Security - Chapter 6
Which of the following ports are used with TACACS?
49
What ports does LDAP use by default? (Select two.)
636 389
You want to increase the security of your network by allowing only authenticated users to access network devices through a switch. Which of the following should you implement?
802.1x
Which of the following are requirements to deploy Kerberos on a network? (Select two.)
A centralized database of users and passwords Time synchronization between devices.
Which of the following is an appropriate definition of a VLAN?
A logical grouping of devices based on service need, protocol, or other criteria.
Which of the following is the best example of remote access authentication?
A user establishes a dial-up connection to a server to gain access to shared resources.
Drag the description on the left to the appropriate switch attack shown on the right. Drag: Causes packets to fill up the forwarding table and consumes so much of the switch's memory that it enters a state called fail open mode. The source device sends frames to the attacker's MAC address instead of the correct device. Can be used to hide the identity of the attacker's computer or impersonate another device on the network. Should be disabled on he switch's end user (access) ports before implementing the switch configuration into the network. Drop: ARP Spoofing / Poisoning Dynamic Trunking Protocol MAC Flooding MAC Spoofing
ARP Spoofing / Poisoning - The source device sends frames to the attacker's MAC address instead of the correct device. Dynamic Trunking Protocol - Should be disabled on the switch's end user (access) ports before implementing the switch configuration into the network. MAC Flooding - Causes packets to fill up the forwarding table and consumes so much of the switch's memory that it enters a state called fail open mode. MAC Spoofing - Can be used to hide the identity of the attacker's computer or impersonate another device on the network.
Which of the following switch attacks associates the attacker's MAC address with the IP address of the victim's devices?
ARP spoofing/poisoning
Which is a typical goal of MAC spoofing?
Bypassing 802.1x port-based security
Which remote access authentication protocol periodically and transparently re-authenticates during a logon session by default?
CHAP
You are configuring a dial-up connection to a remote access server. Which protocols would you choose to establish the connection and authenticate, providing the most secure connection possible? (Select two.)
CHAP PPP
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID for access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using a Telnet client with a user name of admin and a password of admin. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device? (Select two.)
Change the default administrative user name and password. Use a SSH client to access the router configuration.
You've just deployed a new Cisco router so you can connect a new segment to your organization's network. The router is physically located in a server room that can only be accessed with an ID card. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration from your notebook computer by connecting it to the console port on the router. The web-based management interface uses the default user name of cusadmin and a password of highspeed. What should you do to increase the security of this device?
Change the user name and create a more complex password.
Which of the following are performed by the Microsoft Baseline Security Analyzer (MBSA) tool? (Select three.)
Check for missing patches Check for open ports Check user accounts for weak passwords.
You have a small network of devices connected using a switch. You want to capture the traffic that is sent from Host A to Host B. On Host C, you install a packet sniffer that captures network traffic. After running the packet sniffer, you cannot find any captured packets between Host A and Host B. What should you do?
Configure port mirroring
You have configured an NIDS to monitor network traffic. Which of the following describes harmless traffic that has been identified as a potential attack by the NIDS device?
False positive
You are implementing a new application control solution. Prior to enforcing your application whitelist, you want to monitor user traffic for a period of time to discover user behaviors and log violations for later review. How should you configure the application control software to handle applications not contained in the whitelist?
Flag
What do host-based intrusion detection systems often rely upon to perform detection activities?
Host system auditing capabilities
As a security precaution, you have implemented IPsec that is used between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement?
Host-based IDS
Which of the following devices can monitor a network and detect potential security attacks?
IDS
Which of the following are security devices that perform stateful inspection of packet data and look for patterns that indicate malicious code? (Select two.)
IDS IPS
Which of the following devices is capable of detecting and responding to security threats?
IPS
You are concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible. Which tool should you use?
IPS
Your organization's security policy specifies that peer-to-peer file sharing is not allowed. Recently, you received an anonymous tip that an employee has been using a BitTorrent client to download copyrighted media while at work. You research BitTorrent and find that it uses TCP ports 6881-6889 by default. When you check your perimeter firewall configuration, only ports 80 and 443 are open. When you check your firewall logs, you find that no network traffic using ports 6881-6889 has been blocked. What should you do?
Implement an application control solution.
Your organization uses a web server to host an e-commerce site. Because this web server handles financial transactions, you are concerned that it could become a prime target for exploits. You want to implement a network security control that will analyze the contents of each packet going to or from the web server. The security control must be able to identify malicious payloads and block them. What should you do?
