reconnaissance

Hacker collected IP addresses in profile phase and moves to scanning phase.

What is a HSM?

Hardware security module - a removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. Many server based applications use HSM to protect keys.

13) Root Certificate Authority (root CA)

Has is own certificate that is used to digitally sign any certificates - have self-signed certificates

MD5

Hash that is 128-bit; 1024-bit keys are common in asymmetric encryption.

LANMAN (LM hash)

Hash used by old Microsoft OS to hash and store password - encrypts password with DES - unsecure method of storing password hashes

Branches of Cryptography

Hashing Private key cryptography, symmetric encryption Public Key encryption, asymmetric encryption Quantum Cryptography

13) Subordinate Certificate Authorities (Subordinate CAs)

Have their own certificate that is issued and signed by the root CA - Used to segment different locations - Security note: power off root CA when not needed to prevent it being compromised

17) Live analysis Tool

Helix - best-know live analysis tool - live analyst - monitor process running - locate graphical files

What is a key stretching technique

Helps prevent brute force and rainbow table attacks by salting the password

IETF Standard

Hierarchical naming system of resources on the internet. Translates FQDN (fully qualified domain name) to IP add. Publishes information about the domain and the name servers of any domains subordinate

Hierarchical storage management (hsm)

Hierarchical storage management (HSM) is a newer backup type. HSM provides continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and it can be configured to provide the closest version of an available real-time backup. So rather than using one of the three traditional backup strategies, you ensure that data is being continuously backed up.

Hierarchical storage management (HSM)

Hierarchical storage management (HSM) provides continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and you can configure it to provide the closest version of an available real-time backup.

____ ____ HVAC systems provide more cooling capacity, keeping server rooms at lower operating temps, fewer failures, and longer MTBF times

Higher-tonnage

18) Honeynet

Like honeypot, but instead a full network of fake systems

What's the difference between an IDS and an IPS?

IDS help detect attacks on systems and networks; IPS stop attacks in progress by detecting and blocking attacks (active IDS will detect and block attacks). An IPS is in-line with the traffic: all traffic passes through the IPS An active IDS can take steps to block an attack, but only after the attack has started. The in-line configuration of an IPS allows it to prevent the attack in the first place.

IDS heuristic analysis

IDS identifies suspicious events based on past experience

HIDS

IDS is installed on host and monitors all traffic coming into the host (ie Antivirus)

False Positive

IDS reports legitimate activity as an intrusion

WPA2

IEEE 802.11i Personal (WPA-PSK) PreShared key grants access to WLAN Residential WLANs Enterprise (WPA-803.1X) Centralized key Mgmnt W.509 Digital Certificate Installed on Authentication server

Transitive trust

IF compA trust compB IF compB trust compC compA trust CompC (via compB)

What does IPsec use to authenticate clients in the IPsec conversation?

IKE over port 500

What's one special thing about IPv6 and IPsec?

IPsec is built into IPv6

1) How bit does IPv6 has

IPv6 is 128bit - Uses hexademical address format ex) 0:0:0:0:0:0:0:1 ( ::1) loopback

14) Class B fire

Liquid fire and includes burning of gas, oil, tars, solvents, and alcohol - Use CO2 or FM-200 extinguishers

What are detective controls?

Log monitoring, trend analysis, security auditing, surveillance

What is a baseline review?

Identifies changes from the standard configuration.

What does a BIA do?

Identifies the systems and components that are essential to the organization's success. It also identifies maximum downtime limits for these systems, various scenarios that could happen, and the potential losses from an incident.

16) business impact assessment

Identify critical business function and determine risk among those functions - identify critical business functions - identify resources used by function - determine allowable downtime - identify threats to function - determine mitigation technique

After ____ an incident, personnel attempt to ___ the problem

Identifying Isolate

Class C extinguisher

If a fire occurs in the server room, which device is the best method to put it out?

Directory Traversal Attack

If an attacker is able to gain access to restricted directories (such as the root directory) through HTTP, it is known as a directory traversal attack.

exclusive OR (XOR)

If one and only one, of the bits has the value of 1 then the result is 1. Else result value is 0 0+0=0 0+1=1 1+0=1 1+1=0

What does implicit deny mean?

If something is not specifically permitted then it is not allowed.

How do you mitigate risk?

Implementing controls.

Key Exchange

In Band: Out of Band:

Flattery and dumpster diving

In addition to bribery and forgery, What are the most common techniques that attackers use to socially engineer people?

Role-based access control (RBAC)

In an environment where administrators, the accounting department, and the marketing department all have different levels of access, What access control models is being used?

Where could a flood guard be implemented and against what?

In firewalls and IDS/IPS, and used to prevent against DoS and DDoS

Chosen Plaintext

In this attack, the attacker obtains the ciphertexts corresponding to a set of plaintexts of their own choosing. This allows the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key. This can be difficult, but it is not impossible. Advanced methods such as differential cryptanalysis are chosen plaintext attacks.

IPSs are always placed where?

Inline with traffic

How do you prevent against XSS attacks?

Input validation

How do you prevent SQL injection attacks?

Input validation and stored procedures

What is a recovery agent?

Recovers user messages and data when users lose access to their private keys. Sometimes they can recover the private key from escrow

IEEE

Institute of electrical and electronics engineers, An international organization that sets standards for various electrical and electronics issues.

Error and exception handling protects the ______ of an operating system

Integrity.

IDEA

International Data Encryption Algorithm (IDEA) was developed by a Swiss consortium. It's an algorithm that uses a 128-bit key. This product is similar in speed and capability to DES, but it's more secure. IDEA is used in Pretty Good Privacy (PGP), a public domain encryption system used by many for email. Currently, ASCOM AG holds the right to market IDEA.

IETF

Internet engineering task force, An international organization that works under the Internet Architecture Board to establish standards and protocols relating to the Internet.

Lightweight Directory Access Protocol

Internet protocol designed for access to directory services over TCP port 389

13) Online Certificate Status Protocol (OSCP)

Internet protocol that uses HTTP to communicate with CA and check status on cert

What is ISAKMP

Internet security association and key management protocol

Key Management

Key Length Crypto Period Centralized Key Management Decentralized Key Management

Key Stretching

Key stretching refers to processes used to take a key that might be a bit weak and make it stronger, usually by making it longer. The key (or password/passphrase) is input into an algorithm that will strengthen the key and make it longer, thus less susceptible to brute-force attacks.

What is Bcrypt and PBKDF2

Key stretching techniques

Your network uses an authentication service based on the X.500 specification. When encrypted, it uses TLS. Which authentication service is your network using?

LDAP

1) Switch

Layer 2 device - Filter traffic by layer-2 address

What layer does IPSEC operate?

Layer 3 (network)

1) Router

Layer 3 device - reponsible for routing or sending data to source and destination

Logic bomb

Logic bombs are programs or code snippets that execute when a certain predefined event occurs. A bomb may send a note to an attacker when a user is logged on to the Internet and is using a word processor. This message informs the attacker that the user is ready for an attack.

What is war driving?

Looking for a wireless network. Can be used as part of a wireless audit

Passive IDS

Looks for security breaches but does nothing

What are two popular hashing algorithms?

MD5 and SHA

Message authentication algorithm

MD5, SHA

Mean time between failure

MTBF

Mean Time to Recovery

MTTR

Macro Virus

Macro: This type of virus exploits enhancements made to many application programs, which are used by programmers to expand the capability of applications.

RACE Integrity Primitive Evaluation Message Digest (RIPEMD)

Main version is RIPEMD-160 bit hash - other version 128, 256, 320bit hash

Hashing

Maintain integrity of the information - verify data has not been changed - message digest - algorithm to generate hash value

Mandatory Access Control

Mandatory Access Control (MAC): All access is predefined. (think top secret, secret, etc)

What is MAC?

Mandatory Access Control - administrators assign labels to users and objects - when the labels match, the user can have access. Think need-to-know.

TRUE

Mandatory access control users cannot share resources dynamically.

______ ______ require employees to take time away from their job. These help ___ ___ and ____ _____ ____ while the employee is away

Mandatory vacations Deter fraud discover malicious activities

MTBF

Mean Time between failures = is the measure of the anticipated incidence of failure for a system or component. This measurement determines the component's anticipated lifetime. If the MTBF of a cooling system is one year, you can anticipate that the system will last for a one-year period; this means that you should be prepared to replace or rebuild the system once a year. If the system lasts longer than the MTBF, it's a bonus for your organization. MTBF is helpful in evaluating a system's reliability and life expectancy

What is MTBF?

Mean time between failure

OCSP

Mechanism used to verify immediately whether a certificate is valid.

A ______ __ _____ defines responsibilities of each party, but is not as strict as a ___ ____ ____ or a ____ ____ ___

Memorandum of Understanding Service level agreement Interconnection security agreement

MOU

Memorandum of understanding (less formal than BPA)

17) Where to find evidence

Memory - includes documents/recent password swap file - info dumped from ram to swap file Hard Drive - registry, email, file system DVD - mobile device -

NTLM

Microsoft replaced the LANMAN protocol with NTLM (NT LAN Manager) with the release of Windows NT. NTLM uses MD4/MD5 hashing algorithms. Several versions of this protocol exist (NTLMv1, NTLMv2), and it is still in widespread use despite the fact that Microsoft has pointed to Kerberos as being its preferred authentication protocol. Although LANMAN and NTLM both employ hashing, they are used primarily for the purpose of authentication. NTLM version 2 uses 128-bit encryption. It is the most secure form of challenge/response authentication. It is used when clients running Windows 2000 Professional connect to servers in a Windows NT domain, where all domain controllers have been upgraded to Windows NT 4.0 with Service Pack 4 or later. It is also used when clients running Windows 2000 connect to servers running Windows NT in a Windows 2000 domain

fuzzing

Most applications that are written to accept input expect a particular type of data—string values, numerical values, and so on. Sometimes, it is possible to enter unexpected values and cause the application to crash. When that happens, the user may be left with elevated privileges or access to values they should not have. Fuzzing is the technique of providing unexpected values as input to an application in order to make it crash. Those values can be random, invalid, or just unexpected. A common method is to flood the input with a stream of random bits.

When collecting data for forensic analysis, it should be collected from the ___ ___ to the __ ___

Most volatile Least volatile

Caesar cipher

Moves all characters 3 to the right

M of N control

Multiple Key Pairs: Two pairs of private/key pairs One pair for digitally signing the other for securely delivering the message

What is RTO

Recovery time objective - identifies the max amount of time it should take to restore a system after an outage.

What is NDP?

Neighbor Discovery Protocol. ARP (and others) but for IPv6

XMAS Attack

Network mapping allows you to see everything that is available. The best-known network mapper is Nmap, which can run on all operating systems and is found at http://nmap.org/. One of the most popular attacks that uses Nmap is known as the Xmas attack (also more appropriately known as the Xmas scan), or Christmas Tree attack. This is an advanced scan that tries to get around firewall detection and look for open ports

Secure Socket Transport Protocol (SSTP)

Newest of 3 VPN protocol - Uses SSL to encrypt VPN traffic - Advantage - less configuration on firewall - uses port 443 (HTTPS)

Non-repudiation

Non-repudiation prevents one party from denying actions they carried out. To use an analogy, imagine coming home to find your house's picture window broken. All three of your kids say they didn't do it, and the babysitter says it must have been broken when she arrived. All the parties who could be guilty are "repudiating" the fact that they did it, and it's their word against common sense. Now, imagine that you had a nanny-cam running and were able to review the video and see who actually broke it. The video cancels out their saying that they knew nothing about the broken window and offers "non-repudiation" of the facts.

Point-to-Point Tunneling Protocol (PPTP)

Old VPN protocol used to encrypt PPP traffic - uses Generic Routing Encapsulation (GRE) to transport PPP - Microsoft Point-to-Point Encryption (MPPE) protocol encrypt the traffic - Port 1723

Diffie-Hellman tip

On the Security+ exam, if you are asked about an algorithm for exchanging keys over an insecure medium, unless the context is IPSec, the answer is always Diffie-Hellman.

Change management

One of the developers for your company asks you what he should do before making a change to the code of a program's authentication. What processes should you instruct him to follow?

RAID

One of your database servers is mission-critical. You cannot afford any downtime. What is the best item to implement to ensure minimal downtime of the server and ensure fault tolerance of the data stored on the database server?

17) Secure Wipe (why)

Program that makes 3 passes to target drive wiping all previous data - important from a legal point that target device is clean so it does not contaminate suspect drive

One time pads

One-time pads are the only truly completely secure cryptographic implementations. They are so secure for two reasons. First, they use a key that is as long as a plaintext message. That means there is no pattern in the key application for an attacker to use. Also, one-time pad keys are used only once and then discarded. So even if you could break a one-time pad cipher, that same key would never be used again, so knowledge of the key would be useless.

18) OVAL security assessment

Open Vulnerability and Assessment Language - 3 stages 1. Represent system information 2. Asses Vulnerabilities 3. Report on vulnerabilities

18) OCTAVE security assessment

Operationally Critical Threat, Asset, Vulnerability Evaluation - Is a self-directed security assessment methodology (company resources) 1.) identify assets and threats 2.) identify vulnerabilities 3.) Mitigate threats and vulnerabilities

International telecommunications union

Organization responsible for communications standards, spectrum management, and the development of communications infrastructures in underdeveloped nations.

PBKDF2

PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v. 2.01. It applies some function (like a hash or HMAC) to the password or passphrase along with Salt to produce a derived key.

What wireless standard requires a certificate on the 802.1x server?

PEAP and EAP-TTLS

PKI (public key infrastructure)

PKI is a two-key, asymmetric system with four key components: Certificate Authority CA, Registration Authority RA, RSA, and digital certificate •A framework for creating, managing, issuing, distributing, and storing asymmetric private keys and X.509 digital certificates

Public key infrastructure (PKI)

PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. The latter two were addressed in the previous chapter, and this one focuses more on the former two. Messages are encrypted with a public key and decrypted with a private key. As an example, take the following scenario: You want to send an encrypted message to Jordan, so you request his public key. Jordan responds by sending you that key. You use the public key he sends you to encrypt the message. You send the message to him. Jordan uses his private key to decrypt the message. The main goal of PKI is to define an infrastructure that should work across multiple vendors, systems, and networks. It's important to emphasize that PKI is a framework and not a specific technology. Implementations of PKI are dependent on the perspective of the software manufacturers that implement it. This has been one of the major difficulties with PKI: Each vendor can interpret the documents about this infrastructure and implement it however they choose. Many of the existing PKI implementations aren't compatible with each other, but this situation should change over the next few years because customers demand compatibility.

Network Monitoring

Promiscuous Mode. Packet Capture and Analysis Network Intrusion Detection Systems (NIDS) / Network Intrusion Prevention Systems (NIPS). HostIDS (HIDS) HostIPS (HIPS). Pg 101

18) Vulnerability Assessment

Passive type of assessment - looking to identify weakness but not interested in testing weaknesses - better when management are against hacking tools - no risk of performing DOS on systems

What is PAP?

Password authentication protocol - uses a password or PIN. It sends information cleartext.

18) BackTrack

Penetration Test tool - Includes crack passwords, crack wireless encryption, do passive testing,

18) Manual Assessment

Performing configuration assessment and verifying configuration of the network and system - ensure best practices are being followed

With regards to Wireless, what is the difference between personal and enterprise mode?

Personal doesn't require authentication, it uses a pre-shared key. Enterprises forces them to authenticate prior to gaining network access.

Phage Virus

Phage: This type of virus is one that modifies and alters other programs and databases.

Exclusive-OR (XOR) Operations

Plaintext is XOred with random keystring to generate ciphertext. Used in parity checking. If value are same result is 0 if values are different result is 1 Plaintext: 0101 0001 Keystream: 0111 0011 OutputXOR: 0010 0010

18) Maintaining Access after gaining access

Plants a back door, such as creating a - creating admin account - planting rootkit - trojan virus

What is PaaS?

Platform as a service

What's the difference between PaaS and IaaS.

Platform is fully managed by the vendor; Infrastructure are updated by the customer

Polymorphic Virus

Polymorphic: These viruses change form in order to avoid detection.

18) Nessus scanner

Popular vulernability scanner that can used to scan network to identify vulnerabilities and patches missing

What is Xmas attack?

Port scan used to identify the underlying details of an operating system.

What is PPTP

Port to Port tunneling protocol - used by Microsoft, but has many vulnerabilities.

PGP

Pretty Good Privacy (PGP) is a freeware email system. As mentioned earlier in the chapter, PGP was introduced in the early 1990s, and it's considered to be a very good system. It's widely used for email security.

non-repudiation

Prevents one party from denying actions they carried out. Combination of integrity and authentication (provided via Sessions ID, DIgital SIgnature)

LANMAN

Prior to the release of Windows NT, Microsoft's operating systems used the LANMAN protocol for authentication. While functioning only as an authentication protocol, LANMAN used LM Hash and two DES keys. It was replaced by the NT LAN Manager (NTLM) with the release of Windows NT.

Private networks can use IP addresses anywhere in the following ranges: 192.168.0.0 - 192.168.255.255 (65,536 IP addresses) 172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses) 10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)

Private IPv4 space

17) File filtering tools

ProDiscover, Encase, FTK - eliminate OS files and finds contraband files

17) Forsenic tools that can acquire image and perform analysis

ProDiscover, Encase, Forensics Toolkit

What is a site survey?

Process of examining the wireless environment to identify potential issues.

Authentication

Process of verifying the sender is who they say they are

Web Security Gateway

Proxy server with web protection built in.

What are some parts of a certificate?

Public key and details on the owner, along with the CA that issued the certificate

In Web site encryption: The web site's _____ key _____ The web site's _____ key ___ The ______ key _____ data in the web site session

Public key encrypts private key decrypts symmetric key encrypts

Key exchange algorithm

RSA, Diffie-Hellman, ECDH

type 3 errors

Recognizing something is wrong but realizing it for the wrong reason (noticing users cant log in rather than missing important data)

Risk Transference

Risk transference, contrary to what the name may imply, does not mean that you shift the risk completely to another entity. What you do instead is share some of the burden of the risk with someone else, such as an insurance company. A typical policy would pay you a cash amount if all the steps were in place to reduce risk and your system was still harmed.

Software RAID 1 and Hardware RAID 5

Robert has been asked to make sure that a server is highly available. He must ensure that hard drive failure will not affect the server. What methods allows for this?

RBAC

Role-Based Access Control (RBAC): Allows the user's role to dictate access capabilities.

___ ____ help an organization ensure they are following their policies.

Routine audits

•Access Control List (ACL)

Rule based access control configured on an interface to restrict access to resources. •Can be applied to inbound or outbound traffic •Implicit denies anything not in ACL

Rule-Based Access Control (RBAC)

Rule-Based Access Control (which also uses the RBAC acronym) is gaining in popularity and limits the user to make settings in preconfigured policies.

Secure Copy Protocol (SCP)

Run on top of SSH channel - encrypts the communication used to transfer file

15) single loss expectancy formula

SLE = value($) x EF(%) single loss expectancy (SLE) exposure factor (EF)

Mirroring Port

SPAN: Allows network monitoring across a switch.A copy of all frames traversing through the switch will be sent to mirroring port. Affects performance of switch.

SPAP

SPAP (Shiva Password Authentication Protocol) replaced PAP. The main difference is that SPAP encrypts the username and password.

Key Words

SPOOF MIMO Sandbox MAC address list ESSID

An attack that passes queries to back-end databases through web servers are called what?

SQL injection

Phrases that use ' or '1'='1' are used in what types of attacks

SQL injection

SSH suite

SSH, SCP, SFTP, Slogin used in TCP 22 Example: Putty, OpenSSH

NOTE

SSL IPsec

What does Secure LDAP use?

SSL or TLS for encryption

18) SYN scan (half open)

SYN scan - does not do complete 3 way handshake (generate too much traffic) - Send SYN > replies with SYN-ACK > connection is dropped ex) nmap -sS 192.168.2.0/24

Hash Hardening uses

Salt Clipping level: security measure to keep data secure

Salt

Salt, refers to the addition of bits at key locations, either before or after the hash. So if you type in the password letmein, bits are added by the operating system before it is hashed. Using Salt, should someone apply a rainbow table attack, the hash they search for will yield a letter combination other than what you actually typed in.

What is salting?

Salting passwords. Used to prevent against rainbow attacks by adding a set of random data to the password before hashing it.

What are two techniques social engineers use?

Scarcity and urgency

S/MIME

Secure Multipurpose Internet Mail Extensions (S/MIME) is a standard used for encrypting email. S/MIME contains signature data. It uses the PKCS #7 standard (Cryptographic Message Syntax Standard) and is the most widely supported standard used to secure email communications. MIME is the de facto standard for email messages. S/MIME, which is a secure version of MIME, was originally published to the Internet as a standard by RSA. It provides encryption, integrity, and authentication when used in conjunction with PKI. S/MIME version 3, the current version, is supported by IETF. Note S/MIME is defined by RFC 2633. For the exam, know that it's a secure version of MIME used for encrypting email. Know, as well, that it uses asymmetric encryption algorithms for confidentiality and digital certificates for authentication.

What are two advantages of imaging?

Secure starting point and reduced cost

What is SAML

Security Assertion Markup Language - is an XML based data format used for SSO on web browsers

__ ___ __ educate users about emerging threats and techniques attackers are currently using

Security awareness programs

___ ____ are management controls that identify a security plan

Security policies

Clipping Level

Security threshold. Number of times before security measure responds.

What can baseline reports be used for?

Security, OS, application, and software baselines

What is fuzzing?

Sending random strings of data to applications looking for vulnerabilities. Can be used in attacks and application testing

Security awareness training is dependent upon the support of

Senior management

MTTF

Similar to MTBF, the mean time to failure (MTTF) is the average time to failure for a nonrepairable system. If the system can be repaired, the MTBF is the measurement to focus on, but if it cannot, then MTTF is the number to look at. Sometimes, MTTF is improperly used in place of MTBF, but as an administrator you should know the difference between them and when to use one measurement or the other.

What is SNMP?

Simple Network Management Protocol. Standard for managing devices on IP-based networks

1) What does SNMP protocol do

Simple Network Management protocol - Collects information network device on IP network

Trust Models

Single Authority Trust Hierarchical Trust Bridge Trust Web of Trust

What is elliptic curve cryptography used with commonly?

Small wireless devices

Steganography

Steganography is the process of hiding a message in a medium such as a digital image, audio file, or other file. In theory, doing this prevents analysts from detecting the real message. You could encode your message in another file or message and use that file to hide your message. The most common way this is done today is called the least significant bit (lsb) method. As you know, everything on a computer is stored in bits that are organized into bytes. For example, a single pixel on a Windows computer screen is stored in 3 bytes/24 bits. If you changed the very last bit (the least significant bit in each byte), then that would not make a noticeable change in the image. In other words, you could not tell that anything had been changed. Using this fact, you can store data by putting it in the least significant bits of an image file. Someone observing the image would see nothing out of the ordinary.

What is a logic bomb?

String of code that executes in response to an event (like launching an application).

____ ensures that an organization can continue to thrive even if key leaders unexpectedly leave or are unavailable.

Succession planning

What is SPAN?

Switch port analyzer, or port mirroring. A port on a switch that will see all of the traffic passing through a switch or specific VLAN

What type of cipher is AES?

Symmetric block - it encrypts data in 128 bit blocks

Initialization vector (IV)

Synonyms (salt and noance), increases strength of cipher text by mitigating exploitable patterns, random values used in conjuction with algorithms.

18) Honeypot

System on network to attract hackers - buy time if hacker gain access to network - help detect zero day exploits

POP3

TCP 110 plaintext/ IMAP4 TCP 143 plaintext

What port does PPTP use?

TCP 1723

Secure LDAP

TCP port 636 - encrypt communication between client and LDAP system

RIPEMD

The RACE Integrity Primitives Evaluation Message Digest (RIPEMD) algorithm was based on MD4. There were questions regarding its security, and it has been replaced by RIPEMD-160, which uses 160 bits. There are versions in existence that use 256 and 320 bits (RIPEMD-256 and RIPEMD-320, respectively), but all versions of RIPEMD remain.

SHA

The Secure Hash Algorithm (SHA) was designed to ensure the integrity of a message. SHA is a one-way hash that provides a hash value that can be used with an encryption protocol. This algorithm produces a 160-bit hash value. SHA-2 has several sizes: 224, 256, 334, and 512 bit. SHA-2 is the most widely used, but SHA-3 has been released. Although SHA3 is now a standard, there simply are no known issues with SHA2, so it is still the most widely used and recommended hashing algorithm. The algorithm was originally named Keccak and designed by Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche.

Digital Signature Process pg 30

The Sender The Recipient

x.509

The X.509 standard defines the certificate formats and fields for public keys. It also defines the procedures that should be used to distribute public keys. The X.509 version 2 certificate is still used as the primary method of issuing Certificate Revocation List (CRL) certificates. The current version of X.509 certificates is version 3, and it comes in two basic types:

What is a SYN attack?

The attacker sends a SYN packet, and the host responds, but the attacker never acknowledges. It consumes resources

IPsec authentication headers

The authentication information is a keyed hash based on all the bytes in the packet.

What identifies the RTO

The maximum allowable outage identified in the BIA

RPO

The recovery point objective (RPO) is similar to RTO, but it defines the point at which the system needs to be restored. This could be where the system was two days before it crashed (whipped out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). As a general rule, the closer the RPO matches the item of the crash, the more expensive it is to obtain.

Turn off.

The server room is on fire. What should the HVAC system do?

tkip

To strengthen WEP encryption, a Temporal Key Integrity Protocol (TKIP) was employed. This placed a 128-bit wrapper around the WEP encryption with a key that is based on things such as the MAC address of the destination device and the serial number of the packet. TKIP was designed as a backward-compatible replacement to WEP, and it could work with all existing hardware. Without the use of TKIP, WEP, as mentioned earlier in this chapter, was considered weak. It is worth noting, however, that even TKIP has been broken.

The NIPS is blocking web activity from those specific websites.

Tom is getting reports from several users that they are unable to download specific items from particular websites, although they can access other pages of those websites. Also, they can download information from other websites just fine. Tom's IDS is also sending him alarms about possible malicious traffic on the network. What is the most likely cause why the users cannot download the information they want?

How does a WPA attack work?

Traffic is captured, wait for a client to connect (so the four way authentication handshake can be captured), brute force

Examples of operational controls:

Training, awareness, change management, physical and environmental protection, media protection, contingency planning

A _____ attack attempts to access a back-end server through another server

Transitive (SQL is an example)

Network Address Translation (NAT)

Translates a private address into a public address •Types of NAT (PAT)

ElGamal term

Transmitting digital signatures and key exchanges.

3DES

Triple-DES (3DES) is a technological upgrade of DES. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it's more secure than DES. It increases the key length to 168 bits (using three 56-bit DES keys).

What is TFTP?

Trivial File Transfer Protocol - smaller amounts of data.

Typo Squatting / url hijacking

Typo squatting (also spelled typosquatting) and URL hijacking are one and the same. Difficult to describe as an attack, this is the act of registering domains that are similar to those for a known entity but based on a misspelling or typographical error. As an example, a reader wanting to go to Sybex.com to find out additional information about this book would be visiting the publisher's site (hosted beneath Wiley, incidentally), but someone intending on doing harm could register Sybecks.com in the hopes that the same reader would misspell the word. Instead of arriving at the safe site of the publisher, they would end up at the other site, which could download Trojans, worms, and viruses-oh my.

What prot does L2TP use?

UDP 1701

What is USGCB

US Government Configuration Baseline -

What is bluejacking?

Unauthorized sending of messages to a device

What is UTM?

Unified Threat Management. A marketing term to describe all-in-one devices employed in network security.

What is a flood guard?

Used to defend against flooding attacks, and flood guards manage traffic flows and block traffic

Quantum Cryptography

Used with fiber optics - send encrypted information as photons (particles of light) and then converted into binary - charge of state of photons will changed if someone listens to the communication channel - change is easily detected informing to change the cryptography key

Layer 2 Tunneling Protocol (L2TP)

User a more secure IPsec for encryption instead of MPPE. Uses the following port - UDP port 500 (for key exchange) - UDP port 5500 (for IPSec NAT) - UDP port 1701 on the firewall

Asymmetric Cryptography (public key / 2 key pair cryptography)

User is assigned a key pair. Public key is available to all. Private key is kept secret. Slower than symmetric Receiver public key can be used by sender to encrypt a message and receiver private key can be used by the receiver to decrypt the message You can also encrypt the message with your private key and receiver can decrypt with your public key El Gammal pg 29 RSA pg 29 both encryption and digital signature ECC pg 29 highest strength per bit of key length Whole Disk encryption: software or hardware that encrypts the disk or volume. WES is the algorithm of choice , crucial for mobile storage devised and databases. bitlocker or filevault

Password Authentication protocol

User on RAS or sercure VPN connection - sends credential in plain text and is very insecure

Kerberos

Users on your network are identified with tickets. What systems is being used?

What is dynamic NAT?

Uses multiple public IP addresses (while PAT uses one).

What is an armored virus?

Uses one or more techniques to make it difficult to reverse engineer. - complex code - encryption - hiding the location

Quantum Cryptography

Uses photons and qubits instead of bits Pulses of light, LED, and fiber optics One cannot look at the data without changing it. Untapable

What is vishing?

Uses the phone system to trick users into giving up information.

Hash-based Message Authentication Code (HMAC)

Using secret key combined with hashing algorithm to calculate message authetication code (MAC) - MAC is the resulting hash value

SIP and RTP protocols

VOIP protocols - common security to prative to create seperate VLAN for voip traffic

VoIP

Voice Over internet Protocol: uses SIP (session initiation protocol - port 5060plaintext application layer decentralized, peer to peer) to manage sessions Implement IEEE 802.1q Issues: Eavesdropping. SPIT (Unsolicitted Unwanted Telephone Calls)

What is an Evil Twin?

WAP with the same SSID

CHAP(Challenge Handshake Authentication Protocol)

Which authentication method completes the following in order: logon request, encrypts value response, server, challenge, compare encrypts results, and authorize or fail referred to?

HSM

Which device is used to encrypt the authentication process?

Network

Which layer of the OSI model does IPsec operate at?

Wireless Transport Layer Security

WTLS provides authentication, encryption, and data integrity for wireless devices. It's designed to utilize the relatively narrow bandwidth of these types of devices and is moderately secure. WTLS provides reasonable security for mobile devices, and it's being widely implemented in wireless devices. WTLS provides an encrypted and authenticated connection between a wireless client and a server. It is similar in function to TLS, but it uses a lower bandwidth and less processing power. WTLS used to support wireless devices, which don't yet have extremely powerful processors.

Whaling

Whaling is nothing more than phishing or spear phishing (both of which are discussed in Chapter 9, "Malware, Vulnerabilities, and Threats") but for big users. Instead of sending out a To Whom It May Concern message to thousands of users, the whaler identifies one person from whom they can gain all the data they want—usually a manager or owner—and targets the phishing campaign at them.

MS-CHAPv1 is capable of mutual authentication of the client and server.

What about authentication is false?

Rule-based access control

What access control methods uses rules to govern whether object access will be allowed?

Mandatory access control

What access control models, uses object labels?

MAC flooding

What activity will most likely enable an attacker to force a switch to function like a hub?

AES

What algorithms adhere to the requirement of 128 bits?

RSA

What algorithms is used by the protocol TLS to establish a session key?

One-to-one mapping and many-to-one mapping

What are certificate-based authentication mapping schemes?

TACACS+ separates authentication, authorization, and auditing capabilities.

What best describes the difference between RADIUS and TACACS+?

"Fingerprint" of the operating system

What can hackers accomplish using malicious port scanning?

Discretionary access control

What can restrict access to resources according to the identity of the user?

Java applets need to have virtual machine web browser support.

What characterizations best suits the term Java applet?

3) What is Acceptable Use Policy (AUP)

What company consider acceptable uses of its assets - Standards reivew and signed by all employees

External security testing is conducted from outside the organization's security perimeter.

What descriptions is true concerning external security testing?

Router

What device would most likely have a DMZ interface?

TKIP and AES

What encryption algorithms are supported by the IEEE 802.11i standard?

Shielding

What environmental controls is part of the TEMPEST standards?

Vulnerability scanning

What is a passive attempt at identifying weaknesses?

To segregate network services and roles

What is a security reason to implement virtualization in your network?

CAC (common access card)

What is a type of photo ID that is used by government officials to gain access to secure locations?

Identification and authentication

What security actions should be completed before a user is given access to the network?

DMZ

What should be placed between the LAN and the Internet?

A cipher can be reversed; a hash cannot.

What statement correctly describes the difference between a secure cipher and a secure hash?

Grandfather-father-son

What tape backup methods enables daily backups, weekly full backups, and monthly full backups?

PGP

What technologies uses a PSK?

VLAN

What technology was originally designed to decrease broadcast traffic and reduce the likelihood of having information compromised by network sniffers?

Access control lists

What would you use to control the traffic that is allowed in or out of a network?

16) Disk duplexing

When RAID 0 solution uses a disk controller on each hard disk connected to it

What is a hash collision?

When a hashing algorithm creates the same hash from different passwords.

Domain name kiting

When a new domain name is issued, there is a five-day grace period before you must technically pay for it. Those engaged in kiting can delete the account within the five days and re-register it—allowing them to have accounts that they never have to pay for.

What is a buffer overflow?

When an application receives more data than it can handle - it exposes system memory

TACACS+

When attempting to grant access to remote users, which protocol uses separate, multiple-challenge responses for each of the authentication, authorization, and audit processes?

Captive portal

When connecting to a wireless ap a splash screen to pay or accept t&c

AES

When encrypting credit card data, which would be the most secure algorithm with the least CPU utilization?

When testing to identify known potential security risks inherent to your design

When is it appropriate to use vulnerability scanners to identify any potential holes in your security design?

