Security+

What do TLS and SSL use for authentication?

Certificates. Clients can verify the authenticity of the certificate by querying the Certificate Authority (CA) that issued the certificate.

Which of the following is a private IPv4 address? 11.16.0.1 172.16.0.1 208.0.0.1 127.0.0.1

172.16.0.1 is the only address listed that is private. The private assigned ranges can be seen in Table 5-2 earlier in the chapter. 11.16.0.1 is a public IPv4 address, as is 208.0.0.1. 127.0.0.1 is the IPv4 loopback address.

To increase security, TKIP places a wrapper around the WEP encryption with a key that is based on things such as the MAC address of the host device and the serial number of the paket. What is the size of the wrapper? 1. 64-bit 2. 128-bit 3. 256-bit 4. 512-bit

2. 128-bit TKIP laces a 128-bit wrapper around the WEP encryption with a key that is based on things such as the MAC address of the host device and the serial number of the packet. Chapter 5 501 Prowse.

What feature in IPSec is used to provide confidentiality?

Encapsulating Security Payload (ESP)

Logical/technical access controls Logical access controls and technical access controls

are the hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems. Examples of logical or technical access controls include encryption, smart cards, passwords, biometrics, constrained interfaces, access control lists (ACLs), protocols, firewalls, routers, intrusion detection systems, and clipping levels.

AES encrypts at how many bits at a time? Select 3. a. 512 b. 128 c. 192 d. 168 e. 256

b. 128 c. 192 e. 256. AES is a symmetric cipher and encrypts in 128-, 192-, or 256-bit blocks. 3DES increases key length to 168 bits (using 3 56-bit keys)

You are comparing different encryption methods. Which method includes a storage root key? a. HSM b. TPM c. NTFS d. VSAN

b. TPM A Trusted Platform Module (TPM) includes a storage root key. The TPM generates this key when a user activated the TPM. A Hardware Security Module (HSM) uses RSA keys, but not a storage root key. NT file systems (NTFS) supports encryption with Encrypting File System (EFS). A VSAN is a virtualization technique, and it doesn't provide encryption.

Which of the following would best describe FCoE? a. requires specialized networking hardware b. cannot be routed c. encapsulates using IP packets d. allows for the geographic separation of the servers from the storage devices

b. cannot be routed Fibre Channel over Ethernet (FCoE) is a computer network technology that encapsulates Fibre Channel frames over Ethernet networks. This allows Fibre Channel to use 10 Gigabit Ethernet networks (or higher speeds) while preserving the Fibre Channel protocol. FCoE works with standard Ethernet cards, cables and switches to handle Fibre Channel traffic at the data link layer, using Ethernet frames to encapsulate, route, and transport FC frames across an Ethernet network from one switch with Fibre Channel ports and attached devices to another, similarly equipped switch.

Administrative access controls Administrative access controls are

the policies and procedures defined by an organizations security policy to implement and enforce overall access control. Administrative access controls focus on two areas: personnel and business practices (e.g., people and policies). Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision, personnel controls, and testing.

Which symmetric encryption algorithms are mandated for use with IPSec?

AES or 3DES.

TLS and SSL support which types of symmetric encryption?

AES, 3DES and RC4, among others

Name 3 block ciphers.

AES, DES, MD5

What is the order of volatility of the following: cpu cache, hard drive, RAM, swap file

1. CPU cache 2. RAM 3. Swap file 4. Hard drive http://www.davidlprowse.com/articles/?p=1463

Which algorithm is used to create a temporary secure sessions for the exchange of key information? 1. KDC 2. KEA 3. SSL 4. RSA

2. KEA The Key Exchange Algborithim is used to create a temporary sessions to exchange key information this session creates a secret key. When the key has been exchanged, the regular session begins. (Ch. 8 501 Prowse)

Which of the following is a voluntary set of standards governing encryption? 1. PKI 2. PKCS 3. ISA 4. SSL

2. PKCS. The Public Key Cryptography Standards (PKCS is a set of voluntary standards created by RSA and security leaders. Early members of this group included Apple, Microsoft, DEC (now HP) Lotus, Sun and MIT. There are currently 15 published standards

A security administrator has configured FTP in passive mode. Which of the following ports should the security administrator allow on the firewall by default?

21. When establishing an FTP session, clients start a connection to an FTP server that listens on TCP port 21 by default.

Which port should be used by a system administrator to securely manage a remote server?

22

In the key recovery process, which key must be recoverable? 1. Rollover key 2. Secret key 3. Previous key 4. Escrow key

3. Previous key A key recovery process must be able to recover a previous key. If the previous key can't be recovered, then all the information for which the key was used will be irrecoverably lost. (Ch 8 501 Prowse)

Which mechanism is used by PKI to allow immediate verification of a certificate's validity? 1. CRL 2. MD5 3. SSH 4. OCSP

4. OCSP Online Certificate Status Protocol (OCSP) is the mechanism used to verify immediately whether a certificate is valid. The certificate Revocation List (CRL) is published on a regular basis, but it isn't current once it's published

How much of overall capacity of a drive must be used for RAID?

50%

After a new firewall has been installed, devices cannot obtain a new IP address. Which of the following ports should Matt, the security administrator, open on the firewall?

68. The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks for distributing IP addresses for interfaces and services. DHCP makes use of port 68.

Examples of localized authentication systems

802.1X, LDAP, Kerberos, and RDP

CSU/DSU

A CSU/DSU (Channel Service Unit/Data Service Unit) is a digital-interface device used to connect a data terminal equipment (DTE), such as a router, to a digital circuit, such as a Digital Signal 1 (DS1) T1 line. The CSU/DSU implements two different functions. The channel service unit (CSU) is responsible for the connection to the telecommunication network, while the data service unit (DSU) is responsible for managing the interface with the DTE. DSL and cable modems are CSU/DSUs because they convert from one type of digital signal to another. A CSU/DSU is the equivalent of the modem for an entire LAN.[1]

Trusted Platform Module (TPM)

A Trusted Platform Module (TPM) is a specialized chip on an endpoint device that stores RSA encryption keys specific to the host system for hardware authentication. Each TPM chip contains an RSA key pair called the Endorsement Key (EK). The pair is maintained inside the chip and cannot be accessed by software. TPM chips also provide safe storage of encryption keys, certificates and passwords used for logging in to online services, which is a more secure method than storing them inside software on the hard drive. TPM chips in network-connected set-top boxes enable digital rights management, so media companies can distribute content without worrying about theft.

Which of the following technologies was originally designed to decrease broadcast traffic and reduce the likelihood of having information compromised by network sniffers? RADIUS VPN VLAN DMZ

A VLAN, or virtual local-area network, was originally designed to decrease broadcast traffic on the data link layer. However, if implemented properly, it can also reduce the likelihood of having information compromised by network sniffers. It does both of these by compartmentalizing the network, usually by MAC address. This should not be confused with subnetting, which compartmentalizes the network by IP address on the network layer.

What is another name for a malicious attacker? White hat Penetration tester Fuzzer Black hat

A black hat is someone who attempts to break into computers and networks without authorization. A black hat is considered to be a malicious attacker. See the section titled "Think Like a Hacker" in Chapter 1, "Introduction to Security," for more information. Incorrect answers: A white hat is a nonmalicious hacker, often employed by an organization to test the security of a system before it goes online. An example of a white hat would be a penetration tester who administers active tests against systems to determine whether specific threats can be exploited. A fuzzer is a colloquial name for a software tester.

Which of the following should be placed between the LAN and the Internet? HIDS Domain controller DMZ Extranet

A demilitarized zone, or DMZ, can be placed between the LAN and the Internet; this is known as a back-to-back perimeter configuration. This allows external users on the Internet to access services but segments access to the internal network. In some cases, it will be part of a 3-leg firewall scheme.

Which of the following is a type of packet filtering used by firewalls that retains memory of the packets that pass through the firewall? Stateful packet inspection Circuit-level gateway NAT filtering Stateless packet filter

A firewall running stateful packet inspection is normally not vulnerable to IP spoofing attacks because it examines the header in each packet. This type of packet inspection can distinguish between legitimate and illegitimate packets. Stateless packet filtering does not retain a memory of packets that pass through the firewall and, because of this, is vulnerable to IP spoofing attacks. Circuit-level gateway firewalls apply security mechanisms when TCP or UDP connections are established but do not examine the headers of the packets themselves. NAT filtering filters out traffic according to TCP or UDP ports. See the section titled "Firewalls and Network Security" in Chapter 7, "Network Perimeter Security," for more information.

The __ is a generic space time tradeoff cryptographic attack. Meet in the middle attack Known plaintext attack Man in the middle attack Replay attack

A meet-in-the-middle attack is a cryptographic attack, first developed by Diffie and Hellman, that employs a space-time tradeoff to drastically reduce the complexity of cracking a multiple-encryption scheme. The meet-in-the-middle attack targets block cipher cryptographic functions. The intruder applies brute force techniques to both the plaintext and ciphertext of a block cipher.

Which of the following can enable you to find all the open ports on an entire network? Protocol analyzer Firewall Performance monitor Network scanner

A network scanner is a port scanner used to find open ports on multiple computers on the network. A protocol analyzer is used to delve into packets. A firewall protects a network, and a performance monitor is used to create baselines for and monitor a computer.

What tool should you use to identify network spike activity? Protocol analyzer Performance Monitor Multimeter Network mapper

A protocol analyzer is used to capture network packets and analyze them. It can identify network spikes and a host of other issues that can adversely affect your network. A network mapper is used to create a diagram of your network and discover all the computers on the network. Performance Monitor is a Microsoft program that is used to watch the performance of a computer's CPU, RAM, and so on. A multimeter is used to test voltage and other electrical properties. See the section titled "Assessing Vulnerability with Security Tools" in Chapter 11, "Vulnerability and Risk Assessment," for more information.

Protocol analyzer

A protocol analyzer, or "packet sniffer," is a tool used to intercept traffic, store it, and present it in a decoded, human-readable state. Modern protocol analyzers like Wireshark can even spot rudimentary problems on their own and then perform statistical analyses with captured data. Regardless of features, packet sniffers all work the same basic way. They insert themselves into the network stack and copy all traffic out to a buffer or file. Most will also place the network driver into "promiscuous mode," which basically allows these tools to retrieve all traffic that enters the network stack instead of only gathering traffic destined for the system itself.

A customer has asked you to implement a solution to hide as much information about the internal structure of the network as possible. The customer also wants to minimize traffic with the Internet and does not want to increase security risks to the internal network. Which of the following solutions should you implement? NIDS Proxy server Firewall Protocol analyzer

A proxy server, specifically a caching proxy, will minimize traffic with the Internet. Users that access the same websites will get their information from the proxy server instead of from the Internet. An IP proxy server will hide information about the internal structure of the network. Proxy servers are available that can handle both of these functions. A NIDS, network intrusion detection system, detects attacks on the network. A firewall closes off ports on the network, and although some firewalls also come with proxy functionality, it is not the best answer for this scenario. Protocol analyzers, also known as network sniffers, can analyze packets of information that have been captured. See the section titled "Firewalls and Network Security" in Chapter 7, "Network Perimeter Security," for more information.

A security analyst noticed a colleague typing the following command: `Telnet some-host 443' Which of the following was the colleague performing?

A quick test to see if there is a service running on some-host TCP/443, which is being routed correctly and not blocked by a firewall. TCP port 443 provides the HTTPS (used for secure web connections) service; it is the default SSL port. By running the Telnet some-host 443 command, the security analyst is checking that routing is done properly and not blocked by a firewall.

You want to reduce network traffic on a particular network segment to limit the amount of user visibility. Which of the following is the best device to use in this scenario? Firewall Router Switch Hub

A switch can reduce network traffic on a particular network segment. It does this by keeping a table of information about computers on that segment. Instead of broadcasting information to all ports of the switch, the switch selectively chooses where the information goes.

What would you implement to separate two departments? MAC filtering Cloud computing VLAN SaaS

A virtual LAN (VLAN) is used to logically separate groups of computers. It is often done to separate departments in a virtual manner without having to change the physical cabling design.

Which statement best applies to the term Java applet? It uses digital signatures for authentication. It decreases the usability of web-enabled systems. It is a programming language. A web browser must have the capability to run Java applets.

A web browser must have the capability to run Java applets. To run Java applets, a web browser must have that option enabled. Java increases the usability of web-enabled systems, and Java is a programming language. It does not use digital signatures for authentication.

Which of the following will an Internet filtering appliance analyze? (Select the three best answers.) A. Content B. Certificates C. Certificate revocation lists D. URLs

A, B, and D. Internet filtering appliances will analyze content, certificates, and URLs. However, certificate revocation lists will most likely not be analyzed. Remember that CRLs are published only periodically.

Which of the following can be implemented with multiple bit strength? A. AES B. DES C. MD5 D. Blowfish

A. AES D. Blowfish AES (a symmetric algorithm) uses key sizes of 128, 192, or 256 bits. Blowfish uses a 64-bit block size and a variable key length from 32 bits up to 448 bits DES uses a 56 bit key MD5 uses a 128 bit key

The security administrator has noticed cars parking just outside of the building fence line. Which of the following security measures can the administrator use to help protect the company's WiFi network against war driving? (Select TWO) A. Create a honeynet B. Reduce beacon rate C. Add false SSIDs D. Change antenna placement E. Adjust power level controls F. Implement a warning banner

A. Create a honeynet E. Adjust power level controls

Pete, an employee, attempts to visit a popular social networking site but is blocked. Instead, a page is displayed notifying him that this site cannot be visited. Which of the following is MOST likely blocking Pete's access to this site? A. Internet content filter B. Firewall C. Proxy server D. Protocol analyzer

A. Internet content filter Web filtering software is designed to restrict or control the content a reader is authorized to access, especially when utilized to restrict material delivered over the Internet via the Web, e-mail, or other means.

An attack that is using interference as its main attack to impede network traffic is which of the following? A. Introducing too much data to a targets memory allocation B. Utilizing a previously unknown security flaw against the target C. sing a similar wireless configuration of a nearby network D. Inundating a target system with SYN requests

A. Introducing too much data to a target's memory allocation

VPN's use tunneling protocols when establishing a connection between two remote systems over an the internet or other public network. What protocols are commonly used? A. PPTP B. IPSec C. L2TP

A. PPTP, Point to Point Tunneling B. IPSec C. L2TP, Layer 2 Tunneling Protocol PPTP PPTP allows multi- protocol traffic to be encrypted and then encapsulated in an IP header to be sent across an IP network or a public IP network, such as the Internet. PPTP can be used for remote access and site-to-site VPN connections. When using the Internet as the public network for VPN, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet. Encapsulation The scope of a VPN tunnel can vary based on what your route and encrypt through it. The two most common scopes are a full tunnel and a split tunnel. With a full tunnel configuration, all requests are routed and encrypted through the VPN, whereas with a split tunnel, onlsy some

Which of the following is a common symptom of spyware? A. Pop-up windows B. Infected files C. Computer shuts down D. Applications freeze

A. Pop-up windows Pop-up windows are common to spyware. The rest of the answers are more common symptoms of viruses. See the section titled "Computer Systems Security Threats" in Chapter 2, "Computer Systems Security," for more information.

A company is deploying a new VoIP phone system. They require 99.999% uptime for their phone service and are concerned about their existing data network interfering with the VoIP phone system. The core switches in the existing data network are almost fully saturated. Which of the following options will pro-vide the best performance and availability for both the VoIP traffic, as well as the traffic on the existing data network? A. Put the VoIP network into a different VLAN than the existing data network. B. Upgrade the edge switches from 10/100/1000 to improve network speed C. Physically separate the VoIP phones from the data network D. Implement flood guards on the data network

A. Put the VoIP network into a different VLAN than the existing data network.

A company plans to expand by hiring new engineers who work in highly specialized areas. Each engineer will have very different job requirements and use unique tools and applications in their job. Which of the following is MOST appropriate to use? A. Role-based privileges B. Credential management C. User assigned privileges D. User access

A. Role-based privileges Role-based access control (RBAC) is an access model that like MAC, is controlled by the system and unlike DAC, not by the owner of the resource. RBAC is different from MAC in the way that permissions are configured. RBAC works with sets of permissions, instead of individual permissions that are label-based. A set of permissions constitutes a role. When users are assigned to roles, they can then gain access to resources. A role might be the ability to complete a specific operation in an org. as opposed to accessing a single data file. Roles are created for various job functions within an org. and might have overlapping privileges and responsibilities. Also, some general operations can be completed by all the employees of an organization. Because there is an overlap, an administrator can develop role hierarchies; these define roles that can contain other roles, or have exclusive attributes.

Which of the following encryption algorithms are supported by the IEEE 802.11i standard? (Select the two best answers.) AES TKIP RSA ECC Select 2 answers

AES TKIP The IEEE 802.11i standard amends the original 802.11 standard and was later incorporated into the IEEE 802.11-2007 standard. It specifies security mechanisms for wireless networks, including TKIP and AES. It also deprecates WEP. TKIP, the Temporal Key Integrity Protocol, is used as a solution to replace WEP without requiring any replacement of older hardware. Although it is a better solution than WEP, TKIP was deprecated in 2009 by the IEEE - CCMP is recommended in its place. (CCMP stands for Counter Mode Cipher Block Chaining Message Authentication Code Protocol.) AES, the Advanced Encryption Standard, is the superior type of encryption to use in wireless networks. It works with WPA and WPA2 but might require hardware upgrades. RSA (Rivest, Shamir, Adleman) is a public key cryptography algorithm commonly used on the Internet and considered to be unbreakable if used properly. ECC, which stands for elliptic curve cryptography, is another type of public key cryptography, but this is based on the structure of an elliptic curve and mathematical problems. See the section titled "Encryption Algorithms" in Chapter 13, "Encryption and Hashing Concepts," for more information.