Implement an application-aware IPS in front of the web server.
A security administrator need sto run a vulnerability scan that will analyze a system from the perspective of a hacker attacking the organization from the outside. What type of scan should he use?
Non-credentialed scan
Which of the following can make passwords useless on a router?
Not controlling physical access to the router.
Which of the following identifies standards and XML formats for reporting and analyzing system vulnerabilities?
OVAL
You have a network with three remote access servers, a RADIUS server used for authentication and authorization, and a second RADIUS server used for accounting. Where should you configure remote access policies?
On the RADIUS server used for authentication and authorization.
Which of the following authentication protocols transmits passwords in cleartext, and is, therefore, considered too insecure for modern networks?
PAP
You are concerned about attacks directed against the firewlal on your network. You would like to examine the content of individual frames sent to the firewall. Which tool should you use?
Packet sniffer
You want to know which protocols are being used on your network. You'd like to monitor network traffic and sort traffic by protocol. Which tool should you use?
Packet sniffer
What common design feature among instant messaging clients make them less secure than other means of communicating over the internet?
Peer-to-peer networking
CHAP performs which of the following security functions?
Periodically verifies the identity of a peer using a three-way handshake.
You have run a vulnerability scanning tool and identified several patches that need to be applied to a system. What should you do next after applying the patches?
Run the vulnerability assessment again.
You can use a variety of methods to manage the configuration of a network router. Match the management option on the right with its corresponding description on the left. (Each option can be used more than once.) Drag: - Uses public-key cryptography - Transfers data in cleartext - Cannot be sniffed Drop: - SSL - HTTP - SSH - Telnet - Console port
SSL - Uses public-key cryptography HTTP - Transfers data in cleartext SSH - Uses public-key cryptography Telnet - Transfers data in cleartext Console Port - Cannot be sniffed
What type of attack is most likely to succeed with communications between instant messaging clients?
Sniffing
Which of the following solutions would you implement to eliminate switching loops?
Spanning tree
You manage a network that uses multiple switches. You want to provide multiple paths between switches to that if one link goes down, an alternate path is available. Which feature should your switch support?
Spanning tree
You manage a single subnet with three switches. These switches are connected to provide redundant paths between the switches. Which feature prevents switching loops and ensures there is only a single active path between any two switches?
Spanning tree
When configuring VLANs on a switch, what type of switch ports are members of all VLANs defined on the switch?
Trunk ports
You want to use a vulnerability scanner to check a system for known security risks. What should you do first?
Update the scanner definition files.
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a locked server closet. You use an FTP client to regularly back up the router configuration to a remote server in an encrypted file. You access the router configuration interface from a notebook computer that is connected to the router's console port. You've configured the device with the user name admin01 and the password P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device?
Use SCP to back up the router configuration to a remote location.
In this VLAN configuration shown in the diagram above, workstations in VLAN1 are not able to communicate with workstations in VLAN2, even though they are connected to the same physical switch. Which of the following can you use to allow workstations in VLAN1 to communicate with the workstations in VLAN2? (Select two. Each correct answer is a complete solution.)
Use a layer 3 switch to route packets between VLAN1 and VLAN2 Use a router to route packets between VLAN1 and VLAN2.
You've jut deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID card to gain access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer by connecting it to the console port on the router. You configured the management interface with a username of admin and a password of password. What should you do to increase the security of this device?
Use a stronger administrative password.
Your organization has started receiving phishing emails. You suspect that an attacker is attempting to find an employee workstation they can compromise. You know that a workstation can be used as a pivot point to gain access to more sensitive systems. Which of the following is the most important aspect of maintaining network security against this type of attack?
User education and training
Which of the following are characteristics of TACACS+? (Select two.)
Uses TCP Allows three different servers, one each for authentication, authorization, and accounting.
You run a small network for your business that has a single router connected to the Internet and a single switch. You keep sensitive documents on a computer that you would like to keep isolated from other computers on the network. Other hosts on the network should not be able to communicate with this computer through the switch, but you still need to access the network through the computer. What should you use for this situation?
VLAN
Your company is a small start-up company that has leased office space in a building shared by other businesses. All businesses share a common network infrastructure. A single switch connects all devices in the building to the router that provides Internet access. You would like to make sure that your computers are isolated from computers used by other companies. Which feature should you request to have implemented?