Class D

Which of the following fire extinguishers should be used to put out magnesium- or titanium-based metal fires?

WPA

WiFi Protected Access improves the encryption and authentication features of WEP (Wired Equivalent Privacy) Still uses RC4. Dynamic keys. Temporal key integrity protocol.

_____ _____ reduce the management burden associated with certificate

Wildcard certificates

Wireless Application Protocol (WAP)

Wireless Application Protocol (WAP) is a technology designed for use with wireless devices. WAP has become a data transmission standard adopted by many manufacturers, including Motorola and Nokia. WAP functions are equivalent to TCP/IP functions in that they're attempting to serve the same purpose for wireless devices. WAP uses a smaller version of HTML called Wireless Markup Language (WML), which is used for Internet displays. WAP-enabled devices can also respond to scripts using an environment called WMLScript. This scripting language is similar to the Java programming language. The ability to accept web pages and scripts allows malicious code and viruses to be transported to WAP-enabled devices.

DNS spoofing / DNS poisoning

With DNS spoofing, the DNS server is given information about a name server that it thinks is legitimate when it isn't. This can send users to a website other than the one they wanted to go to, reroute mail, or do any other type of redirection wherein data from a DNS server is used to determine a destination. Another name for this is DNS poisoning, and Fast flux is one of the most popular techniques.

Rainbow table

With a rainbow table, all of the possible hashes are computed in advance. In other words, you create a series of tables; each has all the possible two-letter, three-letter, four-letter, and so forth combinations and the hash of that combination, using a known hashing algorithm like SHA-2. Now if you search the table for a given hash, the letter combination in the table that produced the hash must be the password you are seeking.

PPPoE point to point over ethernet

Works at data link layer creates a direct, virtual, point to point connection to be created between two systems but within a multi access environment such as Ethernet

Risk assessment

You are implementing a new enterprise database server. After you evaluate the product with various vulnerability scans you determine that the product is not a threat in of itself but it has the potential to introduce new vulnerabilities to your network. Which assessment should you now take into consideration while you continue to evaluate the database server?

A two-factor authentication scheme and security awareness training

You are in charge of decreasing the chance of social engineering. What should you implement?

Kerberos

You are in charge of training a group of technicians on the authentication method their organization uses. The organization currently runs an Active Directory infrastructure. What best correlates to the host authentication protocol used within that organization's IT environment?

Back up data to removable media and store a copy offsite.

You are in charge of your organization's backup plan. You need to make sure that the data backups are available in case of a disaster. However, you need to keep the plan as inexpensive as possible. What solutions should you implement?

Security Log

You are setting up auditing on a Windows computer. If set up properly, which log should have entries?

TPM

You are tasked with implementing a solution that encrypts the CEO's laptop. However, you are not allowed to purchase additional hardware or software. What solutions should you implement?

Power levels

You are tasked with implementing an access point to gain more wireless coverage area. What should you look at first?

RADIUS

You are tasked with setting up a wireless network that uses 802.1X for authentication. You set up the wireless network using WPA2 and CCMP; however, you don't want to use a PSK for authentication. What options would support 802.1X authentication?

Install pop-up blockers

You are the security administrator for a multimedia development company. Users are constantly searching the Internet for media, information, graphics, and so on. You receive complaints from several users about unwanted windows appearing on their displays. What should you do?

Rootkit

You are the security administrator for your organization and have just completed a routine server audit. You did not notice any abnormal activity. However, another network security analyst finds connections to unauthorized ports from outside the organization's network. Using security tools, the analyst finds hidden processes that are running on the server. What has most likely been installed on the server?

anomaly-based IDS

You have been alerted to suspicious traffic without a specific signature. Under further investigation, you determine that the alert was a false indicator. Furthermore, the same alert has arrived at your workstation several times.

Disable unauthorized ActiveX controls.

You have been asked by an organization to help correct problems with users unknowingly downloading malicious code from websites. What should you do to fix this problem?

Role-based access control

You have been commissioned by a customer to implement a network access control model that limits remote users' network usage to normal business hours only. You create one policy that applies to all the remote users. What access control model are you implementing?

Separation of duties

You have been hired by an organization to design the security for its banking software. You need to implement a system where tasks involving the transfer of money require action by more than one user. Activities should be logged and audited often. What access control method should you implement?

RAID

You have been tasked with increasing the level of server fault tolerance. What should you implement to ensure that servers' data can withstand hardware failure?

SNMPv3

You have been tasked with providing daily network usage reports of layer 3 devices without compromising any data during the information gathering process. What technology should you select in this scenario?

Gray box

You have been tasked with running a penetration test on a server. You have been given limited knowledge about the inner workings of the server. What kind of test will you be performing?

VLAN

You have been tasked with segmenting internal traffic between layer 2 devices on the LAN. What network design elements would most likely be used?

Performance Monitor

You have established a baseline for your server. What is the best tool to use to monitor any changes to that baseline?

Vulnerability scan

You have received several reports from users of corrupted data. You patched the affected systems but are still getting reports of corrupted data. What methods should you use to help identify the problem?

Deploy a honeypot on the perimeter of the network.

You need to gather information about a network attacker but you want to prevent the attacker from knowing that their attempt has been detected.

SNMP

You need to protect passwords. What protocols is not recommended because it can supply passwords over the network?

LANMAN

You scan a computer for weak passwords and discover that you can figure out the password by cracking the first seven characters and then cracking the second part of the password separately. What type of hash is being used on the computer?

Mandatory vacations

Your boss speculates that an employee in a sensitive position is committing fraud. What is the best way to identify if this is true?

Private key

Your boss wants you to set up an authentication scheme in which employees will use smart cards to log in to the company network. What kind of key should be used to accomplish this?

Signature-based IDS

Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this?

*If an asset is valued at 100,000, the threat exposure factor of a risk affecting that asset is 25%, and the annualized rate of occurrence is 20%, what is the ALE?* a. $5,000 b. $20,000 c. $25,000 d. $45,000

a. *$5,000* The annualized loss expectancy (ALE) is the product of the SLE (value times exposure factor) and the ARO or $20% of 100,000 × 25% = $5,000. Answer B is incorrect because $20,000 represents the asset value times ARO. Answer C is incorrect because the value times the exposure factor represents the single loss expectancy (SLE) rather than the annual loss expectancy (ALE). Answer D is simply an incorrectly calculated value.

Fibre Channel over Ethernet (FCoE)

•Ethernet and fibre channel standards are modified to be compatible

*An Internet Protocol version 6 (IPv6) address is _______________ in length.* a. 128 bits b. 64 bytes c. 32 bytes d. 32 bits

a. *128 bits* IPv6 expands the length of source and destination IP addresses from IPv4's 32 bits to 128 bits.

Wireless Networking Security *What is the size of the wrapper TKIP places around the WEP encryption with a key that is based on such things as the MAC address of your machine and the serial number of the packet?* a. 128-bit b. 64-bit c. 56-bit d. 12-bit

a. *128-bit* TKIP places a 128-bit wrapper around the WEP encryption with a key that is based on such things as the MAC address of your machine and the serial number of the packet.

*Which port does the Simple Mail Transfer Protocol (SMTP) use?* a. 25 b. 53 c. 110 d. 143

a. *25* The Simple Mail Transfer Protocol (SMTP) uses port 25.

Wireless Networking Security *Which of the following 802.11 standards provides for bandwidths of up to 300 Mbps?* a. 802.11n b. 802.11i c. 802.11g d. 802.11b

a. *802.11n* The 802.11n standard provides for bandwidths of up to 300Mbps.

Cryptography Implementation *In a bridge trust model, each intermediate CA trusts only those CAs that are:* a. Above and below it b. Above it c. Below it d. On the same level

a. *Above and below it* In a bridge trust model, each intermediate CA trusts those CAs that are above and below it.

*When a user signs a(n) _____, it's a form of consent to the monitoring and auditing processes used by the organization.* a. Acceptable use policy b. Privacy policy c. Separation of duties policy d. Code of ethics policy

a. *Acceptable use policy* When a user signs an acceptable use policy, it's a form of consent to the monitoring and auditing processes used by the organization. A privacy policy usually explains that there is no privacy on company systems. A separation of duties policy indicates that administrative functions are divided among several people. The code of ethics policy describes decision-making processes to use when faced with ethical dilemmas.

Security-Related Policies and Procedures *Which rule of evidence within the United States involves Fourth Amendment protections?* a. Admissible b. Complete c. Reliable d. Believable

a. *Admissible* Admissibility involves collecting data in a manner that ensures its viability in court, including legal requirements such as the Fourth Amendment protections against unlawful search and seizure. Answers B and C are incorrect because data must be collected completely and protected against modification to ensure reliability, but these are not concerns of the Fourth Amendment. Answer D is incorrect because believability focuses on evidence being understandable, documented, and not subject to modification during transition.

*Which of the following are steps that can be taken to harden FTP services?* a. Anonymous access to shared files of questionable or undesirable content should be limited. b. Regular review of networks for unauthorized or rogue servers. c. Technologies that allow dynamic updates must also include access control and authentication. d. Unauthorized zone transfers should also be restricted.

a. *Anonymous access to shared files of questionable or undesirable content should be limited.* Anonymous access to shared files of questionable or undesirable content should be limited for proper FTP server security. Answer B is incorrect because it is a hardening practice for DHCP services. Answers C and D are incorrect because they are associated with hardening DNS service.

*Which of the following is the preferred type of encryption used in SaaS platforms?* a. Application level b. Database level c. Media level d. HSM level

a. *Application level* In a software-as-a-service (SaaS) environment, application-level encryption is preferred because the data is encrypted by the application before being stored in the database or file system. The advantage is that it protects the data from the user all the way to storage. Answer B is incorrect because in cloud implementations data should be encrypted at the application layer rather than within a database due to the complexity involved, and media encryption is managed at the storage layer. Answer C is incorrect because encryption of a complete virtual machine on infrastructure-as-a-service (IaaS) could be considered media encryption. Answer D is incorrect because a hardware security module (HSM) solution is mainly found in private datacenters that manage and offload cryptography with dedicated hardware appliances.

Security-Related Policies and Procedures *Which process inspects procedures and verifies that they're working?* a. Audit b. Business continuity plan c. Security review d. Group privilege management

a. *Audit* An audit is used to inspect and test procedures within an organization to verify that those procedures are working and up-to-date. The result of an audit is a report to management.

*Kerberos is used to perform what security service?* a. Authentication protection b. File encryption c. Secure communications d. Protected data transfer

a. *Authentication protection* Kerberos is a third-party authentication service; thus it provides authentication protection. Kerberos can't be used to encrypt files, secure non-authentication communications, or protect data transfer.

Security and Vulnerability in the Network *What checks to make sure that things are operating status quo and that change detection is used to alert when modifications are made?* a. Baseline reporting b. Code review c. Attack surfacing d. Risk analysis

a. *Baseline reporting* Baseline reporting checks to make sure that things are operating status quo and that change detection is used to alert when modifications are made.

Operating System and Application Security *Which of the following terms refers to the process of establishing a standard for security?* a. Baselining b. Security evaluation c. Hardening d. Methods research

a. *Baselining* Baselining is the process of establishing a standard for security.

Educating and Protecting the User *You've recently been hired by ACME to do a security audit. The managers of this company feel that their current security measures are inadequate. Which information access control model prevents users from writing information down to a lower level of security and prevents users from reading above their level of security?* a. Bell-LaPadula model b. Biba model c. Clark-Wilson model d. Noninterference model

a. *Bell-LaPadula model* The Bell-LaPadula model is intended to protect confidentiality of information. This is accomplished by prohibiting users from reading above their security level and preventing them from writing below their security level.

Physical and Hardware-Based Security *Which technology uses a physical characteristic to establish identity?* a. Biometrics b. Surveillance c. Smart card d. CHAP authenticator

a. *Biometrics* Biometrics is a technology that uses personal characteristics, such as a retinal pattern or fingerprint, to establish identity.

Operating System and Application Security *What tool is used in Windows to encrypt an entire volume?* a. BitLocker b. SysLock c. Drive Defender d. NLock

a. *BitLocker* BitLocker provides drive encryption and is available with Windows 7 and Windows Vista.

*You are conducting a penetration test on an application for a client. The client provides you with no details about the source code and development process. What type of test will you likely be conducting?* a. Black box b. White box c. Vulnerability d. Answers A and C

a. *Black box* Black box testing does not provide any information about the environment. Answer B is incorrect as white box testing is more transparent and would provide details around the particular application. A vulnerability test and penetration test are separate items, thus answer C is incorrect. Answer D is also incorrect.

Security and Vulnerability in the Network *In which type of testing do you begin with the premise that the attacker has no knowledge of the network?* a. Black box b. White box c. Gray box d. Green box

a. *Black box* With black box testing, you begin with the premise that the attacker has no knowledge of the network.

*A situation in which a program or process attempts to store more data in a temporary data storage area than it was intended to hold is known as which of the following?* a. Buffer overflow b. Denial of service c. Distributed denial of service d. Storage overrun

a. *Buffer overflow* A buffer overflow occurs when a program or process attempts to store more data in a buffer than the buffer was intended to hold. The overflow of data can flow over into other buffers, overwriting or deleting data. A denial of service is a type of attack in which too much traffic is sent to a host, preventing it from responding to legitimate traffic. A distributed denial of service is similar, but it is initiated through multiple hosts; therefore, answers B and C are incorrect. Although answer D sounds correct, it is not.

*Never inserting untrusted data except in allowed locations can be used to mitigate which of the following attacks? (Select two answers.)* a. Buffer overflow b. Cross-site request forgery (XSRF) c. Cross-Site Scripting (XSS) d. Input validation error

a. *Buffer overflow* d. *Input validation error* A buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions, and input validation errors are a result of improper field checking in the code. Answer B is incorrect because Cross-site request forgery (XSRF) is an attack in which the end user executes unwanted actions on a web application while they are currently authenticated. Answer C is incorrect because Cross-Site Scripting (XSS) vulnerabilities can be used to hijack the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A.

Security-Related Policies and Procedures *Most CAs require what to define certificate issue processes, record keeping, and subscribers' legal acceptance of terms?* a. CPS b. DAC c. SRC d. GPM

a. *CPS* Most CAs require a Certificate Practice Statement (CPS), which defines certificate issue processes, record keeping, and subscribers' legal acceptance of the terms of the CPS.

*Which of the following is widely used as a controlled access measure in businesses that offer free Wi-Fi hotspots to Internet users such as hotels and restaurants?* a. Captive portal b. Site survey c. VPN (over open wireless) d. Omnidirectional antenna

a. *Captive portal* Captive portals are widely used in businesses that offer free Wi-Fi hotspots to Internet users such as hotels and restaurants. Answer B is incorrect because a site survey is conducted before implementing any WLAN solution to optimize network layout within each unique location. Answer C is incorrect because VPNs over open wireless are commonly used to securely connect employees to corporate networks when they are not in the office by using an Internet connection. Answer D is incorrect. Omnidirectional antennas provide a 360° radial pattern to provide the widest possible signal coverage for a wireless network.

Wireless Networking Security *What is the size of the initialization vector (IV) that WEP uses for encryption?* a. 6-bit b. 24-bit c. 56-bit d. 128-bit

b. *24-bit* The initialization vector (IV) that WEP uses for encryption is 24-bit.

Cryptography Implementation *Public Key Infrastructure (PKI) is a first attempt to provide all the aspects of security to messages and transactions that have been previously discussed. It contains four components including:* a. Certificate Authority (CA), Registration Authority (RA), RSA, and digital certificates b. Certificate Authority (CA), RSA, Document Authority (DA), and digital certificates c. Document Authority (DA), Certificate Authority (CA), and RSA d. Registration Authority (RA), RSA, and digital certificates

a. *Certificate Authority (CA), Registration Authority (RA), RSA, and digital certificates* Public Key Infrastructure (PKI) contains four components: certificate authority (CA), registration authority (RA), RSA, and digital certificates.

Cryptography Basics *What document describes how a CA issues certificates and what they are used for?* a. Certificate policies b. Certificate practices c. Revocation authority d. CRL

a. *Certificate policies* The certificate policies document defines what certificates can be used for.

Security-Related Policies and Procedures *Which policy dictates how an organization manages certificates and certificate acceptance?* a. Certificate policy b. Certificate access list c. CA accreditation d. CRL rule

a. *Certificate policy* A certificate policy dictates how an organization uses, manages, and validates certificates.

*When a certificate authority revokes a certificate, notice of the revocation is distributed via what?* a. Certificate revocation list b. Certificate policy c. Digital signature d. Certificate practice statement

a. *Certificate revocation list* Certificate revocation lists are used to identify revoked certificates; however, the Online Certificate Status Protocol (OCSP), which provides certificate status in real time, has been created as an alternative to CRLs. Answers B and D are both incorrect because these terms relate to the policies and practices of certificates and the issuing authorities. Answer C is incorrect because a digital signature is an electronic signature used for identity authentication.

Physical and Hardware-Based Security *Which of the following is an example of perimeter security?* a. Chain link fence b. Video camera c. Elevator d. Locked computer room

a. *Chain link fence* Perimeter security involves creating a perimeter or outer boundary for a physical space. Video surveillance systems wouldn't be considered a part of perimeter security, but they can be used to enhance physical security monitoring.

*Evidence is inadmissible in court if which of the following is violated or mismanaged?* a. Chain of custody b. Service-level agreement c. Privacy policy d. Change management

a. *Chain of custody* If the chain of custody is violated or mismanaged, evidence is inadmissible in court. Service-level agreements (SLAs), privacy policies, and change management aren't associated with evidence gathering or forensics.

Disaster Recovery and Incident Response *Your company is about to invest heavily in an application written by a new startup. Because it is such a sizable investment, you express your concerns about the longevity of the new company and the risk this organization is taking. You propose that the new company agree to store its source code for use by customers in the event that it ceases business. What is this model called?* a. Code escrow b. SLA c. BCP d. CA

a. *Code escrow* Code escrow allows customers to access the source code of installed systems under specific conditions, such as the bankruptcy of a vendor.

*Which of the following should be implemented if the organization wants to monitor unauthorized transfers of confidential information?* a. Content inspection b. Proxy server c. Protocol analyzer d. Packet-filtering firewall

a. *Content inspection* Content inspection appliances use access control filtering software on a dedicated filtering appliance. The device monitors every packet of traffic that passes over a network. Answer B is incorrect. When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster and traffic to the Internet is substantially reduced. Answer C is incorrect. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Answer D is incorrect; a packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense.

Access Control and Identity Management *In a decentralized key management system, the user is responsible for which one of the following functions?* a. Creation of the private and public key b. Creation of the digital certificate c. Creation of the CRL d. Revocation of the digital certificate

a. *Creation of the private and public key* In a decentralized key system, the end user generates his or her own key pair. The other functions, such as creation of the certificate, CRL, and the revocation of the certificate, are still handled by the certificate authority; therefore, answers B, C, and D are incorrect.

Operating System and Application Security *Which systems monitor the contents of systems (workstations, servers, networks) to make sure key content is not deleted or removed?* a. DLP b. PKM c. XML d. GSP

a. *DLP* DLP systems monitor the contents of systems (workstations, servers, networks) to make sure key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data.

*In which of the following types of architecture is the user responsible for the creation of the private and public key?* a. Decentralized key management b. Centralized key management c. Revocation key management d. Multilevel key management

a. *Decentralized key management* In a decentralized key-management scheme, the user creates both the private and public key and then submits the public key to the CA to allow it to apply its digital signature after it has authenticated the user. Answer B is incorrect because centralized key management allows the organization to have complete control over the creation, distribution, modification, and revocation of the electronic credentials that it issues. Answers C and D are incorrect because they are nonexistent terms.

Disaster Recovery and Incident Response *Which plan or policy helps an organization determine how to relocate to an emergency site?* a. Disaster-recovery plan b. Backup site plan c. Privilege management policy d. Privacy plan

a. *Disaster-recovery plan* The disaster-recovery plan deals with site relocation in the event of an emergency, natural disaster, or service outage.

*Which one of the following best describes the type of attack designed to bring a network to a halt by flooding the systems with useless traffic?* a. DoS b. Ping of death c. Teardrop d. Social engineering

a. *DoS* A DoS attack is designed to bring down a network by flooding the system with an overabundance of useless traffic. Although answers B and C are both types of DoS attacks, they are incorrect because DoS more accurately describes "a type of attack." Answer D is incorrect because social engineering describes the nontechnical means of obtaining information.

*You manage a network on which there are mixed vendor devices and are required to implement a strong authentication solution for wireless communications. Which of the following would best meet your requirements? (Select two correct answers.)* a. EAP b. WEP c. LEAP d. PEAP

a. *EAP* d. *PEAP* The IEEE and IETF specify 802.1X and EAP as the standard for secure wireless networking, and Protected EAP (PEAP) is standards based. PEAP was jointly developed by Microsoft, RSA Security, and Cisco Systems. It is an IETF open standard. PEAP provides mutual authentication and uses a certificate for server authentication by the client, and users have the convenience of entering password-based credentials. Answer B is incorrect because WEP is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point. Answer C is incorrect because LEAP is a Cisco-proprietary protocol.

Cryptography Basics *As the head of IT for MTS, you're explaining some security concerns to a junior administrator who has just been hired. You're trying to emphasize the need to know what is important and what isn't. Which of the following is not a consideration in key storage?* a. Environmental controls b. Physical security c. Hardened servers d. Administrative controls

a. *Environmental controls* Proper key storage requires that the keys be physically stored in a secure environment. This may include using locked cabinets, hardened servers, and effective physical and administrative controls.

*Which statement concerning virtualized environments is correct?* a. Existing security tools, such as antivirus, antispam, and IDS, are designed for single physical servers and do not always adapt well to multiple virtual machines. b. All hypervisors have the necessary security controls to keep out determined attackers. c. In a network with virtual machines, external devices such as firewalls and IDS reside between servers and can help prevent one from infecting another. d. A guest operating system that has remained dormant for a period of time can contain the latest patches and other security updates.

a. *Existing security tools, such as antivirus, antispam, and IDS, are designed for single physical servers and do not always adapt well to multiple virtual machines.* Existing security tools, such as antivirus, antispam, and IDS, were designed for single physical servers and do not always adapt well to multiple virtual machines.

Disaster Recovery and Incident Response *With high availability, the goal is to have key services available 99.999 percent of the time. What is this availability also known as?* a. Five nines b. Three nines c. Perfecta d. Trifecta

a. *Five nines* With high availability, the goal is to have key services available 99.999 percent of the time (also known as five nines availability).

Educating and Protecting the User *Which of the following is the best description of tailgating?* a. Following someone through a door they just unlocked b. Figuring out how to unlock a secured area c. Sitting close to someone in a meeting d. Stealing information from someone's desk

a. *Following someone through a door they just unlocked* Tailgating is best defined as following someone through a door they just unlocked.

*Which of the following is the most useful when you're dealing with machines that are being taken on the road by traveling executives, sales managers, or insurance agents?* a. Full disk encryption b. File-level encryption c. Media-level encryption d. Application-level encryption

a. *Full disk encryption* Full disk encryption is most useful when you're dealing with machines that are being taken on the road by traveling executives, sales managers, or insurance agents. Answer B is incorrect because in file- or folder-level encryption, individual files or folders are encrypted by the file system itself. Answer C is incorrect because media encryption is used for USB flash drives, iPods, and other portable storage devices. Answer D is incorrect because application-level encryption does not protect the data stored on the machines.

Cryptography Basics *What is the process of deriving an encrypted value from a mathematical process called?* a. Hashing b. Asymmetric c. Symmetric d. Social engineering

a. *Hashing* Hashing algorithms are used to derive an encrypted value from a message or word.

Security and Vulnerability in the Network *Which of the following serves the purpose of trying to lure a malicious attacker into a system?* a. Honeypot b. Pot of gold c. DMZ d. Bear trap

a. *Honeypot* A honeypot is used to serve as a decoy and lure a malicious attacker. Answers B and D are incorrect answers and are not legitimate terms for testing purposes. Answer C is incorrect because a demilitarized zone (DMZ) is an area between the Internet and the internal network.

*Which of the following are types of updates applied to systems? (Select all correct answers.) * a. Hotfix b. Service packs c. Patches d. Coldfix

a. *Hotfix* b. *Service packs* c. *Patches* Each of these describes types of updates that can be applied to a system. Answer D is incorrect.

*Which is the best access control constraint to protect against accidental unauthorized access?* a. Implicit denial b. Least privilege c. Separation of duties d. Account expiration

a. *Implicit denial* The default assignment of an implicit denial, overridden by explicit grants of access aids in protecting resources against accidental access during normal network operations. Answer B is incorrect because least privilege is a principle of assigning only those rights necessary to perform assigned tasks. Answer C is incorrect because separation of duties is focused on ensuring that action and validation practices are performed separately. Answer D is incorrect because account expiration protocols ensure that individual accounts do not remain active past their designated lifespan, but they do nothing to protect against accidental resource availability for currently enabled accounts.

Disaster Recovery and Incident Response *Your organization is exploring data-loss prevention (DLP) solutions. The proposed solution is a software network solution that would be installed near the network perimeter to monitor for and flag policy violations. This solution is targeting which of the following data states?* a. In-transit b. At-rest c. In-use d. In-arrival

a. *In-transit* Protection of data in-transit is considered to be a network solution and either a hardware or software solution is installed near the network perimeter to monitor for and flag policy violations. Answer B is incorrect because protection of data at-rest is considered to be a storage solution and is generally a software solution that monitors how confidential data is stored. Answer C is incorrect because protection of data in-use is considered to be an endpoint solution and the application is run on end-user workstations or servers in the organization. Answer D is incorrect because there is no such data state.

Security and Vulnerability in the Network *Which Windows workstation feature is accused of—sometimes inadvertently—making network bridging possible and introducing security concerns?* a. Internet Connection Sharing b. Windows Firewall c. Network Address Translation d. Dynamic Naming Service

a. *Internet Connection Sharing* ICS—Internet Connection Sharing—is accused of (sometimes inadvertently) making network bridging possible and introducing security concerns.

*Communications between different IP devices on a network is handled by one of the core protocols of TCP/IP, namely, _______________.* a. Internet Control Message Protocol (ICMP) b. Network Basic Input/Output System (NetBIOS) c. Telnet d. Simple Network Management Protocol (SNMP)

a. *Internet Control Message Protocol (ICMP)* Different IP devices on a network often need to share between them specific information. However, IP does not have the capability for devices to exchange these low-level control messages. The communications between devices is handled by one of the core protocols of TCP/IP, namely, Internet Control Message Protocol (ICMP).

*_______________ is an IP-based storage networking standard for linking data storage facilities.* a. Internet Small Computer System Interface (iSCSI) b. Internet Control Message Protocol (ICMP) c. Simple Network Management Protocol (SNMP) d. Network Basic Input/Output System (NetBIOS)

a. *Internet Small Computer System Interface (iSCSI)* iSCSI (Internet Small Computer System Interface) is an IP-based storage networking standard for linking data storage facilities. Because it works over a standard IP network, iSCSI can transmit data over LANs, wide area networks (WANs), and the Internet.

Cryptography Implementation *Key destruction is the process of destroying keys that have become:* a. Invalid b. Expired c. Ruined d. Outdated

a. *Invalid* Key destruction is the process of destroying keys that have become invalid.

*What is the proper humidity level or range for IT environments?* a. Below 40 percent b. 40 percent to 60 percent c. Above 60 percent d. 20 percent to 80 percent

b. *40 percent to 60 percent* The proper humidity level or range for IT environments is 40% RH to 60% RH.

Educating and Protecting the User *at.allow is an access control that allows only specific users to use the service. What is at.deny?* a. It does not allow users named in the file to access the system. b. It ensures that no one will ever be able to use that part of your system. c. It opens up the server only to intranet users. d. It blocks access to Internet users.

a. *It does not allow users named in the file to access the system.* The at.deny file does not allow users named in the file to access the system.

Physical and Hardware-Based Security *In a hot and cold aisle system, what is the typical method of handling cold air?* a. It is pumped in from below raised floor tiles. b. It is pumped in from above through the ceiling tiles. c. Only hot air is extracted and cold air is the natural result. d. Cold air exists in each aisle.

a. *It is pumped in from below raised floor tiles.* With hot and cold aisles, cold air is pumped in from below raised floor tiles.

*Which of the following is true of Pretty Good Privacy (PGP)? (Select the two best answers.)* a. It uses a web of trust. b. It uses a hierarchical structure. c. It uses public key encryption. d. It uses private key encryption.

a. *It uses a web of trust.* c. *It uses public key encryption.* PGP uses a web of trust rather than the hierarchical structure. It also uses public key encryption. Based on this, answers B and D are incorrect.

*_______________ limits the amount of time that individuals have to manipulate security configurations.* a. Job rotation b. Mandatory vacation c. Separation of duties d. Least privilege

a. *Job rotation* Job rotation limits the amount of time that individuals are in a position to manipulate security configurations.

Cryptography Basics *After returning from a conference in Jamaica, your manager informs you that he has learned that law enforcement has the right, under subpoena, to conduct investigations using keys. He wants you to implement measures to make such an event run smoothly should it ever happen. What is the process of storing keys for use by law enforcement called?* a. Key escrow b. Key archival c. Key renewal d. Certificate rollover

a. *Key escrow* Key escrow is the process of storing keys or certificates for use by law enforcement. Law enforcement has the right, under subpoena, to conduct investigations using these keys.

*Which of the following is a denial-of-service attack that uses network packets that have been spoofed so that the source and destination address are that of the victim?* a. Land b. Teardrop c. Smurf d. Fraggle

a. *Land* A land DoS attack uses network packets that have been spoofed so that the source and destination address are that of the victim. A teardrop attack uses fragmented IP packets. Smurf and fraggle attacks use spoofed ICMP and UDP packets, respectively, against an amplification network.

*After a new switch was implemented, some sporadic connectivity issues on the network have occurred. The issues are suspected to be device related. Which of the following would the organization implement as a method for additional checks in order to prevent issues?* a. Loop protection b. Flood guard c. Implicit deny d. Port security

a. *Loop protection* The loop protection feature makes additional checks in Layer 2 switched networks. Answer B is incorrect because a flood guard is a firewall feature to control network activity associated with denial-of-service (DoS) attacks. Answer C is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.

*Which form of access control relies on labels for access control management?* a. MAC b. DAC c. Role-based (RBAC) d. Rule-based (RBAC)

a. *MAC* Mandatory access control (MAC) systems require assignment of labels such as Public, Secret, and Sensitive to provide resource access. Answer B is incorrect because discretionary access control (DAC) systems allow data owners to extend access rights to other logons based on explicit assignments or inherited group membership. Answers C and D are incorrect because both RBAC access control forms rely on conditional assignment of access rules either inherited (role based) or by environmental factors such as time of day or secured terminal location (rule based).

*Which one of the following controls are physical security measures? (Select all correct answers.)* a. Motion detector b. Antivirus software c. CCTV d. Fence

a. *Motion detector* c. *CCTV* d. *Fence* Motion detectors, CCTV, and fencing are all controls used for physical security. Antivirus is not a physical security control, but a control used to protect computer systems from malware, and therefore Answer B is incorrect.

*TCP/IP uses its own four-layer architecture that includes _______________ layers.* a. Network Interface, Internet, Transport, and Application b. Network Interface, Network, Transport, and Application c. Network Interface, Internet, Transport, and Authentication d. Network Interface, Network, Transport, and Authentication

a. *Network Interface, Internet, Transport, and Application* TCP/IP uses its own four-layer architecture that includes Network Interface, Internet, Transport, and Application layers.

*Which term describes a technique that allows private IP addresses to be used on the public Internet?* a. Network address translation (NAT) b. Port address translation (PAT) c. Network access control (NAC) d. Loop protection

a. *Network address translation (NAT)* Network address translation (NAT) is a technique that allows private IP addresses to be used on the public Internet.

Operating System and Application Security *Users are complaining about name resolution problems suddenly occurring that were never an issue before. You suspect that an intruder has compromised the integrity of the DNS server on your network. What is one of the primary ways in which an attacker uses DNS?* a. Network footprinting b. Network sniffing c. Database server lookup d. Registration counterfeiting

a. *Network footprinting* DNS records in a DNS server provide insights into the nature and structure of a network. DNS records should be kept to a minimum in public DNS servers. Network footprinting involves the attacker collecting data about the network to devise methods of intrusion.

Infrastructure and Connectivity *At which layer of the OSI model does the Internet Protocol Security protocol function?* a. Network layer b. Presentation layer c. Session layer d. Application layer

a. *Network layer* IPsec validation and encryption function at the network layer of the OSI model. Answers B, C, and D are incorrect because IPsec functions at a lower level of the OSI model.

Network Security *Which type of switch network monitoring is best suited for high-speed networks that have a large volume of traffic?* a. Network tapping b. Port mirroring c. Load balancing d. Packet filtering

a. *Network tapping* A network tap is generally best for high-speed networks that have a large volume of traffic, while port mirroring is better for networks with light traffic.

*The sender of data is provided with proof of delivery, and neither the sender nor receiver can deny either having sent or received the data. What is this called?* a. Nonrepudiation b. Repetition c. Nonrepetition d. Repudiation

a. *Nonrepudiation* Nonrepudiation means that neither party can deny either having sent or received the data in question. Both answers B and C are incorrect. And repudiation is defined as the act of refusal; therefore, answer D is incorrect.

*Which of the following are used to verify the status of a certificate? (Select two correct answers.)* a. OCSP b. CRL c. OSPF d. ACL

a. *OCSP* b. *CRL* The Online Certificate Status Protocol (OCSP) and the certificate revocation list (CRL) are used to verify the status of digital certificates. OSPF is a routing protocol; therefore, answer C is incorrect. An ACL is used to define access control; therefore, answer D is incorrect.