The IT director asks you to set up a system that will encrypt credit card data. She wants you to use the most secure symmetric algorithm with the least amount of CPU usage. Which of the following algorithms should you select? RSA 3DES AES SHA-1

AES (Advanced Encryption Standard) is the best solution for this scenario. It uses the least amount of CPU resources yet is the most secure symmetric algorithm listed. SHA-1 is not a symmetric encryption algorithm; it is a hashing algorithm. 3DES is the predecessor to AES; it is not as secure or fast. RSA is an asymmetric encryption algorithm; it is secure but can use a lot of CPU resources. See the section "Encryption Algorithms" in Chapter 13, "Encryption and Hashing Concepts," for more information.

You work at the help desk for a small company. One of the most common requests to which you must respond is to help retrieve a file that has been accidentally deleted by a user. On average, this happens once a week. if the user creates the file and then deletes it on the server (about 60% of the incidents), then it can be restored in moments from the shadow copy and there is rarely any data lost. If the user creates the file on their workstation and then deletes it (about 40% of the incidents), and if it can't be recovered and it takes the user an average of two hours to re-create it at $12 an hour, what is the ALE.

ALE = SLE X ARO SLE = $12 X 2 = $24 ARO = 20.8 (52 weeks X .4) ALE = $24 X 20.8 = $499.20

Sara, a security analyst, is trying to prove to management what costs they could incur if their customer database was breached. This database contains 250 records with PII. Studies show that the cost per record for a breach is $300. The likelihood that their database would be breached in the next year is only 5%. Which of the following is the ALE that Sara should report to management for a security breach?

ALE = SLE X ARO SLE = AV X EF = (250 X 300) = $75000 SLE ($75K) X ARO (.05) = $3750

You're the administrator of a web server that generates $25,000 per hour in revenue. The probability of the web server failing during the year is estimated to be 25%. A failure would lead to 3 hours of downtime and cost $5,000 in components to correct. What is the ALE?

ALE = SLE x ARO SLE = (25K x 3) + 5K = $80K ARO = .25 ALE = $80k X .25 = $20K

Joe, the system administrator, has been asked to calculate the Annual Loss Expectancy (ALE) for a $5,000 server, which often crashes. In the past year, the server has crashed 10 times, requiring a system reboot to recover with only 10% loss of data or function. Which of the following is the ALE of this server?

ALE = SLE, Single Loss Event X ARO, Annualized Rate of Exposure SLE = AV Asset Value X Exposure Factor = 5K X 10 = $50K ALE = $50k (SLE) X.1 (ARO) = $5K

Given SLE and ARO, what value can you calculate?

ALE. Annual Loss Expectancy. This is a monetary measure of how much loss you could expect in a year. SLE X ARO = ALE

You're the administrator for a research firm that works on only one project at a time and collects data through the web to a single server. The value of each research project is approximately $100,000. At any given time, an intruder could commandeer no more than 90% of the data. The industry average for ARO is .33. What is the ALE?

ALE= SLE X ARO. SLE = $100K X .9 = 90K ARO = .33 ALE = $90K X .33 = 29.7

You have been asked by an organization to help correct problems with users unknowingly downloading malicious code from websites. Which of the following should you do to fix this problem? Disable unauthorized ActiveX controls. Install a network-based intrusion detection system. Use virtual machines. Implement a policy to minimize the problem.

ActiveX controls can be built directly into websites and can contain malicious code that can be easily downloaded by users without their knowledge. ActiveX controls can be disabled in whole or in part within the browser and can also be controlled as add-ons. A NIDS can possibly defend against malicious ActiveX controls to a certain extent, but you should not solely depend on it. Implementing policies is always a good idea, but you don't want to minimize the problem; you want to fix it. The use of virtual machines works well to isolate problems that might occur from ActiveX controls, but it does not fix the problem as far as downloading the malicious code. See the section "Securing the Browser" in Chapter 4, "Application Security," for more information.

What are most of the current encryption methods based on? DRM Timestamps PKI Algorithms

Algorithms Algorithms, or ciphers, are what most current encryption methods are based on. Regardless of whether the encryption type is symmetric (AES, RC4) or asymmetric (RSA, Diffie-Hellman), the encryption rests on the mathematics or algorithm. The two core parts of an encryption scheme include the algorithm and the key. PKI, which stands for public-key infrastructure, is an entire set of hardware, software, policies, procedures, and people that creates and distributes digital certificates. Timestamps are used in various technologies, including the hashing of files; this helps with the integrity of the file. DRM, which stands for Digital Rights Management, is a type of encryption placed on media such as MP3s. See the section titled "Cryptography Concepts" in Chapter 13, "Encryption and Hashing Concepts," for more information.

Alice wishes to send a file to Bob using a PKI. Which of the following types of keys should Alice use to sign the file? Alice's private key Alice's public key Bob's private key Bob's public key

Alice should use her own private key to sign the file. Refer to Table 1 following question 16 (or Table 13-4 in the book). It shows that to send an encrypted signature, the sender would need her own private key. To decrypt the signature, Bob (the recipient) would need Alice's (the sender's) public key. Incorrect answers: In this scenario, Bob's keys don't even come into play because he is the receiver. However, in a scenario where Alice had sent Bob an encrypted message, it is Bob's public key and private key that would be utilized for the encrypting and decrypting of the message, respectively.

Which of the following types of firewalls provides inspection of data at layer 7 of the OSI model? Circuit-level gateway Network address translation Application-proxy Stateful inspection

An Application-proxy firewall inspects data at layer 7 of the OSI model. These types of firewalls are also known as application-level gateways, or ALGs. They apply security mechanisms to applications such as FTP. Network address translation, or NAT, firewalls filter traffic according to TCP or UDP ports, which concerns the transport layer, layer 4 of the OSI model. Stateful inspection, or stateful packet inspection (SPI), keeps track of network connections by examining the header of each packet, which concerns the network layer, layer 3 of the OSI model. Circuit-level gateways work at the session layer of the OSI model and apply security mechanisms when TCP or UDP connections are established. See the section titled "Firewalls and Network Security" in Chapter 7, "Network Perimeter Security," for more information.

Which of the following types of firewalls provides inspection of data at layer 7 of the OSI model? Network address translation Circuit-level gateway Stateful inspection Application-proxy

An Application-proxy firewall inspects data at layer 7 of the OSI model. These types of firewalls are also known as application-level gateways, or ALGs. They apply security mechanisms to applications such as FTP. Network address translation, or NAT, firewalls filter traffic according to TCP or UDP ports, which concerns the transport layer, layer 4 of the OSI model. Stateful inspection, or stateful packet inspection (SPI), keeps track of network connections by examining the header of each packet, which concerns the network layer, layer 3 of the OSI model. Circuit-level gateways work at the session layer of the OSI model and apply security mechanisms when TCP or UDP connections are established. See the section titled "Firewalls and Network Security" in Chapter 7, "Network Perimeter Security," for more information.

Of the following, which type of device attempts to serve client requests without the user actually contacting the remote server? IP proxy HTTP proxy Firewall DMZ

An HTTP proxy caches information from a web server for a set amount of time. This way an organization can save bandwidth, and the users can get their web pages quicker. An HTTP proxy is also known as a caching proxy. An IP proxy secures a network by keeping the computers behind it anonymous, usually through the use of network address translation.

Which of the following displays a single public IP address to the Internet while hiding a group of internal private IP addresses? HTTP proxy IP proxy SMTP proxy Protocol analyzer

An IP proxy displays a single public IP address to the Internet while hiding a group of internal private IP addresses. It sends data back and forth between the IP addresses by using network address translation (NAT). This functionality is usually built into SOHO routers and is one of the main functions of those routers. HTTP proxies store commonly accessed Internet information.

ISA

An ISA specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities. For example, it may stipulate certain types of encryption for all data in transit.

In this scenario, your organization and a sister organization use multiple certificate authorities (CAs). Which component of PKI is necessary for one CA to know whether to accept or reject certificates from another CA? CRL Recovery agent Key escrow RA

An RA is a registration authority used to verify requests for certificates from a certificate authority or multiple certificate authorities. A CRL is a certificate revocation list; if for some reason a certificate cannot be verified by any parties involved and the issuer of the certificate confirms this, the issuer needs to revoke the certificate. The certificate is placed in the CRL that is published. Key escrow is when certificates are held if the third parties need them in the future. Recovery agents recover certificates that were corrupted or lost. See the section titled "Public-Key Infrastructure" in Chapter 14, "PKI and Encryption Protocols," for more information.

You have collected login information, file access information, security log files, and unauthorized security violations. What is this collection known as? Security log Audit Audit trail Access control list

An audit trail is a collection of security log files, unauthorized security violations, and other logged information such as successful or failed logins. And it is a technical assessment made of applications and networks; quite often this includes an audit trail. See the section "Conducting Audits" in Chapter 12, "Monitoring and Auditing," for more information.

An attacker captures the encrypted communication between two parties for a week, but is unable to decrypt the messages. The attacker then compromises the session key during one exchange and successfully compromises a single message. The attacker plans to use this key to decrypt previously captured and future communications, but is unable to. This is because the encryption scheme in use adheres to: A. Asymmetric encryption B.Out-of-band key exchange C.Perfect forward secrecy D.Secure key escrow

Asymmetric encryption. Used in PKI. Session keys are used with asymmetric encryption with encryption algorithms such as RSA, Diffie-Hellman, and elliptic curve cryptography. SSL and TLS protocols use asymmetric key alogrithms, generally in a PKI environment.

What is IPSec Authentication Header (AH) used for?

Authentication and Integrity.

Which of the following risk concepts requires an organization to determine the number of failures per year? A. SLE B. ALE C. MTBF D. Quantitative analysis

B. ALE

An administrator performs a risk calculation to determine if additional availability controls need to be in place. The administrator estimates that a server fails and needs to be replaced once every 2 years at a cost of $8,000. Which of the following represents the factors that the administrator would use to facilitate this calculation? A. ARO= 0.5; SLE= $4,000; ALE= $2,000 B. ARO=0.5; SLE=$8,000; ALE=$4,000 C. ARO=0.5; SLE= $4,000; ALE=$8,000 D. ARO=2; SLE= $4,000; ALE=$8,000 E. ARO=2; SLE= $8,000; ALE= $16,000

B. ARO=0.5; SLE=$8,000; ALE=$4,000 ALE = SLE X ARO SLE = 8,000 ARO = .5 ALE = 8,000 X .5 = 4000

Layer 7 devices used to prevent specific types of html tags are called: A. Firewalls B. Content filters C. Routers D. NIDS

B. Content filters A content filter is a type of software designed to restrict or control the content a reader is authorized to access, particularly when used to limit material delivered over the Internet via the Web, e-mail, or other means. Because the user and the OSI layer interact directly with the content filter, it operates at Layer 7 of the OSI model.

A security administrator suspects that data on a server has been exfiltrated as a result of unauthorized remote access. Which of the following would assist the administrator to confirm the suspicions? (Select TWO) A. Networking access control B. DLP alerts C. Log analysis D. File integrity monitoring E. Host firewall rules

B. DLP alerts and C. Log analysis

The administrator installs database software to encrypt each field as it is written to disk. Which of the following describes the encrypted data? A. In-transit B. In-use C. Embedded D. At-rest

B. In-use

Which of the following devices would be MOST useful to ensure availability when there are a large number of requests to a certain website? A. Protocol analyzer B. Load balancer C. VPN concentrator D. Web security gateway

B. Load balancer Load balancing refers to shifting a load from one device to another. A load balancer can be implemented as a software or hardware solution, and it is usually associated with a device—a router, a firewall, NAT appliance, and so on. In its most common implementation, a load balancer splits the traffic intended for a website into individual requests that are then rotated to redundant servers as they become available.

Which of the following network design elements allows for many internal devices to share one public IP address? A. DNAT B. PAT C. DNS D. DMZ

B. PAT Port Address Translation (PAT), is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses. Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP address to the home network's router. When Computer X logs on the Internet, the router assigns the client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a unique address. If Computer Z logs on the Internet at the same time, the router assigns it the same local IP address with a different port number. Although both computers are sharing the same public IP address and accessing the Internet at the same time, the router knows exactly which computer to send specific packets to because each computer has a unique internal address.

A network technician is trying to determine the source of an ongoing network based attack. Which of the following should the technician use to view IPv4 packet data on a particular internal network segment? A. Proxy B. Protocol analyzer C. Switch D. Firewall

B. Protocol analyzer

Which of the following would enhance the security of accessing data stored in the cloud? (Select TWO) A. Block level encryption B. SAML authentication C. Transport encryption D. Multi-factor authentication E. Predefined challenge questions F. Hashing

B. SAML authentication D. Multi-factor authentication

Where are software firewalls usually located? A. On routers B. On servers C. On clients D. On every computer

C. On clients Software-based firewalls, such as Windows firewall, are normally running on the client computers. Although a software-based firewall could also be run on a server, it is not as common. Also, a SOHO router might have a built-in firewall, but not all routers have firewalls.

In order to secure additional budget, a security manager wants to quantify the financial impact of a one-time compromise. Which of the following is MOST important to the security manager? A. Impact B. SLE C. ALE D. ARO

B. SLE SLE is a monetary value, and it represents how much you expect to lose at any one time: the single loss expectancy. SLE can be divided into two components: AV (asset value) and the EF (exposure factor). Thus a one-time compromise would resort under the SLE for the security manager.

The Chief Information Officer (CIO) has asked a security analyst to determine the estimated costs associated with each potential breach of their database that contains customer information. Which of the following is the risk calculation that the CIO is asking for? A. Impact B. SLE C. ARO D. ALE

B. SLE The cost of a single loss when it occurs. This loss can be a critical failure, or it can be the result of an attack

Which of the following techniques can bypass a user's or computer's web browser privacy settings? (Select Two) A. SQL injection B. Session hijacking C. Cross-site scripting D. Locally shared objects E. LDAP injection

B. Session hijacking C. Cross-site scripting (is a special type of session hijacking where the attacker manipulates a client computer into executing code considered trusted as if it came from the server the client was connected to.)

Which of the following delineates why it is important to perform egress filtering and monitoring on Internet connected security zones of interfaces on a firewall? A. Egress traffic is more important than ingress traffic for malware prevention B. To re-balance the amount of outbound traffic and inbound traffic C. Outbound traffic could be communicating to known botnet sources D. To prevent DDoS attacks originating from external network

B. To re-balance the amount of outbound traffic and inbound traffic

Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate-based authentication with its users. The company uses SSL-inspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication. Which of the following models prevent the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication? A. Use of OATH between the user and the service and attestation from the company domain B. Use of active directory federation between the company and the cloud-based service C. Use of smartcards that store x.509 keys, signed by a global CA D. Use of a third-party, SAML-based authentication service for attestation

B. Use of active directory federation between the company and the cloud-based service

A security engineer is reviewing log data and sees the output below: POST: /payload.php HTTP/1.1 HOST: localhost Accept: */* Referrer: http://localhost/ ******* HTTP/1.1 403 Forbidden Connection: close Log: Access denied with 403. Pattern matches form bypass Which of the following technologies was MOST likely being used to generate this log? A. Host-based Intrusion Detection System B. Web application firewall C. Network-based Intrusion Detection System D. Stateful Inspection Firewall E. URL Content Filter

B. Web application firewall A web application firewall is a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a website and all visitors. It's intended to be an application-specific firewall to prevent cross-site scripting, SQL injection, and other web application attacks.

Which of the following concepts can ease administration but can be the victim of a malicious attack? Backdoors Group Policy Zombies Buffer overflow

Backdoors were originally created to ease administration. However, hackers quickly found that they could use these backdoors for a malicious attack

You are in charge of your organization's backup plan. You need to make sure that the data backups are available in case of a disaster. However, you need to keep the plan as inexpensive as possible. Which of the following solutions should you implement? Back up data to removable media and store a copy offsite. Implement a remote backup solution. Implement a hot site. Implement a cold site.

Backing up data to removable media and storing it offsite is the least expensive solution. Hot sites and cold sites can cost the organization a lot of money, especially hot sites. Implementing a remote backup solution usually requires some sort of service with a monthly fee. You, as the network administrator, can back up data to removable media and store it offsite without incurring any other fees except for the cost of the removable media. See the section "Disaster Recovery Planning and Procedures" in Chapter 15, "Redundancy and Disaster Recovery," for more information.

Which of the following requires a baseline? (Select the two best answers.) Performance Monitor Anomaly-based monitoring Behavior-based monitoring Signature-based monitoring Select 2 answers

Behavior-based monitoring and anomaly-based monitoring require creating a baseline. Many host-based IDS systems will monitor parts of the dynamic behavior and the state of the computer system. An anomaly-based IDS will classify activities as either normal or anomalous; this will be based on rules instead of signatures. Both behavior-based and anomaly-based monitoring require a baseline to make a comparative analysis. Signature-based monitoring systems do not require this baseline because they are looking for specific patterns or signatures and are comparing them to a database of signatures. Performance Monitor can be used to create a baseline on Windows computers, but it does not necessarily require a baseline.

A network consists of various remote sites that connect back to two main locations. Pete, the security administrator, needs to block TELNET access into the network. Which of the following, by default, would be the BEST choice to accomplish this goal?