VLAN
You manage a network that uses a single switch. All ports within your building connect through the single switch. In the lobby of your building are three RJ-45 ports connected to the switch. You want to allow visitors to plug into these ports to gain Internet access, but they should not have access to any other devices on your private network. Employees connected throughout the rest of your building should have both private and Internet access. Which feature should you implement?
VLANs
You want to be able to identify the services running on a set of servers on your network. Which tool would best give you the information you need?
Vulnerability scanner
You want to use a tool to see packets on a network, including the source and destination of each packet. Which tool should you use?
Wireshark
Based on the VLAN configuration shown in the diagram above, which of the following is not true?
Workstations in VLAN1 are able to communicate with workstations in VLAN2 because they are connected to the same physical switch.
The IT manager has asked you to create a separate VLAN to be used exclusively for wireless guest devices to connect to. Which of the following is the primary benefit of creating this VLAN?
You can control security by isolating wireless guest devices within this VLAN.
Which of the following is NOT an administrative benefit of implementing VLANs?
You can simplify routing traffic between separate networks.
In which of the following situations would you use port security?
You want to restrict the devices that could connect through a switch port.
Which of the following is a characteristic of TACACS+?
Encrypts the entire packet, not just authentication packets.
RADIUS is primarily used for what purpose?
Authenticating remote clients before access to the network is granted.
While developing a network application, a programmer adds functionality that allows her to access the running program without authentication so she can capture debugging data. The programmer forgets to remove this functionality prior to finalizing the code and shipping the application. What type of security weakness does this represent?
Backdoor
Network-based intrusion detection is most suited to detect and prevent which types of attacks?
Bandwidth-based denial of service
You are the network administrator for a city library. Throughout the library are several groups of computers that provide public access to the Internet. Supervision of these computers has been difficult. You've had problems with patrons bringing personal laptops into the library and disconnecting the network cables from the library computers to connect their laptops to the Internet. The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a switch. You want to restrict access to the network so only the library computers are permitted connectivity to the Internet. What can you do?
Configure port security on the switch.
Which of the following applications typically use 802.1x authentication? (Select two.)
Controlling access through a switch Controlling access through a wireless access point
You notice that over the last few months more and more static systems, such as the office environment control system, the security system, and lighting controls, are connecting to your network. You know that these devices can be a security threat. Which of the following measures can you take to minimize the damage these devices can cause if they are compromised?
Create a VLAN to use as a low-trust network zone for these static systems to connect to. If your network has static systems, such as IoT devices, then you probably want to have them on their own network segment. This minimizes the damage they can cause to a single network segment and makes identifying issues with them much easier. The most common way to segment networks is to create VLANs for each network zone. You do have some control over static systems, but very little, so they would be best be placed in a low-trust zone. The Internet would be classified as a no-trust zone, since you have no control over it.
A security administrator logs on to a Windows server on her organization's network. She then runs a vulnerability scan on that sever. What type of scan was conducted in this scenario?
Credentialed scan
Which protocol should you disable on the user access ports of a switch?
DTP
You are using a vulnerability scanner that conforms to the OVAL specifications. Which of the following items contains a specific vulnerability or security issue that could be present on a system?
Definition
Which of the following functions can a port scanner provide? (Select two.)
Determining which ports are open on a firewall. Discovering unadvertised servers.
Which of the following best describes the concept of a virtual LAN?
Devices on the same network logically grouped as if they were on separate networks
As a security professional, you need to understand your network on multiple levels. You should focus on the following areas: 1. Entry points 2. Inherent vulnerabilities 3. Documentation 4. Network baseline Drag the area of focus on the left to the appropriate example on the right. (Areas of focus may be used once, more than once, or not at all.) Drag: Entry points Inherent vulnerabilities Documentation Network baseline Drop: IoT and SCADA devices. Used to identify a weak network architecture or design. Public-facing servers, workstations, Wi-Fi networks, and personal devices. An older version of Windows that is used for a particular application. What activity looks like in normal day-to-day usage.
IoT and SCADA devices. - Inherent vulnerabilities Used to identify a weak network architecture or design - Documentation Public-facing severs, workstations, Wi-Fi networks, and personal devices. - Entry points An older version of Windows that is used for a particular application. - Inherent vulnerabilities What activity looks like in normal day-to-day usage. - Network baseline
You want to check a server for user accounts that have weak passwords. Which tool should you use?
John the Ripper
Which of the following describes a false positive when using an IPS device?
Legitimate traffic being flagged as malicious
Which of the following activities are considered passive in regards to the function of an intrusion detection system? (Choose two.)