*What is a significant difference between vulnerability scanners and penetration testing?* a. One tests both the infrastructure and personnel. b. One only tests internal weaknesses. c. One only tests for configuration errors. d. One is used to find problems before hackers do.

a. *One tests both the infrastructure and personnel.* The primary difference between vulnerability assessment and penetration testing is that penetration testing tests both the infrastructure and the personnel. Vulnerability assessment is performed by a security administrator using an automated tool that is designed solely to test the configuration of target systems

*_______________ is designed to simplify the deployment of 802.1x by using Microsoft Windows logins and passwords.* a. Protected EAP (PEAP) b. Lightweight EAP (LEAP) c. Temporal Key Integrity Protocol (TKIP) d. PSK2-mixed mode

a. *Protected EAP (PEAP)* Protected EAP (PEAP) is designed to simplify the deployment of 802.1x by using Microsoft Windows logins and passwords. PEAP is considered a more flexible PEAP scheme because it creates an encrypted channel between the client and the authentication server, and the channel then protects the subsequent user authentication exchange.

Disaster Recovery and Incident Response *There have been some sporadic connectivity issues on the network. Which of the following is the best choice to investigate these issues?* a. Protocol analyzer b. Circuit-level gateway logs c. Spam filter appliance d. Web application firewall logs

a. *Protocol analyzer* Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and can conduct protocol decoding, putting the information into readable data for analysis. Answer B is incorrect because a circuit-level gateway filters based on source and destination addresses. Answer C is incorrect because all-in-one spam filter appliances allow for checksum technology, which tracks the number of times a particular message has appeared, and message authenticity checking, which uses multiple algorithms to verify authenticity of a message. Answer D is incorrect because a web application firewall is software or a hardware appliance used to protect the organization's web server from attack.

Disaster Recovery and Incident Response *You've been brought in as a temporary for FRS, Inc. The head of IT assigns you the task of evaluating all servers and their disks and making a list of any data not stored redundantly. Which disk technology isn't fault tolerant?* a. RAID 0 b. RAID 1 c. RAID 3 d. RAID 5

a. *RAID 0* RAID 0 is a method of spreading data from a single disk over a number of disk drives. It's used primarily for performance purposes.

*Which of the following algorithms is now known as the Advanced Encryption Standard (AES)?* a. Rijndael b. 3DES c. RC6 d. Twofish e. CAST

a. *Rijndael* Rijndael was the winner of the new AES standard. Although RC6 and Twofish competed for selection, they were not chosen. 3DES and CAST did not participate; therefore, answers B, C, D, and E are incorrect.

Protecting Networks *Which of the following is most likely to use network segmentation as an alternate security method?* a. SCADA systems b. Mainframes c. Android d. Gaming consoles

a. *SCADA systems* Network segmentation is one of the most effective controls an organization can implement in order to mitigate the effect of a network intrusion. Due to the sensitive nature of supervisory control and data acquisition (SCADA) systems, they would most likely use network segmentation. Answer B is incorrect because mainframes would most likely use security layers. Answer C is incorrect because Android would most likely use security layers. Answer D is incorrect. Most gaming consoles use firmware version control as an alternative security method.

*In order to ensure that whole-drive encryption provides the best security possible, which of the following should not be performed?* a. Screen lock the system overnight. b. Require a boot password to unlock the drive. c. Lock the system in a safe when it is not in use. d. Power down the system after use.

a. *Screen lock the system overnight.* An attack can steal the encryption key from memory, so systems with whole-drive encryption that are only screen-locked are vulnerable. Requiring a boot password, locking the system, and powering down ensure the protection of whole drive encryption.

Security-Related Policies and Procedures *MTS is in the process of increasing all security for all resources. No longer will the legacy method of assigning rights to users as they're needed be accepted. From now on, all rights must be obtained for the network or system through group membership. Which of the following groups is used to manage access in a network?* a. Security group b. Single sign-on group c. Resource sharing group d. AD group

a. *Security group* A security group is used to manage user access to a network or system.

Operating System and Application Security *The administrator at MTS was recently fired, and it has come to light that he didn't install updates and fixes as they were released. As the newly hired administrator, your first priority is to bring all networked clients and servers up-to-date. What is a bundle of one or more system fixes in a single product called?* a. Service pack b. Hotfix c. Patch d. System install

a. *Service pack* A service pack is one or more repairs to system problems bundled into a single process or function.

*Which port does the Domain Name System (DNS) protocol use?* a. 25 b. 53 c. 80 d. 443

b. *53* The Domain Name System (DNS) protocol uses port 53.

*Which of the following is a non-proprietary protocol that provides authentication and authorization as well as accounting of access requests against a centralized service for authorization of access requests?* a. TACACS+ b. SAML c. Secure LDAP d. XTACACS

a. *TACACS+* TACACS+, released as an open standard, is a protocol that provides authentication and authorization as well as accounting of access requests against a centralized service for authorization of access requests. TACACS+ is similar to RADIUS but uses TCP instead of RADIUS's UDP transport. Answer B is incorrect because SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between online partners. Answer C is incorrect because secure LDAP is a way to make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. Answer D is incorrect because XTACACS is a proprietary version of the original TACACS protocol that was developed by Cisco.

*A man-in-the-middle attack takes advantage of which of the following?* a. TCP handshake b. UDP handshake c. Juggernaut d. All of the above

a. *TCP handshake* TCP is a connection-oriented protocol, which uses a three-way handshake to establish and close a connection. Answers B, C, and D are incorrect. A man-in-the-middle attack takes advantage of this handshake by inserting itself in the middle. UDP is a connectionless protocol and does not use a handshake to establish a connection. Juggernaut describes a program that helps make man-in-the-middle attacks easier.

Wireless Networking Security *Which encryption technology is associated with WPA?* a. TKIP b. CCMP c. WEP d. LDAP

a. *TKIP* The encryption technology associated with WPA is TKIP.

Cryptography Basics *Mercury Technical Solutions has been using SSL in a business-to-business environment for a number of years. Despite the fact that there have been no compromises in security, the new IT manager wants to use stronger security than SSL can offer. Which of the following protocols is similar to SSL but offers the ability to use additional security protocols?* a. TLS b. SSH c. RSH d. X.509

a. *TLS* TLS is a security protocol that uses SSL, and it allows the use of other security protocols.

*Which type of risk control involves enforcing technology to control risk, such as antivirus software, firewalls, and encryption?* a. Technical b. System c. Management d. Operational

a. *Technical* Technical risk control types involve enforcing technology to control risk, such as antivirus software, firewalls, and encryption.

*Which of the following is a cloud-based security solution mainly found in private data centers?* a. VPC b. HSM c. TPM d. PKI

a. *VPC* The HSM and cloud machines can both live on the same virtual private network through the use of a virtual private cloud (VPC) environment. This type of solution is mainly found in private datacenters that manage and offload cryptography with dedicated hardware appliances. Answer B is incorrect because traditionally HSMs have been used in the banking sector to secure numerous large, bulk transactions. Answer C is incorrect because TPM refers to a secure crypto-processor used to authenticate hardware devices such as a PC or laptop. Answer D is incorrect because public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

*Which one of the following is not considered a physical security component?* a. VPN tunnel b. Mantrap c. Fence d. CCTV

a. *VPN tunnel* A VPN tunnel is an example of data security, not physical security. Mantrap, fence, and CCTV are all components of physical security; therefore, answers B, C, and D are incorrect.

Network Security *What term refers to a technology that enables authorized users to use an unsecured public network, such as the Internet, as if it were a secure private network?* a. Virtual private network (VPN) b. Gateway c. Intrusion detection system (IDS) d. Port mirroring

a. *Virtual private network (VPN)* A virtual private network (VPN) is a technology that enables authorized users to use an unsecured public network, such as the Internet, as if it were a secure private network.

*Which of the following provide a "sandboxed" system that can be used to investigate malware?* a. Virtualization b. Network storage c. Host software baselining d. Application baselining

a. *Virtualization* A virtualized "sandboxed" guest system can help in computer-security research, which enables the study of the effects of some viruses or worms without the possibility of compromising the host system. Answer B is incorrect because network storage has nothing to do with desktop management. Answer C is incorrect because host software baselining can be done for a variety of reasons including malware monitoring and creating system images. Answer D is incorrect because application baselining is used to monitor changes in application behavior.

Security and Vulnerability in the Network *Nessus is a tool that performs which security function?* a. Vulnerability scanning b. Penetration testing c. Ethical hacking d. Loop protection

a. *Vulnerability scanning* Nessus is one of the better-known vulnerability scanners.

Wireless Networking Security *An IV attack is usually associated with which of the following wireless protocols?* a. WEP b. WAP c. WPA d. WPA2

a. *WEP* An IV attack is usually associated with the WEP wireless protocol.

*There are two modes for Wi-Fi Protected Access (WPA): _______________.* a. WPA Personal and WPA Enterprise b. WPA Private and WPA Public c. WPA Open and WPA Closed d. WPA Shortwave and WPA Longwave

a. *WPA Personal and WPA Enterprise* There are two modes of WPA. WPA Personal was designed for individuals or small office/home office (SOHO) settings, which typically have 10 or fewer employees. A more robust WPA Enterprise was intended for larger enterprises, schools, and government agencies. WPA addresses both encryption and authentication.

*Which of the following provides government-grade security by implementing the AES encryption algorithm and 802.1X-based authentication?* a. WPA2 b. WEP c. WPA d. WAP

a. *WPA2* WPA2 is based on the IEEE 802.11i standard and provides government-grade security by implementing the AES encryption algorithm and 802.1X-based authentication. Answer B is incorrect because the WEP standard was proven to be unsecure and has been replaced by the newer WPA standards. Answer C is incorrect because the early WPA standard has been superseded by the WPA2 standard, implementing the full 802.11i-2004 amendment. Answer D is incorrect because a WAP refers to a wireless access point, which is the wireless network hardware that functions in the place of a wired switch.

Wireless Networking Security *Which of the following manages the session information and connection between wireless devices?* a. WSP b. WPD c. WPT d. WMD

a. *WSP* WSP (Wireless Session Protocol) manages the session information and connection between wireless devices.

Cryptography Implementation *The mesh trust model is also known as what?* a. Web structure b. Car model c. Web redemption d. Corrupt system

a. *Web structure* The mesh trust model is also known as a web structure.

Security-Related Policies and Procedures *Which of the following is not a principal concern for first responders to a hacking incident within a corporation operating in the United States?* a. Whether EMI shielding is intact b. Whether data is gathered properly c. Whether data is protected from modification d. Whether collected data is complete

a. *Whether EMI shielding is intact* EMI shielding is important to protecting data and services against unauthorized interception as well as interference but is not a principal concern for first responders following an incident. First responders must ensure that data is collected correctly and protect it from modification using proper controls ensuring a clear chain of evidence, making answers B and C incorrect. Answer D is incorrect because a first responder might be the only agent able to ensure that all data is collected before being lost due to volatility of storage.

Cryptography Implementation *The most popular certificate used is version 3 of:* a. X.509 b. B.102 c. C.409 d. Z.602

a. *X.509* The most popular certificate used is version 3 of X.509.

Cryptography Basics *Which set of specifications is designed to allow XML-based programs access to PKI services?* a. XKMS b. XMLS c. PKXMS d. PKIXMLS

a. *XKMS* XML Key Management Specification (XKMS) is designed to allow XML-based programs access to PKI services.

Physical and Hardware-Based Security *You're the administrator for MTS. You're creating a team that will report to you, and you're attempting to divide the responsibilities for security among individual members. Similarly, which of the following access methods breaks a large area into smaller areas that can be monitored individually?* a. Zone b. Partition c. Perimeter d. Floor

a. *Zone* A security zone is a smaller part of a larger area. Security zones can be monitored individually if needed. Answers B, C, and D are examples of security zones.

*A(n) _______________ access point (AP) uses a standard web browser to provide information, and gives the wireless user the opportunity to agree to a policy or present valid login credentials, providing a higher degree of security.* a. captive portal b. open portal c. closed portal d. Internet portal

a. *captive portal* A captive portal AP uses a standard web browser to provide information, and gives the wireless user the opportunity to agree to a policy or present valid login credentials, providing a higher degree of security.

*A _______________ cloud is a cloud that is open only to specific organizations that have common concerns.* a. community b. public c. hybrid d. private

a. *community* A community cloud is a cloud that is open only to specific organizations that have common concerns.

*Risk _______________ involves understanding something about the attacker and then informing him of the harm that may come his way if he attacks an asset.* a. deterrence b. mitigation c. transference d. avoidance

a. *deterrence* Risk deterrence involves understanding something about the attacker and then informing him of the harm that may come his way if he attacks an asset.

*A _______________ is a feature that controls a device's tolerance for unanswered service requests and helps to prevent a denial of service (DoS) attack.* a. flood guard b. virtual local area network (VLAN) c. network intrusion detection system (NIDS) d. virtual private network (VPN) concentrator

a. *flood guard* One defense against DoS and DDoS SYN flood attacks is to use a flood guard. A flood guard is a feature that controls a device's tolerance for unanswered service requests and helps to prevent a DoS attack.

*In _______________ virtualization, an entire operating system environment is simulated.* a. host b. network c. application d. cloud

a. *host* One type of virtualization in which an entire operating system environment is simulated is known as host virtualization. Instead of using a physical computer, a virtual machine, which is a simulated software-based emulation of a computer, is created. The host system (the operating system installed on the computer's hardware) runs a hypervisor that manages the virtual machine operating systems and supports one or more guest systems (a foreign virtual operating system).

Security and Vulnerability in the Network *You want to implement MAC filtering on a small network but do not know the MAC address of a Linux-based workstation. Which command-line tool can you run on the workstation to find the MAC address?* a. ifconfig b. ifconfig /show c. ipconfig d. ipconfig /all

a. *ifconfig* The command ifconfig will show the MAC address on the Linux or Unix-based workstation.

*An advantage of _______________ is that it helps to expose any potential avenues for fraud by having multiple individuals with different perspectives learn about the job and uncover vulnerabilities that someone else may have overlooked.* a. job rotation b. mandatory vacation c. separation of duties d. least privilege

a. *job rotation* An advantage of job rotation is that it helps to expose any potential avenues for fraud by having multiple individuals with different perspectives learn about the job and uncover vulnerabilities that someone else may have overlooked.

Network Security *Using _______________, filters can assess if a webpage contains any malicious elements or exhibits any malicious behavior, and then flag questionable pages with a warning message.* a. malware inspection and filtering b. content inspection c. uniform resource locator (URL) filtering d. detailed reporting

a. *malware inspection and filtering* With malware inspection and filtering, filters can assess if a webpage contains any malicious elements or exhibits any malicious behavior, and then flag questionable pages with a warning message.

*In redundancy and fault tolerance, the term _______________ describes the average amount of time that it will take a device to recover from a failure that is not a terminal failure.* a. mean time to recovery b. failure In Time c. mean time between failures d. mean time to failure

a. *mean time to recovery* Mean time to recovery (MTTR) is the average amount of time that it will take a device to recover from a failure that is not a terminal failure.

*Ports can be secured through disabling unused interfaces, using _______________, and through IEEE 802.1x.* a. media access control (MAC) limiting and filtering b. virtual private network (VPN) tunneling c. packet sniffers d. virtual local area networks (VLANs)

a. *media access control (MAC) limiting and filtering* Ports can be secured through disabling unused interfaces, using MAC limiting and filtering, and through IEEE 802.1x.

*The goal of _______________ is to prevent computers with suboptimal security from potentially infecting other computers through the network.* a. network access control (NAC) b. virtualization c. captive portals d. port security

a. *network access control (NAC)* The goal of NAC is to prevent computers with suboptimal security from potentially infecting other computers through the network.

*A weakness of FTPS is that although the control port commands are encrypted, the data port (_______________) may or may not be encrypted.* a. port 20 b. port 21 c. port 25 d. port 80

a. *port 20* A weakness of FTPS is that although the control port commands are encrypted, the data port (port 20) may or may not be encrypted.

*By using _______________, instead of giving each outgoing packet a different IP address, each packet is given the same IP address but a different TCP port number.* a. port address translation (PAT) b. network access control (NAC) c. network address translation (NAT) d. port mirroring

a. *port address translation (PAT)* A variation of NAT is port address translation (PAT). Instead of giving each outgoing packet a different IP address, each packet is given the same IP address but a different TCP port number. This allows a single public IP address to be used by several users.

Network Security *A(n) _______________ captures packets to decode and analyzes their contents.* a. protocol analyzer b. load balancer c. Internet content filter d. spam filter

a. *protocol analyzer* A protocol analyzer captures packets to decode and analyzes their contents.

Network Security *A(n) _______________ is a computer or an application program that intercepts user requests from the internal secure network and then processes that request on behalf of the user.* a. proxy server b. load balancer c. network tap d. Internet content filter

a. *proxy server* A proxy server is a computer or an application program that intercepts user requests from the internal secure network and then processes that request on behalf of the user.

*Within a firewall rule, the _______________ describes the TCP/IP port number being used to send packets of data through.* a. source port b. destination port c. source address d. destination address

a. *source port* The source port is the TCP/IP port number being used to send packets of data through. Options for setting the source port often include a specific port number, a range of numbers, or Any (port).

*One way to provide network separation is to physically separate users by connecting them to different _______________.* a. switches and routers b. hubs c. mirrored ports d. operating systems

a. *switches and routers* One way to provide network separation is to physically separate users by connecting them to different switches and routers. This prevents bridging and even prevents a reconfigured device from allowing that connection to occur.

*Transferring files can be performed using the File Transfer Protocol (FTP), which is a(n) _______________ TCP/IP protocol.* a. unsecure b. secure c. open d. closed

a. *unsecure* Transferring files can be performed using the File Transfer Protocol (FTP), which is an unsecure TCP/IP protocol. FTP is used to connect to an FTP server, much in the same way that HTTP links to a web server.

WPA enterprise

aka WPA.802.1x - uses central authentication server such as RADIUS server for authentication and audit features

VLAN Trunking Protocol (VTP)

allows switches to see all the VLANs within the network IEEE 802.1q •QinQ attack a malicious frame is encapsulated to gain unauthorized access to VLAN

16) Mean time to restore (MTTR)

also known as mean time to recovery, is the average time for a system or device to recover from a failure.

ALE

annual loss expectancy- is the annualized loss expectancy value. This is a monetary measure of how much loss you could expect in a year.

ARO

annualized rate occourance - ARO is the annualized rate of occurrence. This is the likelihood, often drawn from historical data, of an event occurring within a year.

3) What is Personal Identifiable Information (PPI)

any information that can unique ID a person - SSN - Driver license

DNS servers

are the only types of servers listed that do zone transfers. The purpose of accessing the zone file is to find out what hosts are on the network.

nonrepudiation

authenticate the sender of the message - ensures the sender cannot say "they did not send the message"

Kerberos

authenticates only, and can use TCP and UDP.

RADIUS

authenticates users to a network and is sometimes used with a VPN.

Challenge Handshake Authentication Protocol (CHAP)

authentication protocol that uses 3way handshake where server sends a challenge to the client: 1. server send challenge key 2. client combine challenge with password 3. server use the same key to create hash with password to run thru MD5 hash verify authentication

*Which port does NetBIOS use?* a. 80 b. 139 c. 143 d. 443

b. *139* NetBIOS uses port 139.

*Which port does the Internet Message Access Protocol (IMAP) use?* a. 25 b. 143 c. 443 d. 3389

b. *143* The Internet Message Access Protocol (IMAP) uses port 143.

*If an organization takes a full backup every Sunday morning and a daily differential backup each morning, what is the fewest number of backups that must be restored following a disaster on Friday?* a. 1 b. 2 c. 5 d. 6

b. *2* With a differential backup scheme, only the last full and last differential backup need to be restored, making answer C incorrect as well. Daily full backups would require only the last full backup, making answer A incorrect in this configuration. Answer D would be correct in an incremental rather than a differential backup setting, where the last full and all intervening incremental backups must be restored for recovery.

*You want to be sure that the FTP ports that are required for a contract worker's functionality have been properly secured. Which of the following ports would you check?* a. 25/110/143 b. 20/21 c.137/138/139 d. 53

b. *20/21* Ports 20 and 21 are used for FTP. Answer A is incorrect because these ports are used for email. Answer C is incorrect because these NetBIOS ports are required for certain Windows network functions such as file sharing. Answer D is incorrect because this port is used for DNS.

*Which port does the File Transfer Protocol (FTP) use for commands?* a. 20 b. 21 c. 22 d. 25

b. *21* The File Transfer Protocol (FTP) uses port 21 for commands.

*Which port does the Secure Shell (SSH) protocol use?* a. 21 b. 22 c. 139 d. 443

b. *22* The Secure Shell (SSH) protocol uses port 22.

Network Security *What feature distinguishes a network intrusion prevention system (NIPS) from a network intrusion detection system (NIDS)?* a. A NIPS has sensors that monitor the traffic entering and leaving a firewall, and reports back to the central device for analysis. b. A NIPS is located "in line" on the firewall itself. c. A NIPS is designed to integrate with existing antivirus, antispyware, and firewalls that are installed on the local host computer. d. A NIPS can use a protocol stack verification technique.

b. *A NIPS is located "in line" on the firewall itself.* One of the major differences between a NIDS and a NIPS is its location. A NIDS has sensors that monitor the traffic entering and leaving a firewall, and reports back to the central device for analysis. A NIPS, on the other hand, would be located "in line" on the firewall itself. This can allow the NIPS to more quickly take action to block an attack.

*Which of the following statements best describes nonrepudiation?* a. A set of mathematical rules used in encryption b. A means of proving that a transaction occurred c. A method of hiding data in another message d. A drive technology used for redundancy and performance improvement

b. *A means of proving that a transaction occurred* Nonrepudiation means that neither a sender nor a receiver can deny sending or receiving a message or data. Answer A is incorrect because it describes an algorithm. Answer C is incorrect because it describes steganography. Answer D is incorrect because it describes RAID.

Physical and Hardware-Based Security *After a number of minor incidents at your company, physical security has suddenly increased in priority. No unauthorized personnel should be allowed access to the servers or workstations. The process of preventing access to computer systems in a building is called what?* a. Perimeter security b. Access control c. Security zones d. IDS systems

b. *Access control* Access control is the primary process of preventing access to physical systems.

*Which password standard provides the best opportunity to detect and react to a high-speed, brute-force password attack?* a. Password length b. Account lockout c. Password expiration d. Logon banner

b. *Account lockout* By locking an account after a limited number of failed attempts, administrative action is necessary to unlock the account and can raise awareness of repeated unauthorized access attempts while reducing the overall number of tests that can be attempted. Answers A and C are incorrect because both password length and password expiration can aid in complicating slow brute-force testing of sequential passwords if performed only a few times per day to avoid notice, but they provide only limited protection against high-bandwidth, brute-force attempts to guess passwords. Password complexity (including mixed-case letters, numbers, and symbols) provides more protection than length alone because the number of variations possible for each character rapidly expands the number of total tests that must be completed. Answer D is incorrect because logon banners detail legal repercussions following unauthorized access but provide no barrier against a brute-force attack.

*Which of the following are advantages of honeypots and honeynets? (Select all correct answers.)* a. Attackers are diverted to systems that they cannot damage. b. Administrators are allotted time to decide how to respond to an attack. c. Attackers' actions can more easily be monitored and resulting steps taken to improve system security. d. Well-defined legal implications. e. Provides a structure that requires fewer security administrators.

b. *Administrators are allotted time to decide how to respond to an attack.* On-boarding is a term describing the process of registering an asset and provisioning the asset so it can be used to access the corporate network. Answer A is incorrect because mobile application management (MAM) focuses on application management. Answer C is incorrect. Mobile device management (MDM) allows the enrollment of enterprise devices for management functions such as provisioning devices, tracking inventory, configuration changes, updates, managing applications, and enforcing policies. Answer D is incorrect because device access controls are used to control network access not manage devices.

Disaster Recovery and Incident Response *Your organization is exploring data-loss prevention (DLP) solutions. The proposed solution is a software storage solution that monitors how confidential data is stored. This solution is targeting which of the following data states?* a. In-transit b. At-rest c. In-use d. In-service

b. *At-rest* Protection of data at-rest is considered to be a storage solution and is generally a software solution that monitors how confidential data is stored. Answer A is incorrect because protection of data in-transit is considered to be a network solution and either a hardware or software solution is installed near the network perimeter to monitor for and flag policy violations. Answer C is incorrect because protection of data in-use is considered to be an endpoint solution and the application is run on end-user workstations or servers in the organization. Answer D is incorrect because there is no such data state.

Security and Vulnerability in the Network *Which of the following is the area of an application that is available to users—those who are authenticated and more importantly those who are not?* a. Exposed liability b. Attack surface c. Security weakness d. Susceptible claim

b. *Attack surface* The attack surface of an application is the area of an application that is available to users—those who are authenticated and more importantly those who are not.

Educating and Protecting the User *Which act mandates national standards and procedures for the storage, use, and transmission of personal medical information?* a. CFAA b. HIPAA c. GLBA d. FERPA

b. *HIPAA* HIPAA mandates national standards and procedures for the storage, use, and transmission of personal medical information.

Access Control and Identity Management *Which process involves verifying keys as being authentic?* a. Authorization b. Authentication c. Access control d. Verification

b. *Authentication* Authentication involves the presentation and verification of credentials of keys as being authentic. Answer A is incorrect because authorization involves checking authenticated credentials against a list of authorized security principles. Once checked, resource access is allowed or limited based on access control constraints, making Answer C incorrect. Answer D is incorrect because verification of credentials occurs during authentication (as being authentic) and authorization (as being authorized to request resource access) and is not a recognized access control process.

Security and Vulnerability in the Network *Your manager has purchased a program intended to be used to find problems during code review. The program will read the code and look for any possible bugs or holes. What type of assessment is this known as?* a. Mechanized b. Automated c. Programmed d. Manual

b. *Automated* Simply reading the code is known as manual assessment, while using tools to scan the code is known as automated assessment.

*Which risk management response is being implemented when a company decides to close a little-used legacy web application identified as vulnerable to SQL Injection?* a. Acceptance b. Avoidance c. Mitigation d. Transference

b. *Avoidance* Risk avoidance involves simply terminating the operation that produces the risk, such as when shutting down a vulnerable site. Answer A is incorrect because accepting a risk is to do nothing in response except document the risk-management decision and obtain senior management signoff. Answer C is not correct because mitigation applies a solution that results in a reduced level of risk or exposure. Answer D is incorrect because the liability or cost associated with a risk is transferred through insurance policies and other such legal means.

*Bluejacking and bluesnarfing make use of which wireless technology?* a. Wi-Fi b. Bluetooth c. Blu-Fi d. All of the above

b. *Bluetooth* Both bluejacking and bluesnarfing refer to types of attacks over short-range Bluetooth technology. Answers A, C, and D are incorrect.

Threats and Vulnerabilities *A collection of compromised computers running software installed by a Trojan horse or a worm is referred to as which of the following?* a. Zombie b. Botnet c. Herder d. Virus

b. *Botnet* Answers A and C are incorrect but are related to a botnet in that a zombie is one of many computer systems that make up a botnet, whereas a bot herder is the controller of the botnet. Answer D is incorrect. A virus is a program that infects a computer without the knowledge of the user.

*Which of the following makes it difficult for an eavesdropper to spot patterns and contains a message integrity method to ensure that messages have not been tampered with?* a. ICMP b. CCMP c. WEP d. LEAP

b. *CCMP* CCMP makes it difficult for an eavesdropper to spot patterns, and the CBC-MAC message integrity method ensures that messages have not been tampered with. Answer A is incorrect because ICMP is a network troubleshooting protocol. Answer C is incorrect because WEP is the most basic form of encryption that can be used on 802.11-based wireless networks. Answer D is incorrect because LEAP uses unencrypted challenges and responses and is vulnerable to dictionary attacks.

*What mechanism of wireless security is based on AES?* a. TKIP b. CCMP c. LEAP d. WEP

b. *CCMP* Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is based on the AES encryption scheme.

*From a private corporate perspective, which of the following is most secure?* a. Decentralized key management b. Centralized key management c. Individual key management d. Distributed key management

b. *Centralized key management* Centralized key management is more secure, or at least more desirable, from a private corporate perspective. From a public or individual perspective, decentralized key management is more secure. Individual and distributed key management are nonstandard terms that could be used to refer to decentralized key management.

Cryptography Implementation *Which of the following is responsible for issuing certificates?* a. Registration authority (RA) b. Certificate authority (CA) c. Document authority (DA) d. Local registration authority (LRA)

b. *Certificate authority (CA)* The certificate authority (CA) is responsible for issuing certificates.

Access Control and Identity Management *Which of the following is not true regarding expiration dates of certificates?* a. Certificates may be issued for a week. b. Certificates are issued only at yearly intervals. c. Certificates may be issued for 20 years. d. Certificates must always have an expiration date.

b. *Certificates are issued only at yearly intervals.* Digital certificates contain a field indicating the date to which the certificate is valid. This date is mandatory, and the validity period can vary from a short period of time up to a number of years; therefore, answers A, C, and D are incorrect.

*Which of the following provides a clear record of the path evidence takes from acquisition to disposal?* a. Video capture b. Chain of custody c. Hashes d. Witness statements

b. *Chain of custody* The chain of custody provides a clear record of the path evidence takes from acquisition to disposal. Answer A is incorrect because videotaping the actual entrance of a forensics team into the area helps refute claims that evidence was planted at the scene. Answer C is incorrect because hashes allow validation that the forensic analysis itself has not produced unexpected modifications of evidentiary data. Answer D is incorrect because witnesses provide statements about what they saw, when, where, and how.

Educating and Protecting the User *Users should be educated in the correct way to close pop-up ads in the workplace. That method is to:* a. Click the word Close b. Click the "X" in the top right c. Press Ctrl+Alt+Del d. Call IT

b. *Click the "X" in the top right* Pop-up ads should be closed by clicking the "X" in the top right.

*Which term refers to a pay-per-use computing model in which customers pay only for the online computing resources they need?* a. Host computing b. Cloud computing c. Patch computing d. Server computing

b. *Cloud computing* Cloud computing, which is a pay-per-use computing model in which customers pay only for the online computing resources they need, has emerged as a revolutionary concept that can dramatically impact all areas of IT, including network design, applications, procedures, and even personnel.

16) Hot spares

spare component that is connected and powered on in case primary devices fails. - kicks in when primary devices fails - works immediately

*Which of the following best describes a host-based intrusion detection system (HIDS)?* a. Examines the information exchanged between machines b. Collects and analyzes data that originates on the local machine c. Controls the information coming in and out of the host machine d. Attempts to prevent network attacks in real time

b. *Collects and analyzes data that originates on the local machine* A host-based intrusion detection system (HIDS) collects and analyzes data that originates on the local machine. Answer A is incorrect; a network-based intrusion detection system (NIDS) tries to locate packets not allowed on the network that the firewall missed and looks at the information exchanged between machines. Answer C is incorrect because firewalls control the information that gets in and out of the host machine. Answer D is incorrect; intrusion prevention differs from intrusion detection in that it actually prevents attacks in real time instead of only detecting the occurrence.

Security-Related Policies and Procedures *The process of establishing boundaries for information sharing is called:* a. Disassociation b. Compartmentalization c. Isolation d. Segregation

b. *Compartmentalization* The process of establishing boundaries for information sharing is called compartmentalization.

*Firewalls provide security through what mechanism?* a. Watching for intrusions b. Controlling traffic entering and leaving a network c. Requiring strong passwords d.

b. *Controlling traffic entering and leaving a network* Firewalls provide protection by controlling traffic entering and leaving a network.

*_______________ switches reside at the top of the hierarchy and carry traffic between switches, while _______________ switches are connected directly to the devices on the network.* a. Workgroup; core b. Core; workgroup c. Public; private d. Private; public

b. *Core; workgroup* Core switches reside at the top of the hierarchy and carry traffic between switches, while workgroup switches are connected directly to the devices on the network.

Cryptography Implementation *The process of requiring interoperability is called:* a. Cross examination b. Cross certification c. Cross scoping d. Cross marking

b. *Cross certification* The process of requiring interoperability is called cross certification.

Threats and Vulnerabilities *Which of the following types of attacks can be done by either convincing the users to click on an HTML page the attacker has constructed or insert arbitrary HTML in a target website that the users visit?* a. Buffer overflow b. Cross-site request forgery (XSRF) c. Cross-Site Scripting (XSS) d. Input validation error

b. *Cross-site request forgery (XSRF)* The key element to understanding XSRF is that attackers are betting that users have a validated login cookie for the website already stored in their browsers. All they need to do is get the browsers to make a request to the website on their behalf. This can be done by either convincing the users to click on an HTML page the attacker has constructed or inserting arbitrary HTML in a target website that the users visit. Answer A is incorrect because a buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions. Answer C is incorrect because Cross-Site Scripting (XSS) vulnerabilities can be used to hijack the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer D is incorrect because input validation errors are a result of improper field checking in the code.

Security and Vulnerability in the Network *Adding a token for every POST or GET request that is initiated from the browser to the server can be used to mitigate which of the following attacks?* a. Buffer overflow b. Cross-site request forgery (XSRF) c. Cross-Site Scripting (XSS) d. Input validation error

b. *Cross-site request forgery (XSRF)* To mitigate cross-site request forgery (XSRF) attacks, the most common solution is to add a token for every POST or GET request that is initiated from the browser to the server. Answer A is incorrect because buffer overflows are associated with input validation. Answer C is incorrect because setting the HTTPOnly flag on the session cookie is used to mitigate XSS attacks. Answer D is incorrect because input validation tests whether an application properly handles input from a source outside the application destined for internal processing.