Block port TCP port 23 on the network firewall

A firewall technician has been instructed to disable all non-secure ports on a corporate firewall. The technician has blocked traffic on port 21, 69, 80, and 137-139. The technician has allowed traffic on ports 22 and 443. Which of the following correctly lists the protocols blocked and allowed?

Blocked: FTP, TFTP, HTTP, NetBIOS; Allowed: SFTP, SSH, SCP, HTTPS

You have analyzed what you expect to be malicious code. The results show that JavaScript is being utilized to send random data to a separate service on the same computer. What attack has occurred? LDAP injection Buffer overflow SQL injection DoS

Buffer overflows can be initiated by sending random data to other services on a computer. While JavaScript is commonly used in XSS attacks, it can also be used to create a buffer overflow. DoS stands for denial-of-service, which is when a computer sends many packets to a server or other important system in the hope of making that system fail. SQL and LDAP injection do not use JavaScript.

Heaps and stacks can be affected by which of the following attacks? SQL injection Cross-site scripting Buffer overflows Rootkits

Buffer overflows. Heaps and stacks are data structures that can be affected by buffer overflows. Value types are stored in a stack, whereas reference types are stored in a heap. An ethical coder will try to keep these running efficiently. An unethical coder will attempt to use a buffer overflow to affect heaps and stacks, which in turn could affect the application in question or the operating system. The buffer overflow might be initiated by certain inputs and can be prevented by bounds checking. Both heap and stack are stored in the computer's RAM (Random Access Memory).

BPA

Business partners agreement (BPA) A BPA is a written agreement that details the relationship between business partners, including their obligations toward the partnership. It typically identifies the shares of profits or losses each partner will take, their responsibilities to each other, and what to do if a partner chooses to leave the partnership. One of the primary benefits of a BPA is that it can help settle conflicts when they arise.

How do certificate owners share their public key?

By sharing a copy of their certificate.

Which of the following is a layer 7 device used to prevent specific types of HTML tags from passing through to the client computer? A. Router B. Firewall C. Content filter D. NIDS

C. Content filter A content filter is an application layer (layer 7) device that is used to prevent undesired HTML tags, URLs, certificates, and so on, from passing through to the client computers. A router is used to connect IP networks. A firewall blocks network attacks. A NIDS is used to detect anomalous traffic.

Which of the following security devices can be replicated on a Linux based computer using IP tables to inspect and properly handle network based traffic? A. Sniffer B. Router C. Firewall D. Switch

C. Firewall IP tables are a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores. Iptables is an extremely flexible firewall utility built for Linux operating systems. iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn't find one, it resorts to the default action.

The Chief Information Security Officer (CISO) has mandated that all IT systems with credit card data be segregated from the main corporate network to prevent unauthorized access and that access to the IT systems should be logged. Which of the following would BEST meet the CISO's requirements? A. Sniffers B. NIDS C. Firewalls D. Web proxies E. Layer 2 switches

C. Firewalls The basic purpose of a firewall is to isolate one network from another.

The database server used by the payroll system crashed at 3 PM and payroll is due at 5 PM. Which of the following metrics is MOST important is this instance? A. ARO B. SLE C. MTTR D. MTBF

C. MTTR Mean Time To Restore (MTTR) is the measurement of how long it takes to repair a system or component once a failure occurs.

Which of the following devices would detect but not react to suspicious behavior on the network? (Select the most accurate answer.) A. NIPS B. Firewall C. NIDS D. HIDS E. UTM

C. NIDS A NIDS, or network intrusion detection system, will detect suspicious behavior but most likely will not react to it. To prevent it and react to it, you would want a NIPS. Firewalls block certain types of traffic but by default do not check for suspicious behavior. HIDS is the host-based version of an IDS; it checks only the local computer, not the network. A UTM is an all-inclusive security product that will probably include an IDS or IPS—but you don't know which, so you can't assume that a UTM will function in the same manner as a NIDS.

Bastion hosts exist outside the DMZ. Select two of the most appropriate items A. Web Server B. RADIUS server C. Router D. Firewall

C. Router D. Firewall A bastion host is a computer that is fully exposed to attack. The system is on the public side of the DMZ, unprotected by a firewall or filtering router. Frequently the roles of these systems are critical to the network security system and are typically accessed using SSH or RDP. Indeed, the firewalls and routers can be considered bastion hosts. A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks.

A security administrator needs an external vendor to correct an urgent issue with an organization's physical access control system (PACS). The PACS does not currently have internet access because it is running a legacy operation system. Which of the following methods should the security administrator select the best balances security and efficiency? A. Temporarily permit outbound internet access for the PACS so desktop sharing can be set up B. Have the external vendor come onsite and provide access to the PACS directly C. Set up VPN concentrator for the vendor and restrict access to the PACS using desktop sharing D. Set up a web conference on the administrator's PC; then remotely connect to the PACS

C. Set up VPN concentrator for the vendor and restrict access to the PACS using desktop sharing

When performing the daily review of the system vulnerability scans of the network Joe, the administrator, noticed several security related vulnerabilities with an assigned vulnerability identification number. Joe researches the assigned vulnerability identification number from the vendor website. Joe proceeds with applying the recommended solution for identified vulnerability. Which of the following is the type of vulnerability described? A. Network based B. IDS C. Signature based D. Host based

C. Signature based A signature-based monitoring or detection method relies on a database of signatures or patterns of known malicious or unwanted activity. The strength of a signature-based system is that it can quickly and accurately detect any event from its database of signatures.

A review of the company's network traffic shows that most of the malware infections are caused by users visiting gambling and gaming websites. The security manager wants to implement a solution that will block these websites, scan all web traffic for signs of malware, and block the malware before it enters the company network. Which of the following is suited for this purpose? A. ACL B. IDS C. UTM D. Firewall

C. UTM An all-in-one appliance, also known as Unified Threat Management (UTM) and Next Generation Firewall (NGFW), is one that provides a good foundation for security. A variety is available; those that you should be familiar with for the exam fall under the categories of providing URL filtering, content inspection, or malware inspection. Malware inspection is the use of a malware scanner to detect unwanted software content in network traffic. If malware is detected, it can be blocked or logged and/or trigger an alert.

Which of the following will an Internet filtering appliance analyze? (Select the three best answers.) Certificates Content Certificate revocation lists URLs

Certificates Content URLs Internet filtering appliances will analyze content, certificates, and URLs. However, certificate revocation lists will most likely not be analyzed. Remember that CRLs are published only periodically.

Of the following, which statement correctly describes the difference between a secure cipher and a secure hash? A hash can be reversed; a cipher cannot. A cipher can be reversed; a hash cannot. A hash produces a variable output for any input size; a cipher does not. A cipher produces the same size output for any input size; a hash does not.

Ciphers can be reverse engineered but hashes cannot when attempting to re-create a data file. Hashing is not the same as encryption; hashing is the digital fingerprint, so to speak, of a group of data. Hashes are not reversible.

Which of the following might be included in Microsoft Security Bulletins? CVE PHP TLS CGI

Common Vulnerabilities and Exposures (CVE) can be included in Microsoft Security Bulletins and will be listed for other web server products such as Apache. PHP and CGI are pseudo-programming languages used within HTML for websites. Both can contain harmful scripts if used inappropriately. Transport Layer Security (TLS) is a protocol used by sites secured by HTTPS.

Which of the following encompasses application patch management? Virtualization Policy management Fuzzing Configuration management

Configuration management encompasses application patch management and other ways of hardening an OS or application. Policy management is considered separate because it can be used to harden or soften a system; plus, it is best done at a server - affecting many systems at once. Fuzzing (or fuzz testing) is the act of providing random data to a computer program, testing it in an automated fashion. Virtualization is the term used to refer to any virtual computing platform.

As part of your user awareness training, you recommend that users remove which of the following when they finish accessing the Internet? Group policies Instant messaging Cookies Temporary files

Cookies. The best answer is cookies, which can be used for authentication and session tracking and can be read as plain text. They can be used by spyware and can track people without their permission. It is also wise to delete temporary Internet files as opposed to temporary files.

Which of the following attacks uses a JavaScript image tag in an e-mail? SQL injection Directory traversal Cross-site scripting Cross-site request forgery

Cross-site scripting (XSS) can be initiated on web forms or through e-mail. It often uses JavaScript to accomplish its means. SQL injection is when code (SQL based) is inserted into forms or databases. Cross-site request forgery (XSRF) is when a user's browser sends unauthorized commands to a website, without the user's consent. Directory traversal is when an attacker attempts to gain access to higher directories in an OS.

Which of the following web application security weaknesses can be mitigated by preventing the usage of HTML tags? SQL injection Cross-site scripting LDAP injection Rootkits

Cross-site scripting (XSS) is an attack on website applications that injects client-side script into web pages. SQL injection is a type of code injection that exploits vulnerabilities in databases. LDAP injection can be used to modify LDAP statements and modify the LDAP tree. Rootkits are software designed to gain administrator-level access over a computer system. See the section titled "Secure Programming" in Chapter 4, "Application Security," for more information.

The security administrator at ABC company received the following log information from an external party: 10:45:01 EST, SRC 10.4.3.7:3056, DST 8.4.2.1:80, ALERT, Directory traversal 10:45:02 EST, SRC 10.4.3.7:3057, DST 8.4.2.1:80, ALERT, Account brute force 10:45:03 EST, SRC 10.4.3.7:3058, DST 8.4.2.1:80, ALERT, Port scan The external party is reporting attacks coming from abc-company.com. Which of the following is the reason the ABC company's security administrator is unable to determine the origin of the attack? A. A NIDS was used in place of a NIPS. B. The log is not in UTC. C. The external party uses a firewall. D. ABC company uses PAT.

D. ABC company uses PAT. PAT would ensure that computers on ABC's LAN translate to the same IP address, but with a different port number assignment. The log information shows the IP address, not the port number, making it impossible to pin point the exact source.

An organization wants to conduct secure transactions of large data files. Before encrypting and exchanging the data files, the organization wants to ensure a secure exchange of keys. Which of the following algorithms is appropriate for securing the key exchange? A. DES B. Blowfish C. DSA D. Diffie-Hellman E. 3DES

D. Diffie-Hellman

Which of the following is a best practice when securing a switch from physical access? A. Disable unnecessary accounts B. Print baseline configuration C. Enable access lists D. Disable unused ports

D. Disable unused ports Disabling unused switch ports a simple method many network administrators use to help secure their network from unauthorized access. All ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter.

The help desk is receiving numerous password change alerts from users in the accounting department. These alerts occur multiple times on the same day for each of the affected users' accounts. Which of the following controls should be implemented to curtail this activity? A. Password Reuse B. Password complexity C. Password History D. Password Minimum age

D. Password Minimum age

The administrator receives a call from an employee named Joe. Joe says the Internet is down and he is receiving a blank page when typing to connect to a popular sports website. The administrator asks Joe to try visiting a popular search engine site, which Joe reports as successful. Joe then says that he can get to the sports site on this phone. Which of the following might the administrator need to configure? A. The access rules on the IDS B. The pop up blocker in the employee's browser C. The sensitivity level of the spam filter D. The default block page on the URL filter

D. The default block page on the URL filter

Your organization is concerned about spear phising. The CEO wants to improve the overall security posture by proving where e-mail comes for all e-mail messages?

Digitally sign all outgoing messages. Must first obtain a certificate from a company such as DocuSign.

DLP, Data Loss Prevention software

Data loss prevention software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage).

Which of the following is the first step in creating a security baseline? Install software patches. Mitigate risk. Define a security policy. Perform vulnerability testing.

Define a security policy. When creating a security baseline, you should first define what the security policy will be for the organization. The organization might already have a policy written and expected to be enforced. After a security policy is created, perform vulnerability testing and mitigate risks by installing software patches, uninstalling applications, disabling unnecessary services, and so on. See the section titled "Hardening Operating Systems" in Chapter 3, "OS Hardening and Virtualization," for more information.

Which key-exchange method is RSA based on?

Diffie-Hellman. Diffie Hellman Ephemeral (DHE) uses ephemeral keys, generating different keys for each session. Elliptic Curve Diffie-Hellman (ECDHE) is a version of Diffie-Hellman that uses elliptic curve cryptography to generate encryption keys.

When a private key is used for encrypting, what is it being used for?

Digital Signature. A digital signature is an encrypted hash of a message, encrypted with the sender's private key

What are two ways to secure Internet Explorer? (Select the two best answers.) Add malicious sites to the Trusted Sites zone. Disable the pop-up blocker. Disable ActiveX controls. Set the Internet zone's security level to High.

Disable ActiveX controls. Set the Internet zone's security level to High. By increasing the Internet zone security level to High, you employ the maximum safeguards for that zone. ActiveX controls can be used for malicious purposes; disabling them makes it so that they do not show up in the browser. Disabling a pop-up blocker and adding malicious sites to the Trusted Sites zone would make Internet Explorer less secure.

Which of the following can restrict access to resources according to the identity of the user? Mandatory access control Discretionary access control CRL Role-based access control

Discretionary access control is an access control policy generally determined by the owner. Objects such as files and printers can be created and accessed by the owner, and the owner decides which users are allowed to have access to the objects. Mandatory access control and role-based access control models are controlled by the system, not by the owner of a resource. CRL stands for certificate revocation list. This deals with the revoking of compromised encryption certificates within a public-key infrastructure. See the section titled "Authentication Models and Components" in Chapter 9, "Physical Security and Authentication Models," for more information

What does the command netstat do?

Displays current detailed network connections. Works in both Linux and Windows. Example of what you might see: Active Connections Proto Local Address Foreign Address State TCP 127.0.0.1:5357 VM-Windows-7:49229 TIME_WAIT TCP 127.0.0.1:49225 VM-Windows-7:12080 TIME_WAIT TCP 192.168.1.14:49194 75.125.212.75:http CLOSE_WAIT TCP 192.168.1.14:49196 a795sm.avast.com:http CLOSE_WAIT TCP 192.168.1.14:49197 a795sm.avast.com:http CLOSE_WAIT TCP 192.168.1.14:49230 TIM-PC:wsd TIME_WAIT TCP 192.168.1.14:49231 TIM-PC:icslap ESTABLISHED TCP 192.168.1.14:49232 TIM-PC:netbios-ssn TIME_WAIT TCP 192.168.1.14:49233 TIM-PC:netbios-ssn TIME_WAIT TCP [::1]:2869 VM-Windows-7:49226 ESTABLISHED TCP [::1]:49226 VM-Windows-7:icslap ESTABLISHED

Which of the following is most often used to enable a client or a partner access to your network? VLAN Extranet DMZ Intranet

Extranet. An extranet is created so that sister companies, partner companies, or clients of your organization can gain access to some of your data at your discretion. Intranets normally share information with people within your organization. A DMZ, or demilitarized zone, is an area in between the LAN and the Internet that stores servers. A DMZ might be used with an extranet, but it is not necessary. A VLAN is a virtual local-area network that groups computers virtually by port or by a MAC address. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

Segmenting the network can be accomplished by the following except A. Subnetting B. Virtualization C. Air gap D. Switches E. Routers F. Web server G. VLAN

F. Web server

Which of the following would a DMZ typically contain? Customer account database User workstations SQL server FTP server

FTP Server. A DMZ typically contains servers such as FTP servers, web servers, and e-mail servers. Basically it contains servers that users on the Internet would need to access. SQL servers are database servers normally stored on a company's internal network. The same holds true for customer account databases and user workstations. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

Which of the following would a DMZ typically contain? Customer account database User workstations SQL server FTP server

FTP server A DMZ typically contains servers such as FTP servers, web servers, and e-mail servers. Basically it contains servers that users on the Internet would need to access. SQL servers are database servers normally stored on a company's internal network. The same holds true for customer account databases and user workstations. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

Which of the following are best practices when installing and securing a new computer for a home user? Apply system patches. Install a firewall. Install remote control software. Apply service packs. Select 3 answers

Firewalls, service packs, and system patches should always be installed to a new computer to secure it before the user starts working with it. Remote control software should not be installed because this creates an entrance to the user's computer that is not necessary. See the section titled "Firewalls and Network Security" in Chapter 7, "Network Perimeter Security," for more information.

Which of the following threats is not associated with Bluetooth? Bluejacking Bluesnarfing Fraggle attack Discovery mode

Fraggle attack A Fraggle attack is a type of denial-of-service attack that sends a large amount of UDP Echo traffic and is not associated with Bluetooth. Discovery mode is a configuration setting that, if enabled, can allow security threats to access the Bluetooth-enabled device; some people consider it a threat unto itself. If Bluetooth devices are set to "discoverable," bluesnarfing and bluejacking attacks could possibly occur. Bluesnarfing is the unauthorized access of information through the Bluetooth connection and is generally the theft of data such as calendar information and phonebook contacts. Bluejacking is the sending of unsolicited messages to Bluetooth-enabled devices. One way to prevent both of these attacks is to set the Bluetooth device to "undiscoverable." See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

Which of the following threats is not associated with Bluetooth? Fraggle attack Bluejacking Bluesnarfing Discovery mode

Fraggle attack. A Fraggle attack is a type of denial-of-service attack that sends a large amount of UDP Echo traffic and is not associated with Bluetooth. Discovery mode is a configuration setting that, if enabled, can allow security threats to access the Bluetooth-enabled device; some people consider it a threat unto itself. If Bluetooth devices are set to "discoverable," bluesnarfing and bluejacking attacks could possibly occur. Bluesnarfing is the unauthorized access of information through the Bluetooth connection and is generally the theft of data such as calendar information and phonebook contacts. Bluejacking is the sending of unsolicited messages to Bluetooth-enabled devices. One way to prevent both of these attacks is to set the Bluetooth device to "undiscoverable." See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

You have implemented a security technique where an automated system generates random input data to test an application. What have you put into practice? XSRF Input validation Fuzzing Hardening

Fuzzing. Fuzzing (or fuzz testing) is when a person, or more commonly an automated system, enters random data into a form or application in an effort to test it. XSRF (cross-site request forgery, also abbreviated as CSRF) is an exploit of a website where unauthorized commands are issued from a trusted user. Hardening is the act of securing an operating system or application. Input validation is when forms and other web pages are checked to make sure that they will filter inputted data properly, and is used in conjunction with fuzzing.