Listening to network traffic Monitoring the audit trails on a server
Which of the following attacks, if successful, causes a switch to function like a hub?
MAC flooding
You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device that is connected to a hub with three other computers. The hub is connected to the same switch that is connected to the router. When you run the software, you see frames addressed to the four workstations, but not to the router. Which feature should you ignore?
Mirroring
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a cubicle near your office. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using an SSH client with the user name admin01 and the password P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device?
Move the router to a secure server room.
Which of the following is a feature of MS-CHAP v2 that is not included in CHAP?
Mutual authentication
You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tools should you use? (Select two.)
Nessus Retina
You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use?
Network mapper
Your network devices ar?e categorized into the following zone types: 1. No-trust zone 2. Low-trust zone 3. Medium-trust zone 4. High-trust zone Your network architecture employs multiple VLANs for each of these network zones. Each zone is separated by a firewall that ensures only specific traffic is allowed. Which of the following is the secure architecture concept that is being used on this network?
Network segmentation
Drag the network attack technique on the left to the appropriate description or example on the right. (Each technique may be used once, more than once, or not at all.) Drag: Active attack Passive attack External attack Inside attack Drop: Perpetrators attempt to compromise or affect the operations of a system Unauthorized individuals try to breach a network from off-site. Attempting to find the root password on a web server by brute force. Attempting to gather information without affecting the flow of information on the network. Sniffing network packets or performing a port scan.
Perpetrators attempt to compromise or affect the operations of a system - Active attack Unauthorized individuals try to breach a network from off-site. - External attack Attempting to find the root password on a web server by brute force. - Active attack Attempting to gather information without affecting the flow of information on the network. - Passive attack Sniffing network packets or performing a port scan. - Passive attack
You manage a network that uses switches. In the lobby of your building are three RJ-45 ports connected to a switch. You want to make sure that visitors cannot plug in their computers to the free network jacks and connect to the network. However, employees who plug into those same jacks should be able to connect to the network. What feature should you configure?
Port authentication
You want to make sure that a set of servers will only accept traffic for specific network services. You have verified that the servers are only running the necessary services, but you also want to make sure that the servers will not accept packets sent to those services. Which tool should you use?
Port scanner
Instant messaging does not provide which of the following?
Privacy
A relatively new employee in the data entry cubical farm was assigned a user account similar to the other data entry employees' accounts. However, audit logs have shown that this user account has been used to change ACLs on several confidential files and has accessed data in restricted areas. This situation indicates which of the following has occurred?
Privilege escalation
An attacker has obtained the logon credentials for a regular user on your network. Which type of security threat exists if this user account is used to perform administrative functions?
Privilege escalation
You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device, which is connected of the same hub that is connected to the router. When you run the software, you only see frames addressed to the workstation, not to other devices. Which feature should you configure?
Promiscuous mode
You have recently reconfigured FTP to require encryption of both passwords and data transfers. You would like to check network traffic to verify that all FTP passwords and data are encrypted. Which tool should you use?
Protocol analyzer
You want to identify traffic that is generated and sent through the network by a specific application running on a device. Which tool should you use?
Protocol analyzer
Which of the following are differences between RADIUS and TACACS+?
RADIUS combines authentication and authorization into a single function; TACACS+ allos these services to be split between different servers.
You want to set up a service to allow multiple users to dial into the office server from modems on their home computers. What service should you implement?
RAS
You often travel away from the office. While traveling, you would like to use a modem on your laptop computer to connect directly to a server in your office and access files. You want the connection to be as secure as possible. Which type of connection will you need?
Remote access
A virtual LAN can be created using which of the following?
Switch
When configuring VLANs on a switch, what is used to identify which VLAN a device belongs to?
Switch port
Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.)
TACACS+ RADIUS
Which of the following is the type of port scan that does not complete the full three-way TCP handshake, but rather listens only for either SYN/ACK or RST/ACK packets?
TCP SYN scan
Which actors can a typical passive intrusion detection system (IDS) take when it detects an attack? (Select two.)
The IDS logs all pertinent data about the intrusion An alert is generated and delivered via email, the console, or an SNMP trap.
Which of the following describes the worst possible action by an IDS?
The system identified harmful traffic as harmless and allowed it to pass without generating any alerts.
When using Kerberos authentication, which of the following terms is used to describe the token that verifies the user's identity to the target system?
Ticket
Which of the following are required when implementing Kerberos for authentication and authorization? (Select two.)
Time synchronization Ticket granting server
A honeypot is used for which purpose?
To delay intruders in order to gather auditing data