Access Control and Identity Management *Which form of access control enables data owners to extend access rights to other logons?* a. MAC b. DAC c. Role-based (RBAC) d. Rule-based (RBAC)

b. *DAC* Discretionary access control (DAC) systems enable data owners to extend access rights to other logons. Mandatory access control (MAC) systems require assignment of labels to extend access, making answer A incorrect. Answers C and D are incorrect because both RBAC access control forms rely on conditional assignment of access rules either inherited (role-based) or by environmental factors such as time of day or secured terminal location (rule-based).

*Which of the following is included in a BYOD policy?* a. Key management b. Data ownership c. Credential management d. Transitive trusts

b. *Data ownership* When formulating a bring-your-own-device (BYOD) policy, the organization should clearly state who owns the data stored on the device, specifically addressing what data belongs to the organization. Answer A is incorrect because key management is intended to provide a single point of management for keys, enable users to manage the lifecycle of keys and to store them securely, and make key distribution easier. Answer C is incorrect because the use of credentials is to validate the identities of users, applications, and devices. Answer D is incorrect because transitive trusts enable decentralized authentication through trusted agents.

*Which of the following is the formal process of assessing risk involved in discarding particular information?* a. Sanitization b. Declassification c. Degaussing d. Overwriting

b. *Declassification* Declassification is a formal process of assessing the risk involved in discarding particular information. Answer A is incorrect because sanitization is the process of removing the contents from the media as fully as possible, making it extremely difficult to restore. Answer C is incorrect because degaussing uses an electrical device to reduce the magnetic flux density of the storage media to zero. Answer D is incorrect because overwriting is applicable to magnetic storage devices and writes over all data on the media, destroying what was originally recorded.

Physical and Hardware-Based Security *If RF levels become too high, it can cause the receivers in wireless units to become deaf. This process is called:* a. Clipping b. Desensitizing c. Distorting d. Crackling

b. *Desensitizing* If RF levels become too high, it can cause the receivers in wireless units to become deaf and is known as desensitizing. This occurs because of the volume of RF energy present.

*Which of the following is the most effective method that can be used to prevent data from being accessed in the event the device is lost or stolen?* a. GPS tracking b. Device encryption c. Remote wipe d. Passcode policy

b. *Device encryption* Just like the data on hard drives, the data on mobiles can be encrypted. Answer A is incorrect because in the event a mobile device is lost, GPS tracking can be used to find the location. Answer C is incorrect. A remote wipe allows the handheld's data to be remotely deleted in the event the device is lost or stolen. Answer D is incorrect because a screen lock or passcode is used to prevent access to the phone.

Cryptography Basics *Which of the following algorithms is not an example of a symmetric encryption algorithm?* a. Rijndael b. Diffie-Hellman c. RC6 d. AES

b. *Diffie-Hellman* Diffie-Hellman uses public and private keys, so it is considered an asymmetric encryption algorithm. Because Rijndael and Advanced Encryption Standard (AES) are now one in the same, they both can be called symmetric encryption algorithms; therefore, answers A and D are incorrect. Answer C is incorrect because RC6 is symmetric, too.

*What aspect of disaster recovery planning details training requirements for managers, administrators, and users?* a. Impact and risk assessment b. Disaster recovery plan c. Disaster recovery policies d. Service level agreements

b. *Disaster recovery plan* The disaster recovery plan documents how organizations will recover from a disaster. It includes risk evaluations, restoration procedures application, and training required. Answer A is incorrect because the impact and risk assessment details on recovery scope, priority, and order of restoration. Answer C is incorrect because the disaster recovery policies detail responsibilities and procedures to follow during disaster recovery events. Service level agreements are contracts with suppliers and vendors that detail minimum levels of support, making answer D incorrect.

*TEMPEST deals with which of the following forms of environmental control?* a. HVAC b. EMI shielding c. Humidity d. Cold-aisle

b. *EMI shielding* TEMPEST protections involve the hardening of equipment against EMI broadcast and sensitivity. Answers A and C are incorrect because HVAC controls include temperature and humidity management techniques to manage evolved heat in the data center and to minimize static charge buildup. Answer D is incorrect because hot-aisle/cold-aisle schemes provide thermal management for data centers by grouping air intakes on cold aisles and air exhausts on designated hot aisles, making HVAC more effective.

*What are the two major security areas of WLANs addressed by WPA2?* a. Access and integrity b. Encryption and authentication c. Encryption and access d. Authentication and access

b. *Encryption and authentication* WPA2 addresses the two major security areas of WLANs, namely, encryption and authentication.

Protecting Networks *Which of the following are not methods for minimizing a threat to a web server? (Choose the two best answers.)* a. Disable all nonweb services b. Ensure Telnet is running c. Disable nonessential services d. Enable logging

b. *Ensure Telnet is running* d. *Enable logging* Having Telnet enabled presents security issues and is not a primary method for minimizing threat. Logging is important for secure operations and is invaluable when recovering from a security incident. However, it is not a primary method for reducing threat. Answer A is incorrect because disabling all nonweb services might provide a secure solution for minimizing threats. Answer C is incorrect because each network service carries its own risks; therefore, it is important to disable all nonessential services.

*Which statement accurately describes a characteristic of FTP Secure (FTPS)?* a. FTPS is an entire protocol itself. b. FTPS is a combination of two technologies (FTP and SSL or TLS). c. FTPS uses a single TCP port. d. FTPS encrypts and compresses all data and commands.

b. *FTPS is a combination of two technologies (FTP and SSL or TLS).* There are several differences between SFTP and FTPS. First, FTPS is a combination of two technologies (FTP and SSL or TLS), whereas SFTP is an entire protocol itself and is not pieced together with multiple parts. Second, SFTP uses only a single TCP port instead of two ports like FTPS. Finally, SFTP encrypts and compresses all data and commands (FTPS may not encrypt data).

Security and Vulnerability in the Network *What are the two states that an application can fail in?* a. Dependable b. Failsafe c. Failopen d. Assured

b. *Failsafe* c. *Failopen* There are two states that an application can fail in. In a failsafe mode, the crash leaves the system secure. In a failopen state, the crash leaves the system exposed (not secure).

*What technique or method can be employed by hackers and researchers to discover unknown flaws or errors in software?* a. Dictionary attacks b. Fuzzing c. War dialing d. Cross-site request forgery

b. *Fuzzing* Fuzzing is a software-testing technique that generates input for targeted programs. The goal of fuzzing is to discover input sets that cause errors, failures, and crashes, or to discover other unknown defects in the targeted program.

Operating System and Application Security *Which of the following is the technique of providing unexpected values as input to an application to try to make it crash?* a. DLP b. Fuzzing c. TPM d. HSM

b. *Fuzzing* Fuzzing is the technique of providing unexpected values as input to an application to try to make it crash. Those values can be random, invalid, or just unexpected.

Educating and Protecting the User *The Cyberspace Security Enhancement Act gives law enforcement the right to:* a. Fine ISPs who host rogue sites b. Gain access to encryption keys c. Restrict information from public view d. Stop issuance of .gov domains

b. *Gain access to encryption keys* The Cyberspace Security Enhancement Act gives law enforcement the right to gain access to encryption keys.

Cryptography Implementation *Which of the following refers to the ability to manage individual resources in the CA network?* a. Regulation b. Granularity c. Management d. Restricting

b. *Granularity* Granularity refers to the ability to manage individual resources in the CA network.

*Which of the following is commonly used in the banking sector to secure numerous large bulk transactions?* a. Full disk encryption b. HSM c. TPM d. File-level encryption

b. *HSM* Traditionally, hardware security modules (HSMs) have been used in the banking sector to secure numerous large bulk transactions. Answer A is incorrect because full disk encryption is most useful when you're dealing with a machine that is being taken on the road by people such as traveling executives, sales managers, or insurance agents. Answer C is incorrect because trusted platform module (TPM) refers to a secure crypto-processor used to authenticate hardware devices such as PC or laptop. Answer D is incorrect because in file- or folder-level encryption, individual files or folders are encrypted by the file system itself.

Operating System and Application Security *You've been chosen to lead a team of administrators in an attempt to increase security. You're currently creating an outline of all the aspects of security that will need to be examined and acted upon. Which of the following terms describes the process of improving security in an NOS?* a. Common Criteria b. Hardening c. Encryption d. Networking

b. *Hardening* Hardening is the process of improving the security of an operating system or application. One of the primary methods of hardening an OS is to eliminate unneeded protocols.

*The process of making an operating system more secure by closing known vulnerabilities and addressing security issues is known as which of the following?* a. Handshaking b. Hardening c. Hotfixing d. All of the above

b. *Hardening* Hardening refers to the process of securing an operating system. Handshaking relates the agreement process before communication takes place; therefore, answer A is incorrect. A hotfix is just a security patch that gets applied to an operating system; therefore, answer C is incorrect. Hardening is the only correct answer; therefore, answer D is incorrect.

Cryptography Basics *Which of the following is the type of algorithm used by MD5?* a. Block cipher algorithm b. Hashing algorithm c. Asymmetric encryption algorithm d. Cryptographic algorithm

b. *Hashing algorithm* Although the message digest (MD) series of algorithms is classified globally as a symmetric key encryption algorithm, the correct answer is hashing algorithm, which is the method that the algorithm uses to encrypt data. Answer A in incorrect because a block cipher divides the message into blocks of bits. Answer C is incorrect because MD5 is a symmetric key algorithm, not an asymmetric encryption algorithm (examples of this include RC6, Twofish, and Rijndael). Answer D is incorrect because cryptographic algorithm is a bogus term.

Network Security *Which statement concerning heuristic monitoring is correct?* a. Heuristic monitoring operates by being adaptive and proactive. b. Heuristic monitoring is founded on experience-based techniques. c. Heuristic monitoring is designed for detecting statistical anomalies. d. Heuristic monitoring looks for well-known patterns.

b. *Heuristic monitoring is founded on experience-based techniques.* Heuristic monitoring is founded on experience-based techniques. It attempts to answer the question, "Will this do something harmful if it is allowed to execute?"

*A CA with multiple subordinate CAs would use which of the following PKI trust models?* a. Cross-certified b. Hierarchical c. Bridge d. Linked

b. *Hierarchical* A DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer A is incorrect. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer C is incorrect because NAT acts as a liaison between an internal network and the Internet. Answer D is incorrect because a VPN is a network connection that allows you access via a secure tunnel created through an Internet connection.

*Which of the following describes a network of systems designed to lure an attacker away from another critical system?* a. Bastion host b. Honeynet c. Vulnerability system d. Intrusion-detection system

b. *Honeynet* Honeynets are collections of honeypot systems interconnected to create networks that appear to be functional and that can be used to study an attacker's behavior within the network. A bastion host is the first line of security that a company allows to be addressed directly from the Internet; therefore, answer A is incorrect. Answer C is incorrect because it is a made-up term. Answer D is incorrect because an IDS is used for intrusion detection.

Network Security *Load balancing that is used for distributing HTTP requests received is sometimes called _______________.* a. content filtering b. IP spraying c. content inspection d. port mirroring

b. *IP spraying* Load balancing that is used for distributing HTTP requests received is sometimes called IP spraying.

*Which statement accurately describes IP telephony?* a. IP telephony requires an increase in infrastructure requirements. b. IP telephony convergence provides the functionality of managing and supporting a single network for all applications. c. New IP telephony applications can take a long time to develop. d. The cost of convergence technologies is high in comparison to startup costs for new traditional telephone equipment.

b. *IP telephony convergence provides the functionality of managing and supporting a single network for all applications.* Instead of managing separate voice and data networks, convergence provides the functionality of managing and supporting a single network for all applications.

*Which of the fields included within a digital certificate identifies the directory name of the entity signing the certificate?* a. Signature algorithm identifier b. Issuer c. Subject name d. Subject public key information

b. *Issuer* The Issuer field identifies the name of the entity signing the certificate, which is usually a certificate authority. The Signature Algorithm Identifier identifies the cryptographic algorithm used by the CA to sign the certificate; therefore, answer A is incorrect. The Subject Name is the name of the end entity identified in the public key associated with the certificate; therefore, answer C is incorrect. The Subject Public Key Information field includes the public key of the entity named in the certificate, including a cryptographic algorithm identifier; therefore, answer D is incorrect.

Wireless Networking Security *Which of the following provides services similar to TCP and UDP for WAP?* a. WTLS b. WDP c. WTP d. WFMD

c. *WTP* The Wireless Transaction Protocol (WTP) provides services similar to TCP and UDP for WAP.

*Which type of authorization provides a mechanism for validation of both sender and receiver?* a. Anonymous b. Kerberos c. TACACS d. RADIUS

b. *Kerberos* Kerberos authentication enables validation of both endpoints and can help protect against interception attacks such as the "man-in-the-middle." Anonymous connections do not even allow verification of the access requestor, making answer A incorrect. Answers C and D are incorrect because neither TACACS or RADIUS services provide mutual endpoint validation.

Cryptography Implementation *Which of the following is one of the biggest challenges associated with database encryption?* a. Multitenancy b. Key management c. Weak authentication components d. Platform support

b. *Key management* One of the biggest challenges associated with database encryption is key management. Answer A is incorrect because multitenancy is a security issue related to cloud computing implementations. Answer C is incorrect because lack of management software and weak authentication components are associated with hardware hard drive encryption. Answer D is incorrect because cost and platform support are concerns with smartphone encryption products.

Cryptography Basics *You've been brought in as a security consultant for a small bicycle manufacturing firm. Immediately you notice that it's using a centralized key-generating process, and you make a note to dissuade them from that without delay. What problem is created by using a centralized key-generating process?* a. Network security b. Key transmission c. Certificate revocation d. Private key security

b. *Key transmission* Key transmission is the largest problem from among the choices given. Transmitting private keys is a major concern. Private keys are typically transported using out-of-band methods to ensure security.

Cryptography Basics *Which organization can be used to identify an individual for certificate issue in a PKI environment?* a. RA b. LRA c. PKE d. SHA

b. *LRA* A local registration authority (LRA) can establish an applicant's identity and verify that the applicant for a certificate is valid. The LRA sends verification to the CA that issues the certificate.

*Lynn needs access to the Accounting order-entry application but keeps getting an error that indicates inadequate access permissions. Bob assigns Lynn's account to the Administrator's group to overcome the error until he can work on the problem. Which access control constraint was violated by this action?* a. Implicit denial b. Least privilege c. Separation of duties d. Account expiration

b. *Least privilege* Least privilege is a principle of assigning only those rights necessary to perform assigned tasks. By making Lynn a member of the Administrators group, Bob not only bypassed the application's access control protocols but may also have granted Lynn access to additional application features or administrative-only tools that often lack the same safeguards as user-level APIs. Answer A is incorrect because the default assignment of an implicit denial is overridden by explicit grants of access aids in protecting resources against accidental access and is not directly violated by this action because Lynn's account now has full administrator rights assigned. Answer C is incorrect because separation of duties is focused on ensuring that action and validation practices are performed separately. Answer D is incorrect because account expiration protocols ensure that individual accounts do not remain active past their designated lifespan, but Lynn's account is current and enabled so is unaffected.

Physical and Hardware-Based Security *For physical security, what should you do with rack-mounted servers?* a. Run a cable from them to a desk. b. Lock each of them into the cabinet. c. Install them in safes. d. Use only Type D, which incorporates its own security.

b. *Lock each of them into the cabinet.* Server racks should lock the rack-mounted servers into the cabinets to prevent someone from simply pulling one and walking out the front door with it.

*Which of the following is not one of the vulnerabilities of LDAP authentication services?* a. Buffer overflow vulnerabilities can be used to enact arbitrary commands on the LDAP server. b. Loss of time synchronization between the service, client, and KDC prevents communication. c. Format string vulnerabilities might result in unauthorized access to enact commands on the LDAP server or impair its normal operation. d. Improperly formatted requests might be used to create an effective denial-of-service (DoS) attack against the LDAP server.

b. *Loss of time synchronization between the service, client, and KDC prevents communication.* Kerberos is a time-synchronized protocol that relies on a common time base for session ticket lifetime verification. LDAP is not a ticket-based or a lifetime-based protocol. Answers A, C, and D are incorrect because all three are vulnerabilities of some LDAP service variations.

Security and Vulnerability in the Network *An organization is looking for a filtering solution that will help eliminate some of the recent problems it has had with viruses and worms. Which of the following best meets this requirement?* a. Intrusion detection b. Malware inspection c. Load balancing d. Internet content filtering

b. *Malware inspection* A malware inspection filter is basically a web filter applied to traffic that uses HTTP. The body of all HTTP requests and responses is inspected. Malicious content is blocked, but legitimate content passes through unaltered. Answer A is incorrect because intrusion-detection systems are designed to analyze data, identify attacks, and respond to the intrusion. Answer C is incorrect because load balancers are servers configured in a cluster to provide scalability and high availability. Answer D is incorrect because Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications.

Access Control and Identity Management *Which category of authentication includes smart cards?* a. Something you know b. Something you have c. Something you are d. Something you do e. Somewhere you are

b. *Something you have* Something you have includes smart cards, tokens, and keys. Something you know includes account logons, passwords, and PINs, making answer A incorrect. Answers C and D are incorrect because both something you are and something you do involve measures of personal biological qualities and do not require an external device such as a smart card or key. Answer E is incorrect because somewhere you are is generally associated with either being in a trusted or less trusted location which could be based on GPS coordinates or IP address.

Operating System and Application Security *Which of the following is needed to establish effective security baselines for host systems? (Select two correct answers.)* a. Cable locks b. Mandatory settings c. Standard application suites d. Decentralized administration

b. *Mandatory settings* c. *Standard application suites* To establish effective security baselines, enterprise network security management requires a measure of commonality between the systems. Mandatory settings, standard application suites, and initial setup configuration details all factor into the security stance of an enterprise network. Answer A is incorrect because cable locks have nothing to do with effective security baselines. Answer D is incorrect because decentralized management does not have anything to do with security baselines.

*What is the most common type of wireless access control?* a. Electronic Access Control (EAC) b. Media Access Control (MAC) address filtering c. Extensible Authentication Protocol-Transport Layer Security (EAP/TLS) d. Port Based Access Control (PBAC)

b. *Media Access Control (MAC) address filtering* The most common type of wireless access control is Media Access Control (MAC) address filtering. The MAC address is a hardware address that uniquely identifies each node of a network.

*Which of the following is a term describing the process of registering an asset and provisioning the asset so it can be used to access the corporate network?* a. Mobile application management b. Onboarding c. Mobile device management d. Device access controls

b. *Onboarding* On-boarding is a term describing the process of registering an asset and provisioning the asset so it can be used to access the corporate network. Answer A is incorrect because mobile application management (MAM) focuses on application management. Answer C is incorrect. Mobile device management (MDM) allows the enrollment of enterprise devices for management functions such as provisioning devices, tracking inventory, configuration changes, updates, managing applications, and enforcing policies. Answer D is incorrect because device access controls are used to control network access not manage devices.

*Which is the strongest form of password?* a. More than eight characters b. One-time use c. Static d. Different types of keyboard characters

b. *One-time use* A one-time password is always the strongest form of password. A static password is always the weakest form of password. Passwords with more than eight characters and those that use different types of keyboard characters are usually strong, but these factors alone are unable to indicate their strength.

Physical and Hardware-Based Security *You're the administrator for MTS. You're creating a team that will report to you, and you're attempting to divide the responsibilities for security among individual members. Similarly, which of the following access methods breaks a large area into smaller areas that can be monitored individually?* a. Zone b. Partition c. Perimeter d. Floor

b. *Partition* Partitioning is the process of breaking a network into smaller components that can each be individually protected. This is analogous to building walls in an office building.

Physical and Hardware-Based Security *Which of the following is equivalent to building walls in an office building from a network perspective?* a. Perimeter security b. Partitioning c. Security zones d. IDS systems

b. *Partitioning* Access control is the primary process of preventing access to physical systems.

IKE Internet Key Exchange

standard automated method for negotiating shared secret key in IP sec.

Physical and Hardware-Based Security *Which of the following statements are true when discussing physical security? (Select all correct answers.)* a. Physical security attempts to control access to data from Internet users. b. Physical security attempts to control unwanted access to specified areas of a building. c. Physical security attempts to control the effect of natural disasters on facilities and equipment. d. Physical security attempts to control internal employee access into secure areas.

b. *Physical security attempts to control unwanted access to specified areas of a building.* c. *Physical security attempts to control the effect of natural disasters on facilities and equipment.* d. *Physical security attempts to control internal employee access into secure areas.* Natural disasters, unwanted access, and user restrictions are all physical security issues. Preventing Internet users from getting to data is data security, not physical security; therefore, answer A is incorrect.

Educating and Protecting the User *______ information is made available to either large public or specific individuals, while ______ information is intended for only those internal to the organization.* a. Private; Restricted b. Public; Private c. Limited distribution; Internal d. Public; Internal

b. *Public; Private* Public information is made available to either large public or specific individuals, while Private information is intended for only those internal to the organization.

*Which of the following technologies can be used to add an additional layer of protection between a directory services-based network and remote clients?* a. SMTP b. RADIUS c. PGP d. VLAN

b. *RADIUS* RADIUS is a centralized authentication solution that adds an additional layer of security between a network and remote clients. SMTP is the email-forwarding protocol used on the Internet and intranets. PGP is a security solution for email. VLANs are created by switches to logically divide a network into subnets.

*Which of the following should you deploy within your PKI to provide a method for initially verifying a user's identity so that a certificate may be issued?* a. Certificate authority (CA) b. Registration authority (RA) c. Certificate practice statement (CPS) d. Certificate registration list (CRL)

b. *Registration authority (RA)* A registration authority is used to first verify the user's identity before passing the request along to the certificate authority to issue a digital certificate. So, answer A is incorrect. Answer C is also incorrect because a CPS is a legal document created and published by the CA. Answer D is incorrect. A certificate registration list is a red herring. Within PKI, CRL refers to a certificate revocation list, which is a mechanism for disturbing information about revoked certificates.

*Which of the following are steps that can be taken to harden DHCP services?* a. Anonymous access to share files of questionable or undesirable content should be limited. b. Regular review of networks for unauthorized or rogue servers. c. Technologies that allow dynamic updates must also include access control and authentication. d. Unauthorized zone transfers should also be restricted.

b. *Regular review of networks for unauthorized or rogue servers.* Regular review of networks for unauthorized or rogue servers is a practice used to harden DHCP services. Answer A is incorrect because anonymous access to share files of questionable or undesirable content should be limited for proper FTP server security. Answers C and D are incorrect because they are associated with hardening DNS servers.

*You run a full backup every Monday. You also run a differential backup every other day of the week. You experience a drive failure on Friday. Which of the following restoration procedures should you use to restore data to the replacement drive?* a. Restore the full backup and then each differential backup. b. Restore the full backup and then the last differential backup. c. Restore the differential backup. d. Restore the full backup.

b. *Restore the full backup and then the last differential backup.* The proper procedure is to restore the full backup, and then the last differential backup. The other three options are incorrect or incomplete.

*A certificate authority discovers it has issued a digital certificate to the wrong person. What needs to be completed?* a. Certificate practice statement (CPS) b. Revocation c. Private key compromise d. Fraudulent practices statement (FPS)

b. *Revocation* A certificate might need to be revoked (including a certificate being issued to the incorrect person) for any number of reasons. A CPS is a published document from the CA describing their policies and procedures for issuing and revoking certificates; therefore, answer A is incorrect. A private key compromise is actually another reason to perform revocation of a certificate; therefore, answer C is incorrect. Answer D is incorrect because this is a bogus term.

*Which of the following statements is true about SSL?* a. SSL provides security for both the connection and the data after it is received. b. SSL only provides security for the connection, not the data after it is received. c. SSL only provides security for the data when it is received, not the connection. d. SSL does not provide security for either the connection or the data after it is received.

b. *SSL only provides security for the connection, not the data after it is received.* Secure Sockets Layer (SSL) provides security only for the connection, not the data after it is received. The data is encrypted while it is being transmitted, but when received by the computer, it is no longer encrypted. Therefore, answers A, C, and D are incorrect.

*The _______________ is the expected monetary loss every time a risk occurs.* a. Annualized Loss Expectancy b. Single Loss Expectancy c. Annualized Rate of Occurrence d. Multiple Loss Expectancy

b. *Single Loss Expectancy* The Single Loss Expectancy (SLE) is the expected monetary loss every time a risk occurs.

16) Disaster Recovery Plan (DRP)

step-by-step document that demonstrates the steps needed to recover systems from failures

*Why do experts recommend that access points (APs) be mounted as high as possible?* a. Antennas must hang upside down for best performance. b. The radio frequency (RF) signal may experience fewer obstructions. c. The air is "heavier" as it rises, providing better transmission of the radio frequency (RF) signal. d. Warm air rises and provides a better conductor for the radio frequency (RF) signal.

b. *The radio frequency (RF) signal may experience fewer obstructions.* Generally the AP can be secured to the ceiling or high on a wall. It is recommended that APs be mounted as high as possible for two reasons: there may be fewer obstructions for the RF signal, and to prevent thieves from stealing the device.

Access Control and Identity Management *Which of the following is true of digital signatures? (Choose the two best answers.)* a. They are the same as a hash function. b. They can be automatically time-stamped. c. They allow the sender to repudiate that the message was sent. d. They cannot be imitated by someone else.

b. *They can be automatically time-stamped.* d. *They cannot be imitated by someone else.* Digital signatures offer several features and capabilities. This includes being able to ensure the sender cannot repudiate that he or she used the signature. In addition, nonrepudiation schemes are capable of offering time stamps for the digital signature. Answer A is incorrect. Hashing algorithms are only used for integrity purposes and only confirm original content. Answer C is incorrect because a key feature of digital signatures is to provide for nonrepudiation.

*Your organization provides a secure web portal. You discover another portal that mimics your organization's portal look and feel. This portal has a similar URL but is different by one letter. Which of the following are most likely true? (Select two correct answers.)* a. This is an example of transitive access. b. This is typo squatting. c. The site is collecting usernames and passwords. d. The site is a result of a malicious insider.

b. *This is typo squatting.* c. *The site is collecting usernames and passwords.* Typo squatting takes advantage of mistyped domain names. Sometimes for advertising purposes, but it can also be for more malicious intent. The unauthorized site may be looking to collect usernames and passwords, then of course, allowing access. Transitive access describes a situation that can be exploited, but one that is normally by design that takes advantage of trust relationships, thus answer A is incorrect. Answer D is also incorrect. A malicious insider may have set up the rouge site, but there is no indication this was the case.

Network Security *What is the role of a router?* a. To inspect packets and either accept or deny entry b. To forward packets across different computer networks c. To intercept user requests from the internal secure network and then process that request on behalf of the user d. To connect networks together so that they function as a single network segment

b. *To forward packets across different computer networks* A router is a network device that can forward packets across different computer networks. When a router receives an incoming packet, it reads the destination address and then, using information in its routing table, sends the packet to the next network toward its destination.

*Your organization has organized a trade show in the United States. With the goal of increasing revenue, you decide to operate a Wi-Fi hotspot for a fee. Which of the following are reasons your organization could use wireless jamming? (Select all correct answers.)* a. To maximize revenue b. To prevent degraded service c. To prevent attendees from operating their own Wi-Fi hot spots d. To prevent attacks

b. *To prevent degraded service* d. *To prevent attacks* Wireless jamming may be a legal way to prevent degraded service or attacks. Answers A and C are incorrect. Wireless jamming may provide an effective means to ensure that no other Wi-Fi network may operating and may increase profits by interfering with the signal, but it is against FCC regulations and illegal to do this.

*Which of the following symmetric-encryption algorithms offers the strength of 168-bit keys?* a. Data Encryption Standard b. Triple DES c. Advanced Encryption Standard d. IDEA

b. *Triple DES* Triple DES (3DES) offers the strength of 168-bit keys. The Data Encryption Standard (DES) offers the strength of 56-bit keys. The Advanced Encryption Standard (AES) offers the strength of 128-, 192-, or 256-bit keys. The International Data Encryption Algorithm (IDEA) offers the strength of 128-bit keys.

Threats and Vulnerabilities *A user has downloaded trial software and subsequently downloads a key generator in order to unlock the trial software. The user's antivirus detection software now alerts the user that the system is infected. Which one of the following best describes the type of malware infecting the system?* a. Logic bomb b. Trojan c. Adware d. Worm

b. *Trojan* Trojans are programs disguised as something useful. In this instance, the user was likely illegally trying to crack software, and in the process infected the system with malware. Although answers A, C, and D are types of malware, they are not the best choices.

Cryptography Implementation *PKI (Public Key Infrastructure) is a key-asymmetric system utilizing how many keys?* a. One b. Two c. Three d. Four

b. *Two* PKI (Public Key Infrastructure) is a key-asymmetric system utilizing two keys.

Wireless Networking Security *Which of the following authentication levels with WAP requires both ends of the connection to authenticate to confirm validity?* a. Relaxed b. Two-way c. Server d. Anonymous

b. *Two-way* Two-way authentication requires both ends of the connection to authenticate to confirm validity.

Physical and Hardware-Based Security *Type K fire extinguishers are intended for use on cooking oil fires. This type is a subset of which other type of fire extinguisher?* a. Type A b. Type B c. Type C d. Type D

b. *Type B* Type K fire extinguishers are a subset of Type B fire extinguishers.

*The new biometric authentication system has been identified as having a high FAR. What does this mean?* a. Authorized users are being allowed access. b. Unauthorized users are being allowed access. c. Authorized users are being denied access. d. Unauthorized users are being denied access.

b. *Unauthorized users are being allowed access.* The false acceptance rate (FAR) is a measure of unauthorized biometric signatures being accepted as valid. Answers A and D are incorrect because they represent valid biometric operations. Answer C is incorrect because denial of authorized signatures is measured as the false rejection rate (FRR).

*Which term describes a means of managing and presenting computer resources by function without regard to their physical layout or location?* a. Port mirroring b. Virtualization c. Cloud computing d. Virtual LAN (VLAN) management

b. *Virtualization* Virtualization is a means of managing and presenting computer resources by function without regard to their physical layout or location.

*An organization is looking for a mobile solution that allows both executives and employees to discuss sensitive information without having to travel to secure company locations. Which of the following fulfills this requirement?* a. GPS tracking b. Voice encryption c. Remote wipe d. Passcode policy

b. *Voice encryption* Mobile voice encryption can allow executives and employees alike to discuss sensitive information without having to travel to secure company locations. Answer A is incorrect because in the event a mobile device is lost, GPS tracking can be used to find the location. answer C is incorrect because remote wipe allows a handheld's data to be remotely deleted in the event the device is lost or stolen. Answer D is incorrect because a screen lock or passcode is used to prevent access to the phone.

Disaster Recovery and Incident Response *Which site best provides limited capabilities for the restoration of services in a disaster?* a. Hot site b. Warm site c. Cold site d. Backup site

b. *Warm site* Warm sites provide some capabilities in the event of a recovery. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that may already exist at the warm site.

*What is the minimal level of alternative site that includes live networking?* a. Cold b. Warm c. Hot d. Remote

b. *Warm* A warm site generally includes power, phone, and networking. It might include computers that are not yet set up or kept fully up to date. Cold sites generally have little more than space, restrooms, and electricity until activated, making answer A incorrect. Hot sites are locations that are fully operational and include all aspects of operational requirements, making answer C incorrect. Alternate sites (hot, warm, or cold) should be remote enough to be outside of the zone of involvement during a disaster event, making answer D incorrect.

Security-Related Policies and Procedures *Which of the following is the basic premise of least privilege?* a. Always assign responsibilities to the administrator who has the minimum permissions required. b. When assigning permissions, give users only the permissions they need to do their work and no more. c. Regularly review user permissions and take away one that they currently have to see if they will complain or even notice that it is missing. d. Do not give management more permissions than users.

b. *When assigning permissions, give users only the permissions they need to do their work and no more.* The basic premise of least privilege is: When assigning permissions, give users only the permissions they need to do their work and no more.

Security and Vulnerability in the Network *In which type of testing do you begin with the premise that the attacker has inside knowledge of the network?* a. Black box b. White box c. Gray box d. Green box

b. *White box* With white box testing, you begin with the premise that the attacker has inside knowledge of the network.

*Which security stance will be most successful at preventing malicious software execution?* a. Deny by exception b. Whitelisting c. Allow by default d. Blacklisting

b. *Whitelisting* Whitelisting is a security option that prohibits unauthorized software from being able to execute. Whitelisting is also known as deny by default or implicit deny. Blacklisting, also known as deny by exception or allow by default, is the least successful means of preventing malware execution.

Protecting Networks *Which of the following are examples of protocol analyzers? (Check all correct answers.)* a. Metasploit b. Wireshark c. OVAL d. Microsoft Message Analyzer

b. *Wireshark* d. *Microsoft Message Analyzer* Windows Server operating systems come with a protocol analyzer called by Microsoft Message Analyzer. Third-party programs such as Wireshark can also be used for network monitoring. Metasploit is a framework used for penetration testing, and OVAL is intended as an international language for representing vulnerability information using an XML schema for expression; therefore, answers A and C are incorrect.

Disaster Recovery and Incident Response *Although you're talking to her on the phone, the sound of the administrative assistant's screams of despair can be heard down the hallway. She has inadvertently deleted a file that the boss desperately needs. Which type of backup is used for the immediate recovery of a lost file?* a. Onsite storage b. Working copies c. Incremental backup d. Differential backup

b. *Working copies* Working copies are backups that are usually kept in the computer room for immediate use in recovering a system or lost file.

Operating System and Application Security *Which of the following statements is not true?* a. You should never share the root directory of a disk. b. You should share the root directory of a disk. c. You should apply the most restrictive access necessary for a shared directory. d. Filesystems are frequently based on hierarchical models.

b. *You should share the root directory of a disk.* Never share the root directory of a disk if at all possible. Doing so opens the entire disk to potential exploitation.