An organization hires you to test an application that you have limited knowledge of. You are given a login to the application but do not have access to source code. What type of test are you running? SDLC White-box Black-box Gray-box

Gray box. A gray-box test is when you are given limited information about the system you are testing. Black-box testers are not given logins, source code, or anything else, though they may know the functionality of the system. White-box testers are given logins, source code, documentation, and more. SDLC stands for systems development life cycle, of which these types of tests are just a part.

Which of the following is a network addressing scheme that uses numbers and letters? IPv4 IPv6 ICMP IGMP

IPv6 is a network addressing scheme that utilizes IP numbers that are 128-bit and are composed of numbers and letters, due to the fact that they are based on the hexadecimal numbering system. IPv4 uses numbers only. ICMP and IGMP are TCP/IP protocols. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

Which hashing method (used by IPSec) provides both integrity and authenticity?

HMAC. *Routers and firewalls identify AH traffic with protocol ID 51.

TCP port 80 and TCP port 443

HTTP and HTTPS ports necessary for communicating through a firewall

Which of the following uses an asymmetric key to open a session, and then establishes a symmetric key for the remainder of the session? TLS SFTP TFTP SSL HTTPS HTTPS will govern the entire session when a person attempts to connect to a website securely (for example, HTTPS://www.yourbanknamehere.com). It initiates a key exchange using SSL or TLS, riding on asymmetric encryption such as RSA or ECC. Then, it performs the rest of the session data transfer using symmetric encryption such as AES. SFTP is Secure FTP, based on SSH. TFTP is Trivial FTP, which has little security.

HTTPS will govern the entire session when a person attempts to connect to a website securely (for example, HTTPS://www.yourbanknamehere.com). It initiates a key exchange using SSL or TLS, riding on asymmetric encryption such as RSA or ECC. Then, it performs the rest of the session data transfer using symmetric encryption such as AES. SFTP is Secure FTP, based on SSH. TFTP is Trivial FTP, which has little security.

Of the following, which two security measures should be implemented when logging a server? (Select the two best answers.) Cyclic redundancy checks Storing of temporary files Hashing of log files The application of retention policies on log files Select 2 answers

Hashing of log files The application of retention policies on log files The log files should be retained in some manner either on this computer or on another computer. By hashing the log files, the integrity of the files can be checked even after they are moved. Cyclic redundancy checks, or CRCs, have to deal with the transmission of Ethernet frames over the network. Temporary files are normally not necessary when dealing with log files.

What are kernel-level rootkits designed to do to a computer? Select 2 answers Crack the user's password Hide evidence of an attacker's presence Extract confidential information Hide backdoors into the computer Make a computer susceptible to pop-ups

Hide evidence of an attacker's presence Extract confidential information. Rootkits in general are designed to gain administrator access while not being detected. Kernel-level rootkits will change code within the operating system and possibly device drivers, enabling the attacker to execute with the same privileges as the operating system. This type of rootkit allows for unrestricted security access. See the section titled "Computer Systems Security Threats" in Chapter 2, "Computer Systems Security," for more information.

Which of the following answers are not part of IPsec? (Select the two best answers.) Key exchange Authentication header TKIP AES

IPsec contains (or uses) a key exchange (either Internet Key Exchange or Kerberized Internet Negotiation of Keys) and an authentication header (in addition to many other components). TKIP and AES are other encryption protocols.

You see a network address in the command-line that is composed of a long string of letters and numbers. What protocol is being used? ICMP IPv6 IPv3 IPv4

IPv6 uses a long string of numbers and letters in the IP address. These addresses are 128-bit in length. IPv4 addresses are shorter (32-bit) and are numeric only. ICMP is the Internet Control Message Protocol, which is used by ping and other commands. IPv3 was a test version prior to IPv4 and was similar in IP addressing structure.

Your organization is considering storage of sensitive data in a cloud provider. Your organization wants to ensure the data is encrypted while at rest and while in transit. What type of interoperability agreement can your organization use to ensure the data is encrypted while in transit? A. SLA B. BPA C. MOU D. ISA

ISA Interconnection Security Agreement

In which of the following phases of identification and authentication does proofing occur? Authentication Identification Authorization Verification

Identification is the phase in which identity proofing occurs. Identity proofing is an initial validation of an identity. Authentication happens afterward, granting access to a network or building. Then authorization occurs when a person is approved access to specific resources. Verification of identification is important within authentication schemes; for example, a security guard may be required to run checks of employees' IDs. See the section titled "Physical Security" in Chapter 9, "Physical Security and Authentication Models," for more information.

The IT director asks you to perform a risk assessment of your organization's network. Which of the following should you do first? Identify organizational assets. Identify threats and threat likelihood. Identify potential monetary impact. Identify vulnerabilities.

Identify organizational assets. When you first perform a risk assessment, you need to know exactly what you are assessing. Organizational assets can include firewalls, servers, and other computers and devices. These need to be identified first before you can identify vulnerabilities and threats. Last on the list when assessing risk is to identify potential monetary impact, which can be done in a qualitative or quantitative manner. See the section titled "Conducting Risk Assessments" in Chapter 11, "Vulnerability and Risk Assessment," for more information.

Of the following backup types, which describes the backup of files that have changed since the last full or incremental backup? Copy Incremental Full Differential

Incremental An incremental backup backs up only the files that have changed since the last incremental or full backup. Generally it is used as a daily backup. Differential backups are meant to be used to back up files that have changed since the last full backup. A full backup backs up all files in a particular folder or drive, depending on what has been selected; this is regardless of any previous differential or incremental backups. Copies of data can be made, but they will not affect backup rotations that include incremental, differential, and full backups. Technically, this question could be answered "Incremental" or "Differential," but "Incremental" is the accepted (and therefore best) answer. The CompTIA objectives expect a person to understand that an incremental backup will back up anything that was created/changed since the last incremental backup, or the last full backup if that was the last one completed.

Which of the following best describes a protective countermeasure for SQL injection? Validating user input within web-based applications Eliminating XSS vulnerabilities Installing an IDS to monitor the network Implementing a firewall server between the Internet and the database server

Input validation is extremely important when it comes to secure programming. To prevent SQL injection attacks, be sure that the developers have thoroughly tested the web page by validating user input. An IDS can help to detect network attacks, but is not going to help prevent SQL injection. Eliminating XSS vulnerabilities might just happen to help with all types of code injection, but you can't be sure. You should validate inputs specifically for each attack. A firewall may stop some network-based attacks, but not coded attacks.

Which of the following is the most effective way of preventing adware? Install a firewall. Install a host-based intrusion detection system. Install an antivirus program. Install a pop-up blocker.

Install a pop-up blocker. Pop-up blockers are the most-effective way to prevent adware. Adware consists of the advertisements that pop up on your screen when you go to particular websites. Pop-up blockers are generally installed as add-ons to your web browser and are most often associated with the browser. Antivirus programs protect the computer from various types of malware. In some cases they include a pop-up blocker, but not always. The best way to be sure is to install a separate pop-up blocker directly into the web browser. Host-based intrusion detection systems look for attackers in particular types of attacks that might not stop pop-ups. A firewall blocks intrusions and closes off any open ports but does not detect pop-ups. See the section titled "Securing the Browser" in Chapter 4, "Application Security," for more information.

You are the security administrator for a multimedia development company. Users are constantly searching the Internet for media, information, graphics, and so on. You receive complaints from several users about unwanted windows appearing on their displays. What should you do? Install pop-up blockers Install screensavers Install antivirus software Install a host-based firewall

Install pop-up blockers The windows that are being displayed are most likely pop-ups. Standard pop-up blockers will prevent most of these. Antivirus software of itself does not have pop-up blocking technology but might be combined in a suite of anti-malware software that does have pop-up blocking capability. Screensavers won't affect the users' web sessions. Host-based firewalls are a good idea and will prevent attacks, but since a firewall will allow the connections that users make to websites, it cannot stop pop-ups.

Your company uses instant messaging between the central office and satellite offices. What is the most important security issue that you need to deal with when it comes to instant messaging? Instant messaging can adversely affect Internet bandwidth. Different instant messaging programs have no common protocol. Instant messaging has no or weak encryption. Instant messaging program sessions are open and unprotected.

Instant messaging program sessions are open and unprotected. By default, most instant messaging program sessions are open and unprotected. The inbound port numbers used by these programs are well known to hackers. Although instant messaging programs quite often have no common protocol, no encryption or very weak encryption, and will often adversely affect Internet bandwidth, these issues are not as severe as the fact that instant messaging program sessions are open and unprotected. See the section titled "Securing Other Applications" in Chapter 4, "Application Security," for more information.

Your company uses instant messaging between the central office and satellite offices. What is the most important security issue that you need to deal with when it comes to instant messaging? Instant messaging can adversely affect Internet bandwidth. Instant messaging has no or weak encryption. Different instant messaging programs have no common protocol. Instant messaging program sessions are open and unprotected.

Instant messaging program sessions are open and unprotected. By default, most instant messaging program sessions are open and unprotected. The inbound port numbers used by these programs are well known to hackers. Although instant messaging programs quite often have no common protocol, no encryption or very weak encryption, and will often adversely affect Internet bandwidth, these issues are not as severe as the fact that instant messaging program sessions are open and unprotected. See the section titled "Securing Other Applications" in Chapter 4, "Application Security," for more information.

ICMP

Internet Control Message Protocol, supporting protocol in the IP suite used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host router cannot be reached.

A client contracts you to prevent users from accessing inappropriate websites. Which of the following technologies should you implement? IP proxy Internet content filter Honeypot NIDS

Internet content filters prevent users from accessing inappropriate websites. Quite often they are built into caching proxies; however, IP proxies are used to enable the connection of many hosts on a LAN through one IP address out to the Internet. A NIDS, or network intrusion detection system, can detect attacks on the network and alert a network administrator if they occur. A honeypot is used to attract and trap attackers on the network for further analysis. See the section titled "Firewalls and Network Security" in Chapter 7, "Network Perimeter Security," for more information.

A client contracts you to prevent users from accessing inappropriate websites. Which of the following technologies should you implement? NIDS Internet content filter Honeypot IP proxy

Internet content filters prevent users from accessing inappropriate websites. Quite often they are built into caching proxies; however, IP proxies are used to enable the connection of many hosts on a LAN through one IP address out to the Internet. A NIDS, or network intrusion detection system, can detect attacks on the network and alert a network administrator if they occur. A honeypot is used to attract and trap attackers on the network for further analysis. See the section titled "Firewalls and Network Security" in Chapter 7, "Network Perimeter Security," for more information.

Which of the following statements best defines a computer virus? It is a learning mechanism, contamination mechanism, and can exploit. It is a replication mechanism, activation mechanism, and has an objective. It is a search mechanism, connection mechanism, and can integrate. It is a find mechanism, initiation mechanism, and can propagate.

It is a replication mechanism, activation mechanism, and has an objective. Computer viruses are code that acts as a replication mechanism, replicating from file to file. They are activated by users who execute the virus. Viruses have an objective, which could be one of many malicious functions. Viruses do not propagate from computer to computer, but worms do. Viruses are not search or learning mechanisms either. See the section titled "Computer Systems Security Threats" in Chapter 2, "Computer Systems Security," for more information.

Which of the following characterizations best suits the term Java applet? Java applets allow for customized controls and icons. Java applets are the same as ActiveX controls. Java applets need to have virtual machine web browser support. Java applets include a digital signature.

Java applets need to have virtual machine web browser support. Web browsers must have the capability to run Java applets in a virtual machine environment. If the virtual machine browser does not have the capability to do this, the Java applet cannot function. Virtual machines isolate an operating system or a web browser to secure them. However, they need to function properly; therefore, the virtual web browser must support Java applets. Java applets can be used for various things, but not all will include a digital signature, nor will all of them be used for customized controls and icons. The answers concerning digital signatures and customized controls are absolute, whereas Java applets will have many functions. Java applets are not the same as Microsoft's ActiveX controls. See the section titled "Securing the Browser" in Chapter 4, "Application Security," for more information. A Java applet is a small application that is written in the Java programming language, or another programming language that compiles to Java bytecode, and delivered to users in the form of Java bytecode. The user launches the Java applet from a web page, and the applet is then executed within a Java virtual machine (JVM) in a process separate from the web browser itself. A Java applet can appear in a frame of the web page, a new application window, Sun's AppletViewer, or a stand-alone tool for testing applets. Java applets were introduced in the first version of the Java language, which was released in 1995

Which of the following characterizations best suits the term Java applet? Java applets allow for customized controls and icons. Java applets need to have virtual machine web browser support. Java applets include a digital signature. Java applets are the same as ActiveX controls.

Java applets need to have virtual machine web browser support. Web browsers must have the capability to run Java applets in a virtual machine environment. If the virtual machine browser does not have the capability to do this, the Java applet cannot function. Virtual machines isolate an operating system or a web browser to secure them. However, they need to function properly; therefore, the virtual web browser must support Java applets. Java applets can be used for various things, but not all will include a digital signature, nor will all of them be used for customized controls and icons. The answers concerning digital signatures and customized controls are absolute, whereas Java applets will have many functions. Java applets are not the same as Microsoft's ActiveX controls. See the section titled "Securing the Browser" in Chapter 4, "Application Security," for more information.

Password-cracking tools are easily available over the Internet. Which of the following is a password-cracking tool? AirSnort John the Ripper Wireshark Nessus

John the Ripper is a password-cracking tool, otherwise known as a password analysis or recovery tool; it all depends on who uses the tool. This particular tool can do dictionary attacks, brute-force attacks, and cryptanalysis attacks on passwords. AirSnort is a wireless network finder. Nessus is a vulnerability scanner, and Wireshark is a protocol analyzer, otherwise known as a network sniffer. See the section titled "Assessing Vulnerability with Security Tools" in Chapter 11, "Vulnerability and Risk Assessment," for more information.

What should you do to make sure that a compromised PKI key cannot be used again? Renew the key. Revoke the key. Create a new key. Reconfigure the key.

Key revocation is the proper way to approach the problem of a compromised PKI key. The revoked key will then be listed in the CRL (certificate revocation list).

Study the following items carefully. Which one permits a user to "float" a domain registration for a maximum of 5 days? Domain spoofing Domain hijacking Kiting DNS poisoning

Kiting is when a person floats a domain for up to 5 days. Domain name kiting is the process of deleting a previously registered domain name within the 5-day grace period given to the user by the domain registrar. This grace period is also known as an add grace period, or AGP. The person doing the kiting will immediately reregister the domain name for another 5-day period and continue the process until the domain name is sold for a profit. Otherwise, the person will continue to use the domain without ever paying for it. DNS poisoning is the modification of name resolution information in a DNS server's cache. Domain hijacking is the process by which the registration of a domain name is transferred without the permission of the owner. Domain spoofing is attempting to make users think that your domain is actually another one; this is commonly done with similar-looking domain names. See the section titled "Malicious Attacks" in Chapter 6, "Networking Protocols and Threats," for more information.

Which of the following is usually used with L2TP? SHA IPsec PHP SSH

L2TP IPsec is usually used with L2TP. SSH is a more secure way of connecting to remote computers. PHP is a type of language commonly used on the web. SHA is a type of hashing algorithm.

Which of the following protocols creates an unencrypted tunnel? PPTP L2TP IPsec VPN

L2TP In VPNs (virtual private networks), Layer Two Tunneling Protocol (L2TP) creates an unencrypted tunnel between two IP addresses. It is usually used with IPsec to encrypt the data transfer. PPTP is the Point-to-Point Tunneling Protocol, which includes encryption.

Which of the following is used to implement an unencrypted tunnel between two networks? L2TP AES HTTPS PPTP

L2TP (Layer Two Tunneling Protocol) implements an unencrypted tunnel between two devices or networks. The protocol that handles encryption in this type of VPN is IPsec. Hypertext Transfer Protocol Secure (HTTPS) secures websites. Point-to-Point Tunneling Protocol (PPTP), which is used in VPNs, has built-in encryption and automatically creates an encrypted tunnel but is less secure than a VPN using L2TP with IPsec. The Advanced Encryption Standard (AES) is common in wireless networks. See the section "Security Protocols" in Chapter 14, "PKI and Encryption Protocols," for more information

NTLM is for the most part backward compatible and is an improved version of which of the following? AES passwd LANMAN MD5

LANMAN is an outdated hash used in Windows; it is the original hash used to store passwords. NTLM (and the newer NTLMv2) hash are used in newer versions of Windows to replace LANMAN. AES is the Advanced Encryption Standard, a popular encryption method. MD5 is a different hash function used in the downloading of files, among other things. Passwd is a text-based file used in Linux that stores user information and permissions. See the section titled "Hashing Basics" in Chapter 13, "Encryption and Hashing Concepts," for more information.

An information bank has been established to store contacts, phone numbers and other records. A UNIX application needs to connect to the index server using port 389. Which of the following authentication services should be used on this port by default?

LDAP Lightweight Directory

What is the default directory service when you install Active Directory on a Windows server and it becomes a Domain Controller

LDAP. LDAP can be used for Single Sign On. To be a domain controller you also need DNS.

What are the three categories commonly used to identify the likelihood of a risk?

Likelihood is commonly assigned as High (1.0), Medium (0.5), or Low (0.1) values for risk comparison.

Which of the following would BEST be used to calculate the expected loss of an event, if the likelihood of an event occurring is known? (Select TWO). A. DAC B. ALE C. SLE D. ARO E. ROI

Likelihood of Expected loss of an event is ARO so, ALE and SLE, B. and C. would best be used to calculate ARO ALE = SLE X ARO

Which of the following provides for the best application availability and can be easily expanded as an organization's demand grows? Server virtualization Load balancing RAID 6 Multi-CPU motherboards

Load balancing. Load balancing is the best option for application availability and expansion. You can cluster multiple servers together to make a more powerful supercomputer of sorts - one that can handle more and more simultaneous access requests. RAID 6 is meant more for data files, not applications. It may or may not be expandable depending on the system used. Multi-CPU motherboards are used in servers and power workstations, but are internal to one system. The CPUs are indeed used together, but will not help with expandability, unless used in a load-balancing scenario.

You receive complaints about network connectivity being disrupted. You suspect that a user connected both ends of a network cable to two different ports on a switch. What can be done to prevent this? Port forwarding Loop protection DMZ VLAN segregation

Loop protection should be enabled on the switch to prevent the looping that can occur when a person connects both ends of a network cable to the same switch. A DMZ is a demilitarized zone that is used to keep servers in a midway zone between the Internet and the LAN. VLAN segregation (or VLAN separation) is a way of preventing ARP poisoning. Port forwarding refers to logical ports associated with protocols.

If a switch enters fail open mode because its CAM table memory has been filled, then it will cease to function properly as a switch. What type of attack could cause this? DoS Double tagging Physical tampering MAC flooding

MAC flooding is when an attacker attempts to flood the CAM table of a switch with many packets, each of which has a different source MAC address. The CAM table is an area in memory set aside to store MAC address to physical port translations. Double tagging is an attack by a host that attaches VLAN tags to the frames it transmits. Physical tampering can be done to a switch at a dedicated monitoring port; from there a person could perpetuate a variety of attacks on the network. A DoS attack is a denial of service usually associated with servers. In this type of attack, a user seeks to stop the server from functioning. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

Which of the following will most likely enable an attacker to force a switch to function like a hub? ARP poisoning DNS spoofing MAC flooding DNS poisoning

MAC flooding sends many packets to a switch, each of which has a different source MAC address in an attempt to use up the memory on the switch, changing the state of the switch to fail open mode, which ultimately makes it function as a hub. Spoofing attacks are when an attacker masquerades as another person, which can be done with DNS, websites, e-mail, and so on. ARP poisoning is an attack that exploits Ethernet networks that may enable an attacker to sniff frames of information or modify that information. DNS poisoning is the modification of name resolution information that should be within a DNS server's cache. See the section titled "Malicious Attacks" in Chapter 6, "Networking Protocols and Threats," for more information.

If a switch enters fail open mode because its CAM table memory has been filled, then it will cease to function properly as a switch. What type of attack could cause this? DoS MAC flooding Double tagging Physical tampering

MAC flooding. MAC flooding is when an attacker attempts to flood the CAM table of a switch with many packets, each of which has a different source MAC address. The CAM table is an area in memory set aside to store MAC address to physical port translations. Double tagging is an attack by a host that attaches VLAN tags to the frames it transmits. Physical tampering can be done to a switch at a dedicated monitoring port; from there a person could perpetuate a variety of attacks on the network. A DoS attack is a denial of service usually associated with servers. In this type of attack, a user seeks to stop the server from functioning. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

Virtualized browsers can protect the OS that they are installed within from which of the following? DDoS attacks against the underlying OS Phishing and spam attacks Man-in-the-middle attacks Malware installation from Internet websites

Malware installation from Internet websites. The beauty of a virtualized browser is that regardless of whether a virus or other malware damages it, the underlying operating system will remain unharmed. The virtual browser can be deleted and a new one can be created; or if the old virtual browser was backed up previous to the malware attack, it can be restored. This concept applies to entire virtual operating systems as well, if configured properly.

What does an ARP command do?

Maps IP addresses to MAC addresses. Unlike other commands, it requires at least one flag. Eg. ARP -a C:\>arp -a Interface: 192.168.40.123 Internet Address Physical Address Type 192.168.40.1 00-00-0c-1a-eb-c5 dynamic 192.168.40.124 00-dd-01-07-57-15 dynamic Interface: 10.57.8.190 Internet Address Physical Address Type 10.57.9.138 00-20-af-1d-2b-91 dynamic The computer in this example is multihomed (has more than one network adapter), so there is a separate ARP cache for each interface.

MOU

Memorandum of understanding (MOU) An MOU expresses an understanding between two or more parties indicating their intention to work together toward a common goal. It is similar to an SLA in that it defines the responsibilities of each of the parties. However, it is less formal than an SLA and does not include monetary penalties. Additionally, it doesn't have strict guidelines in place to protect sensitive data. Many times, MOUs are used in conjunction with ISAs. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, "Security Guide for Interconnecting Information Technology Systems," includes more in-depth information on MOUs and ISAs.

What do TLS and SSL use for message integrity?

Message Authentication Code (MAC). For example, they can use HMAC-MD5 or HMAC-SHA1.

The IT director asks you to create a solution to protect your network from Internet-based attacks. The solution should include pre-admission security checks and automated remediation and should also integrate with existing network infrastructure devices. Which of the following solutions should you implement? VLAN NAT Subnetting NAC

NAC, or network access control, makes security checks of the users or the actual connections that are made before sessions are initiated. It can also remediate issues automatically if configured properly. Examples of network access control include 802.1X and FreeNAC. NAT is a network address translation that converts one set of IP addresses to another. VLAN is a virtual local-area network, and subnetting compartmentalizes IP networks by way of IP addresses and mathematics. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

Which of the following security applications cannot proactively detect computer anomalies? Antivirus software NIDS HIPS Personal software firewall

NIDS, or network intrusion detection system, cannot proactively detect computer anomalies. It is deployed to the entire network and looks for a network intrusion, not intrusions to individual computers. HIPS (host-based intrusion prevention system), antivirus software, and personal software firewalls can all be loaded on an individual computer and can be updated as well. These can proactively detect computer anomalies. See the section titled "NIDS Versus NIPS" in Chapter 7, "Network Perimeter Security," for more information.

Which of the following security applications cannot proactively detect computer anomalies? Antivirus software Personal software firewall HIPS NIDS

NIDS, or network intrusion detection system, cannot proactively detect computer anomalies. It is deployed to the entire network and looks for a network intrusion, not intrusions to individual computers. HIPS (host-based intrusion prevention system), antivirus software, and personal software firewalls can all be loaded on an individual computer and can be updated as well. These can proactively detect computer anomalies. See the section titled "NIDS Versus NIPS" in Chapter 7, "Network Perimeter Security," for more information.

Which of the following would you most likely find in a buffer overflow attack? Set flags Sequence numbers NOP instructions IV length

NOP instructions. In computer science, a NOP, no-op, or NOOP (pronounced "no op"; short for no operation) is an assembly language instruction, programming language statement, or computer protocol command that does nothing. A large number of No Operation instructions (known as NOP or no-op instructions) can be used to overflow a buffer, which could allow unwanted code to be executed or result in a denial of service (DoS). Large numbers of NOP instructions can be used to perform a NOP slide (or NO-OP sled). Sequence numbers are how TCP packets are numbered. IV length has to do with the length of a string in a cipher. Flags are one or more bits that are set to a binary number to indicate whether something is on or off. See the section titled "Secure Programming" in Chapter 4, "Application Security," for more information.

A customer's computer uses FAT16 as its file system. What file system can you upgrade it to when using the convert command? NFS FAT32 NTFS HPFS

NTFS. The convert command is used to upgrade FAT and FAT32 volumes to the more secure NTFS without loss of data. HPFS is the High Performance File System developed by IBM and is not used by Windows. NFS is the Network File System, something you would see in a storage area network.

Of the following, what is the worst place to store a backup tape? Near a power line Near an LCD screen Near a bundle of fiber-optic cables Near a server

Near a power line

A malicious program modified entries in the LMHOSTS file of an infected system. Which of the following protocols would be affected by this?

NetBIOS. The LMHOSTS file provides a NetBIOS name resolution method that can be used for small networks that do not use a WINS server. NetBIOS has been adapted to run on top of TCP/IP, and is still extensively used for name resolution and registration in Windows-based environments.

Which layer of the OSI model does IPsec operate at? Transport Application Data Link Network

Network IPsec is a dual-mode, end-to-end security scheme that operates at layer 3, the network layer of the OSI model, also known as the internet layer within the Internet Protocol suite. It is often used with L2TP for VPN tunneling, among other protocols.

Which of the following tools require a computer with a network adapter that can be placed in promiscuous mode? Password cracker Port scanner Network mapper Protocol analyzer Vulnerability scanner

Network mapper Protocol analyzer Some network mapping programs such as AirMagnet require that a network adapter be placed in promiscuous mode. This is when the network adapter captures all packets that it has access to regardless of the destination of those packets. Some protocol analyzers (for example, Wireshark) also require that a network adapter be placed in promiscuous mode. Password crackers, port scanners, and other vulnerability scanners do not require promiscuous mode. See the section titled "Using Tools to Monitor Systems and Networks" in Chapter 12, "Monitoring and Auditing," for more information.

Which of the following has schemas written in XML? 3DES WPA PAP OVAL

OVAL (Open Vulnerability and Assessment Language) uses XML as a framework for the language. It is a community standard dealing with the standardization of information transfer. 3DES is an encryption algorithm. WPA is a wireless encryption standard, and the deprecated PAP is the Password Authentication Protocol, used for identifying users to a server.

Which of the following cloud computing services offers easy to configure operating systems? SaaS IaaS PaaS VM

Platform as a service (PaaS) is a cloud computing service that offers many software solutions, including easy-to-configure operating systems and on-demand computing. SaaS is software as a service, used to offer solutions such as webmail. IaaS is infrastructure as a service, used for networking and storage. VM stands for virtual machine, which is something that PaaS also offers.

E-mail servers can be maliciously exploited in many ways, for example, spoofing e-mail messages. Which of the following is a common component that attackers would use to spoof e-mails? Session hijacking Open relay Logic bomb Web proxy

Open relay. An open relay is an invitation for attackers to send out spoofed e-mails and spam. These relays should be closed on SMTP servers so that only authenticated users can gain access to them. Web proxies are go-betweens for clients on the network and the web servers that they want to connect to. The web proxy stores web page information so that the organization can save Internet bandwidth and the clients can get their information faster. Session hijacking is the exploitation of a computer session in an attempt to gain unauthorized access to data services or other resources on the computer. Logic bombs are code that has in some way been inserted into software, initiating malicious functions when specific criteria are met. See the section titled "Computer Systems Security Threats" in Chapter 2, "Computer Systems Security," for more information.

Name two key stretching cryptographic methods

PBKDF2 and Bcrypt

Which of the following threats has the highest probability of being increased by the availability of devices such as USB flash drives on your network? Increased loss of business data Loss of wireless connections Removal of PII data Introduction of new data on the network

PII. Personally identifiable information (PII) and other sensitive data can easily be removed from the network through the use of USB flash drives and other similar removable media. This is the most important threat you need to be aware of that could increase due to the use of these devices. Although new data on the network might be introduced, or business data might be lost, the most common threat when USB flash drives are available is the removal of PII data. A loss of a wireless connection will be rare but possible if the USB flash drive has a special type of malware installed on it. Generally, companies disable USB access on the computer either within the operating system or within the BIOS if they are concerned about the removal of PII data. See the section titled "Securing Computer Hardware, Peripherals, and Mobile Devices" in Chapter 2, "Computer Systems Security," for more information.

You have been asked to set up authentication through PKI, and encryption of a database using a different cryptographic process to decrease latency. What encryption types should you use? Public key encryption to authenticate users and public keys to encrypt the database Private key encryption to authenticate users and private keys to encrypt the database Public key encryption to authenticate users and private keys to encrypt the database Private key encryption to authenticate users and public keys to encrypt the database

PKI uses public keys to authenticate users. If you are looking for a cryptographic process that allows for decreased latency, then symmetrical keys (private) would be the way to go. So the PKI system uses public keys to authenticate the users, and the database uses private keys to encrypt the data.

Which of the following protocols is not used to create a VPN tunnel and not used to encrypt VPN tunnels? IPsec PPP L2TP PPTP

PPP, or Point-to-Point Protocol, does not provide security and is not used to create VPN connections. You will see PPP used in dial-up connections, and it is an underlying protocol used by L2TP, PPTP, and IPsec, which are all used in VPN connections.

Perfect Forward Secrecy

Perfect Forward Secrecy is a feature of specific key agreement protocols that gives assurances your session keys will not be compromised even if the private key of the server is compromised. By generating a unique session key for every session a user initiates, even the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. Perfect Forward Secrecy represents a huge step forwards in protecting data on the transport layer and following on from Heartbleed, everyone using SSL/TLS should be looking to implement it. To enable PFS, the client and the server have to be capable of using a cipher suite that utilises the Diffie-Hellman key exchange. Importantly, the key exchange has to be ephemeral. This means that the client and the server will generate a new set of Diffie-Hellman parameters for each session.

Jason is a security administrator for a company of 4000 users. He wants to store 6 months of logs to a logging server for analysis. The reports are required by upper management due to legal obligations but are not time-critical. When planning for the requirements of the logging server, which of the following should not be implemented? Time stamping and integrity of the logs Log storage and backup requirements Log details and level of verbose logging Performance baseline and audit trails You answered this question correctly. × Explanation: A performance baseline and audit trails are not necessarily needed. Because the reports are not time-critical, a performance baseline should not be implemented. Auditing this much information could be unfeasible for one person. However, it is important to implement time stamping of the logs and store log details. Before implementing the logging server, Jason should check whether he has enough storage and backup space to meet his requirements.

Performance baseline and audit trails. A performance baseline and audit trails are not necessarily needed. Because the reports are not time-critical, a performance baseline should not be implemented. Auditing this much information could be unfeasible for one person. However, it is important to implement time stamping of the logs and store log details. Before implementing the logging server, Jason should check whether he has enough storage and backup space to meet his requirements.

You have established a baseline for your server. Which of the following is the best tool to use to monitor any changes to that baseline? Performance Monitor Anti-spyware Vulnerability assessments software Antivirus software

Performance monitoring software can be used to create a baseline and monitor for any changes to that baseline. An example of this would be the Performance console window within Windows Server. (It is commonly referred to as Performance Monitor.)

What is the difference between phishing vs. pharming?

Phishing is an email that appears to come from a legitimate source. Pharming attacks compromise at the DNS server level, re-directing you to a hacker's site when you type in a company's Web address.

Which of the following is the most effective way of preventing adware? Install a pop-up blocker. Install an antivirus program. Install a firewall. Install a host-based intrusion detection system.

Pop-up blockers are the most-effective way to prevent adware. Adware consists of the advertisements that pop up on your screen when you go to particular websites. Pop-up blockers are generally installed as add-ons to your web browser and are most often associated with the browser. Antivirus programs protect the computer from various types of malware. In some cases they include a pop-up blocker, but not always. The best way to be sure is to install a separate pop-up blocker directly into the web browser. Host-based intrusion detection systems look for attackers in particular types of attacks that might not stop pop-ups. A firewall blocks intrusions and closes off any open ports but does not detect pop-ups. See the section titled "Securing the Browser" in Chapter 4, "Application Security," for more information.

Which of the following inbound ports must be opened on a server to allow a user to log in remotely? 53 636 3389 389

Port 3389 is the inbound port used by the Remote Desktop Protocol. It is implemented on Microsoft systems as either Remote Desktop Services or the older Microsoft Terminal Services. If this port is open, it enables a remote user to log in to the computer. Port 53 is used by DNS. Port 389 is used by LDAP. Port 636 is used by secure LDAP. See the section titled "Authentication Models and Components" in Chapter 9, "Physical Security and Authentication Models," for more information.

Question Id : SY0-401-REVIEW-12-016 As you review your firewall log, you see the following information. What type of attack is this? S=207.50.135.54:53 - D=10.1.1.80:0 S=207.50.135.54:53 - D=10.1.1.80:1 S=207.50.135.54:53 - D=10.1.1.80:2 S=207.50.135.54:53 - D=10.1.1.80:3 S=207.50.135.54:53 - D=10.1.1.80:4 S=207.50.135.54:53 - D=10.1.1.80:5 Port scanning Denial-of-service Ping scanning DNS spoofing

Port scanning. The information listed is an example of a port scan. The source IP address perpetuating the port scan should be banned or blocked on the firewall. The fact that the source computer is using port 53 is of no consequence during the port scan and does not imply DNS spoofing. It is not a denial-of-service attack; note that the destination IP address ends in 80, but the number 80 is part of the IP address and is not the port.

Which of the following solutions should be used by heavily utilized networks? Remote access VPN concentrator Telephony Provider cloud

Provider clouds can offer Infrastructure as a Service (IaaS), which can alleviate some of the stress an organization's network might suffer from. In addition, provider clouds can offer software (SaaS) and platforms (PaaS).