Network Security *A more "intelligent" firewall is a(n) _______________ firewall, sometimes called a next-generation firewall (NGFW).* a. rule-based b. application-aware c. hardware-based d. host-based

b. *application-aware* A more "intelligent" firewall is an application-aware firewall, sometimes called a next-generation firewall (NGFW).

Educating and Protecting the User *There are two types of implicit denies. One of these can be configured so that only users specifically named can use the service and is known as:* a. at.deny b. at.allow c. at.open d. at.closed

b. *at.allow* at.allow configurations allow only users specifically named to use the service.

Network Security *VPN transmissions are achieved through communicating with _______________.* a. network taps b. endpoints c. Internet content filters d. proxy servers

b. *endpoints* VPN transmissions are achieved through communicating with endpoints. An endpoint is the end of the tunnel between VPN devices. An endpoint can be software on a local computer, a dedicated hardware device such as a VPN concentrator (which aggregates hundreds or thousands of VPN connections), or integrated into another networking device such as a firewall.

*An event that, in the beginning, is considered to be a risk, yet turns out not to be one, is called a _______________.* a. false negative b. false positive c. negative-positive d. positive-negative

b. *false positive* An event that, in the beginning, is considered to be a risk yet turns out not to be one is called a false positive.

*Risk _______________ is the attempt to address risks by making risk less serious.* a. deterrence b. mitigation c. acceptance d. avoidance

b. *mitigation* Risk mitigation is the attempt to address the risks by making risk less serious.

*A(n) _______________ policy outlines how the organization uses the personal information it collects.* a. acceptable use b. privacy c. data acquisition d. data storage

b. *privacy* A privacy policy outlines how the organization uses personal information it collects.

*A _______________ cloud is one in which the services and infrastructure are offered to all users with access provided remotely through the Internet.* a. private b. public c. hybrid d. community

b. *public* A public cloud is one in which the services and infrastructure are offered to all users with access provided remotely through the Internet.

*The _______________ approach to calculating risk uses an "educated guess" based on observation.* a. cumulative b. qualitative c. technical d. quantitative

b. *qualitative* The qualitative approach to calculating risk uses an "educated guess" based on observation.

*The _______________ is the maximum length of time that an organization can tolerate between backups.* a. mean time to failure b. recovery point objective c. mean time to recovery d. recovery time objective

b. *recovery point objective* The recovery point objective (RPO) is the maximum length of time that an organization can tolerate between backups.

*A(n) _______________ is an in-depth examination and analysis of a wireless LAN site.* a. network log b. site survey c. captive portal d. threat vector

b. *site survey* Ensuring that a wireless LAN can provide its intended functionality and meet its required design goals can best be achieved through a site survey. A site survey is an in-depth examination and analysis of a wireless LAN site.

*An integrated device that combines several security functions is called a(n) _______________ security product.* a. demilitarized zone (DMZ) b. unified threat management (UTM) c. virtual private network (VPN) d. application-aware IPS

b. *unified threat management (UTM)* An integrated device that combines several security functions, called a Unified Threat Management (UTM) security product.

*Segmenting a network by separating devices into logical groups is known as creating a _______________.* a. cloud b. virtual LAN (VLAN) c. flood guard d. unified threat management (UTM) system

b. *virtual LAN (VLAN)* Segmenting a network by separating devices into logical groups is known as creating a virtual LAN (VLAN).

*_______________ business partners refers to the start-up relationship between partners.* a. Enrolling b. On-boarding c. Unrolling d. Off-boarding

b.* On-boarding* On-boarding business partners refers to the start-up relationship between partners

16) Incremental Backup

backs up only the files that have changed or that were added since the last incremental or full backup

16) Differential Backup

backs up the files that have changed or that were added since the last full backup by looking for any files that have the archive bit set

anomaly based analyst (IDS)

baseline normal activity is determined and anything outside is consider suspicious - behavior-based system - large false positives - great for zero day exploits

Cryptography Basics *Assuming asymmetric encryption, if data is encoded with a value of 5, what would be used to decode it?* a. 5 b. 1 c. 1/5 d. 0

c. *1/5* With asymmetric encryption, two keys are used—one to encode and the other to decode. The two keys are mathematical reciprocals of each other.

Physical and Hardware-Based Security *Proximity readers work with which of the following? (Choose all that apply.)* a. 15.75 fob card b. 14.32 surveillance card c. 13.56 MHZ smart card d. 125 kHz proximity card

c. *13.56 MHZ smart card* d. *125 kHz proximity card* Proximity readers work with 13.56 MHz smart card and 125 kHz proximity cards.

*Fiber channel (FC) is a high-speed storage network protocol that can transmit up to _______________ per second.* a. 16 bits b. 16 megabits c. 16 gigabits d. 16 terabits

c. *16 gigabits* Fibre Channel (FC) is a high-speed storage network protocol that can transmit up to 16 gigabits per second.

*What is the minimum number of drives necessary to provide a RAID 5 redundant with distributed parity disk array?* a. 1 b. 2 c. 3 d. 5

c. *3* The minimum number of drives in a RAID 5 array is three, making answers B and D incorrect. A single drive does not provide fault tolerance, making Answer A incorrect.

What is perfect forward secrecy

system that generates random public key (ephemeral key) for each session

Infrastructure and Connectivity *What is the recommended range of humidity level according to the ASHRAE?* a. 10% to 20% b. 30% to 40% c. 40% to 55% d. 55% to 65%

c. *40% to 55%* The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends optimal humidity levels in the 40% to 55% range, making answers A, B, and D incorrect. Very low levels of humidity can promote the buildup of electrostatic charges that can harm sensitive electronic components. Very high levels of humidity can promote condensation on chilled surfaces and introduce liquid into operating equipment.

*Which port does the Hypertext Transfer Protocol Secure (HTTPS) use?* a. 53 b. 143 c. 443 d. 3389

c. *443* The Hypertext Transfer Protocol Secure (HTTPS) uses port 443.

Wireless Networking Security *Which of the following 802.11 standards is often referenced as WPA2?* a. 802.11a b. 802.11b c. 802.11i d. 802.11n

c. *802.11i* The WPA2 standard is also known as 802.11i.

*Which of the following is a description of a key-stretching technique?* a. Salting input before hashing b. Generating a random number, and then using a trapdoor one-way function to derive a related key c. Adding iterative computations that increase the effort involved in creating the improved result d. Using a challenge-response dialogue

c. *Adding iterative computations that increase the effort involved in creating the improved result* Often, key stretching involves adding iterative computations that increase the effort involved in creating the improved key result, usually by several orders of magnitude. Salting input before hashing is a means to increase password security against brute-force attacks. Generating a random number and then using a trapdoor one-way function to derive a related key is the process of creating an asymmetric key pair set. Using a challenge-response dialogue is the basis of CHAP authentication.

*Which of the following is an example of a false negative result?* a. An authorized user is granted access to a resource. b. An unauthorized user is granted access to a resource. c. An authorized user is refused access to a resource. d. An unauthorized user is refused access to a resource.

c. *An authorized user is refused access to a resource.* A false negative result involves access refusal for an authorized user, which makes answer D incorrect. Answers A and B are incorrect because they represent granted resource access.

*Which of the following describes a simple form of social engineering in which an unauthorized individual follows closely behind someone who has authorized physical access to an environment?* a. Tailgating b. Piggybacking c. Answers A and B d. None of the above

c. *Answers A and B* Both tailgating and piggybacking describe a simple method to gain unauthorized access to an environment by closely following behind someone with authorized access. Neither answer A nor B alone is correct. Answer D is incorrect.

Infrastructure and Connectivity *When troubleshooting SSL, which two layers of the OSI model are of most value?* a. Application layer and presentation layer b. Presentation layer and session layer c. Application layer and transport layer d. Physical layer and data link layer

c. *Application layer and transport layer* SSL connections occur between the application and transport layers. Answer A is incorrect because SSL operates at a deeper level. Answer B is incorrect because the Secure Sockets Layer transport effectively fills the same role as these OSI model layers. Answer D is incorrect because the data has been abstracted beyond the level at which SSL operates.

*Which of the following would be used to detect unauthorized or unintentional access or escalation of privileges?* a. Change management b. Incident management c. Auditing d. Data-loss prevention

c. *Auditing* Auditing is used to detect unauthorized or unintentional access or escalation of privileges. Answer A is incorrect because change management provides specific details when system changes are made, such as the files being replaced, the configuration being changed, or the machines or operating systems affected. Answer B is incorrect because incident management includes preparation, roles, rules, and procedures for incident response and how to maintain business continuity while defending against further attacks. Answer D is incorrect because DLP is a way of detecting and preventing confidential data from being exfiltrated physically or logically from an organization by accident or on purpose. Auditing is used to prevent unauthorized or unintentional access or escalation of privileges.

Educating and Protecting the User *An NDA (nondisclosure agreement) is typically signed by?* a. Alpha testers b. Customers c. Beta testers d. Focus groups

c. *Beta testers* An NDA (nondisclosure agreement) is typically signed by beta testers.

*Which type of power variation includes short-term decreases in voltage levels?* a. Spikes b. Surges c. Brownouts d. Blackouts

c. *Brownouts* A brownout is a short-term decrease in voltage, often occurring when motors are started or due to provider faults. Both spikes and surges are increases of voltage, making answers A and B incorrect. Blackouts involve a complete loss of power rather than simply a reduction of voltage, making answer D incorrect.

Cryptography Basics *Due to a breach, a certificate must be permanently revoked, and you don't want it to ever be used again. What is often used to revoke a certificate?* a. CRA b. CYA c. CRL d. PKI

c. *CRL* A Certificate Revocation List (CRL) is created and distributed to all CAs to revoke a certificate or key.

intrusion prevention system (IPS)_

takes corrective action to block suspicious traffic (turn off system)

Access Control and Identity Management *To check the validity of a digital certificate, which one of the following would be used?* a. Corporate security policy b. Certificate policy c. Certificate revocation list d. Expired domain names

c. *Certificate revocation list* A certificate revocation list (CRL) provides a detailed list of certificates that are no longer valid. A corporate security policy would not provide current information on the validity of issued certificates; therefore, answer A is incorrect. A certificate policy does not provide information on invalid issued certificates, either; therefore, answer B is incorrect. Finally, an expired domain name has no bearing on the validity of a digital certificate; therefore, answer D is incorrect.

Cryptography Implementation *A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing:* a. Tokens b. Licenses c. Certificates d. Tickets

c. *Certificates* A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates.

Educating and Protecting the User *Which concept does the Bell-LaPadula model deal most accurately with?* a. Integrity b. Trustworthiness c. Confidentiality d. Accuracy

c. *Confidentiality* The Bell-LaPadula model deals most accurately with confidentiality.

*What statement accurately describes a best practice for managing a virtual LAN (VLAN)?* a. Configure empty switch ports to connect to a used VLAN. b. Keep all default VLAN names. c. Configure the ports on the switch that pass tagged VLAN packets to explicitly forward specific tags. d. Configure VLANs so that public devices are on a private VLAN.

c. *Configure the ports on the switch that pass tagged VLAN packets to explicitly forward specific tags.* Some general principles for managing VLANs are: (1) Configure empty switch ports to connect to an unused VLAN (2) Change any default VLAN names (3) Configure the ports on the switch that pass tagged VLAN packets to explicitly forward specific tags (4) Configure VLANs so that public devices, such as a web application server, are not on a private VLAN, forcing users to have access to that VLAN.

Disaster Recovery and Incident Response *Which of the following would normally not be part of an incident response policy?* a. Outside agencies (that require status) b. Outside experts (to resolve the incident) c. Contingency plans d. Evidence collection procedures

c. *Contingency plans* A contingency plan wouldn't normally be part of an incident response policy. It would be part of a disaster-recovery plan.

*What is a security risk of an embedded system that is not commonly found in a standard PC?* a. Power loss b. Access to the Internet c. Control of a mechanism in the physical world d. Software flaws

c. *Control of a mechanism in the physical world* Because an embedded system is in control of a mechanism in the physical world, a security breach could cause harm to people and property. This typically is not true of a standard PC. Power loss, Internet access, and software flaws are security risks of both embedded systems and standard PCs.

*The encryption protocol used for WPA2 is the _______________.* a. Triple DES b. Advanced Encryption Standard (AES) c. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) d. Temporal Key Integrity Protocol (TKIP)

c. *Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)* The encryption protocol used for WPA2 is the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) and specifies the use of CCM (a general purpose cipher mode algorithm providing data privacy) with AES.

*Which of the following types of attacks is characterized by client-side vulnerabilities presented by ActiveX or JavaScript code running within the client's browser?* a. Buffer overflow b. Cross-site request forgery (XSRF) c. Cross-Site Scripting (XSS) d. Input validation error

c. *Cross-Site Scripting (XSS)* Cross-Site Scripting (XSS) attacks take advantage of vulnerabilities in ActiveX or JavaScript code running within the client's browser. The attack hijacks the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer A is incorrect because a buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions. Answer B is incorrect. The key element to understanding XSRF is that attackers are betting that users have a validated login cookie for the website already stored in their browsers. Answer D is incorrect because input validation errors are a result of improper field checking in the code.

Threats and Vulnerabilities *Which of the following types of attacks is executed by placing malicious executable code on a website?* a. Buffer overflow b. Cross-site request forgery (XSRF) c. Cross-Site Scripting (XSS) d. Input validation error

c. *Cross-Site Scripting (XSS)* Cross-Site Scripting (XSS) vulnerabilities can be used to hijack the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer A is incorrect because a buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions. Answer B is incorrect. The key element to understanding XSRF is that attackers are betting that users have a validated login cookie for the website already stored in their browsers. Answer D is incorrect because input validation errors are a result of improper field checking in the code.

Educating and Protecting the User *Which of the following is the best description of shoulder surfing?* a. Following someone through a door they just unlocked b. Figuring out how to unlock a secured area c. Watching someone enter important information d. Stealing information from someone's desk

c. *Watching someone enter important information* Shoulder surfing is best defined as watching someone enter important information.

Threats and Vulnerabilities *Which of the following is a coordinated effort in which multiple machines attack a single victim or host with the intent to prevent legitimate service?* a. DoS b. Masquerading c. DDoS d. Trojan horse

c. *DDoS* A distributed denial of service (DDoS) attack is similar to a denial-of-service (DoS) attack in that they both try to prevent legitimate access to services. However, a DDoS attack is a coordinated effort among many computer systems; therefore, answer A is incorrect. Masquerading involves using someone else's identity to access resources; therefore, answer B is incorrect. A Trojan horse is a program used to perform hidden functions; therefore, answer D is incorrect.

*Which form of media sanitization might be required for flash-based solid state drives to be considered fully sanitized?* a. Declassification b. Degaussing c. Destruction d. Overwriting

c. *Destruction* In some forms of nonferric solid-state storage devices, only destruction may provide full data sanitization. Answer A is incorrect because declassification is a formal process for assessing the risk associated with discarding information, rather than a sanitization process itself. Answer B is incorrect because nonferric solid-state data storage might not react to powerful magnetic fields used during degaussing. Answer D is incorrect because overwriting in a solid state device operates differently than in magnetic storage media and might not completely wipe all data.

Disaster Recovery and Incident Response *Which backup system backs up all the files that have changed since the last full backup?* a. Full backup b. Incremental backup c. Differential backup d. Archival backup

c. *Differential backup* A differential backup backs up all the files that have changed since the last full backup.

*Which protocol is a TCP/IP protocol that resolves (maps) a symbolic name (www.cengage.com) with its corresponding IP address (69.32.133.11)?* a. Internet protocol (IP) b. Internet Control Message Protocol (ICMP) c. Domain Name System (DNS) d. Hypertext Transport Protocol Secure (HTTPS)

c. *Domain Name System (DNS)* The Domain Name System (DNS) is a TCP/IP protocol that resolves (maps) a symbolic name (www.cengage.com) with its corresponding IP address (69.32.133.11).

Security-Related Policies and Procedures *Which type of policy would govern whether employees can engage in practices such as taking gifts from vendors?* a. Termination policy b. Endowment policy c. Ethics policy d. Benefit policy

c. *Ethics policy* An ethics policy is the written policy governing accepted organizational ethics.

Operating System and Application Security *Which filesystem was primarily intended for desktop system use and offers limited security?* a. NTFS b. NFS c. FAT d. AFS

c. *FAT* FAT technology offers limited security options.

Security and Vulnerability in the Network *In which type of testing do you begin with the premise that an outsider attacker is being fed some knowledge from someone inside the network?* a. Black box b. White box c. Gray box d. Green box

c. *Gray box* With gray box testing, you begin with the premise that an outsider attacker is being fed some knowledge from someone inside the network.

*What type of algorithm is SHA-1?* a. Asymmetric encryption algorithm b. Digital signature c. Hashing algorithm d. Certificate authority

c. *Hashing algorithm* SHA-1 is a cryptographic hash function and is an updated version of the original Secure Hash Algorithm (SHA). Answer A is incorrect because this is an algorithm that uses a public and private key pair and is not associated with SHA-1. Answer B is incorrect because a digital signature is not an encryption algorithm. Answer D is incorrect because a certificate authority accepts or revokes certificates.

Operating System and Application Security *Which of the following will help track changes to the environment when an organization needs to keep legacy machines?* a. Virtualization b. Network storage policies c. Host software baselining d. Roaming profiles

c. *Host software baselining* Host software baselining can be done for a variety of reasons including malware monitoring and creating system images. Generally, the environment needs of an organization will fall into a legacy, enterprise, or high-security client. Answer A is incorrect because virtualization adds a layer of security as well as improves enterprise desktop management and control with faster deployment of desktops and fewer support calls due to application conflicts. Answer B is incorrect because network storage policies have nothing to do with desktop management. Answer D is incorrect because roaming profiles do not add a layer of security.

Operating System and Application Security *Your company does electronic monitoring of individuals under house arrest around the world. Because of the sensitive nature of the business, you can't afford any unnecessary downtime. What is the process of applying a repair to an operating system while the system stays in operation called?* a. Upgrading b. Service pack installation c. Hotfix d. File update

c. *Hotfix* A hotfix is done while a system is operating. This reduces the necessity of taking a system out of service to fix a problem.

*Which protocol uses TLS and SSL to secure Hypertext Transport Protocol (HTTP) communications between a browser and a web server?* a. FTP Secure (FTPS) b. Secure Shell (SSH) c. Hypertext Transport Protocol Secure (HTTPS) d. Internet Protocol Security (IPsec)

c. *Hypertext Transport Protocol Secure (HTTPS)* One common use of TLS and SSL is to secure Hypertext Transport Protocol (HTTP) communications between a browser and a web server. This secure version is actually "plain" HTTP sent over SSL or TLS and is called Hypertext Transport Protocol Secure (HTTPS).

Registration Authority (RA) pg 38

*In a(n) _______________ attack, an Internet Control Message Protocol (ICMP) redirect packet is sent to the victim that asks the host to send its packets to another "router," which is actually a malicious device.* a. network discovery b. smurf c. ICMP redirect d. ping of death

c. *ICMP redirect* In an Internet Control Message Protocol (ICMP) redirect attack, an ICMP redirect packet is sent to the victim that asks the host to send its packets to another "router," which is actually a malicious device.

*An organization has an access control list implemented on the border router, but it appears that unauthorized traffic is still being accepted. Which of the following would the organization implement to improve the blocking of unauthorized traffic?* a. Loop protection b. Flood guard c. Implicit deny d. Port security

c. *Implicit deny* Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access. Answer A is incorrect because the loop protection feature makes additional checks in Layer 2 switched networks. Answer B is incorrect because a flood guard is a firewall feature to control network activity associated with denial-of-service (DoS) attacks. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.

Security and Vulnerability in the Network *Your organization is exploring endpoint data-loss prevention (DLP) solutions. This solution is targeting which of the following data states?* a. In-transit b. At-rest c. In-use d. In-flux

c. *In-use* Protection of data in-use is considered to be an endpoint solution and the application is run on end user workstations or servers in the organization. Answer A is incorrect because protection of data in-transit is considered to be a network solution and either a hardware or software solution is installed near the network perimeter to monitor for and flag policy violations. Answer B is incorrect because protection of data at-rest is considered to be a storage solution and is generally a software solution that monitors how confidential data is stored. Answer D is incorrect because there is no such data state.

*Buffer overflows, format string vulnerabilities, and utilization of shell-escape codes can be mitigated by which of the following practices?* a. Fuzzing b. Testing c. Input validation d. Browser initiated token request

c. *Input validation* Input validation tests whether an application properly handles input from a source outside the application destined for internal processing. Answer A is incorrect because fuzzing allows an attacker to inject random-looking data into a program to see if it can cause the program to crash. Answer B is incorrect because testing is too generic or a term. Answer D is incorrect because it is a method used to mitigate Cross-site request forgery (XSRF) attacks.

Network Security *Which statement concerning behavior-based monitoring is correct? * a. It is necessary to update signature files before monitoring can take place. b. It is necessary to compile a baseline of statistical behavior before monitoring can take place. c. It can more quickly stop new attacks as compared to anomaly- and behavior-based monitoring. d. Behavior-based monitoring operates in a reactive mode.

c. *It can more quickly stop new attacks as compared to anomaly- and behavior-based monitoring.* One of the advantages of behavior-based monitoring is that it is not necessary to update signature files or compile a baseline of statistical behavior before monitoring can take place. In addition, behavior-based monitoring can more quickly stop new attacks.

*Digital signatures can be created using all but which of the following?* a. Asymmetric cryptography b. Hashing c. Key escrow d. Symmetric cryptography

c. *Key escrow* Key escrow isn't used in digital signatures, but it's a fault-tolerance feature of certificate and key management. Asymmetric and symmetric cryptography along with hashing are used in digital signatures.

Cryptography Implementation *Key management includes all of the following stages/areas except:* a. Centralized versus decentralized key generation b. Key storage and distribution c. Key locking d. Key escrow e. Key expiration

c. *Key locking* Key management includes centralized versus decentralized key generation, key storage and distribution, key escrow, and key expiration. Key locking is not a part of key management.

15) Quantitative risk

calculate dollar figure for the risk - determine value of asset - determine impact of threat (exposure factor)

Physical and Hardware-Based Security *Which of the following methods would be the most effective method to physically secure computers that are used in a lab environment that operates on a part-time basis?* a. Security cables b. Server cages c. Locked cabinet d. Hardware dongle

c. *Locked cabinet* A locked cabinet is an alternative for equipment that is not used or does not have to be physically accessed on a regular, daily basis. Vendors provide solutions such as a security cabinet locker that secures CPU towers. The housing is made of durable, heavy-duty steel for strength. Answer A is incorrect because security cables with combination locks can provide such security and are easy to use but are used mostly to secure laptops and leave the equipment exposed. Answer B is incorrect because PC Safe tower and server cages are designed to bolt to the floor and are meant to be in an environment that is static. Answer D is incorrect because a hardware dongle is used for license enforcement.

*An organization has agreed to collaborate on a business project with another organization. Which of the following documents would outline the terms and details of an agreement between parties, including each party's requirements and responsibilities?* a. SLA b. BPA c. MOU d. ISA

c. *MOU* A memorandum of understanding (MOU) is a document that outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities. Answer A is incorrect because a service level agreement (SLA) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. Answer B is incorrect because a business partners agreement (BPA) is a contract that establishes partner profit percentages, partner responsibilities, and exit strategies for partners. Answer D is incorrect because an interconnection security agreement (ISA) is an agreement between organizations that have connected IT systems.

*Which type of risk control is administrative in nature and includes the laws, regulations, policies, practices, and guidelines that govern overall requirements and controls?* a. Technical b. System c. Management d. Operational

c. *Management* Management risk control types are administrative in their nature and are the laws, regulations, policies, practices, and guidelines that govern the overall requirements and controls.

*Which of the following is not a benefit of single sign-on?* a. The ability to browse multiple systems b. Fewer usernames and passwords to memorize c. More granular access control d. Stronger passwords

c. *More granular access control* Single sign-on doesn't address access control and therefore doesn't provide granular or nongranular access control. Single sign-on provides the benefits of the ability to browse multiple systems, fewer credentials to memorize, and the use of stronger passwords.

Security-Related Policies and Procedures *People in an organization can withhold classified or sensitive information from others in the company when governed by what type of policy?* a. Nondisclosure b. Suppression c. Need-to-know d. Revelation

c. *Need-to-know* People in an organization can withhold classified or sensitive information from others in the company when governed by need-to-know policies.

*Which of the following would best mitigate the risks associated with allowing organizational network access required by the terms of a joint project with a business partner?* a. Captive portal b. Access control lists c. Network segmentation d. Log analysis

c. *Network segmentation* With interconnected networks, the potential for damage greatly increases because one compromised system on one network can easily spread to other networks. Networks that are shared by partners, vendors, or departments should have clear separation boundaries. Answer A is incorrect because a captive portal is used to block Internet access for users until some action is taken. Answer B is incorrect because access control generally refers to the process of making resources available to accounts that should have access, while limiting that access to only what is required. Answer D is incorrect because logging is the process of collecting data to be used for monitoring and auditing purposes.

*Which of the following is a security concern when implementing NoSQL databases?* a. NoSQL databases do not provide any authentication mechanisms. b. The NoSQL design uses server-side validation. c. NoSQL databases lack confidentiality and integrity. d. NoSQL databases are lacking in areas of scalability and performance.

c. *NoSQL databases lack confidentiality and integrity.* The NoSQL design does not place security as a high priority, lacking confidentiality and integrity. Answer A is incorrect because NoSQL databases such as MongoDB have added support for Kerberos authentication, more granular access controls, and SSL encryption. Answer B is incorrect because server-side validation helps protect against malicious attempts by a user to bypass validation or submit unsafe input and it is associated with web-based applications not databases. Answer D is incorrect because when compared to relational databases, NoSQL systems are more scalable and provide superior performance. Scalability and performance are not security concerns.

*The most commonly overlooked aspect of mobile phone eavesdropping is related to _____.* a. Wireless networking b. Storage device encryption c. Overhearing conversations d. Screen locks

c. *Overhearing conversations* The most commonly overlooked aspect of mobile phone eavesdropping is related to people in the vicinity overhearing conversations (at least one side of them). Organizations frequently consider and address issues of wireless networking, storage device encryption, and screen locks.

Operating System and Application Security *What is the process of applying manual changes to a program called?* a. Hotfix b. Service pack c. Patching d. Replacement

c. *Patching* A patch is a temporary workaround of a bug or problem in code that is applied manually. Complete programs usually replace patches at a later date.

*Security guards are a form of which specific type of control?* a. Management b. Technical c. Physical d. Access

c. *Physical* Physical controls include facility design details such as layout, door, locks, guards, and surveillance systems. Management controls include policies and procedures, whereas technical controls include access control systems, encryption, and data classification solutions, making answers A and B incorrect. Access controls include all three classifications (management, technical, and physical), making Answer D incorrect because the question asks for a specific type.

*Which utility allows the identification of all devices conducting network traffic both to and from a network segment?* a. Port scanner b. Vulnerability scanner c. Protocol analyzer d. Network mapper

c. *Protocol analyzer* Protocol analyzers examine network traffic and identify protocols and endpoint devices in the identified transactions. Port scanners check service ports on a single device, making answer A incorrect. Answer B is incorrect because vulnerability scanners look for vulnerabilities associated with particular versions of software or services. Answer D is incorrect because a network mapper identifies all devices within a network segment and would not identify endpoint devices beyond that address space.

Cryptography Basics *You're a member of a consortium wanting to create a new standard that will effectively end all spam. After years of meeting, the group has finally come across a solution and now wants to propose it. The process of proposing a new standard or method on the Internet is referred to by which acronym?* a. WBS b. X.509 c. RFC d. IEEE

c. *RFC* The Request for Comments (RFC) process allows all users and interested parties to comment on proposed standards for the Internet. The RFC editor manages the RFC process. The editor is responsible for cataloging, updating, and tracking RFCs through the process.

Disaster Recovery and Incident Response *Which of the following designates the amount of data loss that is sustainable and up to what point in time data recovery could happen before business is disrupted?* a. RTO b. MTBF c. RPO d. MTTF

c. *RPO* Recovery point objective (RPO) is the amount of time that can elapse during a disruption before the quantity of data lost during that period exceeds the BCP's maximum allowable threshold. Simply put, RPO specifies the allowable data loss. It determines up to what point in time data recovery could happen before business is disrupted. Answer A is incorrect because recovery time objective (RTO) is the amount of time within which a process must be restored after a disaster to meet business continuity. It defines how much time it takes to recover after notification of process disruption. Answer B is incorrect because mean time between failures (MTBF) is the average amount of time that passes between hardware component failures excluding time spent waiting for or being repaired. Answer D is incorrect because mean time to failure (MTTF) is the length of time a device or product is expected to last in operation.

Physical and Hardware-Based Security *RFI is the byproduct of electrical processes, similar to EMI. The major difference is that RFI is usually projected across which of the following?* a. Network medium b. Electrical wiring c. Radio spectrum d. Portable media

c. *Radio spectrum* RFI is the byproduct of electrical processes, similar to EMI. The major difference is that RFI is usually projected across a radio spectrum. Motors with defective brushes can generate RFI, as can a number of other devices.

*Which of the following is a method that can be used to prevent data from being accessed in the event the device is lost or stolen?* a. GPS tracking b. Voice encryption c. Remote wipe d. Asset tracking

c. *Remote wipe* A remote wipe allows the handheld's data to be remotely deleted in the event the device is lost or stolen. Answer A is incorrect because in the event a mobile device is lost, GPS tracking can be used to find the location. Answer B is incorrect because mobile voice encryption can allow executives and employees alike to discuss sensitive information without having to travel to secure company locations. Answer D is incorrect because asset tracking is used for management of assets in the field so that the device location is known at all times.

*A security template can be used to perform all but which of the following tasks?* a. Capture the security configuration of a master system b. Apply security settings to a target system c. Return a target system to its precompromised state d. Evaluate compliance with security of a target system

c. *Return a target system to its precompromised state* A security template alone cannot return a system to its precompromised state.

*What type of wireless antenna can be used to send or receive signals in any direction?* a. Cantenna b. Yagi c. Rubber duck d. Panel

c. *Rubber duck* A rubber duck antenna is an omnidirectional antenna.

applications layer firewall

can look up application data in packet and make decision to block - ex) can allow http get/disable http put

Captive Portal

captures or redirects the users initial traffic because something more is needed ie username

*An organization that relies heavily on cloud and SaaS service providers, such as Salesforce.com, WebEx, and Google, would have security concerns when implementing which of the following?* a. TACACS+ b. Secure LDAP c. SAML d. XTACACS

c. *SAML* SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between online partners. The weakness in the SAML identity chain is the integrity of users. To mitigate risk, SAML systems need to use timed sessions, HTTPS, and SSL/TLS. Answer A is incorrect because TACACS+ protocol provides authentication and authorization in addition to accounting of access requests against a centralized service for authorization of access requests. Answer B is incorrect because secure LDAP is a way to make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. Answer D is incorrect because XTACACS is a proprietary version of the original TACACS protocol that was developed by Cisco.

*What mechanism is used to support the exchange of authentication and authorization details between systems, services, and devices?* a. Biometric b. Two-factor authentication c. SAML d. LDAP

c. *SAML* SAML is an open standard data format based on XML for the purpose of supporting the exchange of authentication and authorization details between systems, services, and devices. A biometric is an authentication factor, not a means of exchanging authentication information. Two-factor authentication is the use of two authentication factors. LDAP is a protocol used by directory services, not directly related to authentication.

*Which statement accurately describes Secure FTP (SFTP)?* a. SFTP is a combination of two technologies (FTP and SSL or TLS). b. SFTP uses two ports. c. SFTP is an entire protocol itself. d. SFTP encrypts and compresses only data, not commands.

c. *SFTP is an entire protocol itself.* There are several differences between Secure FTP (SFTP) and FTP Secure (FTPS). First, FTPS is a combination of two technologies (FTP and SSL or TLS), whereas SFTP is an entire protocol itself and is not pieced together with multiple parts. Second, SFTP uses only a single TCP port instead of two ports like FTPS. Finally, SFTP encrypts and compresses all data and commands (FTPS may not encrypt data).

Disaster Recovery and Incident Response *Which agreement outlines performance requirements for a vendor?* a. MTBF b. MTTR c. SLA d. BCP

c. *SLA* A service-level agreement (SLA) specifies performance requirements for a vendor. This agreement may use MTBF and MTTR as performance measures in the SLA.

*Which of the following services/protocols operate on port 22?* a. DNS b. HTTPS c. SSH d. RDP

c. *SSH* Secure Shell (SSH) operates on port 22. Answer A is incorrect because Domain Name Service (DNS) uses port 53. Answer B is incorrect because HTTPS uses port 443. Answer D is incorrect because Remote Desktop Protocol (RDP) uses port 3389.

*Which of the following models is useful for individuals and businesses that want to have the right to access a certain application without having to purchase a full license?* a. PaaS b. IaaS c. SaaS d. DaaS

c. *SaaS* Software-as-a-service (SaaS) is the delivery of a licensed application to customers over the Internet for use as a service on demand. Answer A is incorrect. Platform-as-a-service (PaaS) is the delivery of a computing platform, often an operating system with associated services, that is delivered over the Internet without downloads or installation. Answer B is incorrect because infrastructure-as-a-service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. Answer D is incorrect because desktop-as-a-service (DaaS), also called virtual desktop or hosted desktop services, is the outsourcing of a virtual desktop infrastructure (VDI) to a third-party service provider.