Which of the following types of keys are stored in a CRL? Private keys only Public keys only Public and private keys TPM keys

Public and private keys are stored in a CRL. A CRL, or certificate revocation list, stores revoked certificates that contain both public and private keys associated with the certificate. This is common within a PKI, which is asymmetric, using private and public keys. TPMs, trusted platform modules, use one type of key, usually secret and private. See the section titled "Public Key Infrastructure" in Chapter 14, "PKI and Encryption Protocols," for more information.

Which of the following types of keys are stored in a CRL? TPM keys Private keys only Public keys only Public and private keys

Public and private keys. A CRL, or certificate revocation list, stores revoked certificates that contain both public and private keys associated with the certificate. This is common within a PKI, which is asymmetric, using private and public keys. TPMs, trusted platform modules, use one type of key, usually secret and private. See the section titled "Public Key Infrastructure" in Chapter 14, "PKI and Encryption Protocols," for more information.

Which of the following might a public key be used to accomplish? To decrypt wireless messages To encrypt web browser traffic To decrypt the hash of a digital signature To digitally sign a message

Public keys can be used to decrypt the hash of a digital signature. Session keys are used to encrypt web browser traffic. Private keys are used to digitally sign a message and decrypt wireless messages.

Your organization uses VoIP. Which of the following should be performed to increase the availability of IP telephony by prioritizing traffic? Subnetting NAC NAT QoS

Quality of Service (QoS) should be configured on the router to prioritize traffic, promoting IP telephony traffic to be more available. You'll get some detractors of QoS, especially for the SOHO side of networks, but if used on the right device and configured properly, it can make a difference. This might sound like more of a networking question, but it ties in directly to the CIA triad of security. Data confidentiality and integrity are important, but just as important is availability - the ability for users to access data when required.

TCP port 25 is used by?

SMTP Simple Mail Transfer Protocol

Mitigating risk based on cost could be described as which of the following? Qualitative risk assessment Vulnerability assessment Quantitative risk assessment Business impact analysis

Quantitative risk assessment measures risk using exact monetary values. Qualitative risk assessment assigns numeric values to the probability of risk. Business impact analysis is the differentiation of critical and nonurgent functions and is part of a DRP or BCP. A vulnerability assessment is an analysis of security weakness in an organization. See the section titled "Conducting Risk Assessments" in Chapter 11, "Vulnerability and Risk Assessment," for more information.

In this scenario, your organization and a sister organization use multiple certificate authorities (CAs). Which component of PKI is necessary for one CA to know whether to accept or reject certificates from another CA? RA Recovery agent CRL Key escrow

RA. An RA is a registration authority used to verify requests for certificates from a certificate authority or multiple certificate authorities. A CRL is a certificate revocation list; if for some reason a certificate cannot be verified by any parties involved and the issuer of the certificate confirms this, the issuer needs to revoke the certificate. The certificate is placed in the CRL that is published. Key escrow is when certificates are held if the third parties need them in the future. Recovery agents recover certificates that were corrupted or lost. See the section titled "Public-Key Infrastructure" in Chapter 14, "PKI and Encryption Protocols," for more information.

What are the 4 main RAID types in use?

RAID 0, 1, 3, and 5.

Which of the following RAID versions offers the least amount of performance degradation when a disk in the array fails? RAID 0 RAID 5 RAID 4 RAID 1

RAID 1 is known as mirroring. If one drive fails, the other will still function and there will be no downtime and no degraded performance. All the rest of the answers are striping-based and therefore have either downtime or degraded performance associated with them. RAID 5 is the second best option because in many scenarios it will have zero downtime and little degraded performance. RAID 0 will not recover from a failure; it is not fault tolerant.

Which RAID types use one or more disks for parity information?

RAID 4 and RAID 5

Which RAID types support fault tolerance?

RAID 5 or RAID 1

One of your database servers is mission-critical. You cannot afford any downtime. What is the best item to implement to ensure minimal downtime of the server and ensure fault tolerance of the data stored on the database server? RAID UPS Redundant server Spare parts

RAID. RAID (redundant array of inexpensive disks) is a way to make data fault-tolerant. The best example would be to use RAID 5 or RAID 1. RAID 5 will have minimal downtime if data failure occurs; RAID 1 should have a zero downtime if data failure occurs. A redundant server might or might not offer all the data fault tolerance that you want; it depends on how it is configured. A UPS should be installed to protect from power outages but cannot protect from a hard drive error. See the section titled "Redundancy Planning" in Chapter 15, "Redundancy and Disaster Recovery," for more information.

Examples of remote authentication systems

RAS, VPN, and RADIUS

WEP improperly uses an encryption protocol and because of this is considered to be insecure. What encryption protocol does it use? AES RSA RC6 RC4

RC4 has several vulnerabilities when used incorrectly by protocols such as WEP. WEP does not use AES, RSA, or RC6, all of which are secure protocols if used correctly.

Which are the symmetric encryption ciphers?

RC4, DES, 3DES, AES, Blowfish, and Two Fish

Which of the following algorithms depends on the inability to factor large prime numbers? Diffie-Hellman AES Elliptic curve RSA

RSA (Rivest, Shamir, and Adleman) is a public-key cryptography algorithm based on the inability to factor large prime numbers. It is used in many e-commerce scenarios. AES is based on the substitution-permutation network. Elliptic curve is based on the difficulty of certain mathematical problems that generate keys by graphing specific points on a curve. Diffie-Hellman relies on the secure exchange of keys before data can be transferred. See the section "Encryption Algorithms" in Chapter 13, "Encryption and Hashing Concepts," for more information.

You are tasked with ensuring that messages being sent and received between two systems are both encrypted and authenticated. Which of the following protocols accomplishes this? SHA-1 RSA Diffie-Hellman BitLocker

RSA can both encrypt and authenticate messages. Diffie-Hellman encrypts only. BitLocker is a type of whole disk encryption (WDE), which deals with encrypting entire hard drives but is not used to send and receive messages. SHA-1 is a cryptographic hash function used to preserve the integrity of files.

Which the following algorithms is used by the protocol TLS to establish a session key? RC4 RSA HTTPS AES

RSA is the asymmetric cryptographic algorithm used by TLS (Transport Layer Security) to establish a session key. TLS is the successor to SSL (Secure Sockets Layer) that can use RSA or Diffie-Hellman for key exchange as well as AES and RC4 for the encryption of the rest of the session. HTTPS is the web-based secure protocol that makes use of TLS (or SSL), which then makes use of RSA for the key exchange at the start of a session. See the section titled "Encryption Algorithms" in Chapter 13, "Encryption and Hashing Concepts," for more information.

Which the following algorithms is used by the protocol TLS to establish a session key? AES RC4 RSA HTTPS

RSA is the asymmetric cryptographic algorithm used by TLS (Transport Layer Security) to establish a session key. TLS is the successor to SSL (Secure Sockets Layer) that can use RSA or Diffie-Hellman for key exchange as well as AES and RC4 for the encryption of the rest of the session. HTTPS is the web-based secure protocol that makes use of TLS (or SSL), which then makes use of RSA for the key exchange at the start of a session. See the section titled "Encryption Algorithms" in Chapter 13, "Encryption and Hashing Concepts," for more information.

What are the 6 phases of SDLC, Software Development Life Cycle?

Requirement gathering and analysis. Design. Implementation or coding. Testing. Deployment. Maintenance.

You have been commissioned by a customer to implement a network access control model that limits remote users' network usage to normal business hours only. You create one policy that applies to all the remote users. What access control model are you implementing? Rule-based access control Discretionary access control Mandatory access control Role-based access control

Role-based access control (RBAC) works with sets of permissions; each set of permissions constitutes a role. Users are assigned to roles to gain access to resources. Examples of user groups that are assigned to roles include remote users, extranet users, guests, and so on. In this question, the remote users are the group that has been assigned a role that enables them to access the network only during normal business hours. This should not be confused with a rule-based access control that is a type of mandatory access control. Mandatory access control (MAC) is an access control policy determined by a computer system and not by a user or owner. Discretionary access control (DAC) is generally determined by the owner of a resource. See the section titled "Access Control Models Defined" in Chapter 10, "Access Control Methods and Models," for more information.

Which of the following details one of the primary benefits of using S/MIME? S/MIME enables users to send anonymous e-mail messages. S/MIME enables users to send e-mail messages with a return receipt. S/MIME enables users to send both encrypted and digitally signed e-mail messages. S/MIME expedites the delivery of e-mail messages.

S/MIME (Secure/Multipurpose Internet Mail Extensions) enables users to send both encrypted and digitally signed e-mail messages, enabling a higher level of e-mail security. It does not make the delivery of e-mail any faster, nor does it have anything to do with return receipts. Return receipts are usually controlled by the SMTP server. Anonymous e-mail messages would be considered spam, completely insecure, and something that a security administrator wants to reduce, and certainly does not want users to implement.

What does SFTP do?

SFTP encrypts authentication and data traffic between the client and server by making use of SSH to provide secure FTP communications. As a result, SFTP offers protection for both the authentication traffic and the data transfer taking place between a client and server.

An SHA algorithm will have how many bits? 64 128 1024 512

SHA-2 algorithm blocks have 512 bits. SHA-1 is 160-bit. MD5 is 128-bit; 1024-bit keys are common in asymmetric encryption.

A company has decided to move large data sets to a cloud provider in order to limit the costs of new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make sure both parties have a clear understanding of the controls needed to protect the data. Which of the following types of interoperability agreement is this? A. ISA B. MOU C. SLA D. BPA

SLA Service Level Agreement

Given ARO and ALE, what value can you calculate

SLE, Single Loss Expectancy, which is equal to Asset Value (AV) times Exposure Factor (EF). SLE X ARO, Annualized Rate of Occurance = ALE, Annual Loss Expectancy

The IT director has asked you to install agents on several client computers and monitor them from a program at a server. What is this known as? SNMP Performance Monitor SMP SMTP

SNMP (Simple Network Management Protocol) is used when a person installs agents on client computers to monitor those systems from a single remote location. SMTP is used by e-mail clients and servers. SMP is symmetric multiprocessing, which is not covered in the Security+ exam objectives. Performance Monitor enables a person to monitor a computer and create performance baselines.

You have been tasked with providing daily network usage reports of layer 3 devices without compromising any data during the information gathering process. Which of the following should you select in this scenario? SNMPv3 SNMP ICMP SSH

SNMPv3 should be used because it provides a higher level of security (encryption of packets, message integrity, and authentication), allowing you to gather information without fear of the data being compromised. SNMPv1 and v2 do not have the elaborate security of SNMPv3. ICMP is the Internet Control Message Protocol used with the ping utility, among other things. It has little to do with monitoring. SSH is Secure Shell, which is a more secure way of remotely controlling systems; it acts as a secure alternative to Telnet.

Which protocol can be used to secure the e-mail login from an Outlook client using POP3 and SMTP? SPA Exchange SMTP SAP

SPA SPA (Secure Password Authentication) is a Microsoft protocol used to authenticate e-mail clients. S/MIME and PGP can be used to secure the actual e-mail transmissions.

Which of the following network protocols sends data between two computers while using a secure channel? SSH SNMP P2P SMTP

SSH, or Secure Shell, enables two computers to send data via a secure channel. SMTP is the Simple Mail Transfer Protocol, which deals with e-mail. SNMP is the Simple Network Management Protocol, which enables the monitoring of remote systems. P2P is an abbreviation of peer-to-peer network.

What is it known as when a web script runs in its own environment and does not interfere with other processes? Honeynet Quarantine Sandbox VPN

Sandbox. When a web script runs in its own environment for the express purpose of not interfering with other processes, it is known as running in a sandbox. Often, the sandbox will be used to create sample scripts before they are actually implemented. Quarantining is a method used to isolate viruses. A honeynet is a collection of servers used to attract hackers and isolate them in an area where they can do no damage. VPN is short for virtual private network, which enables the connection of two hosts from remote networks

What is SSH? What are common applications

Secure Shell (SSH) is a cryptographic network protocol for securing data communication. It establishes a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login, remote command execution, but any network service can be secured with SSH. SSH uses port 22.

Tara has written an application and is ready to go through the hardening process. Which of the following could be considered a hardening process of the SDLC? Application patching management schedule Disabling unnecessary services Secure coding concepts Disabling unnecessary accounts

Secure coding concepts. Secure coding concepts such as input validation will help to harden an application within the systems development life cycle (SDLC). While disabling unnecessary services and accounts and patching the application are all important, these could all be considered application or server hardening, not hardening within the SDLC. See the section titled "Secure Programming" in Chapter 4, "Application Security," for more information.

SAML

Security Assertion Markup Language (SAML, pronounced sam-el) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. Associated with Single Sign On (SSO). Service Providers often use this third-party authentication mechanism.

SLA

Service level agreement (SLA) An SLA is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations use SLAs when contracting services from service providers such as Internet Service Providers (ISPs). Many SLAs include a monetary penalty if the vendor is unable to meet the agreed-upon expectations.

Which of the following OSI model layers is where SSL provides encryption? Network Transport Session Application

Session. The session layer, layer 5 of the OSI model, is where SSL provides encryption. Though it is considered to be an application layer protocol, the actual encryption happens at layer 5. The transport layer deals with ports used by sessions; for example, an SSL session will use port 443. The network layer transmits the actual packets of information from one IP address to another. SSL relies on a PKI to obtain and validate certificates (for example, when you go to a secure e-commerce website). See the section titled "Security Protocols" in Chapter 14, "PKI and Encryption Protocols," for more information.

What ports dos SNMP use?

Simple Network Management Protocol uses UDP ports 161 and 162

Give two examples of hardware devices that can store keys. (Select the two best answers.) PCI Express card Network adapter Smart card USB flash drive Select 2 answers

Smart cards and USB flash drives can be used as devices that carry a token and store keys; this means that they can be used for authentication to systems, often in a multifactor authentication scenario. Network adapters and PCI Express cards are internal to a PC and would not make for good key storage devices.

Which of the following tools require a computer with a network adapter that can be placed in promiscuous mode? Port scanner Protocol analyzer Vulnerability scanner Password cracker Network mapper Which of the following tools require a computer with a network adapter that can be placed in promiscuous mode? Port scanner Protocol analyzer Vulnerability scanner Password cracker Network mapper Select 2 answers

Some network mapping programs such as AirMagnet require that a network adapter be placed in promiscuous mode. This is when the network adapter captures all packets that it has access to regardless of the destination of those packets. Some protocol analyzers (for example, Wireshark) also require that a network adapter be placed in promiscuous mode. Password crackers, port scanners, and other vulnerability scanners do not require promiscuous mode. See the section titled "Using Tools to Monitor Systems and Networks" in Chapter 12, "Monitoring and Auditing," for more information.

Closing open mail relays can help prevent what type of malware? Worm Virus Spam Trojan

Spam. Spam e-mail can be prevented in several ways. By closing open mail relays, also known as SMTP relays, only properly authenticated users can use those e-mail servers. A virus is code that runs on a computer without the user's consent. A worm is similar to a virus except that worms can self-replicate, whereas viruses do not. A Trojan, or Trojan horse, appears to perform desired functions but performs malicious actions behind the scenes. See the section titled "Computer Systems Security Threats" in Chapter 2, "Computer Systems Security," for more information.

Phishing done through social media is called what?

Spim

Which of the following firewall types inspects Ethernet traffic at the MOST levels of the OSI model? A. Packet Filter Firewall B. Stateful Firewall C. Proxy Firewall D. Application Firewall

Stateful inspections occur at all levels of the network.

Which of the following statements best describes a static NAT? Static NAT uses a one-to-many mapping. Static NAT uses a many-to-one mapping. Static NAT uses a one-to-one mapping. Static NAT uses a many-to-many mapping.

Static network address translation normally uses a one-to-one mapping when dealing with IP addresses.

A website administrator has received an alert from an application designed to check the integrity of the company's website. The alert indicated that the hash value for a particular MPEG file has changed. Upon further investigation, the media appears to be the same as it was before the alert. Which of the following methods has MOST likely been used? A. Cryptography B. Time of check/time of use C. Man in the middle D. Covert timing E. Steganography

Steganography

An employee has been terminated from your organization. What can ensure that the organization continues to have access to the employee's private keys? Store the keys in a CRL. Delete the employee's user account. Store the keys in escrow. Retain the employee's token.

Store the keys in escrow. By storing the keys in escrow, the organization can continue to have access to them, even after the employee has been terminated. A CRL is a certificate revocation list, which stores certificates that have been revoked; for many different reasons, these certificates are no longer in circulation. Usually organizations will have a policy stating that employees' user accounts should not be deleted. By not deleting the user account, it will continue to be linked to the user's private keys and to any logged auditing information associated with the employee. Generally, when employees are terminated, the hardware token and users' accounts will be disabled. A hardware token deals with a different technology than private keys being stored in escrow. The proper place to access the employee's private keys is within escrow within a PKI. See the section "Public Key Infrastructure" in Chapter 14, "PKI and Encryption Protocols," for more information.

Which of the following is used by PGP to encrypt the session key before it is sent? Asymmetric key distribution system Symmetric scheme Symmetric key distribution system Asymmetric scheme

Symmetric scheme Pretty Good Privacy (PGP) encryption uses a symmetric key scheme for the session key data, and asymmetric RSA for the sending of the session key, plus a combination of hashing and data compression. Key distribution systems are part of an entire encryption scheme, which typically includes a technology, such as Kerberos (key distribution center) or quantum cryptography.

When HTTPS uses SSL and TLS to encrypt data, what kind of key, symmetric or asymmetric, is used to share session data?