*Which of the following would be implemented for secure communications when the organization is using an application that authenticates with Active Directory Domain Services (AD DS) through simple BIND?* a. TACACS+ b. SAML c. Secure LDAP d. XTACACS

c. *Secure LDAP* Reasons for enabling Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) / Transport Layer Security (TLS) also known as LDAPS, include protection of the authentication session when an application authenticates with Active Directory Domain Services (AD DS) through simple BIND. Answer A is incorrect because the TACACS+ protocol provides authentication and authorization as well as accounting of access requests against a centralized service for authorization of access requests. Answer B is incorrect because SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between online partners. Answer D is incorrect because XTACACS is a proprietary version of the original TACACS protocol that was developed by Cisco.

* _______________ is an encrypted alternative to the Telnet protocol that is used to access remote computers.* a. Internet Control Message Protocol (ICMP) b. Internet Small Computer System Interface (iSCSI) c. Secure Shell (SSH) d. Secure Network Management Protocol (SNMP)

c. *Secure Shell (SSH)* Secure Shell (SSH) is an encrypted alternative to the Telnet protocol that is used to access remote computers.

*Which common cryptographic transport algorithm was developed by Netscape in 1994 in response to the growing concern over Internet security?* a. Hypertext Transport Protocol Secure (HTTPS) b. Secure Shell (SSH) c. Secure Sockets Layer (SSL) d. Transport Layer Security (TLS)

c. *Secure Sockets Layer (SSL)* One of the most common cryptographic transport algorithms is Secure Sockets Layer (SSL). This protocol was developed by Netscape in 1994 in response to the growing concern over Internet security.

*What is a written document that states how an organization plans to protect the company's information technology assets?* a. Privacy notice b. Acceptable use c. Security policy d. Data insurance

c. *Security policy* A security policy is a written document that states how an organization plans to protect the company's information technology assets.

Security and Vulnerability in the Network *The approach a business takes to security is known as its:* a. Rule-based management b. Network bridging c. Security posture d. Assessment technique

c. *Security posture* The security posture is the approach a business takes to security.

Physical and Hardware-Based Security *You're the leader of the security committee at ACME. After a move to a new facility, you're installing a new security monitoring system throughout. Which of the following best describes a motion detector mounted in the corner of a hallway?* a. Perimeter security b. Partitioning c. Security zone d. IDS system

c. *Security zone* A security zone is an area that is a smaller component of the entire facility. Security zones allow intrusions to be detected in specific parts of the building.

*Which of the following provides the output for an example of banner grabbing?* a. http://www.example.com/index.htm b. This is a government computer system. Authorized access only. c. Server Apache 2.0.46 (Red Hat Linux) d. Welcome to our FTP site

c. *Server Apache 2.0.46 (Red Hat Linux)* Banner grabbing is a technique used to discover information about a computer system. This information is used to further understand the underlying system. In this example, a vulnerability scanner can narrow down which vulnerabilities to test for. However, an attacker knows which exploits the system may be susceptible to. Answer A is simply a URL and is incorrect. Answers B and D are incorrect, and although they may be referred to as a "login banner," do not confuse these with banner grabbing.

Operating System and Application Security *What is the term used when the item used to validate a user's session, such as a cookie, is stolen and used by another to establish a session with a host that thinks it is still communicating with the first party?* a. Patch infiltration b. XML injection c. Session hijacking d. DTB exploitation

c. *Session hijacking* Session hijacking occurs when the item used to validate a user's session, such as a cookie, is stolen and used by another to establish a session with a host that thinks it is still communicating with the first party.

*An organization has a high-speed fiber Internet connection that it uses for most of its daily operations, as well as its offsite backup operations. This represents what security problem?* a. Single point of failure b. Redundant connections c. Backup generator d. Offsite backup storage

c. *Single point of failure* Having only a single high-speed fiber Internet connection represents the security problem of a single point of failure.

*Federation is a means to accomplish _____.* a. Accountability logging b. ACL verification c. Single sign-on d. Trusted OS hardening

c. *Single sign-on* Federation or federated identity is a means of linking a subject's accounts from several sites, services, or entities in a single account. Thus it is a means to accomplish single sign-on. Accountability logging is used to relate digital activities to humans. ACL verification is a means to verify that correct permissions are assigned to subjects. Trusted OS hardening is the removal of unneeded components and securing the remaining elements.

*In the _______________ model, the cloud computing vendor provides access to the vendor's software applications running on a cloud infrastructure.* a. Infrastructure as a Service (IaaS) b. Application as a Service (AaaS) c. Software as a Service (SaaS) d. Platform as a Service (PaaS)

c. *Software as a Service (SaaS)* In the Software as a Service (SaaS) model, the cloud computing vendor provides access to the vendor's software applications running on a cloud infrastructure. These applications, which can be accessed through a web browser, do not require any installation, configuration, upgrading, or management from the user.

Cryptography Basics *Kristin, from Payroll, has left the office on maternity leave and won't return for at least six weeks. You've been instructed to suspend her key. Which of the following statements is true?* a. In order to be used, suspended keys must be revoked. b. Suspended keys don't expire. c. Suspended keys can be reactivated. d. Suspending keys is a bad practice.

c. *Suspended keys can be reactivated.* Suspending keys is a good practice: It disables a key, making it unusable for a certain period of time. This can prevent the key from being used while someone is gone. The key can be reactivated when that person returns.

*Which of the following is a hardware solution typically attached to the circuit board of the system used for greater security protection for processes such as digital signing, mission-critical applications, and businesses where high security is required?* a. Full disk encryption b. HSM c. TPM d. File-level encryption

c. *TPM* At the most basic level, a trusted platform module (TPM) provides for the secure storage of keys, passwords, and digital certificates, and it is hardware based (typically attached to the circuit board of the system). Answer A is incorrect because full disk encryption is a software solution and is most useful when you're dealing with a machine that is being taken on the road by people such as traveling executives, sales managers, or insurance agents. Answer B is incorrect because a hardware security module (HSM) can be described as black box combination hardware and software/firmware that is attached or contained inside a computer used to provide cryptographic functions for tamper protection and increased performance. Answer D is incorrect because in file- or folder-level encryption, individual files or folders are encrypted by the file system itself.

Operating System and Application Security *Which of the following is the name assigned to a chip that can store cryptographic keys, passwords, or certificates?* a. ODI b. TLC c. TPM d. RDP

c. *TPM* TPM is the name assigned to a chip that can store cryptographic keys, passwords, or certificates. TPM can be used to protect cell phones and devices other than PCs as well.

*Which statement accurately describes an access control list characteristic?* a. Access control lists are efficient. b. Access control lists are simple to manage in an enterprise setting. c. The structure behind an access control list table can be complex. d. Access control lists are used extensively with UNIX systems but not on Windows operating systems.

c. *The structure behind an access control list table can be complex.* Although access control lists (ACLs) can be associated with any type of object, these lists are most often viewed in relation to files maintained by the operating system. ACLs have limitations. First, using ACLs is not efficient. Second, they can be difficult to manage in an enterprise setting where many users need to have different levels of access to many different resources. Note that the structure behind ACL tables can be complex.

Security-Related Policies and Procedures *You're giving hypothetical examples during a required security training session when the subject of certificates comes up. A member of the audience wants to know how a party is verified as genuine. Which party in a transaction is responsible for verifying the identity of a certificate holder?* a. Subscriber b. Relying party c. Third party d. Omni registrar

c. *Third party* The third party is responsible for assuring the relying party that the subscriber is genuine.

Wireless Networking Security *You're outlining your plans for implementing a wireless network to upper management. Suddenly, a paranoid vice president brings up the question of security. Which protocol was designed to provide security to a wireless network and can be considered equivalent to the security of a wired network?* a. WAP b. WTLS c. WPA2 d. IR

c. *WPA2* Wi-Fi Protected Access 2 (WPA2) was intended to provide security that's equivalent to the security on a wired network and implements elements of the 802.11i standard.

Threats and Vulnerabilities *_________ describes the potential that a weakness in hardware, software, process, or people will be identified and taken advantage of.* a. Vulnerability b. Exploit c. Threat d. Risk

c. *Threat* A threat is the potential that a vulnerability will be identified and exploited. Answer A is incorrect because a vulnerability is the weakness itself and not the likelihood that it will be identified and exploited. Answer B is incorrect because an exploit is the mechanism of taking advantage of a vulnerability rather than its likelihood of occurrence. Answer D is incorrect because risk is the likelihood that a threat will occur and the measure of its effect.

Operating System and Application Security *You're redesigning your network in preparation for putting the company up for sale. The network, like all aspects of the company, needs to perform the best that it possibly can in order to be an asset to the sale. Which model is used to provide an intermediary server between the end user and the database?* a. One-tiered b. Two-tiered c. Three-tiered d. Relational database

c. *Three-tiered* A three-tiered model puts a server between the client and the database.

*What mechanism of loop protection is based on an element in a protocol header?* a. Spanning Tree Protocol b. Ports c. Time to live d. Distance vector protocols

c. *Time to live* Time to live (TTL) is a value in the IP header used to prevent loops at Layer 3.

*Which of the following standards ensures privacy between communicating applications and clients on the Web and has been designed to replace SSL?* a. Secure Sockets Layer 4 b. Point-to-Point Tunneling Protocol c. Transport Layer Security d. Internet Protocol Security

c. *Transport Layer Security* Transport Layer Security (TLS) is a network protocol that replaces Secure Sockets Layer (SSL) to provide communication security over networks. Answer A is incorrect, as such a thing was never developed. Answers B and D are incorrect as these describe methods for implementing VPNs and are were not designed to replace SSL.

Cryptography Implementation *A hierarchical trust model is also known as a:* a. Bush b. Branch c. Tree d. Limb

c. *Tree* A hierarchical trust model is also known as a tree.

*Which protocol is often used for the automated transfer of configuration files between devices?* a. Hypertext Transfer Protocol (HTTP) b. Secure Copy Protocol (SCP) c. Trivial File Transfer Protocol (TFTP) d. Secure FTP (SFTP)

c. *Trivial File Transfer Protocol (TFTP)* A "light" version of File Transfer Protocol (FTP) known as Trivial File Transfer Protocol (TFTP) uses a small amount of memory but has limited functionality. It is often used for the automated transfer of configuration files between devices.

Physical and Hardware-Based Security *You've been drafted for the safety committee. One of your first tasks is to inventory all the fire extinguishers and make certain the correct types are in the correct locations throughout the building. Which of the following categories of fire extinguisher is intended for use on electrical fires?* a. Type A b. Type B c. Type C d. Type D

c. *Type C* Type C fire extinguishers are intended for use in electrical fires.

Security-Related Policies and Procedures *A periodic security audit of which of the following can help determine whether privilege-granting processes are appropriate and whether computer usage and escalation processes are in place and working?* a. Event logs b. User account and ldp settings c. User access and rights review d. System security log files

c. *User access and rights review* A periodic security audit of user access and rights review can help determine whether privilege-granting processes are appropriate and whether computer usage and escalation processes are in place and working.

Wireless Networking Security *Which of the following is not one of the three transmission technologies used to communicate in the 802.11 standard?* a. DSSS b. FHSS c. VITA d. OFDM

c. *VITA* The three technologies available for use with the 802.11 standard are DSSS (direct-sequence spread spectrum), FHSS (frequency-hopping spread spectrum), and OFDM (orthogonal frequency division multiplexing). VITA (Volunteer Income Tax Assistance) is not a wireless transmission technology.

*You are setting up a switched network in which each department requires a logical separation. Which of the following meets these requirements?* a. DMZ b. VPN c. VLAN d. NAT

c. *VLAN* The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer B is incorrect because a virtual private network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.

* A switch can be used to prevent broadcast storms between connected systems through the use of what?* a. SSL b. S/MIME c. VLANs d. LDAP

c. *VLANs* Switches can create VLANs. Broadcast storms aren't transmitted between one VLAN and another.

*If Bob wants to send a secure message to Val using public key encryption without sender validation, what does Val need?* a. Bob's private key b. Bob's public key c. Val's private key d. Val's public key

c. *Val's private key* Val needs her own private key to decrypt the message Bob encrypted with her public key. Neither of Bob's keys is needed because the originator does not need to be validated, making Answers A and B incorrect. Answer D is incorrect because Val's public key is used to encrypting the original message before transmission.

Security and Vulnerability in the Network *Which of the following is a software application that checks your network for any known security holes?* a. Logic bomb b. Log analyzer c. Vulnerability scanner d. Design reviewer

c. *Vulnerability scanner* A vulnerability scanner is a software application that checks your network for any known security holes.

Wireless Networking Security *Which protocol is mainly used to enable access to the Internet from a mobile phone or PDA?* a. WEP b. WTLS c. WAP d. WOP

c. *WAP* Wireless Application Protocol (WAP) is an open international standard for applications that use wireless communication.

Wireless Networking Security *WAP uses a smaller version of HTML for Internet displays. This is known as:* a. DSL b. HSL c. WML d. OFML

c. *WML* WAP uses a smaller version of HTML called Wireless Markup Language (WML) for Internet displays.

Trusted Root Certificate Authority (CA)

*Due to organizational requirements strong encryption cannot be used. Which of the following is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point?* a. Wireless Application Environment (WAE) b. Wireless Session Layer (WSL) c. Wired Equivalent Privacy (WEP) d. Wireless Transport Layer Security (WTLS)

c. *Wired Equivalent Privacy (WEP)* WEP is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point. Answer A is incorrect. Wireless Application Environment (WAE) specifies the framework used to develop applications for mobile devices, including cell phones, data pagers, tablets, and laptops. Answers B and D are incorrect. Wireless Session Layer (WSL), Wireless Transport Layer (WTL), and Wireless Transport Layer Security (WTLS) are the specifications that are included in the WAP standard.

*Due to organizational requirements, strong encryption cannot be used. Which of the following is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point?* a. Wireless Application Environment (WAE) b. Wireless Session Layer (WSL) c. Wired Equivalent Privacy (WEP) d. Wireless Transport Layer Security (WTLS)

c. *Wired Equivalent Privacy (WEP)* WEP is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point. Answer A is incorrect. Wireless Application Environment (WAE) specifies the framework used to develop applications for mobile devices, including cell phones, data pagers, tablets, and laptops. Answers B and D are incorrect. Wireless Session Layer (WSL), Wireless Transport Layer (WTL), and Wireless Transport Layer Security (WTLS) are the specifications that are included in the WAP standard.

*_______________ is an IEEE 802.11 security protocol designed to ensure that only authorized parties can view transmitted wireless information.* a. PSK2-mixed mode b. Temporal Key Integrity Protocol (TKIP) c. Wired Equivalent Privacy (WEP) d. Extensible Authentication Protocol (EAP)

c. *Wired Equivalent Privacy (WEP)* Wired Equivalent Privacy (WEP) is an IEEE 802.11 security protocol designed to ensure that only authorized parties can view transmitted wireless information.

*Risk _______________ simply means that the risk is acknowledged but that no steps are taken to address it.* a. deterrence b. mitigation c. acceptance d. avoidance

c. *acceptance* Acceptance simply means that the risk is acknowledged but no steps are taken to address it.

Network Security *When a modern firewall receives a packet, it tends to use a(n) _______________ method to determine the action to be taken.* a. rule-based b. role-based c. application-based d. authentication-based

c. *application-based* Traditional firewalls are rule-based while more modern firewalls are application-based.

Network Security *A load balancer is typically located _______________ in a network configuration.* a. in front of a server b. in front of a router c. between a router and a server d. between a router and a switch

c. *between a router and a server* Because load balancers generally are located between routers and servers, they can detect and stop attacks directed at a server or application.

*All wireless network interface card (NIC) adapters have _______________ antennas.* a. external b. peripheral c. embedded d. focused

c. *embedded* Although all wireless network interface card (NIC) adapters have embedded antennas, attaching an external antenna will significantly increase the ability to detect a wireless signal.

*A _______________ is an event that does not appear to be a risk but actually turns out to be one.* a. false positive b. negative-positive c. false negative d. positive-negative

c. *false negative* A false negative is an event that does not appear to be a risk but actually turns out to be one.

*TCP/IP uses its own _______________ architecture that corresponds generally to the OSI reference model.* a. two-layer b. three-layer c. four-layer d. seven-layer

c. *four-layer* TCP/IP uses its own four-layer architecture that includes Network Interface, Internet, Transport, and Application layers. This corresponds generally to the OSI reference model.

*Fibre Channel over Ethernet (FCoE) encapsulates Fibre Channel _______________ over Ethernet networks.* a. headers b. addresses c. frames d. packets

c. *frames* A variation of FC is Fibre Channel over Ethernet (FCoE) that encapsulates Fibre Channel frames over Ethernet networks. This allows Fibre Channel to use fast Ethernet networks while preserving the Fibre Channel protocol.

*One of the best practices for access control is _______________, which requires that if the fraudulent application of a process might potentially result in a breach of security, the process should be divided between two or more individuals.* a. job rotation b. mandatory vacation c. separation of duties d. least privilege

c. *separation of duties* Separation of duties requires that if the fraudulent application of a process could potentially result in a breach of security, the process should be divided between two or more individuals.

*Allowing an IP address to be split anywhere within its 32 bits is known as _______________.* a. splitting b. spanning c. subnetting d. IP spraying

c. *subnetting* Allowing an IP address to be split anywhere within its 32 bits. This is known as subnetting or subnet addressing.

*The term risk _______________ refers to the act of shifting risk to a third party.* a. deterrence b. mitigation c. transference d. avoidance

c. *transference* Risk transference is the act of transferring the risk to a third party.

What is the order of volatility?

cache memory, regular RAM, swap or paging file, hard drive data, logs stored on remote systems, archived media

An HTTP proxy

caches information from a web server for a set amount of time. This way an organization can save bandwidth, and the users can get their web pages quicker.

Remote Access Dial-in User Service (RADIUS)

central authentication services - verifies credentials and send back reply to grant/deny access - AAA protocol that uses UDP at transport layer protocol - port 1812 to authentication and authorization - port 1813 for accounting services - encrypts only password between client and server

Network address translation (NAC)

central device that is used for internet acess and translate the private address info to public

Monoalphabetic cipher

changes alphabetic character by one cipher rather than multiple ROT13: Shift Cipher

Temporal Key Integrity Protocol (TKIP)

changes the encryption key for every packet sent

Transposition cypher

changing position of plaintext letters. Letters written backwords Chicken = nekcihc

14) Class A fire

common combustibles - wood, paper, cloth, or plastic - fire extinguisher that uses water or soda-acid

Rule-Based Access Control

configuring rules on a system or device that allow or disallow different actions - ex) routers use RBAC to determine what traffic can enter or leave

17) Record time offset

configuring time zone in forensics software to match time zone of suspected system

adhoc network

connect to other devices in a p2p environment without the need for access point

What is COOP

continuity of operations planning - site that provides an alternate location for operations after a critical outage.

*An Internet Protocol version 4 (IPv4) address is _______________ in length.* a. 64 bits b. 64 bytes c. 32 bytes d. 32 bits

d. *32 bits* An Internet Protocol version 4 (IPv4) address is 32 bits in length, providing about 4.3 billion possible IP address combinations. This no longer is sufficient for the number of devices that are being connected to the Internet.

Disaster Recovery and Incident Response *With five nines availability, the total amount of downtime allowed per year is:* a. 4.38 hours b. 526 minutes c. 52.65 minutes d. 5.26 minutes

d. *5.26 minutes* With five nines availability, the total amount of downtime allowed per year is 5.26 minutes.

Network Security *Which statement concerning a network intrusion detection system (NIDS) is correct?* a. A NIDS knows such information as the applications that are running as well as the underlying operating systems so that it can provide a higher degree of accuracy regarding potential attacks. b. Compared to a network intrusion prevention system (NIPS), a NIDS can more quickly take action to block and attack. c. A NIDS attempts prevent malicious attacks by stopping the attack. d. A NIDS has sensors that monitor the traffic entering and leaving a firewall, and reports back to the central device for analysis.

d. *A NIDS has sensors that monitor the traffic entering and leaving a firewall, and reports back to the central device for analysis.* A network intrusion prevention system (NIPS) is similar to a NIDS in that it monitors network traffic to immediately react to block a malicious attack. One of the major differences between a NIDS and a NIPS is its location. A NIDS has sensors that monitor the traffic entering and leaving a firewall, and reports back to the central device for analysis. A NIPS, on the other hand, would be located "in line" on the firewall itself. This can allow the NIPS to more quickly take action to block an attack.

*What is the last step in the access control process?* a. Identification b. Authentication c. Authorization d. Access control

d. *Access control* Only after credentials have been provided, authenticated, and authorized will access control list (ACL) values be assigned based on explicit and inherited grant and denial constraints. Answer A is incorrect because identification involves only the presentation of credentials and not the requirement for verifying those credentials as valid. Answers B and C are incorrect because both authentication and authorization must occur before access control constraints can be applied to an access request.

*Which of the following is included in hardening a host operating system?* a. A policy for antivirus updates b. A policy for remote wipe c. An efficient method to connect to remote sites d. An effective system for file-level security

d. *An effective system for file-level security* Hardening of the operating system includes planning against both accidental and directed attacks, such as the use of fault-tolerant hardware and software solutions. In addition, it is important to implement an effective system for file-level security, including encrypted file support and secured file system selection that allows the proper level of access control. Answer A is incorrect because it is a host protection measure, not an OS hardening measure. Answer B is incorrect because this is a feature associated with data security, not host hardening. Answer C is incorrect because this is a secure communication measure.

*Historical data can be used to determine the likelihood of a risk occurring within a year. This is known as the _______________.* a. Annualized Loss Expectancy b. Single Loss Expectancy c. Multiple Loss Expectancy d. Annualized Rate of Occurrence

d. *Annualized Rate of Occurrence* Historical data can be used to determine the likelihood of a risk occurring within a year. This is known as the Annualized Rate of Occurrence (ARO).

Network Security *Which statement concerning anomaly-based monitoring is correct?* a. Anomaly-based monitoring is founded on experience based techniques. b. Anomaly-based monitoring looks for well-known patterns. c. Anomaly-based monitoring operates by being adaptive and proactive. d. Anomaly-based monitoring is designed for detecting statistical anomalies.

d. *Anomaly-based monitoring is designed for detecting statistical anomalies.* Anomaly-based monitoring is designed for detecting statistical anomalies.

*Which of the following is the most useful when you're dealing with data that is stored in a shared cloud environment?* a. Full disk encryption b. File-level encryption c. Media-level encryption d. Application-level encryption

d. *Application-level encryption* In a cloud environment, application-level encryption is preferred because the data is encrypted by the application before being stored in the database or file system. The advantage is that it protects the data from the user all the way to storage. Answer A is incorrect because full disk encryption is most useful when you're dealing with a machine that is being taken on the road by people such as traveling executives, sales managers, or insurance agents. Answer B is incorrect because in file- or folder-level encryption, individual files or folders are encrypted by the file system itself. Answer C is incorrect because media encryption is used for USB flash drives, iPods, and other portable storage devices.

*Which statement accurately describes a weakness in disabling SSID broadcasts?* a. Turning off the SSID broadcast may allow users to freely roam from one AP coverage area to another. b. For most hardware routers, the effect is temporary and the disabling actions must be repeated frequently. c. Disabling SSID broadcasts may disable the entire network. d. Attackers with protocol analyzers can still detect the SSID.

d. *Attackers with protocol analyzers can still detect the SSID.* The SSID can be easily discovered even when it is not contained in beacon frames because it is transmitted in other management frames sent by the AP. Attackers with protocol analyzers can still detect the SSID.

*Which of the following is not focused on recovering after loss of function?* a. RTO b. DRP c. RPO d. BCP

d. *BCP* Business continuity planning (BCP) / continuity of operations (COO) is focused on maintaining continued service availability even if in a limited form. Recovery time objectives (RTOs) and recovery point objectives (RPOs) are components of disaster recovery planning (DRP) focusing on recovery after a loss of function, making answers A, B, and C incorrect.

*_______________ can be prevented with loop protection.* a. IP address spoofing b. Man-in-the-middle attacks c. Denial of service (DoS) attacks d. Broadcast storms

d. *Broadcast storms* Broadcast storms can be prevented with loop protection, which uses the IEEE 802.1d standard spanning-tree algorithm (STA).

*Which of the following types of cloud computing is designed to meet industry-specific needs such as healthcare, public sector, or energy?* a. Public b. Private c. Hybrid d. Community

d. *Community* Community clouds are designed to accommodate the mutual needs of a particular business community. This is generally industry-specific such as healthcare, public sector, or energy. Answer A is incorrect because a public cloud is an environment where the services and infrastructure are hosted at a service provider's offsite facility and accessed over the Internet based on a monthly or yearly usage fee. Answer B is incorrect because a private cloud is a hosted infrastructure on a private platform and can sometimes be referred to as an internal, corporate, or enterprise cloud. Answer C is incorrect. A hybrid cloud is a combination of public and private clouds where control of data is kept using a private cloud while other functions are hosted using a public cloud.

*The security service that protects the secrecy of data, information, or resources is known as what?* a. Integrity b. Authentication c. Non-repudiation d. Confidentiality

d. *Confidentiality* The security service that protects the secrecy of data, information, or resources is known as confidentiality. Integrity protects the reliability and correctness of data. Authentication verifies the identity of the sender or receiver of a message. Non-repudiation prevents the sender of a message or the perpetrator of an activity from being able to deny that they sent the message or performed the activity.

Network Security *Which type of Internet content filtering restricts unapproved websites from being displayed by searching for and matching keywords?* a. Uniform resource locator (URL filtering) b. Profiling c. Malware inspection d. Content inspection

d. *Content inspection* Internet content filters monitor Internet traffic and block access to preselected websites and files. A requested webpage is displayed only if it complies with the specified filters. Unapproved websites can be restricted based on the Uniform Resource Locator or URL (URL filtering) or by searching for and matching keywords such as sex or hate (content inspection) as well as looking for malware (malware inspection).

*Which of the following is a commonly applied principle for fault tolerance against accidental faults designed into critical facilities planning?* a. Firmware version control b. Wrappers c. Manual updates d. Control redundancy

d. *Control redundancy* Control redundancy is replication of a component in identical copies to compensate for random hardware failures. Redundancy is usually dispersed geographically as well as through backup equipment and databases, or hot sparing of system components. Answer A is incorrect because firmware version control is important in systems like gaming consoles because many vulnerabilities cannot be fixed via firmware updates, leaving a system vulnerable until a new console is released. Answer B is incorrect because wrappers are used in several types of implementations such as smart grids, integration of legacy systems, and reducing the risk of web-based attacks. Answer C is incorrect because manual updates, although inconvenient, may also be necessary when the system contains sensitive data and is segmented.

Physical and Hardware-Based Security *Which of the following is a method of cooling server racks in which hot air and cold are both handled in the server room?* a. Hot/cold vessels b. Hot and cold passages c. Hot/cold walkways d. Hot and cold aisles

d. *Hot and cold aisles* Hot and cold aisles is a method of cooling server racks in which hot air and cold are both handled in the server room.

Threats and Vulnerabilities *Which of the following is an attack in which the end user executes unwanted actions on a web application while he is currently authenticated?* a. Buffer overflow b. Input validation error c. Cross-site scripting d. Cross-site request forgery

d. *Cross-site request forgery* Cross-site request forgery (XSRF) is an attack in which the end user executes unwanted actions on a web application while he is currently authenticated. Answer A is incorrect because a buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions. Answer B is incorrect because input validation errors are a result of improper field checking in the code. Answer C is incorrect because Cross-Site Scripting (XSS) vulnerabilities can be used to hijack the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A.

Security-Related Policies and Procedures *Which policy defines what constitutes sensitive data and applies protection to it?* a. Classification b. BCP c. Data review d. Data theft

d. *Data theft* A data theft policy defines what constitutes sensitive data and applies protection to it.

*In which of the following phases should code security first be implemented?* a. Testing b. Review c. Implementation d. Design

d. *Design* It is important that security is implemented from the very beginning. In the early design phase, potential threats to the application must be identified and addressed. Ways to reduce the associated risks must also be taken into consideration. Therefore, answers A, B, and C are incorrect.

*What item is considered to be the biggest obstacle to log management?* a. Offsite storage accessibility b. Very large volume of data c. Multiple devices generating logs d. Different log formats

d. *Different log formats* Perhaps the biggest obstacle to log management is that different devices record log information in different formats and even with different data captured. Combining multiple logs, each with a different format, can be a major challenge.

*A newer secure version of DNS known as _______________ allows DNS information to be digitally signed so that an attacker cannot forge DNS information.* a. Domain Name System Security (DNSS) b. Advanced Domain Name System (ADNS) c. Domain Name System2 (DNS2) d. Domain Name System Security Extensions (DNSSEC)

d. *Domain Name System Security Extensions (DNSSEC)* A newer secure version of DNS known as Domain Name System Security Extensions (DNSSEC) allows DNS information to be digitally signed so that an attacker cannot forge DNS information.

*Which form of fire suppression functions best in an Alaskan fire of burning metals?* a. Dry-pipe sprinkler b. Wet-pipe sprinkler c. Carbon dioxide d. Dry powder

d. *Dry powder* Combustible metal fires (Class D) require sodium chloride and copper-based dry powder extinguishers. Although dry-pipe would be preferable to wet-pipe sprinklers in regions that experience very low temperatures such as Alaska, water is only appropriate for wood, paper, and trash fires (Class A), making answers A and B incorrect. Answer C is incorrect because carbon dioxide and Halon extinguishers are useful for fires involving live electric wiring (Class C) and would not be used for burning metals.

Physical and Hardware-Based Security *Which form of cabling is least susceptible to EM interference?* a. STP b. UTP c. Coaxial d. Fiber optic

d. *Fiber optic* Fiber-optic cabling is least subject to electromagnetic interference because its communications are conducted by transmitting pulses of light over glass, plastic, or sapphire transmission fibers. Twisted-pair (shielded STP as well as unshielded UTP) copper cables provide minimal shielding against interference but can function as antenna picking up nearby EM sources when extended over long cable runs, making answers A and B incorrect. Answer C is incorrect because although coaxial cables limit EM interference by encasing one conductor in a sheath of conductive material, they are still conductive and not as resistant as purely optical forms of communication.

*What form of storage or file-transfer technology was originally designed to be operated over an optical network but was adapted to run over a copper network as well?* a. FTP b. iSCSI c. SATA d. Fibre Channel

d. *Fibre Channel* Fibre Channel is a form of network data-storage solution (SAN or NAS) that allows for high-speed file transfers upwards of 16 Gbps. It was designed to be operated over fiber optic cables, but support for copper cables was added later to offer less expensive options.

Cryptography Basics *Which of the following is a hybrid cryptosystem?* a. PAP b. MD5 c. RSA d. GPG

d. *GPG* Privacy Guard (GnuPG or GPG) is a hybrid cryptosystem that uses combination of public key and private key encryption. The incorrect choices are A, B, and C: PAP is a basic form of authentication during which the username and password are transmitted unencrypted, RSA is an asymmetric cipher, and MD5 is a hash.

Educating and Protecting the User *Which of the following actions would not be allowed in the Bell-LaPadula model?* a. General with Top Secret clearance writing at the Top Secret level b. Corporal with Confidential clearance writing at the Confidential level c. General with Top Secret clearance reading at the Confidential level d. General with Top Secret clearance writing at the Confidential level

d. *General with Top Secret clearance writing at the Confidential level* The first three actions would be allowed since you can write to your level and read at your level (or below). The situation that would not be allowed is the General with Top Secret clearance writing at the Confidential level.

Security-Related Policies and Procedures *Which policies define how individuals are brought into an organization?* a. Service policies b. Continuity policies c. Pay policies d. Hiring policies

d. *Hiring policies* Hiring policies define how individuals are brought into an organization. They also establish the process used to screen prospective employees for openings.

*What tool is used to lure or retain intruders in order to gather sufficient evidence without compromising the security of the private network?* a. Firewall b. IDS c. Router d. Honeypot

d. *Honeypot* A honeypot is used to lure or retain intruders in order to gather sufficient evidence without compromising the security of the private network.

Certificate Policy

•Dictates circumstances a specific certificate can be used

*What form of recovery site requires the least amount of downtime before mission-critical business operations can resume?* a. Cold b. Warm c. Hot d. Offsite

d. *Hot* A hot site requires the least amount of downtime before mission-critical business operations can resume, because it is a real-time mirror of the primary site.

*Loop protection uses the _______________ standard spanning-tree algorithm (STA).* a. IEEE 801.2d b. IEEE 802.3 c. IEEE 802.11n d. IEEE 802.1d

d. *IEEE 802.1d* Broadcast storms can be prevented with loop protection, which uses the IEEE 802.1d standard spanning-tree algorithm (STA).

Security-Related Policies and Procedures *An organization is partnering with another organization which requires shared systems. Which of the following documents would outline how the shared systems interface?* a. SLA b. BPA c. MOU d. ISA

d. *ISA* An interconnection security agreement (ISA) is an agreement between organizations that have connected IT systems. Answer A is incorrect because a service level agreement (SLA) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. Answer B is incorrect because a business partners agreement (BPA) is a contract that establishes partner profit percentages, partner responsibilities, and exit strategies for partners. Answer C is incorrect because a memorandum of understanding (MOU) is a document that outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities.

*Which of the following methods of cloud computing enables the client to literally outsource everything that would normally be in a typical IT department?* a. SaaS b. DaaS c. PaaS d. IaaS

d. *IaaS* Infrastructure-as-a-service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. This method of cloud computing enables the client to literally outsource everything that would normally be in a typical IT department. Answer A is incorrect because software-as-a-service (SaaS) is the delivery of a licensed application to customers over the Internet for use as a service on demand. Answer B is incorrect because desktop-as-a-service (DaaS), also called virtual desktop or hosted desktop services, is the outsourcing of a virtual desktop infrastructure (VDI) to a third-party service provider. Answer C is incorrect. Platform-as-a-service (PaaS) is the delivery of a computing platform, often an operating system with associated services, that is delivered over the Internet without downloads or installation.