Symmetric, because it is larger and need a faster algorithm. Server and client must know which session key algorithm they will be using before they share data, so they send the key information using asymmetric encryption.

In a secure environment, which authentication mechanism performs better? RADIUS because it encrypts client/server passwords. TACACS+ because it encrypts client/server negotiation dialogs. TACACS+ because it is a remote access authentication service. RADIUS because it is a remote access authentication service.

TACACS+ has a few advantages over RADIUS. It encrypts the initial negotiation between the remote client and the server. It also separates authentication and authorization into two separate functions that introduce another layer of security. Finally, it offers more types of authentication requests than RADIUS. However, RADIUS is more common in Windows environments, whereas TACACS+ is used in a variety of environments. So a security administrator should analyze the IT environment carefully before implementing either of these remote authentication systems. See the section titled "Authentication Models and Components" in Chapter 9, "Physical Security and Authentication Models," for more information.

A company has implemented PPTP as a VPN solution. Which two ports would need to be opened on the firewall in order for this VPN to function properly?

TCP 1723, UDP 47. A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer. The PPTP GRE packet format is non-standard, including an additional acknowledgement field replacing the typical routing field in the GRE header. However, as in a normal GRE connection, those modified GRE packets are directly encapsulated into IP packets, and seen as IP protocol number 47.

All protocols encrypted by SSH, including SFTP, SHTTP, SCP, SExec, and slogin, use what port?

TCP port 22

If a risk has an ALE of $25,000 and an ARO of 50%, what is the value of its SLE?

The (SLE) is $50,000 per event. With an annualize rate of occurrence (ARO) of 50%, this risk is expected to occur once every other year on average, so the annualized loss expectancy (ALE) is equal to the SLE($50,000) times the ARO (.5) or $25,000.

Which of the following concepts does the Diffie-Hellman algorithm rely on? VPN tunneling Key exchange Usernames and passwords Biometrics

The Diffie-Hellman algorithm relies on key exchange before data can be sent. Usernames and passwords are considered a type of authentication. VPN tunneling is done to connect a remote client to a network. Biometrics is the science of identifying people by one of their physical attributes.

You are tasked with selecting an asymmetric encryption method that allows for the same level of encryption strength, but with a lesser key length than is typically necessary. Which encryption method fulfills your requirement? RSA ECC Twofish DHE

The ECC (elliptic curve cryptography) method allows for lesser key lengths but at the same level of strength as other asymmetric methods. This reduces the computational power needed. RSA and Diffie-Hellman require more computational power due to the increased key length. DHE especially uses more CPU power because of the ephemeral aspect. (ECDHE would be the solution in that respect.) Twofish is a symmetric algorithm.

172.16.1.1/16 169.254.50.1/24 10.254.254.1/16 192.168.1.1/16

The IPv4 address 172.16.1.1/16 is a Class B private IP address. It is within the Class B range of 128 to 191. The /16 simply tells us the amount of bits masked within the subnet mask for that IP. /16 equates to 11111111.11111111.00000000.00000000 or 255.255.0.0. For a Class B IP address such as 172.16.1.1, this is the default subnet mask. 10.254.254.1 would normally be Class A, but the /16 in this case makes it classless; it effectively makes what would usually be a Class A address function as a Class B address. 192.168.1.1 would normally be Class C, but the /16 makes it classless as well. 169.254.50.1 would normally be an APIPA Class B private address, but the /24 makes it classless, effectively functioning as a Class C address. You need to use private IP addresses for your internal network to keep them secure and separate from the Internet. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

Which of the following is a Class B private IP address? 10.254.254.1/16 169.254.50.1/24 192.168.1.1/16 172.16.1.1/16

The IPv4 address 172.16.1.1/16 is a Class B private IP address. It is within the Class B range of 128 to 191. The /16 simply tells us the amount of bits masked within the subnet mask for that IP. /16 equates to 11111111.11111111.00000000.00000000 or 255.255.0.0. For a Class B IP address such as 172.16.1.1, this is the default subnet mask. 10.254.254.1 would normally be Class A, but the /16 in this case makes it classless; it effectively makes what would usually be a Class A address function as a Class B address. 192.168.1.1 would normally be Class C, but the /16 makes it classless as well. 169.254.50.1 would normally be an APIPA Class B private address, but the /24 makes it classless, effectively functioning as a Class C address. You need to use private IP addresses for your internal network to keep them secure and separate from the Internet. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

Your boss (the IT director) wants to move several internally developed software applications to an alternate environment, supported by a third-party, in an effort to reduce the footprint of the server room. Which of the following is the IT director proposing? IaaS Community cloud PaaS SaaS

The IT director is most likely proposing that you use infrastructure as a service (IaaS). A cloud-based service, IaaS is often used to house servers (within virtual machines) that store developed applications. It differs from PaaS in that it is the servers, and already developed applications, that are being moved from the server room to the cloud. However, PaaS might also be required if the applications require further development. The most basic cloud-based service, software as a service (SaaS), is when users work with applications (often web-based) that are provided from the cloud. A community cloud is when multiple organizations share certain aspects of a public cloud.

You scan a computer for weak passwords and discover that you can figure out the password by cracking the first seven characters and then cracking the second part of the password separately. What type of hash is being used on the computer? MD5 SHA-1 NTLMv2 LANMAN

The LANMAN hash is a deprecated cryptographic hash function that breaks the password into two parts, the first of which is only seven characters. Due to the LANMAN hash's weakness, NTLMv2 is recommended. MD5 and SHA-1 are more powerful cryptographic hash functions that do not have this problem.

Your organization has a policy that states that user passwords must be at least 16 characters. Your computers use NTLM2 authentication for clients. Which of the following hash algorithms will be used for password authentication? AES LM hash MD5 SHA

The MD5 hashing algorithm is used by NTLM2 authentication. MD5 stands for Message-Digest algorithm 5. It uses a 128-bit key and is a widely used hashing algorithm. LM hash is used with passwords of 14 or fewer characters. If you use a password of 15 characters or more on newer versions of Windows, the OS will store a constant string as the LM hash, which is effectively a null password, and thereby uncrackable. The real password will be stored as an NTLM2 hash and (in this case calculated with MD5) will be used solely. AES is the Advanced Encryption Standard, used widely in wireless networks. SHA is the Secure Hash Algorithm, which employs a 160-bit hash. Newer versions of SHA are more secure than MD5. See the section titled "Hashing Basics" in Chapter 13, "Encryption and Hashing Concepts," for more information.

NDP

The Neighbor Discovery Protocol (NDP) is a protocol in the Internet protocol suite used with Internet Protocol Version 6 (IPv6) for MAC address resolution.

You are in charge of auditing resources and the changes made to those files. Which of the following log files will show any unauthorized changes to those resources? System log file Security log file Application log file Directory Services log file

The Security log file shows any unauthorized changes to the resources that you decide to audit. These resources can include files, folders, printers, and so on. This can work only if object access auditing has been enabled, and if auditing has been turned on for the resource in question. The System log file logs information pertaining to drivers, operating system files, the kernel, and so on. The Application log file logs information pertaining to applications such as Windows Explorer, File Explorer, the Command Prompt, and third-party applications. The Directory Services log file logs information pertaining to the active directory. See the section "Conducting Audits" in Chapter 12, "Monitoring and Auditing," for more information.

You ping a hostname on the network and receive a response including the address 2001:4560:0:2001::6A. What type of address is listed within the response? MAC address IPv4 address IPv6 address Loopback address

The address in the response is a truncated IPv6 address. You can tell it is an IPv6 address because of the hexadecimal numbering, the separation with colons, and the groups of four digits. You can tell it is truncated because of the single zero and the double colon.

Of the following, which is the best way for a person to find out what security holes exist on the network? Use a network sniffer. Run a port scan. Perform a vulnerability assessment. Use an IDS solution.

The best way to find all the security holes that exist on a network is to perform a vulnerability assessment. This may include utilizing a port scanner and using a network sniffer and perhaps using some sort of IDS.

Last week, one of the users in your organization encrypted a file with a private key. This week the user left the organization, and unfortunately the systems administrator deleted the user's account. What are the most probable outcomes of this situation? (Select the two best answers.) The data can be decrypted using the root user account. The file can be decrypted with a PKI. The former user's account can be re-created to access the file. The data can be decrypted using the recovery agent. The data is not recoverable.

The data can be decrypted using the recovery agent. The data is not recoverable. Many systems have a recovery agent that is designed just for this purpose. If the account that encrypted the file is deleted, it cannot be re-created (without different IDs and therefore no access to the file), and the recovery agent will have to be used. If there is no recovery agent (which in some cases needs to be configured manually), then the file will be unrecoverable. This file was encrypted with a private key and needs to be decrypted with a private key - PKI is a system that uses asymmetric key pairs (private and public). The root user account does not have the ability to recover files that were encrypted by other users.

What is a default rule found in a firewall's ACL? Deny all add address=192.168.0.0/16 netsh advfirewall firewall Permit all

The deny all rule is a default rule found in a corporate firewall's access control lists (ACLs). It is an example of the implicit deny concept. Permit all is not a default rule, as that would be quite dangerous. Netsh advfirewall firewall is a command used in Windows to view personal firewall information. Add address=192.168.0.0/16 is a way to disable (or enable) private addressing space. See the section titled "Firewalls and Network Security" in Chapter 7, "Network Perimeter Security," for more information.

You suspect that files are being illegitimately copied to an external location. The file server that the files are stored on does not have logging enabled. Which log should you access to find out more about the files that are being copied illegitimately? Firewall log System log DNS logs Antivirus log

The firewall log can help to find out whether files are being illegitimately copied to an external location. This is the only log listed that can give you any information about files being copied to an external or remote location. DNS logs can find out whether unauthorized zone transfers or DNS poisoning has occurred. Antivirus logs show what viruses have been detected and quarantined on a system. The System log is a log file within the event viewer that provides information about the operating system and device drivers. See the section titled "Conducting Audits" in Chapter 12, "Monitoring and Auditing," for more information.

Which of the following tape backup methods enables daily backups, weekly full backups, and monthly full backups? Grandfather-father-son Towers of Hanoi Differential Incremental

The grandfather-father-son (GFS) backup scheme generally uses daily backups (the son), weekly backups (the father), and monthly backups (the grandfather). The Towers of Hanoi is a more complex strategy based on a puzzle. Incremental backups are simply one-time backups that back up all data that has changed since the last incremental backup. These might be used as the son in a GFS scheme. Differential backups back up everything since the last full backup.

Your network uses the subnet mask 255.255.255.224. Which of the following IPv4 addresses are able to communicate with each other? (Select the two best answers.) 10.36.36.184 10.36.36.158 10.36.36.224 10.36.36.166 10.36.36.126

The hosts using the IP addresses 10.36.36.166 and 10.36.36.184 would be able to communicate with each other because they are on the same subnet (known as subnet ID 5). All of the other answer choices' IP addresses are on different subnets, so they would not be able to communicate with each other (or with the IP addresses of the correct answers) by default. Table 5-6 provides the complete list of subnets and their ranges for this particular subnetted network. It is noteworthy that the answer 10.36.36.224 is not even usable because it is the first IP of one of the subnets. Remember that the general rule is: you can't use the first and last IP within each subnet. That is because they are reserved for the subnet ID and the broadcast addresses, respectively. Table 5-6 - List of Subnets for 10.36.36.0/27 (255.255.255.224 Subnet Mask) Groups of 32 starting with 0-31, 32-63, 64-95, etc. eg *.1 and *.254 not usable

One of the developers in your organization installs a new application in a test system to test its functionality before implementing into production. Which of the following is most likely affected? Initial baseline configuration Baseline comparison Application security Application design

The initial baseline configuration is most likely affected. Because the application has just been installed, there is only an initial baseline, but no other baselines to yet compare with. Since it is a testing environment, and the developer has just installed the application, security is not a priority. The developer probably wants to see what makes the application tick, and possibly reverse engineer it, but is not yet at the stage of application design, and probably won't be until a new application or modification of the current application is designed.

Malware can use virtualization techniques. Why would this be difficult to detect? The malware could be running at a more privileged level than the computer's antivirus software. The malware might be running in the command-line. The malware might be using a Trojan. A portion of the malware might have already been removed by an IDS.

The malware could be running at a more privileged level than the computer's antivirus software. By using privilege escalation, the malware can gain access to the system and possibly run at a higher privilege level than the computer's antivirus software. One of the ways to do this is through the use of virtualization techniques. See the section titled "Computer Systems Security Threats" in Chapter 2, "Computer Systems Security," for more information.

Analyze the following network traffic logs depicting communications between Computer1 and Computer2 on opposite sides of a router. The information was captured by the computer with the IPv4 address 10.254.254.10. Computer1 Computer2 [192.168.1.105]------[INSIDE 192.168.1.1 router OUTSIDE 10.254.254.1] -----[10.254.254.10] LOGS 7:58:36 SRC 10.254.254.1:3030, DST 10.254.254.10:80, SYN 7:58:38 SRC 10.254.254.10:80, DST 10.254.254.1:3030, SYN/ACK 7:58:40 SRC 10.254.254.1:3030, DST 10.254.254.10:80, ACK Given the information, which of the following can you infer about the network communications? 192.168.1.105 is a web server. The router filters port 80 traffic. The web server listens on a nonstandard port. The router implements NAT.

The only one of the listed answers that you can infer from the log is that the router implements network address translation (NAT). You can tell this from the first line of the log, which shows the inside of the router using the 192.168.1.1 IP address and the outside using 10.254.254.1. NAT is occurring between the two at the router. This allows the IP 192.168.1.105 to communicate with 10.254.254.10 ultimately. However, the rest of the logs only show the first step of that communication between 10.254.254.10 and the router at 10.254.254.1. What's really happening here? The router is showing that port 3030 is being used on 10.254.254.1. That is the port used by an online game known as netPanzer. The client (10.254.254.10) is using port 80 to make a web-based connection to the game. You can see the three-way TCP handshake occurring with the SYN, SYN/ACK, and ACK packets. Ultimately, 10.254.254.10 is communicating with 192.168.1.105, but we only see the first stage of that communication to the router. As a security analyst you would most likely want to shut down the use of port 3030, so that employees can be more productive and you have less overall chance of a network breach. As far as the incorrect answers, the router definitely is not filtering out port 80, as traffic is successfully being sent on that port. 192.168.1.105 is not a web server; it is most likely the netPanzer game server. Finally, even though port 80 is used by the client computer, there is likely no web server in this scenario.

Which of the following statements is correct about IPsec authentication headers? The authentication information is a keyed hash based on all the bytes in the packet. The authentication information hash will remain the same even if the bytes change on transfer. The authentication header cannot be used in combination with the IP Encapsulating Security Payload. The authentication information is a keyed hash based on half of the bytes in the packet.

The only statement that is true is that the authentication information is a keyed hash that is based on all the bytes in the packet. A hash will not remain the same if the bytes change on transfer; a new hash will be created for the authentication header (AH). The authentication header can be used in combination with the Encapsulating Security Payload (ESP).

Which of the following is the proper order of functions for asymmetric keys? Decrypt, decipher, and code and encrypt Sign, encrypt, decrypt, and verify Encrypt, sign, decrypt, and verify Decrypt, validate, and code and verify

The proper order of functions for asymmetric keys is as follows: encrypt, sign, decrypt, and verify. This is the case when a digital signature is used to authenticate an asymmetrically encrypted document.

Which of the following OSI model layers is where SSL provides encryption? Application Transport Network Session

The session layer, layer 5 of the OSI model, is where SSL provides encryption. Though it is considered to be an application layer protocol, the actual encryption happens at layer 5. The transport layer deals with ports used by sessions; for example, an SSL session will use port 443. The network layer transmits the actual packets of information from one IP address to another. SSL relies on a PKI to obtain and validate certificates (for example, when you go to a secure e-commerce website). See the section titled "Security Protocols" in Chapter 14, "PKI and Encryption Protocols," for more information.

You are implementing a testing environment for the development team. They use several virtual servers to test their applications. One of these applications requires that the servers communicate with each other. However, to keep this network safe and private, you do not want it to be routable to the firewall. What is the best method to accomplish this? Remove the virtual network from the routing table. Use a virtual switch. Use a standalone switch. Create a VLAN without any default gateway.

The virtual switch is the best option. This virtual device will connect the virtual servers together without being routable to the firewall (by default). Removing the virtual network from the routing table is another possibility; but if you have not created a virtual switch yet, it should not be necessary. A physical standalone switch won't be able to connect the virtual servers together; a virtual switch (or individual virtual connections) is required. Creating a VLAN would also require a physical switch. In that scenario, you can have multiple virtual LANs each containing physical computers (not virtual computers), and each working off of the same physical switch. That answer would keep the VLAN from being routable to the firewall, but not virtual servers.

Which of the following ports is required by an e-commerce web server running SSL? Port 80 outbound Port 443 inbound Port 443 outbound Port 80 inbound

The web server needs to have inbound port 443 open to accept secure requests for SSL sessions from clients. The outbound port doesn't actually matter; it's the inbound port that is important for the server. Inbound port 80 is used by default for regular HTTP connections. See the section titled "Security Protocols" in Chapter 14, "PKI and Encryption Protocols," for more information.

Which of the following is often misused by spyware to collect and report a user's activities? Session cookie Tracking cookie Persistent cookie Web bug

Tracking cookie. Tracking cookies track where a user has been on the Internet. Spyware misuses this to report on a user's activities in many malicious ways. The spyware might open additional advertising websites, share information with third parties, or lead the user to additional malicious websites. See the section titled "Securing the Browser" in Chapter 4, "Application Security," for more information.