*Which cloud computing service model provides the customer the highest level of control?* a. Application as a Service (AaaS) b. Software as a Service (SaaS) c. Platform as a Service (PaaS) d. Infrastructure as a Service (IaaS)

d. *Infrastructure as a Service (IaaS)* In the Infrastructure as a Service (IaaS) model, the customer has the highest level of control. The cloud computing vendor allows customers to deploy and run their own software, including operating systems and applications. Consumers have some control over the operating systems, storage, and their installed applications, but do not manage or control the underlying cloud infrastructure.

Cryptography Basics *A brainstorming session has been called. The moderator tells you to pull out a sheet of paper and write down your security concerns based on the technologies that your company uses. If your company uses public keys, what should you write as the primary security concern?* a. Privacy b. Authenticity c. Access control d. Integrity

d. *Integrity* Public keys are created to be distributed to a wide audience. The biggest security concern regarding their use is ensuring that the public keys maintain their integrity. This can be accomplished by using a thumbprint or a second encryption scheme in the certificate or key.

Cryptography Implementation *One disadvantage of decentralized key generation is:* a. It depends on key escrow. b. It is more vulnerable to single point attacks. c. There are more risks of attacks. d. It creates a storage and management issue.

d. *It creates a storage and management issue.* A disadvantage of decentralized key generation is the storage and management issue it creates.

Cryptography Implementation *The primary difference between an RA and _____ is that the latter can be used to identify or establish the identity of an individual.* a. MLA b. STR c. BSO d. LRA

d. *LRA* The primary difference between an RA and LRA is that the LRA can be used to identify or establish the identity of an individual.

Security and Vulnerability in the Network *Rule-based management defines conditions for access to objects and is also known as:* a. Distributed management b. Management by objective c. Role-based management d. Label-based management

d. *Label-based management* Rule-based management, also known as label-based management, defines conditions for access to objects.

Educating and Protecting the User *Which classification of information designates that information can be released on a restricted basis to outside organizations?* a. Private information b. Full distribution c. Restricted information d. Limited distribution

d. *Limited distribution* Limited distribution information can be released to select individuals and organizations, such as financial institutions, governmental agencies, and creditors.

*Which of the following is more formal than a handshake agreement but not a legal binding contract?* a. SLA b. BIA c. DLP d. MOU

d. *MOU* A memorandum of understanding (MOU) is an expression of agreement or aligned intent, will, or purpose between two entities. An MOU is not typically a legal agreement or commitment, but rather a more formal form of a reciprocal agreement or gentleman's handshake (neither of which is typically written down). An SLA is a formal control. BIA is business impact assessment. DLP is data loss prevention.

one-time pad (OTP)

secure method of encryption information that involves using random generated key only once

*Which of the following is the length of time a device or product is expected to last in operation?* a. RTO b. MTBF c. RPO d. MTTF

d. *MTTF* Mean time to failure (MTTF) is the length of time a device or product is expected to last in operation. Answer A is incorrect because recovery time objective (RTO) is the amount of time within which a process must be restored after a disaster to meet business continuity. It defines how much time it takes to recover after notification of process disruption. Answer B is incorrect because mean time between failures (MTBF) is the average amount of time that passes between hardware component failures excluding time spent waiting for or being repaired. Answer C is incorrect because recovery point objective (RPO) is the amount of time that can elapse during a disruption before the quantity of data lost during that period exceeds the BCP's maximum allowable threshold. It determines up to what point in time data recovery could happen before business is disrupted.

Access Control and Identity Management *If Sally wants to send a secure message to Mark using public key encryption but is not worried about sender verification, what does she need in addition to her original message text?* a. Sally's private key b. Sally's public key c. Mark's private key d. Mark's public key

d. *Mark's public key* Sally needs Mark's public key to encrypt her original message in a form that only Mark can decrypt. Neither of Sally's keys is needed because the originator does not need to be validated, making answers A and B incorrect. Answer C is incorrect because Mark's private key is used for decrypting the encrypted message to reveal Sally's original message.

*What is the average amount of time expected until the first failure of a piece of equipment?* a. Mean Time to Recovery b. Failure In Time c. Mean Time Between Failures d. Mean Time To Failure

d. *Mean Time To Failure* Mean Time To Failure (MTTF) is the average amount of time expected until the first failure of a piece of equipment.

Security-Related Policies and Procedures *Which Windows Firewall events are logged by default in Windows 7?* a. Dropped packets b. Successful connections c. Both dropped packets and successful connections d. Neither dropped packets nor successful connections

d. *Neither dropped packets nor successful connections* By default, Windows Firewall in Windows 7 logs neither dropped packets nor successful connections. Logging occurs only when one or both of these are turned on.

Cryptography Basics *Mary claims that she didn't make a phone call from her office to a competitor and tell them about developments her company is working on. Telephone logs, however, show that such a call was placed from her phone, and time clock records show she was the only person working at the time. What do these records provide?* a. Integrity b. Confidentiality c. Authentication d. Non-repudiation

d. *Non-repudiation* Non-repudiation offers undisputable proof that a party was involved in an action.

Cryptography Basics *The CRL takes time to be fully disseminated. Which protocol allows a certificate's authenticity to be immediately verified?* a. CA b. CP c. CRC d. OCSP

d. *OCSP* Online Certificate Status Protocol (OCSP) can be used to immediately verify a certificate's authenticity.

*Which type of risk control may include using video surveillance systems and barricades to limit access to secure sites?* a. Technical b. System c. Management d. Operational

d. *Operational* Operational risk control types may include using video surveillance systems and barricades to limit access to secure sites.

*An organization is looking for a basic mobile solution which will be used to prevent unauthorized access to users' phones. Which of the following fulfills this requirement?* a. GPS tracking b. Voice encryption c. Remote wipe d. Passcode policy

d. *Passcode policy* A screen lock or passcode is used to prevent access to the phone. Answer A is incorrect because if a mobile device is lost, GPS tracking can be used to find the location. Answer B is incorrect because mobile voice encryption can allow executives and employees alike to discuss sensitive information without having to travel to secure company locations. Answer C is incorrect because remote wipe allows the handheld's data to be remotely deleted in the event the device is lost or stolen.

Security and Vulnerability in the Network *Which of the following involves trying to get access to your system from an attacker's perspective?* a. Loop recon b. Flood gating c. Vulnerability scanning d. Penetration testing

d. *Penetration testing* Penetration testing involves trying to get access to your system from an attacker's perspective.

*Which statement represents a best practice for securing router configurations?* a. Allow remote configuration for dynamic installation in case of an emergency. b. Store the router configuration on a public network for easy access in case of an emergency. c. Store the router configuration on a USB drive for compact storage. d. Perform changes in the router configuration from the console.

d. *Perform changes in the router configuration from the console.* The configuration of the router should be performed from the console and not a remote location. This configuration can then be stored on a secure network drive as a backup and not on a laptop or USB flash drive.

Educating and Protecting the User *What is the form of social engineering in which you simply ask someone for a piece of information that you want by making it look as if it is a legitimate request?* a. Hoaxing b. Swimming c. Spamming d. Phishing

d. *Phishing* Phishing is the form of social engineering in which you simply ask someone for a piece of information that you want by making it look as if it is a legitimate request.

*A video surveillance system is a form of which type of access control?* a. Quantitative b. Management c. Technical d. Physical

d. *Physical* Physical controls include facility design details such as layout, door, locks, guards, and electronic surveillance systems. Quantitative risk analysis involved the use of numerical metrics and is used to identify and sort risks rather than to control risk, making answer A incorrect. Answer B is incorrect because management controls include policies and procedures. Answer C is incorrect because technical controls include access control systems, encryption, and data classification solutions.

Trusted OS

identify a system that implements multiple layers of security such as authentication and authroization

•Extranet

segment of your network set aside for trusted networks

*Which cloud computing service model allows the consumer to install and run their own specialized applications on the cloud computing network without requiring the consumer to manage or configure any of the underlying cloud infrastructure?* a. Application as a Service (AaaS) b. Infrastructure as a Service (IaaS) c. Software as a Service (SaaS) d. Platform as a Service (PaaS)

d. *Platform as a Service (PaaS)* Unlike Software as a Service (SaaS), in which the application software belonging to the cloud computing vendor is used, in Platform as a Service (PaaS), consumers can install and run their own specialized applications on the cloud computing network.

Physical and Hardware-Based Security *A new switch has been implemented in areas where there is very little physical access control. Which of the following would the organization implement as a method for additional checks to prevent unauthorized access?* a. Loop protection b. Flood guard c. Implicit deny d. Port security

d. *Port security* Port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port. Answer A is incorrect because the loop guard feature makes additional checks in Layer 2 switched networks. Answer B is incorrect because a flood guard is a firewall feature used to control network activity associated with denial-of-service (DoS) attacks. Answer C is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access.

Educating and Protecting the User *You are implementing network access for several internal business units that work with sensitive information on a small organizational network. Which of the following would best mitigate risk associated with users improperly accessing other segments of the network without adding additional switches?* a. Log analysis b. Access control lists c. Network segmentation d. Proper VLAN management

d. *Proper VLAN management* VLANs provide a way to limit broadcast traffic in a switched network. This creates a boundary and, in essence, creates multiple, isolated LANs on one switch. Answer A is incorrect because logging is the process of collecting data to be used for monitoring and auditing purposes. Answer B is incorrect because access control generally refers to the process of making resources available to accounts that should have access while limiting that access to only what is required. Answer C is incorrect because network segmentation is used for interconnected networks where a compromised system on one network can easily threaten machines on other network segments.

Access Control and Identity Management *What is the name given to the system of digital certificates and certificate authorities used for public key cryptography over networks?* a. Protocol key instructions (PKI) b. Public key extranet (PKE) c. Protocol key infrastructure (PKI) d. Public key infrastructure (PKI)

d. *Public key infrastructure (PKI)* Public key infrastructure describes the trust hierarchy system for implementing a secure public key cryptography system over TCP/IP networks. Answers A, B, and C are incorrect because these are bogus terms.

Disaster Recovery and Incident Response *You're the head of information technology for MTS and have a brother in a similar position for ABC. The companies are approximately the same size and are located several hundred miles apart. As a benefit to both companies, you want to implement an agreement that would allow either company to use resources at the other site should a disaster make a building unusable. What type of agreement between two organizations provides mutual use of their sites in the event of an emergency?* a. Backup-site agreement b. Warm-site agreement c. Hot-site agreement d. Reciprocal agreement

d. *Reciprocal agreement* A reciprocal agreement is between two organizations and allows one to use the other's site in an emergency.

*A goal of NAC is which of the following?* a. Reduce social engineering threats b. Map internal private addresses to external public addresses c. Distribute IP address configurations d. Reduce zero-day attacks

d. *Reduce zero-day attacks* The goals of Network Access Control (NAC) include preventing/reducing zero-day attacks, enforcing security policy throughout the network, and using identities to perform access control.

* _______________ refers to any combination of hardware and software that enables remote users to access a local internal network.* a. Virtual LAN (VLAN) management b. Cloud computing c. Unified threat management (UTM) d. Remote access

d. *Remote access* Remote access refers to any combination of hardware and software that enables remote users to access a local internal network.

Network Security *What type of firewall systems are static in nature and cannot do anything other than what they have been expressly configured to do?* a. Application-based b. Authentication-based c. Role-based d. Rule-based

d. *Rule-based* Rule-based systems are static in nature and cannot do anything other than what they have been expressly configured to do.

Operating System and Application Security *Which of the following is a network protocol that supports file transfers and is a combination of RCP and SSH?* a. HTTPS b. FTPS c. SFTP d. SCP

d. *SCP* The Secure Copy Protocol (SCP) is a network protocol that supports file transfers. SCP is a combination of RCP and SSH. It uses the BSD RCP protocol tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication. Answer A is incorrect because HTTPS is used for secured web-based communications. Answer B is incorrect. FTPS, also known as FTP Secure and FTP-SSL, is an FTP extension that adds support for TLS and SSL. Answer C is incorrect because SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network.

Network Security *Which statement concerning signature-based monitoring is correct?* a. Signature-based monitoring is designed for detecting statistical anomalies. b. Signature-based monitoring uses an algorithm to determine if a threat exists. c. Signature-based monitoring operates by being adaptive and proactive. d. Signature-based monitoring looks for well-known patterns.

d. *Signature-based monitoring looks for well-known patterns.* A method for auditing usage is to examine network traffic, activity, transactions, or behavior and look for well-known patterns, much like antivirus scanning. This is known as signature-based monitoring because it compares activities against a predefined signature.

*Which category of authentication includes your ATM card?* a. Something you are b. Something you do c. Somewhere you are d. Something you have

d. *Something you have* "Something you have" includes ATM cards, smart cards, and keys. "Somewhere you are" is a location, making answer C incorrect. Answers A and B are incorrect because both "something you are" and "something you do" are biometric measures present even without your ATM card.

Measuring and Weighing Risk *An executive from ABC Corp receives an email from a vice president of XYZ Corp, which is a prestigious partner organization of ABC Corp. This email was formatted using XYZ's corporate logo, images, and text from their website (checked by the executive before opening the included form). After clicking the provided link, the executive was asked to verify his credentials for access to a confidential report about ABC Corp, but after he filled out the form, the executive received only a referral to XYZ's site. What type of attack was used in this scenario?* a. Phishing b. Smishing c. Vishing d. Spear phishing

d. *Spear phishing* This is an example of a spear phishing attack, which uses fraudulent email to obtain access to data of value (here, the executive's credentials) from a targeted organization. Answer A is incorrect because while phishing attacks involve email, spear phishing attacks are targeted and customized to a selected target. The question's description of the images, links, and report all indicate a very targeted attack. Answer B is incorrect because smishing attacks are conducted using SMS messages. Answer C is similarly incorrect because vishing attacks employ telephone or VoIP audio communications.

*While performing regular security audits, you suspect that your company is under attack and someone is attempting to use resources on your network. The IP addresses in the log files belong to a trusted partner company, however. Assuming an attack, which of the following might be occurring?* a. Replay b. Authorization c. Social engineering d. Spoofing

d. *Spoofing* The most likely answer is spoofing because this enables an attacker to misrepresent the source of the requests. Answer A is incorrect because this type of attack records and replays previously sent valid messages. Answer B is incorrect because this is not a type of attack but is instead the granting of access rights based on authentication. Answer C is incorrect because social engineering involves nontechnical means of gaining information.

*Which of the following does not describe techniques for assessing threats and vulnerabilities?* a. Understanding attack surface b. Baseline reporting c. Reviews of architecture, design, and code d. System hardening

d. *System hardening* System hardening refers to reducing a system's security exposure and strengthening its defenses against unauthorized access attempts and other forms of malicious attention. Answers A, B, and C, in contrast, are specific techniques to assess for threats and vulnerabilities.

*When a vendor releases a patch, which of the following is the most important?* a. Installing the patch immediately b. Setting up automatic patch installation c. Allowing users to apply patches d. Testing the patch before implementation

d. *Testing the patch before implementation* It is most important to test patches before installing them onto production systems. Otherwise, business tasks can be interrupted if the patch does not perform as expected. Never rush to install a patch, if that means skipping testing. Do not automatically roll out patches; be sure to test them first. Do not give users the power to install patches; this should be managed by administrators.

*What is the advantage of using an access point's (AP's) power level control?* a. The power can be adjusted to "jam" frequencies of sniffers used by potential hackers. b. The power can be adjusted to provide a cleaner signal with less interference. c. The power can be adjusted so that more of the signal leaves the premises and reaches outsiders. d. The power can be adjusted so that less of the signal leaves the premises and reaches outsiders.

d. *The power can be adjusted so that less of the signal leaves the premises and reaches outsiders.* A security feature on some APs is the ability to adjust the level of power at which the WLAN transmits. On devices with that feature, the power can be adjusted so that less of the signal leaves the premises and reaches outsiders.

Cryptography Basics *Which of the following best describes the process of encrypting and decrypting data using an asymmetric encryption algorithm?* a. Only the public key is used to encrypt, and only the private key is used to decrypt. b. The public key is used to either encrypt or decrypt. c. Only the private key is used to encrypt, and only the public key is used to decrypt. d. The private key is used to decrypt data encrypted with the public key.

d. *The private key is used to decrypt data encrypted with the public key.* When encrypting and decrypting data using an asymmetric encryption algorithm, you use only the private key to decrypt data encrypted with the public key. Answers A and B are both incorrect because in public key encryption, if one key is used to encrypt, you can use the other to decrypt the data. Answer C is incorrect because the public key is not used to decrypt the same data it encrypted.

*Users received a spam email from an unknown source and chose the option in the email to unsubscribe and are now getting more spam as a result. Which one of the following is most likely the reason?* a. The unsubscribe option does not actually do anything. b. The unsubscribe request was never received. c. Spam filters were automatically turned off when making the selection to unsubscribe. d. They confirmed that their addresses are "live."

d. *They confirmed that their addresses are "live."* Often an option to opt out of further email does not unsubscribe users; instead it means, "send me more spam" because it has been confirmed that the email address is not dormant. This is less likely to occur with email a user receives that he or she opted into in the first place, however. Answers A, B, and C are incorrect because these are less likely and not the best choices.

Access Control and Identity Management *Which is the best rule-based access control constraint to protect against unauthorized access when admins are off-duty?* a. Least privilege b. Separation of duties c. Account expiration d. Time of day

d. *Time of day* Time-of-day rules prevent administrative access requests during off-hours when local admins and security professionals are not on duty. Answer A is incorrect because least privilege is a principle of assigning only those rights necessary to perform assigned tasks. Answer B is incorrect because separation of duties aids in identification of fraudulent or incorrect processes by ensuring that action and validation practices are performed separately. Answer C is incorrect because account expiration policies ensure that individual accounts do not remain active past their designated lifespan but do nothing to ensure protections are enabled during admin downtime.

Network Security *What is the role of a switch?* a. To inspect packets and either accept or deny entry b. To forward packets across different network computer networks c. To intercept user requests from the internal secure network and then process that request on behalf of the user d. To connect networks together so that they function as a single network segment

d. *To connect networks together so that they function as a single network segment* Early local area networks (LANs) used a hub, which is a standard network device for connecting multiple network devices together so that they function as a single network segment. A network switch is a device that connects network devices together. However, unlike a hub, a switch has a degree of "intelligence."

Network Security *What is the primary role of a firewall?* a. To forward packets across different network computer networks b. To intercept user requests from the internal secure network and then process that request on behalf of the user c. To connect networks together so that they function as a single network segment d. To inspect packets and either accept or deny entry

d. *To inspect packets and either accept or deny entry* Although a host-based application software firewall that runs as a program on one client is different from a hardware-based network firewall designed to protect an entire network, their functions are essentially the same: to inspect packets and either accept or deny entry.

*Several organizational users are experiencing network and Internet connectivity issues. Which of the following would be most helpful in troubleshooting where the connectivity problems might exist?* a. SSL b. IPsec c. SNMP d. Traceroute

d. *Traceroute* Traceroute uses an ICMP echo request packet to find the path between two addresses. Answer A is incorrect because SSL is a public key-based security protocol that is used by Internet services and clients for authentication, message integrity, and confidentiality. Answer B is incorrect because the Internet Protocol Security (IPsec) authentication and encapsulation standard is widely used to establish secure VPN communications. Answer C is incorrect because SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as uninterruptible power supplies (UPSs).

Cryptography Implementation *Which of the following uses a secure crypto-processor to authenticate hardware devices such as a PC or laptop?* a. Public key infrastructure b. Full disk encryption c. File-level encryption d. Trusted Platform Module

d. *Trusted Platform Module* Trusted Platform Module (TPM) refers to a secure crypto-processor used to authenticate hardware devices such as a PC or laptop. The idea behind TPM is to allow any encryption-enabled application to take advantage of the chip. Answer A is incorrect because public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. Answer B is incorrect because full-disk encryption involves encrypting the operating system partition on a computer and then booting and running with the system drive encrypted at all times. Answer C is incorrect because in file- or folder-level encryption, individual files or folders are encrypted by the file system itself.

Security-Related Policies and Procedures *Which of the following occurs under the security policy administered by a trusted security domain?* a. Positive inspection b. Confident poll c. Voucher session d. Trusted transaction

d. *Trusted transaction* A trusted transaction occurs under the security policy administered by a trusted security domain. Your organization may decide that it can serve as its own trusted security domain and that it can use third-party CAs, thus allowing for additional flexibility.

Educating and Protecting the User *When you combine phishing with Voice over IP, it is known as:* a. Spoofing b. Spooning c. Whaling d. Vishing

d. *Vishing* Vishing involves combining phishing with Voice over IP.

Wireless Networking Security *Which of the following is a script language WAP-enabled devices can respond to?* a. WXML b. Winsock c. WIScript d. WMLScript

d. *WMLScript* WAP-enabled devices can respond to scripts using an environment called WMLScript.

Trusted operating system (OS)

identify a system to determine if the system follows strict security practices such as mandatory access controls

WPA2

improvements on WPA - uses Counter mode with cipher block chaning message authentication code protocol (CCMP or CCM mode protocol) - also uses AES protocol instead of TKIP - support 128/192/256 bit encryption

Infrastructure and Connectivity *You want to implement a technology solution for a small organization that can function as a single point of policy control and management for access to Internet content. Which of the following should you choose?* a. Proxy gateway b. Circuit-level gateway c. Application-level gateway d. Web security gateway

d. *Web security gateway* Web security gateways offer a single point of policy control and management for web-based content access. Answer A is too generic to be a proper answer. Answer B is incorrect because a circuit-level gateway's decisions are based on source and destination addresses. Answer C is incorrect because an application-level gateway understands services and protocols.

*Which of the following best describes the difference between phishing and whaling?* a. They are the same. b. Whaling makes use of the voice channel, whereas phishing uses email. c. Whaling uses SMS, whereas phishing uses email. d. Whaling is similar to phishing but specifically targets high-profile individuals.

d. *Whaling is similar to phishing but specifically targets high-profile individuals.* Whaling specifically targets high-profile individuals. Phishing attempts to acquire sensitive information from anyone. Although they are very similar, they differ in the scope of the target, making answer A incorrect. Answer B is incorrect and refers to vishing, which is essentially phishing but using the phone. Answer C is incorrect as this describes smishing, which uses Short Message Service (SMS), or text messaging.

*When is business continuity needed?* a. When new software is distributed b. When business processes are interrupted c. When a user steals company data d. When business processes are threatened

d. *When business processes are threatened* Business continuity is used when business processes are threatened. Security policy is used when new software is distributed. Disaster recovery is used when business processes are interrupted. Incident response is used when a user steals company data.

Operating System and Application Security *An organization is looking to add a layer of security and maintain strict control over the apps employees are approved to use. Which of the following fulfills this requirement?* a. Blacklisting b. Encryption c. Lockout d. Whitelisting

d. *Whitelisting* Application whitelisting only permits known good apps. When security is a concern, whitelisting applications is a better option because it allows organizations to maintain strict control over the apps employees are approved to use. Answer A is incorrect because although blacklisting is an option, it is not as effective as whitelisting. Answer B is incorrect because encryption has nothing to do with restricting application usage. Answer C is incorrect because lockout has to do with number of times a user can enter a passcode.

Cryptography Basics *Which authorization protocol is generally compatible with TACACS?* a. LDAP b. RADIUS c. TACACS+ d. XTACACS

d. *XTACACS* The Extended Terminal Access Controller Access Control System (XTACACS) protocol is a proprietary form of the TACACS protocol developed by Cisco and is compatible in many cases. Neither LDAP nor RADIUS is affiliated with the TACACS protocol, making answers A and B incorrect. Answer C is incorrect because the newer TACACS+ is not backward compatible with its legacy equivalent.

*A security _______________ log can provide details regarding requests for specific files on a system.* a. event b. administration c. audit d. access

d. *access* A security access log can provide details regarding requests for specific files on a system while an audit log is used to record which user performed an action and what that action was. System event logs document any unsuccessful events and the most significant successful events.

*Risk _______________ involves identifying the risk, but making a decision to not engage in the activity.* a. deterrence b. mitigation c. acceptance d. avoidance

d. *avoidance* Risk avoidance involves identifying the risk but making the decision to not engage in the activity.

*With _______________, the customer's data should be properly isolated from that of other customers, and the highest level of application availability and security must be maintained.* a. virtualization b. IP telephony c. Sandboxing d. cloud computing

d. *cloud computing* In cloud computing, the customer's data must be properly isolated from that of other customers, and the highest level of application availability and security must be maintained.

*Another name for layered security is _______________.* a. network separation b. VPN tunneling c. Unified threat management (UTM) d. defense in depth

d. *defense in depth* A basic level of security can be achieved through using the security features found in standard network hardware. And because networks typically contain multiple types of network hardware, this allows for layered security, also called defense in depth.

*A _______________ functions as a separate network that rests outside the secure network perimeter.* a. gateway b. segment c. virtual private network (VPN) d. demilitarized zone (DMZ)

d. *demilitarized zone (DMZ)* In order to allow untrusted outside users access to resources such as web servers, most networks employ a demilitarized zone (DMZ). The DMZ functions as a separate network that rests outside the secure network perimeter: untrusted outside users can access the DMZ but cannot enter the secure network.

Security and Vulnerability in the Network *You want to implement MAC filtering on a small network but do not know the MAC address of a Windows-based workstation. Which command-line tool can you run on the workstation to find the MAC address?* a. ifconfig b. ifconfig /show c. ipconfig d. ipconfig /all

d. *ipconfig /all* The command ipconfig /all will show the MAC address as the physical address.

*Limiting access to rooms in a building is a model of the information technology security principle of _______________.* a. job rotation b. mandatory vacations c. separation of duties d. least privilege

d. *least privilege* Limiting access to rooms in a building is a model of the information technology security principle of least privilege.

key

information used by encryption algorithm to perform encryption/decryption of the data ex) Caesar cipher - "increment each character in the message by <key>"

permission

someone level of access to a resource

*With subnetting, rather than simply having networks and hosts, networks can effectively be divided into three parts: _______________.* a. network, subnet, and port b. port, subnet, and IP address c. network, port, and host d. network, subnet, and host

d. *network, subnet, and host* Improved addressing techniques introduced in 1985 allowed an IP address to be split anywhere within its 32 bits. This is known as subnetting or subnet addressing. Instead of just having networks and hosts, with subnetting, networks essentially can be divided into three parts: network, subnet, and host.

*In a(n) _______________ attack, a malformed ICMP ping that exceeds the size of an IP packet is sent to the victim's computer potentially causing the host to crash.* a. network discovery b. smurf c. ICMP redirect d. ping of death

d. *ping of death* In a ping of death attack, a malformed ICMP ping that exceeds the size of an IP packet is sent to the victim's computer. This can cause the host to crash.

*The _______________ approach to calculating risk attempts to create "hard" numbers associated with the risk of an element in a system by using historical data.* a. cumulative b. qualitative c. technical d. quantitative

d. *quantitative* The quantitative approach to calculating risk attempts to create "hard" numbers associated with the risk of an element in a system by using historical data.

*The _______________ is the length of time it will take to recover the data that has been backed up.* a. mean time to recovery b. recovery point objective c. mean time to failure d. recovery time objective

d. *recovery time objective* The recovery time objective is the length of time it will take to recover the data that has been backed up.

*A(n) _______________ VPN, often used on mobile devices like laptops in which the VPN endpoint is actually software running on the device itself, offers the most flexibility in how network traffic is managed.* a. closed b. open c. hardware-based d. software-based

d. *software-based* Software-based VPNs, often used on mobile devices like laptops in which the VPN endpoint is actually software running on the device itself, offer the most flexibility in how network traffic is managed.

Network Security *A _______________ is a special type of firewall that looks at the applications using HTTP.* a. network intrusion detection system (NIDS) b. network intrusion prevention system (NIPS) c. spam filter d. web application firewall

d. *web application firewall* A Web application firewall is a special type of firewall that looks at the applications using HTTP.

Network Security *A(n) _______________ can block malicious content in real time as it appears.* a. uniform resource locator (URL) filter b. virtual private network (VPN) c. Internet content filter d. web security gateway

d. *web security gateway* A web security gateway can block malicious content in real time as it appears (without first knowing the URL of a dangerous site).

*A(n) _______________ policy is one that defines the actions users may perform while accessing systems and networking equipment.* a. data acquisition b. privacy c. data storage d. acceptable use

d.* acceptable use* An Acceptable Use Policy (AUP) is a policy that defines the actions users may perform while accessing systems and networking equipment.

13) Repository

database that store certs and public keys - should be available to all participants in the PKI structure - LDAP compliant directory

Operational control

day-to-day activities that need operation going - ex) backups`

17) FAU copying physical memory

dd.exe if=\\.\PhysicalMemory of=e:\Comp1_Mem.img conv=noerror -localwrt

Discretionary Access Control (DAC)

decides who gets access to resource based on discretionary access control list (DACL)

Implicit deny

deny anyone access to system until they are authenticated

Difference between mirroring and duplexing

duplexing adds a second disk controller.

RSA is used to encrypt __ and other ___ ___ ___ __ ___. It requires a ___ key and a ____ key.

e-mail data transmitted over the internet public private

type d firextinguisher

flammable metals

What gas is now used in fire suppression systems

fm200

18) Profiling Phase

hacker use internet resources to discover any information about the company. Obtain infor from - website - Google - whois database - DNS profiling

HSM

hardware security module

Mandatory access control

has two common implementations: rule-based access control and lattice-based access control.

SHA-2

hashing algorithm with blocks of 512 bits.

SLE (Single Loss Expectancy)

he monetary value expected from the occurrence of a risk on an asset.

S/MIME. Secure Multipurpose Internet Mail Extensions

hybrid cryptosystem Centralized and uses PKI hierarchical trust. X.509 Digital Certs (CA digital signature). Provides protection for email. Has authentication, integrity, confidentiality, integrity, And non repudiation

Pharming

is a form of redirection in which traffic intended for one host is sent to another. This can be accomplished on a small scale by changing entries in the hosts file and on a large scale by changing entries in a DNS server (the poisoning mentioned earlier). In either case, when a user attempts to go to a site, they are redirected to another.

federated identity

is a means of linking a user's identity with their privileges in a manner that can be used across business boundaries (for example, Microsoft Passport or Google checkout). This allows a user to have a single identity that they can use across different business units and perhaps even entirely different businesses.

Bell-La Padula

is a state machine model used for enforcing access control in government applications. It is a less-common, multilevel security derivative of mandatory access control. This model focuses on data confidentiality and controlled access to classified information.

A Fraggle attack

is a type of DoS attack that sends large amounts of UDP traffic to ports 7 and 19. This is similar to the Smurf attack.

Clark-Wilson

is another integrity model that provides a foundation for specifying and analyzing an integrity policy for a computing system.

Any IPv6 private address

is fd

PAP

is insecure because usernames and passwords are sent as clear text.

Discretionary access control list (DACL)

is listing of users or group who are granted access to a resource - determine what access the user has on entries of the access control entry (ACE)

MS-CHAPv1

is not capable of mutual authentication of the client and server.

Block size

is the amount of bits in which you will be encrypting

DAC

is the discretionary access control method.

19) System monitoring (linux)

linux equilavent to windows Performance monitoring - system menu > administration > system monitoring

access control list (ACL)

listing of systems or person that are authorized to access resources

NAC, network access control,

makes security checks of the users or the actual connections that are made before sessions are initiated. It can also remediate issues automatically if configured properly.

17) Network traffic log

might be necessary to look at network traffic and logs

19) Performance Monitor (perfmon)

monitor performance related information - allows to add counters to monitor ex) memory, disk, processor, network interface

19) tasklist command

monitor processing running on the system -

Wireless scanners

netstumbler - windows kismet - linux

Socket Secure (SOCKS)

network protocol designed to allow clients to communicate with internet servers through firewall

18) Syn scan on entire 10.0.0.0 network running remote desktop

nmap -sS 10.0.0.0/8 -p 3389

Crossover error rate (CER)

number represent number type i error equal to type 2 error. the lower number the better

Network control protocol (ncp)

part of Point-to-Point protocol (PPP) that encapsulates network traffic.

Port 53

port used by DNS,

7

port used by Echo

88

port used by Kerberos

1433

port used by Mssql ,

119

port used by NNTP.

port 161

port used by SNMP, and

MOU (memorandum of understanding)

prevents misunderstandings and disputes by clarifying the expectations of the partners

16) Redundant Array of Independent Disks (RAID)

technology that duplicates data across drives so that if a drive fails, the other drives in the solution can provide the data

Vishing

the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft.

16) Mean time between failures (MTBF)

the amount of time between failures of a system or device

iv attack

the initialization vector (IV) that WEP uses for encryption is 24-bit, which is quite weak and means that IVs are reused with the same key. By examining the repeating result, it was easy for attackers to crack the WEP secret key. This is known as an IV attack. Since the IV is shorter than the key, it must be repeated when used. To put it in perspective, the attack happened because the algorithm used is RC4, the IV is too small, the IV is static, and the IV is part of the RC4 encryption key.

L2F Layer 2 Forwarding

tunneling protocol that sets up a VPN tunnel

mutual authentication

two sides of communication channel authenticate to one another

Physical control

used to control access to physical facility and locations - ex) doors, lock, security guards, video surveillance

Key stretching/key strengthening

used to ensure that a weak key is not victim of brute force attack. - special algorithm used to convert weak password into stronger keys - common algorithm PBKDF2 and Bcyrpt

Cipher Suite

used to negotiate the security settings for a network connection using Transport Layer Security (TLS), Secure Socket Layer (SSL), Secure Shell (SHH), or other secure network protocol.

WiFi Protected Access (WPA)

uses 128-bit key TKIP - improvements over WEP - support EPA

Microsoft CHAP (MS-CHAP)

uses MD4 hash and Microsoft Point-to-Point encryption (MPPE)

Kerberos

uses a KDC (Key Distribution Center) to centralize the distribution of certificate keys and keep a list of revoked keys.