What port does TFTP use?

Trivial File Transfer Protocol uses UDP 69

A thumb drive has been used to compromise systems and enable unauthorized access. What kind of malware was most likely installed to the thumb drive? Bot Logic bomb Virus Trojan

Trojans are used to access a system without authorization. They can be installed to USB flash drives, can be remote access programs, or could be unwittingly stumbled upon when accessing disreputable websites. The key phrase here is "unauthorized access"; that is what the Trojan is trying to do. See the section titled "Malicious Software Types" in Chapter 2, "Computer Systems Security Part I," for more information. Incorrect answers: A bot is a computer that performs actions without the user's consent and is often controlled by a remote master computer. Although the bot doesn't enable unauthorized access, a Trojan might carry a bot program as part of its payload. Logic bombs are generally a method of transferring malware and are meant to initiate a malicious function at a specific time. Viruses infect a computer but are not used for unauthorized access.

What are the two best ways to protect a Voice over IP PBX from man-in-the-middle attacks? Install a key system. Use encryption. Use an authentication scheme. Update the Voice over IP system.

Use an authentication scheme. Update the Voice over IP system. By keeping the Voice over IP system up to date, you can avoid a lot of the attacks that look for backdoors or other entrances to the system. Using a strong authentication scheme that has complex passwords is the next best way to protect the system. Key systems are older types of phone systems that you would not want to employ, unless as a backup, if you have a Voice over IP system. Encryption is a good idea for Voice over IP, but it won't necessarily stop a man-in-the-middle attack; however, it will be difficult for the attacker to decrypt the information. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

What are the two best ways to protect a Voice over IP PBX from man-in-the-middle attacks? Select 2 answers Use an authentication scheme. Install a key system. Update the Voice over IP system. Use encryption.

Use an authentication scheme. Update the Voice over IP system. By keeping the Voice over IP system up to date, you can avoid a lot of the attacks that look for backdoors or other entrances to the system. Using a strong authentication scheme that has complex passwords is the next best way to protect the system. Key systems are older types of phone systems that you would not want to employ, unless as a backup, if you have a Voice over IP system. Encryption is a good idea for Voice over IP, but it won't necessarily stop a man-in-the-middle attack; however, it will be difficult for the attacker to decrypt the information. See the section titled "Network Design" in Chapter 5, "Network Design Elements," for more information.

You are contracted with a customer to protect its user data. The customer requires the following: Easy backup of all user data Minimizing the risk of physical data theft Minimizing the impact of failure on any one file server Which of the following solutions should you implement? Use file servers attached to a NAS. Lock the file servers and NAS in a secure area. Use file servers with removable hard disks. Secure the hard disks in a separate area after hours. Back up user files to USB hard disks attached to the customer's systems. Store the USB hard disks in a secure area after hours. Use internal hard disks installed in file servers. Lock the file servers in a secure area.

Use file servers with removable hard disks. Secure the hard disks in a separate area after hours Using file servers with removable hard disks is the best answer. All the other answers do not offer easy backup of user data. The time it would take to use separate USB hard disks makes it anything but easy. The idea of locking entire servers in a secure area doesn't sound easy either. However, securing removable hard disks in a separate area seems like an easy way to implement the solution. It should also minimize the risk of physical data theft because the hard disks are stored in a secure area. Using multiple file servers should minimize the impact of failure on any one file server. See the section "Redundancy Planning" in Chapter 15, "Redundancy and Disaster Recovery," for more information.

The IT director asks you to verify that the organization's virtualization technology is implemented securely. What should you take into consideration? Subnet the network so that each virtual machine is on a different network segment. Verify that virtual machines are multihomed. Perform penetration testing on virtual machines. Verify that virtual machines have the latest service packs and patches installed.

Verify that virtual machines have the latest service packs and patches installed. One of the most important security precautions you can take is to install the latest service packs and patches. This concept applies to regular operating systems, applications, and virtual machines. It is unnecessary for virtual machines to be multihomed because this will not increase their security. Penetration testing should be completed before the virtual machines have been implemented. Subnetting is not necessary for virtual machines, although it can increase security. Subnetting should be taken into account during the planning and implementation stage. See the section titled "Virtualization Technology" in Chapter 3, "OS Hardening and Virtualization," for more information.

You have received several reports from users of corrupted data. You patched the affected systems but are still getting reports of corrupted data. Which of the following methods should you use to help identify the problem? Penetration testing Hardware baseline review Data integrity check Vulnerability scan

Vulnerability scan If the data is becoming corrupted more than once even after an update to the affected systems, you should perform a vulnerability scan to find out what the possible threats and vulnerabilities are to those systems. A data integrity check would simply tell you that the data has been corrupted and, therefore, that integrity is not intact. Penetration testing determines whether a system can be compromised by exploiting a particular threat. A hardware baseline review will tell you how your hardware is performing and how secure it is compared to the last baseline. Baselines are examples of vulnerability assessments, but in this case you need a software-based vulnerability assessment. See the section titled "Conducting Risk Assessments" in Chapter 11, "Vulnerability and Risk Assessment," for more information.

In Windows, which of the following commands will not show the version number? Wf.msc Winver Systeminfo Msinfo32.exe

Wf.msc. Of the answers listed, the only one that will not show the version number is wf.msc. That brings up the Windows Firewall with Advanced Security. All of the other answers will display the version number in Windows.

Anytime there is a phishing attempt of a CEO, either by email, phone, etc. is called what?

Whaling

Which of the following are certificate-based authentication mapping schemes? (Select the two best answers.) One-to-one mapping One to-many mapping Many-to-many mapping Many-to-one mapping Select 2 answers

When dealing with certificate authentication, asymmetric systems use one-to-one mappings and many-to-one mappings.

You have been tasked with segmenting internal traffic between layer 2 devices on the LAN. Which of the following network design elements would most likely be used? DMZ VLAN Routing NAT

You would most likely use a virtual LAN (VLAN). This allows you to segment internal traffic within layer 2 of the OSI model, by using either a protocol-based scheme or a port-based scheme.

17. Which encryption type encrypts 64 bits at a time? Select 3. a. 3 DES b. DES c. Blowfish d. Twofish e. AES f. RC4 g. RSA

a. 3 DES b. DES c. Blowfish Encryption by bits at a time are block ciphers and are symmetric. The block ciphers that encrypt 64-bit at a time are 3 DES, DES and Blowfish. Twofish encrypts 128-bit blocks, AES at 128-, 192-, or 256-bit blocks. RC4 is a streaming cipher (single bit at a time) and RSA is asymmetric.

What type of encryption does RADIUS use? a. Symmetric b. Asymmetric c.

a. Symmetric Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server. When it is provided with the user name and original password given by the user, RADIUS can support PPP, Password Authentication Protocol (PAP), or Challenge Handshake Authentication Protocol (CHAP), UNIX login, and other authentication mechanisms to authenticate users. RADIUS uses UDP on port 1812 for RADIUS authentication messages and UDP port 1813 for RADIUS accounting messages. RADIUS is used to provide authentication, authorization, and accounting services.

What does an incremental backup do during the backup? a. backs up all the files with the archive bit set; resets the archive bit. b. backs up all the files regardless of the archive bit; does not reset the archive bit c. backs up all the files regardless of the archive bit; resets the archive bit d. backs up all the files with the archive bit set; does not reset the archive bit.

a. backs up all the files with the archive bit set; resets the archive bit. An incremental backup only backs up files with the archive bit set (files that have been modified). After backing up the file, the archive bit is reset. the primary attraction to this backup plan is that it requires less storage space and processing time to complete the backup. Restoration starts from the last full backup and then requires the loading of each subsequent incremental backup for a full restoration. A full backup backs up all the files regardless of the archive bit and resets the archive bit. A copy backup backs up all the files without resetting the archive bit. A differential backup backs up all files with the archive bit set but does NOT reset the archive bit.

A small organization can only afford to purchase an all-in-one wireless router/switch. The organization has three wireless BYOD users and two wired web servers. Which of the following should the company configure to protect the servers from the user devices? (select 2 best answers) a. Create a server VLAN b Change the default HTTP port c. Implement EAP-TLS to establish mutual authentication d. Deny incoming connections to the outside router interface. e. Create an ACL for access to the servers f. Disable the physical switch ports

a. create a server VLAN e. create an ACL for access to the servers.

Which of the following would make the best use of a TPM? a. full-disk encryption b. TLS c. secure data removal d. SSH e. Application-based firewall rules.

a. full-disk encryption. TPMs can be used to facilitate FDE. TPMs are typically on the motherboard of a system.

Maggie is compiling a list of approved software for desktop operating systems within a company. What is the MOST likely purpose of this list? a. host software baseline b. baseline reporting c. application configuration baseline d. code review

a. host software baseline A host software baseline (also called an application baseline) identifies a list of approved software for systems and compares it with installed applications. Baseline reporting is a process that monitors systems for changes and reports discrepancies. An application configuration baseline identifies proper settings for applications. A code review looks at the actual code of the software, and doesn't just create a list.

Role Based Access Control (RBAC) Role Based Access Control. In RBAC models,

an administrator defines a series of roles and assigns them to subjects. Different roles can exist for system processes and ordinary users. Objects are set to be a certain type, to which subjects with a certain role have access. This can save an administrator from the tedious job of defining permissions per user.

What concept manages user names, passwords, PINs and other passcodes? a. administrator b. credential management c. Rule-based access control d. MAC

b. credential manager The concept of credential management is the complete management of credentials. For eg., how and where will passwords be stored, when will accounts expire, and how long can passwords be used? These are all part of credential management. Such management is usually accomplished via enforced account policies. If your org. has a policy that passwords must be at least 12 characters long and should be changed every 90 days, then there must be a mechanism to enforce that account policy. Rule-based access control is also known as label-based access control and defines whether access should be granted or denied to objects by comparing the object label and the subject label. Rule-based access control is part of MAC and should not be confused with role-based access control. Mandatory Access Control (MAC) is an access policy determined by a computer system, not by a user or owner, as it is in DAC, Discretionary Access Control.

which of these comes first in order of volatility? a. temporary file system b. network typology c. ARP cache d. remote monitoring data e. archival data

c. ARP cache. ARP is a dynamic resolution protocol, which means that

Remote authenticator that uses TCP 49 by default? a. LDAP b. RADIUS c. TACACS+ d. RAS

c. TACACS+ is a remote authenticator that uses Transmission Control Protocol (TCP) port 49 Remote authenticator RADIUS uses UPD 1812 Remote authenticator LDAP uses TCP/UDP 389 or Secure LDAP over TLS/SSL TCP/UDP 636 RAS began as a service that enabled dial-up connections from remote clients and is still used where other internet connections are not available

What DHCP port is used by the client? a. UDP 67 b. TCP 69 c. UDP 68 d. TCP 68

c. UDP 68 The DHCP employs a connectionless service model, using the User Datagram Protocol (UDP). It is implemented with two UDP port numbers for its operations which are the same as for the BOOTP protocol. UDP port number 67 is the destination port of a server, and UDP port number 68 is used by the client. In most client-server-applications, the port number of a server is a well-known number, while the client uses a currently available port number. DHCP is different.

Which of the following are used to create a digital signature? a. symmetric key b. stream cipher c. private key d. shared secret e. public key

c. private key. The sender uses the private key to create the signature. The receiver uses the public key of the sender to validate the signature.

You check the application log of your web server and see that someone attempted unsuccessfully to enter the text test; etc/passwd into an HTML form field. Which attack was attempted? Code injection SQL injection Command injection Buffer overflow

command injecton. In this case a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. If the attacker tried to inject code, he would not use commands, but rather PHP, ASP, or another language. SQL injections are usually run on databases, not web servers' HTML forms. Buffer overflows have to do with memory and how applications utilize it.

Which part of an all-in-one security appliance would most likely be configured to restrict access to P2P file sharing websites? a. spam filter b. malware inspection c. content inspection d. url filter

d. URL filter. Block by the actual specific web address. Content inspection is not enough. It would have to be content filtering

which of these best describes 3 DES? A. used in WPA2 B. 3 times more complex than DES C. Has been replaced due to a cryptographic vulnerability D. A FIPS- compliant standard

d. a FIPS- compliant standard

What does a differentail backup do during the backup? a. backs up all the files with the archive bit set; resets the archive bit. b. backs up all the files regardless of the archive bit; does not reset the archive bit c. backs up all the files regardless of the archive bit; resets the archive bit d. backs up all the files with the archive bit set; does not reset the archive bit.

d. backs up all the files with the archive bit set; does not reset the archive bit. A differential backup backs up all the files with the archive bit set (files that have been modified) but does NOT reset the archive bit. this backup strategy can create a shorter restoration time than an incremental backup but may consume more disk space depending on the frequency of full backups and the amount and frequency of file changes. Restoration is a two-step process--load the last full backup first, and then finish the restoration by loading the last differential backup. An incremental backup only backs up files with the archive bit set. A full backup backs up all the files regardless of the archive bit and resets the archive bit. A copy backup backs up all files without resetting the archive bit.

Which of these security features is provided by PEAP? a. secure file transfers b.data encryption on wireless networks c. client-based vpn d. encrypt a wireless authentication e. encrypted tunnel between two devices

d. encrypt a wireless authentication

Bart copied an encrypted file from his desktop computer to his USB drive and discovered that the copied file isn't encrypted. He asks you what he can do to ensure files he encrypted remain encrypted when he copies them to a USB drive. What would you recommend as the BEST solution to this problem? a. use file-level encryption b. convert the USB to FAT32. c. use whole disk encryption the the desktop computer. d. use whole disk encryption the the USB drive.

d. use whole disk encryption the the USB drive. The best solution is to use whole disk encryption on the USB drive. The scenario indicates Bart is using file-level encryption (such as NTFS encryption) on the desktop computer, the the USB drive doesn't support it, possibly because it's formatted as a FAT32 drive. The result is that the system decrypts the file before copying it to the USB drive. Another solution is to convert the USB to NTFS. Whole disk encryption on the desktop computer wouldn't protect files copied to the USB drive.

Directive access control A directive access control is

deployed to direct, confine, or control the actions of subject to force or encourage compliance with security policies. Examples of Directive access controls include security guards, guard dogs, security policy, posted notifications, escape route exit signs, monitoring, supervising, work task procedures, and awareness training. Access controls can be further categorized by how they are implemented. In this case, the categories are administrative, logical/technical, or physical.

Deterrent access control

deployed to discourage the violation of security policies. A deterrent control picks up where prevention leaves off. The deterrent doesn't stop with trying to prevent an action; instead, it goes further to exact consequences in the event of an attempted or successful violation. Examples of deterrent access controls include locks, fences, security badges, security guards, mantraps, security cameras, trespass or intrusion alarms, separation of duties, work task procedures, awareness training, encryption, auditing, and firewalls.

Detective access control A detective access control is

deployed to discover unwanted or unauthorized activity. Often detective controls are after-the-fact controls rather than real-time controls. Examples of detective access controls include security guards, guard dogs, motion detectors, recording and reviewing of events seen by security cameras or CCTV, job rotation, mandatory vacations, audit trails, intrusion detection systems, violation reports, honey pots, supervision and reviews of users, incident investigations, and intrusion detection systems.

Compensation access control a compensation access control is

deployed to provide various options to other existing controls to aid in the enforcement and support of a security policy. Examples of compensation access controls include security policy, personnel supervision, monitoring, and work task procedures. Compensation controls can also be considered to be controls used in place of or instead of more desirable or damaging controls. For example, if a guard dog cannot be used because of the proximity of a residential area, a motion detector with a spotlight and a barking sound playback device can be used.

Recovery access control A recovery access control is

deployed to repair or restore resources, functions, and capabilities after a violation of security policies. Recovery controls have more advanced or complex capability to respond to access violations than a corrective access control. For example, a recovery access control can repair damage as well as stop further damage. Examples of recovery access controls include backups and restores, fault tolerant drive systems, server clustering, antivirus software, and database shadowing.

Corrective access control A corrective access control is

deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Usually corrective controls have only a minimal capability to respond to access violations. Examples of corrective access controls include intrusion detection systems, antivirus solutions, alarms, mantraps, business continuity planning, and security policies.

Preventative access control

deployed to stop unwanted or unauthorized activity from occurring. Examples of preventative access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access control methods, encryption, auditing, presence of security cameras or closed circuit television (CCTV), smart cards, callback, security policies, security awareness training, and antivirus software.

Which of the following would be most likely filtered by an IPS. a. Spam b. windows virus c. URL hijack d. MitM attackkkk e. Windows OS exploit

e. Windows OS exploit

Your organization's servers and applications are being audited. One of the IT auditors tests an application as an authenticated user. Which of the following testing methods is being used? White-box Gray-box Black-box Penetration testing

gray-box. This would be an example of gray-box testing. The IT auditor is not an employee of the company (which is often a requirement for white-box testing) but rather an outside consultant. Being an outside consultant, the IT auditor should not be given confidential details of the system to be tested. However, the auditor was given a real login, so the auditor cannot be employing black-box testing. Penetration testing might be occurring in this scenario as well - this is when an auditor, or other security expert, tests servers' network connections for vulnerabilities. But the scenario only states that the auditor is testing an application.

Joe, a security analyst, is asked by a co-worker, "What is this AAA thing all about in the security world? Sounds like something I can use for my car." Which of the following terms should Joe discuss in his response to his co-worker? (Select THREE). A. Accounting ​B. Accountability ​C. Authorization D. Authentication E. Agreement

​B. Accountability C. Authorization D. Authentication