Colon rule

uses double colon to compress address where sets of 0s are together but can only use colon rule 1 time 3FFE:0000:0000:0002:0000:0000:000C 3FFE::2:0:0:C Loopback is ::1

IPV6

uses hexadecimal where there is 8 sets of 4 hexadecimal digits with each bit represents 4 bits 1-9 1-f Xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

17) Verifying the evidence

validate content by running a hash algorithm on data to generate a hash value - can compare hash value to verify data

DES (Data Encryption Standard)

was developed in the 1970s; 56-bit key. Considered weak

IP spoofing

when an attacker sends IP packets with a forged source IP address.

True clustering

when multiple computers' resources are used together to create a faster, more efficient system; it often uses load balancing to accomplish this. However, true clustering does not necessarily allow for fault tolerance of data.

IP Sec (IP security)

works at layer 3 provides security. Used in Authentication. MAC/HMAC. Transport Mode: designed for end to end encryption of data. Packet data is protects but header left intact Tunnel Mode: designed for link to link communications Both packet contents and the ip header are encapsulated Transport on the LAN and Tunnel on the WAN.

Role-based access control (RBAC)

works with sets of permissions; each set of permissions constitutes a role. Users are assigned to roles to gain access to resources. Examples of user groups that are assigned to roles include remote users, extranet users, guests, and so on.

DMZ

zone that allows selected traffic from the internet to reach public server such as DNS, FTP, HTTP

Certificate Authority pg 38

Certificate Practice Statement

Certificate Signing Request (CSR)

NetBIOS

Layer 2 - Switch connects multiple network segments (trunking ports, access ports)

•Improves network efficiency and uses MAC address for delivery determination

Layer1 - NIC connects host to the network (also layer 2)

•Modem connects host to the telephone network •Hub allows nodes to communicate with each other •War Dialing, Layer 1 attack: an attack where an individual runs an application to dial telephone numbers. Identify and contact modems.

Layer 3 - Network Layer Devices

•Router connects to other networks and web. •Protocols •RIP (Routing Information Protocol), BGP (Border Gateway Protocol), OSPF (Open Shortest Path First). •Secure Router Configuration: Document baseline configuration, Change default settings, Change Control •Perform the initial configuration from the console and back it up securely

Fibre Channel

•uses fibre optics or copper-based wiring. High speed (16 Gbps). Layer 2

Measuring and Weighing Risk *If you calculate SLE to be $25,000 and that there will be one occurrence every four years (ARO), then what is the ALE?* a. $6,250 b. $12,500 c. $25,000 d. $100,000

a. *$6,250* If you calculate SLE to be $25,000 and that there will be one occurrence every four years (ARO), then the ALE is $6,250 ($25,000 × .25).

Infrastructure and Connectivity *How many bits are used for addressing with IPv4 and IPv6, respectively?* a. 32, 128 b. 16, 64 c. 8, 32 d. 4, 16

a. *32, 128* IPv4 uses 32 bits for the host address, while IPv6 uses 128 bits for this.

Threats and Vulnerabilities *Internal users are reporting repeated attempts to infect their systems as reported to them by pop-up messages from their virus-scanning software. According to the pop-up messages, the virus seems to be the same in every case. What is the most likely culprit?* a. A server is acting as a carrier for a virus. b. You have a worm virus. c. Your antivirus software has malfunctioned. d. A DoS attack is under way.

a. *A server is acting as a carrier for a virus.* Some viruses won't damage a system in an attempt to spread into all the other systems in a network. These viruses use that system as the carrier of the virus.

Access Control and Identity Management *A newly hired junior administrator will assume your position temporarily while you attend a conference. You're trying to explain the basics of security to her in as short a period of time as possible. Which of the following best describes an ACL?* a. ACLs provide individual access control to resources. b. ACLs aren't used in modern systems. c. The ACL process is dynamic in nature. d. ACLs are used to authenticate users.

a. *ACLs provide individual access control to resources.* Access control lists allow individual and highly controllable access to resources in a network. An ACL can also be used to exclude a particular system, IP address, or user.

Threats and Vulnerabilities *You're explaining the basics of security to upper management in an attempt to obtain an increase in the networking budget. One of the members of the management team mentions that they've heard of a threat from a virus that attempts to mask itself by hiding code from antivirus software. What type of virus is he referring to?* a. Armored virus b. Polymorphic virus c. Worm d. Stealth virus

a. *Armored virus* An armored virus is designed to hide the signature of the virus behind code that confuses the antivirus software or blocks it from detecting the virus.

Access Control and Identity Management *The present method of requiring access to be strictly defined on every object is proving too cumbersome for your environment. The edict has come down from upper management that access requirements should be reduced slightly. Which access model allows users some flexibility for information-sharing purposes?* a. DAC b. MAC c. RBAC d. MLAC

a. *DAC* DAC allows some flexibility in information-sharing capabilities within the network.

Access Control and Identity Management *LDAP is an example of which of the following?* a. Directory access protocol b. IDS c. Tiered model application development environment d. File server

a. *Directory access protocol* Lightweight Directory Access Protocol (LDAP) is a directory access protocol used to publish information about users. This is the computer equivalent of a phone book.

Threats and Vulnerabilities *Which type of attack denies authorized users access to network resources?* a. DoS b. Worm c. Logic bomb d. Social engineering

a. *DoS* A DoS attack is intended to prevent access to network resources by overwhelming or flooding a service or network.

Protecting Networks *What is a system that is intended or designed to be broken into by an attacker called?* a. Honeypot b. Honeybucket c. Decoy d. Spoofing system

a. *Honeypot* A honeypot is a system that is intended to be sacrificed in the name of knowledge. Honeypot systems allow investigators to evaluate and analyze the attack strategies used. Law enforcement agencies use honeypots to gather evidence for prosecution.

Infrastructure and Connectivity *Which protocol is primarily used for network maintenance and destination information?* a. ICMP b. SMTP c. IGMP d. Router

a. *ICMP* ICMP is used for destination and error reporting functions in TCP/IP. ICMP is routable and is used by programs such as Ping and Traceroute.

Protecting Networks *Security has become the utmost priority at your organization. You're no longer content to act reactively to incidents when they occur—you want to start acting more proactively. Which system performs active network monitoring and analysis and can take proactive steps to protect a network?* a. IDS b. Sniffer c. Router d. Switch

a. *IDS* An IDS is used to protect and report network abnormalities to a network administrator or system. It works with audit files and rule-based processing to determine how to act in the event of an unusual situation on the network.

Access Control and Identity Management *You've been given notice that you'll soon be transferred to another site. Before you leave, you're to audit the network and document everything in use and the reason why it's in use. The next administrator will use this documentation to keep the network running. Which of the following protocols isn't a tunneling protocol but is probably used at your site by tunneling protocols for network security?* a. IPSec b. PPTP c. L2TP d. L2F

a. *IPSec* IPSec provides network security for tunneling protocols. IPSec can be used with many different protocols besides TCP/IP, and it has two modes of security.

Infrastructure and Connectivity *You've been given notice that you'll soon be transferred to another site. Before you leave, you're to audit the network and document everything in use and the reason why it's in use. The next administrator will use this documentation to keep the network running. Which of the following protocols isn't a tunneling protocol but is probably used at your site by tunneling protocols for network security?* a. IPSec b. PPTP c. L2TP d. L2F

a. *IPSec* IPSec provides network security for tunneling protocols. IPSec can be used with many different protocols besides TCP/IP, and it has two modes of security.

Access Control and Identity Management *What is invoked when a person claims they are the user but cannot be authenticated—such as when they lose their password?* a. Identity proofing b. Social engineering c. Directory traversal d. Cross-site requesting

a. *Identity proofing* Identity proofing is invoked when a person claims they are the user but cannot be authenticated, such as when they lose their password.

Threats and Vulnerabilities *Your system has just stopped responding to keyboard commands. You noticed that this occurred when a spreadsheet was open and you dialed in to the Internet. Which kind of attack has probably occurred?* a. Logic bomb b. Worm c. Virus d. ACK attack

a. *Logic bomb* A logic bomb notifies an attacker when a certain set of circumstances has occurred. This may in turn trigger an attack on your system.

Access Control and Identity Management *Upper management has suddenly become concerned about security. As the senior network administrator, you are asked to suggest changes that should be implemented. Which of the following access methods should you recommend if the method is to be one that is primarily based on preestablished access and can't be changed by users?* a. MAC b. DAC c. RBAC d. Kerberos

a. *MAC* Mandatory Access Control (MAC) is oriented toward preestablished access. This access is typically established by network administrators and can't be changed by users.

Protecting Networks *A junior administrator bursts into your office with a report in his hand. He claims that he has found documentation proving that an intruder has been entering the network on a regular basis. Which of the following implementations of IDS detects intrusions based on previously established rules that are in place on your network?* a. MD-IDS b. AD-IDS c. HIDS d. NIDS

a. *MD-IDS* By comparing attack signatures and audit trails, a misuse-detection IDS determines whether an attack is occurring.

Threats and Vulnerabilities *An administrator at a sister company calls to report a new threat that is making the rounds. According to him, the latest danger is an attack that attempts to intervene in a communications session by inserting a computer between the two systems that are communicating. Which of the following types of attacks does this constitute?* a. Man-in-the-middle attack b. Backdoor attack c. Worm d. TCP/IP hijacking

a. *Man-in-the-middle attack* A man-in-the-middle attack attempts to fool both ends of a communications session into believing the system in the middle is the other end.

Protecting Networks *The IDS console is known as what?* a. Manager b. Window c. Dashboard d. Screen

a. *Manager* The IDS console is known as the manager.

Access Control and Identity Management *After a careful risk analysis, the value of your company's data has been increased. Accordingly, you're expected to implement authentication solutions that reflect the increased value of the data. Which of the following authentication methods uses more than one authentication process for a logon?* a. Multifactor b. Biometrics c. Smart card d. Kerberos

a. *Multifactor* A multifactor authentication method uses two or more processes for logon. A two-factor method might use smart cards and biometrics for logon.

Protecting Networks *Which of the following can be used to monitor a network for unauthorized activity? (Choose two.)* a. Network sniffer b. NIDS c. HIDS d. VPN

a. *Network sniffer* b. *NIDS* Network sniffers and NIDSs are used to monitor network traffic. Network sniffers are manually oriented, whereas an NIDS can be automated.

Infrastructure and Connectivity *Which protocol is unsuitable for WAN VPN connections?* a. PPP b. PPTP c. L2TP d. IPSec

a. *PPP* PPP provides no security, and all activities are unsecure. PPP is primarily intended for dial-up connections and should never be used for VPN connections.

Access Control and Identity Management *Which protocol is unsuitable for WAN VPN connections?* a. PPP b. PPTP c. L2TP d. IPSec

a. *PPP* PPP provides no security, and all activities are unsecure. PPP is primarily intended for remote connections and should never be used for VPN connections.

Threats and Vulnerabilities *Your system log files report an ongoing attempt to gain access to a single account. This attempt has been unsuccessful to this point. What type of attack are you most likely experiencing?* a. Password-guessing attack b. Backdoor attack c. Worm attack d. TCP/IP hijacking

a. *Password-guessing attack* A password-guessing attack occurs when a user account is repeatedly attacked using a variety of different passwords.

Protecting Networks *Which of the following copies the traffic from all ports to a single port and disallows bidirectional traffic on that port?* a. Port spanning b. Socket blending c. Straddling d. Amalgamation

a. *Port spanning* Port spanning (also known as port mirroring) copies the traffic from all ports to a single port and disallows bidirectional traffic on that port.

Protecting Networks *Sockets are a combination of the IP address and which of the following?* a. Port b. MAC address c. NIC setting d. NetBIOS ID

a. *Port* Sockets are a combination of the IP address and the port.

Infrastructure and Connectivity *Upper management has decreed that a firewall must be put in place immediately, before your site suffers an attack similar to one that struck a sister company. Responding to this order, your boss instructs you to implement a packet filter by the end of the week. A packet filter performs which function?* a. Prevents unauthorized packets from entering the network b. Allows all packets to leave the network c. Allows all packets to enter the network d. Eliminates collisions in the network

a. *Prevents unauthorized packets from entering the network* Packet filters prevent unauthorized packets from entering or leaving a network. Packet filters are a type of firewall that blocks specified port traffic.

Measuring and Weighing Risk *Which of the following strategies necessitates an identified risk that those involved understand the potential cost/damage and agree to accept?* a. Risk acceptance b. Risk avoidance c. Risk deterrence d. Risk mitigation e. Risk transference

a. *Risk acceptance* Risk acceptance necessitates an identified risk that those involved understand the potential cost/damage and agree to accept.

Measuring and Weighing Risk *Which of the following policies are designed to reduce the risk of fraud and prevent other losses in an organization?* a. Separation of duties b. Acceptable use c. Least privilege d. Physical access control

a. *Separation of duties* The separation of duties policies are designed to reduce the risk of fraud and prevent other losses in an organization.

Protecting Networks *Which device monitors network traffic in a passive manner?* a. Sniffer b. IDS c. Firewall d. Web browser

a. *Sniffer* Sniffers monitor network traffic and display traffic in real time. Sniffers, also called network monitors, were originally designed for network maintenance and troubleshooting.

Educating and Protecting the User *As part of your training program, you're trying to educate users on the importance of security. You explain to them that not every attack depends on implementing advanced technological methods. Some attacks, you explain, take advantage of human shortcomings to gain access that should otherwise be denied. What term do you use to describe attacks of this type?* a. Social engineering b. IDS system c. Perimeter security d. Biometrics

a. *Social engineering* Social engineering uses the inherent trust in the human species, as opposed to technology, to gain access to your environment.

Threats and Vulnerabilities *You're the administrator for a large bottling company. At the end of each month, you routinely view all logs and look for discrepancies. This month, your email system error log reports a large number of unsuccessful attempts to log on. It's apparent that the email server is being targeted. Which type of attack is most likely occurring?* a. Software exploitation attack b. Backdoor attack c. Worm d. TCP/IP hijacking

a. *Software exploitation attack* A software exploitation attack attempts to exploit weaknesses in software. A common attack attempts to communicate with an established port to gain unauthorized access. Most email servers use port 25 for email connections using SMTP.

Infrastructure and Connectivity *Which of the following are multiport devices that improve network efficiency?* a. Switches b. Modems c. Gateways d. Concentrators

a. *Switches* Switches are multiport devices that improve network efficiency. A switch typically has a small amount of information about systems in a network.

Threats and Vulnerabilities *A server on your network will no longer accept connections using TCP. The server indicates that it has exceeded its session limit. Which type of attack is probably occurring?* a. TCP ACK attack b. Smurf attack c. Virus attack d. TCP/IP hijacking

a. *TCP ACK attack* A TCP ACK attack creates multiple incomplete sessions. Eventually, the TCP protocol hits a limit and refuses additional connections.

Access Control and Identity Management *Your company provides medical data to doctors from a worldwide database. Because of the sensitive nature of the data you work with, it's imperative that authentication be established on each session and be valid only for that session. Which of the following authentication methods provides credentials that are valid only during a single session?* a. Tokens b. Certificate c. Smart card d. Kerberos

a. *Tokens* Tokens are created when a user or system successfully authenticates. The token is destroyed when the session is over.

Threats and Vulnerabilities *A mobile user calls you from the road and informs you that his laptop is exhibiting erratic behavior. He reports that there were no problems until he downloaded a tic-tac-toe program from a site that he had never visited before. Which of the following terms describes a program that enters a system disguised in another program?* a. Trojan horse virus b. Polymorphic virus c. Worm d. Armored virus

a. *Trojan horse virus* A Trojan horse enters with a legitimate program to accomplish its nefarious deeds.

Access Control and Identity Management *Which technology allows a connection to be made between two networks using a secure protocol?* a. Tunneling b. VLAN c. Internet d. Extranet

a. *Tunneling* Tunneling allows a network to make a secure connection to another network through the Internet or other network. Tunnels are usually secure and present themselves as extensions of both networks.

Access Control and Identity Management *You're the administrator for Mercury Technical. Due to several expansions, the network has grown exponentially in size within the past two years. Which of the following is a popular method for breaking a network into smaller private networks that can coexist on the same wiring and yet be unaware of each other?* a. VLAN b. NAT c. MAC d. Security zone

a. *VLAN* Virtual local area networks (VLANs) break a large network into smaller networks. These networks can coexist on the same wiring and be unaware of each other. A router or other routing-type device would be needed to connect these VLANs.

Access Control and Identity Management *Which of the following security areas encompasses network access control (NAC)?* a. Physical security b. Operational security c. Management security d. Triad security

b. *Operational security* Operational security issues include network access control (NAC), authentication, and security topologies after the network installation is complete.

Measuring and Weighing Risk *Consider the following scenario: The asset value of your company's primary servers is $2 million and they are housed in a single office building in Anderson, Indiana. You have field offices scattered throughout the United States, so the servers in the main office account for approximately half the business. Tornados in this part of the country are not uncommon, and it is estimated one will level the building every 60 years.* *Which of the following is the SLE for this scenario?* a. $2 million b. $1 million c. $500,000 d. $33,333.33 e. $16,666.67

b. *$1 million* SLE (single loss expectancy) is equal to asset value (AV) times exposure factor (EF). In this case, asset value is $2 million and exposure factor is 1/2.

Threats and Vulnerabilities *You're working late one night, and you notice that the hard disk on your new computer is very active even though you aren't doing anything on the computer and it isn't connected to the Internet. What is the most likely suspect?* a. A disk failure is imminent. b. A virus is spreading in your system. c. Your system is under a DoS attack. d. TCP/IP hijacking is being attempted.

b. *A virus is spreading in your system.* A symptom of many viruses is unusual activity on the system disk. This is caused by the virus spreading to other files on your system.

Measuring and Weighing Risk *Which of the following policies describes how the employees in an organization can use company systems and resources, both software and hardware?* a. Separation of duties b. Acceptable use c. Least privilege d. Physical access control

b. *Acceptable use* The acceptable use policies describe how the employees in an organization can use company systems and resources, both software and hardware.

Protecting Networks *Which of the following is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead?* a. Enticement b. Entrapment c. Deceit d. Sting

b. *Entrapment* Entrapment is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead.

Infrastructure and Connectivity *IPv6, in addition to having more bits allocated for each host address, also has mandatory requirements built in for which security protocol?* a. TFTP b. IPSec c. SFTP d. L2TP

b. *IPSec* The implementation of IPSec is mandatory with IPv6. While it is widely implemented with IPv4, it is not a requirement.

Access Control and Identity Management *You've been assigned to mentor a junior administrator and bring him up to speed quickly. The topic you're currently explaining is authentication. Which method uses a KDC to accomplish authentication for users, programs, or systems?* a. CHAP b. Kerberos c. Biometrics d. Smart cards

b. *Kerberos* Kerberos uses a key distribution center (KDC) to authenticate a principal. The KDC provides a credential that can be used by all Kerberos-enabled servers and applications.

Infrastructure and Connectivity *Which device is used to connect voice, data, pagers, networks, and almost any other conceivable application into a single telecommunications system?* a. Router b. PBX c. Hub d. Server

b. *PBX* Many modern PBX (private branch exchange) systems integrate voice and data onto a single data connection to your phone service provider. In some cases, this allows an overall reduction in cost of operations. These connections are made using existing network connections such as a T1 or T3 network.

Infrastructure and Connectivity *Most of the sales force have been told that they should no longer report to the office on a daily basis. From now on, they're to spend the majority of their time on the road calling on customers. Each member of the sales force has been issued a laptop computer and told to connect to the network nightly through a dial-up connection. Which of the following protocols is widely used today as a transport protocol for Internet dial-up connections?* a. SMTP b. PPP c. PPTP d. L2TP

b. *PPP* PPP can pass multiple protocols and is widely used today as a transport protocol for dial-up connections.

Access Control and Identity Management *Most of your client's sales force have been told that they should no longer report to the office on a daily basis. From now on, they're to spend the majority of their time on the road calling on customers. Each member of the sales force has been issued a laptop computer and told to connect to the network nightly through a remote connection. Which of the following protocols is widely used today as a transport protocol for remote Internet connections?* a. SMTP b. PPP c. PPTP d. L2TP

b. *PPP* PPP can pass multiple protocols and is widely used today as a transport protocol for remote connections.

Threats and Vulnerabilities *You are the senior administrator for a bank. A user calls you on the telephone and says they were notified to contact you but couldn't find your information on the company website. Two days ago, an email told them there was something wrong with their account and they needed to click a link in the email to fix the problem. They clicked the link and filled in the information, but now their account is showing a large number of transactions that they did not authorize. They were likely the victims of what type of attack?* a. Spimming b. Phishing c. Pharming d. Escalating

b. *Phishing* Sending an email with a misleading link to collect information is a phishing attack.

Threats and Vulnerabilities *Your system has been acting strangely since you downloaded a file from a colleague. Upon examining your antivirus software, you notice that the virus definition file is missing. Which type of virus probably infected your system?* a. Polymorphic virus b. Retrovirus c. Worm d. Armored virus

b. *Retrovirus* Retroviruses are often referred to as anti-antiviruses. They can render your antivirus software unusable and leave you exposed to other, less-formidable viruses.

Measuring and Weighing Risk *Which of the following strategies involves identifying a risk and making the decision to no longer engage in the action?* a. Risk acceptance b. Risk avoidance c. Risk deterrence d. Risk mitigation e. Risk transference

b. *Risk avoidance* Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.

Threats and Vulnerabilities *What kind of virus could attach itself to the boot sector of your disk to avoid detection and report false information about file sizes?* a. Trojan horse virus b. Stealth virus c. Worm d. Polymorphic virus

b. *Stealth virus* A stealth virus reports false information to hide itself from antivirus software. Stealth viruses often attach themselves to the boot sector of an operating system.

Infrastructure and Connectivity *As more and more clients have been added to your network, the efficiency of the network has decreased significantly. You're preparing a budget for next year, and you specifically want to address this problem. Which of the following devices acts primarily as a tool to improve network efficiency?* a. Hub b. Switch c. Router d. PBX

b. *Switch* Switches create virtual circuits between systems in a network. These virtual circuits are somewhat private and reduce network traffic when used.

Access Control and Identity Management *Which of the following is a client-server-oriented environment that operates in a manner similar to RADIUS?* a. HSM b. TACACS c. TPM d. ACK

b. *TACACS* Terminal Access Controller Access-Control System (TACACS) is a client-server-oriented environment, and it operates in a manner similar to how RADIUS operates.

Protecting Networks *Which of the following utilities can be used in Linux to view a list of users' failed authentication attempts?* a. badlog b. faillog c. wronglog d. killlog

b. *faillog* Use the faillog utility in Linux to view a list of users' failed authentication attempts.

Measuring and Weighing Risk *If you calculate SLE to be $4,000 and that there will be 10 occurrences a year (ARO), then the ALE is:* a. $400 b. $4,000 c. $40,000 d. $400,000

c. *$40,000* If you calculate SLE to be $4,000 and that there will be 10 occurrences a year (ARO), then the ALE is $40,000 ($4,000 × 10).

Protecting Networks *Which of the following IDS types looks for things outside of the ordinary?* a. Incongruity-based b. Variance-based c. Anomaly-based d. Difference-based

c. *Anomaly-based* An anomaly-detection IDS (AD-IDS) looks for anomalies, meaning it looks for things outside of the ordinary.

Measuring and Weighing Risk *The risk-assessment component, in conjunction with the ________, provides the organization with an accurate picture of the situation facing it.* a. RAC b. ALE c. BIA d. RMG

c. *BIA* The risk-assessment component, in conjunction with the BIA (Business Impact Analysis), provides the organization with an accurate picture of the situation facing it.

Threats and Vulnerabilities *An alert signals you that a server in your network has a program running on it that bypasses authorization. Which type of attack has occurred?* a. DoS b. DDoS c. Backdoor d. Social engineering

c. *Backdoor* In a backdoor attack, a program or service is placed on a server to bypass normal security procedures.

Measuring and Weighing Risk *Which of the following is the structured approach that is followed to secure the company's assets?* a. Asset management b. Incident management c. Change management d. Skill management

c. *Change management* Change management is the structured approach that is followed to secure the company's assets.

Measuring and Weighing Risk *Separation of duties helps prevent an individual from embezzling money from a company. To successfully embezzle funds, an individual would need to recruit others to commit an act of ________ (an agreement between two or more parties established for the purpose of committing deception or fraud).* a. Misappropriation b. Misuse c. Collusion d. Fraud

c. *Collusion* Collusion is an agreement between two or more parties established for the purpose of committing deception or fraud. Collusion, when part of a crime, is also a criminal act in and of itself.

Protecting Networks *Which type of active response fools the attacker into thinking the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system that is designed to be broken?* a. Pretexting b. Shamming c. Deception d. Scamming

c. *Deception* A deception active response fools the attacker into thinking the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system that is designed to be broken.

Measuring and Weighing Risk *You're the chief security contact for MTS. One of your primary tasks is to document everything related to security and create a manual that can be used to manage the company in your absence. Which documents should be referenced in your manual as the ones that identify the methods used to accomplish a given task?* a. Policies b. Standards c. Guidelines d. BIA

c. *Guidelines* Guidelines help clarify processes to maintain standards. Guidelines tend to be less formal than policies or standards.

Infrastructure and Connectivity *You're the administrator for Mercury Technical. A check of protocols in use on your server brings up one that you weren't aware was in use; you suspect that someone in HR is using it to send messages to multiple recipients. Which of the following protocols is used for group messages or multicast messaging?* a. SMTP b. SNMP c. IGMP d. L2TP

c. *IGMP* IGMP is used for group messaging and multicasting. IGMP maintains a list of systems that belong to a message group. When a message is sent to a particular group, each system receives an individual copy.

Infrastructure and Connectivity *You're explaining protocols to a junior administrator shortly before you leave for vacation. The topic of Internet mail applications comes up, and you explain how communications are done now as well as how you expect them to be done in the future. Which of the following protocols is becoming the newest standard for Internet mail applications?* a. SMTP b. POP c. IMAP d. IGMP

c. *IMAP* IMAP is becoming the most popular standard for email clients and is replacing POP protocols for mail systems. IMAP allows mail to be forwarded and stored in information areas called stores.

Access Control and Identity Management *What is implied at the end of each access control list?* a. Least privilege b. Separation of duties c. Implicit deny d. Explicit allow

c. *Implicit deny* An implicit deny clause is implied at the end of each ACL, and it means that if the proviso in question has not been explicitly granted, then it is denied.

Measuring and Weighing Risk *Which of the following policies should be used when assigning permissions, giving users only the permissions they need to do their work and no more?* a. Separation of duties b. Acceptable use c. Least privilege d. Physical access control

c. *Least privilege* The principle of least privilege should be used when assigning permissions. Give users only the permissions they need to do their work and no more.

Infrastructure and Connectivity *Which of the following can be implemented as a software or hardware solution and is usually associated with a device—a router, a firewall, NAT, and so on—and used to shift a load from one device to another?* a. Proxy b. Hub c. Load balancer d. Switch

c. *Load balancer* A load balancer can be implemented as a software or hardware solution, and is usually associated with a device—a router, a firewall, NAT, and so on. As the name implies, it is used to shift a load from one device to another.

Infrastructure and Connectivity *What protocol, running on top of TCP/IP, is often used for name registration and resolution with Windows-based clients?* a. Telnet b. SSL c. NetBIOS d. TLS

c. *NetBIOS* NetBIOS is used for name resolution and registration in Windows-based environments. It runs on top of TCP/IP.

Protecting Networks *In order for network monitoring to work properly, you need a PC and a network card running in what mode?* a. Launch b. Exposed c. Promiscuous d. Sweep

c. *Promiscuous* In order for network monitoring to work properly, you need a PC and a network card running in promiscuous mode.

Access Control and Identity Management *Your office administrator is being trained to perform server backups. Which authentication method would be ideal for this situation?* a. MAC b. DAC c. RBAC d. Security tokens

c. *RBAC* Role-Based Access Control (RBAC) allows specific people to be assigned to specific roles with specific privileges. A backup operator would need administrative privileges to back up a server. This privilege would be limited to the role and wouldn't be present during the employee's normal job functions.

Measuring and Weighing Risk *Which of the following strategies involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you?* a. Risk acceptance b. Risk avoidance c. Risk deterrence d. Risk mitigation e. Risk transference

c. *Risk deterrence* Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you.

Infrastructure and Connectivity *Which of the following devices is the most capable of providing infrastructure security?* a. Hub b. Switch c. Router d. Modem

c. *Router* Routers can be configured in many instances to act as packet-filtering firewalls. When configured properly, they can prevent unauthorized ports from being opened.

Threats and Vulnerabilities *A user calls you in a panic. He is receiving emails from people indicating that he is inadvertently sending viruses to them. Over 200 such emails have arrived today. Which type of attack has most likely occurred?* a. SAINT b. Backdoor attack c. Worm d. TCP/IP hijacking

c. *Worm* A worm is a type of malicious code that attempts to replicate using whatever means are available. The worm may not have come from the user's system; rather, a system with the user's name in the address book has attacked these people.

Measuring and Weighing Risk *Which of the following policy statements should address who is responsible for ensuring that it is enforced?* a. Scope b. Exception c. Overview d. Accountability

d. *Accountability* The accountability policy statement should address who is responsible for ensuring that it is enforced.

Protecting Networks *Which IDS function evaluates data collected from sensors?* a. Operator b. Manager c. Alert d. Analyzer

d. *Analyzer* The analyzer function uses data sources from sensors to analyze and determine whether an attack is under way.

Access Control and Identity Management *Which of the following is a type of smart card issued by the Department of Defense as a general identification/authentication card for military personnel, contractors, and non-DoD employees?* a. PIV b. POV c. DLP d. CAC

d. *CAC* One type of smart card is the Common Access Card (CAC). These cards are issued by the Department of Defense as a general identification/authentication card for military personnel, contractors, and non-DoD employees.

Measuring and Weighing Risk *What is the term used for events that mistakenly were flagged and aren't truly events to be concerned with?* a. Fool's gold b. Non-incidents c. Error flags d. False positives

d. *False positives* False positives are events that mistakenly were flagged and aren't truly events to be concerned with.

Threats and Vulnerabilities *A smurf attack attempts to use a broadcast ping on a network; the return address of the ping may be a valid system in your network. Which protocol does a smurf attack use to conduct the attack?* a. TCP b. IP c. UDP d. ICMP

d. *ICMP* A smurf attack attempts to use a broadcast ping (ICMP) on a network. The return address of the ping may be a valid system in your network. This system will be flooded with responses in a large network.

Measuring and Weighing Risk *Which of the following strategies is accomplished anytime you take steps to reduce the risk?* a. Risk acceptance b. Risk avoidance c. Risk deterrence d. Risk mitigation e. Risk transference

d. *Risk mitigation* Risk mitigation is accomplished anytime you take steps to reduce the risk.

Infrastructure and Connectivity *Which device stores information about destinations in a network?* a. Hub b. Modem c. Firewall d. Router

d. *Router* Routers store information about network destinations in routing tables. Routing tables contain information about known hosts on both sides of the router.

Infrastructure and Connectivity *Which of the following services use only TCP ports and not UDP? (Choose all that apply.)* a. IMAP b. LDAP c. FTPS d. SFTP

d. *SFTP* SFTP uses only TCP ports. IMAP, LDAP, and FTPS all use both TCP and UDP ports.

Protecting Networks *Which of the following implies ignoring an attack and is a common response?* a. Eschewing b. Spurning c. Shirking d. Shunning

d. *Shunning* Shunning, or ignoring an attack, is a common response.

Threats and Vulnerabilities *A user reports that he is receiving an error indicating that his TCP/IP address is already in use when he turns on his computer. A static IP address has been assigned to this user's computer, and you're certain this address was not inadvertently assigned to another computer. Which type of attack is most likely underway?* a. Man-in-the-middle attack b. Backdoor attack c. Worm d. TCP/IP hijacking

d. *TCP/IP hijacking* One of the symptoms of a TCP/IP hijacking attack may be the unavailability of a TCP/IP address when the system is started.

Threats and Vulnerabilities *A junior administrator comes to you in a panic. After looking at the log files, he has become convinced that an attacker is attempting to use an IP address to replace another system in the network to gain access. Which type of attack is this?* a. Man-in-the-middle attack b. Backdoor attack c. Worm d. TCP/IP hijacking

d. *TCP/IP hijacking* TCP/IP hijacking is an attempt to steal a valid IP address and use it to gain authorization or information from a network.

Access Control and Identity Management *You have added a new child domain to your network. As a result of this, the child has adopted all the trust relationships with other domains in the forest that existed for its parent domain. What is responsible for this?* a. LDAP access b. XML access c. Fuzzing access d. Transitive access

d. *Transitive access* Transitive access exists between the domains and creates this relationship.

Protecting Networks *Which Linux utility can show if there is more than one set of documentation on the system for a command you are trying to find information on?* a. Lookaround b. Howmany c. Whereall d. Whatis

d. *Whatis* In Linux, the whatis utility can show if there is more than one set of documentation on the system for a command you are trying to find information on.

Measuring and Weighing Risk *Refer to the scenario in question 2. Which of the following is the ALE for this scenario?* a. $2 million b.$1 million c. $500,000 d. $33,333.33 e. $16,666.67

e. *$16,666.67* ALE (annual loss expectancy) is equal to SLE times the annualized rate of occurrence. In this case, SLE is $1 million and the ARO is 1/60.


संबंधित स्टडी सेट्स

NAQT: Authors of Speculative Fiction

View Set

Department of Defense (DoD) Cyber Awareness Challenge 2024 (1 hr) (Pre Test)

View Set

26. Residential and Commercial Financing

View Set

ATI Fundamentals Proctored Exam Study Guide

View Set