TestOut Chapter 14 - Network Hardening
14.3.9 You have a company network with a single switch. ll devices connect to the network through the switch. You want to control which devices will be able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access to all network devices except for a special server that holds the patches that the computers need to download. Which of the following components will be part of you solution? (Select two.) - Honeypot - DMZ - 802.1x authentication - Extranet - Remediation servers
- 802.1x authentication - Remediation servers
14.1.9 Which of the following are security devices that perform stateful inspection of packet data, looking for patterns that indicate malicious code? (Select two.) - ACL - Firewall - VPN - IPS - IDS
- IPS - IDS
14.1.9 Which of the following activities are considered passive in regards to the function of an intrusion detection system? (Select two.) - Monitoring the audit trails on a server - Disconnecting a port being used by a zombie - Transmitting FIN or RES packets to an external host - Listening to network traffic
- Monitoring the audit trails on a server - Listening to network traffic
14.1.9 Creating fake resources such as honeypots, honeynets, and tarpits fulfills which of the following main intrusion detection and prevention goals? (Select two.) - Offers attackers a target that occupies their time and attention while distracting them from valid resources. - Detect anomalous behavior that varies from standard activity patterns, also referred to as heuristic recognition. - Lures attackers into a non-critical network segment where their actions are passively monitored and logged, then shuns the attacker by simply dropping their connection. - Detect attacks that are unique to the services on valid system resources and monitor application activity. - Entices attackers to reveal their IDs signatures, which can then be matched to known attack patterns. - Reveals information about an attacker's method and gathers evidence for identification or prosecution purposes.
- Offers attackers a target that occupies their time and attention while distracting them from valid resources. - Reveals information about an attacker's method and gathers evidence for identification or prosecution purposes.
14.1.9 An active IDS system often performs which of the following actions? (Select two.) - Request a second logon test for users performing abnormal activities. - Perform reverse lookups to identify an intruder. - Trap and delay the intruder until the authorities arrive. - Update filters to block suspect traffic.
- Perform reverse lookups to identify an intruder. - Update filters to block suspect traffic.
14.2.4 Which of the following activities are typically associated with a penetration test? (Select two.) - Running a port scanner - Running a vulnerability scanner on network servers - Attempting social engineering - Interviewing employees to verify the security policy is being followed. - Creating a performance baseline
- Running a port scanner - Attempting social engineering
14.1.9 What actions can a typical passive intrusion detection system (IDS) take when it detects an attack? (Select two.) - The IDS configuration is changed dynamically, and the source IP address is banned. - The IDS logs all pertinent data about the intrusion. - LAN-side clients are halted and removed from the domain. - An alert is generated and delivered via email, the console, or an SNMP trap.
- The IDS logs all pertinent data about the intrusion. - An alert is generated and delivered via email, the console, or an SNMP trap.
14.3.9 Match the port security MAC address type on the left with its description on the right. Drag - SecureConfigured - SecureDynamic - SecureSticky Drop - A MAC address manually identified as an allowed address. - A MAC address that has been learned and allowed by the switch. - A MAC address that is manually configured or dynamically learned that is saved in the config file.
A MAC address manually identified as an allowed address. - SecureConfigured A MAC address that has been learned and allowed by the switch. - SecureDynamic A MAC address that is manually configured or dynamically learned that is saved in the config file. - SecureSticky
14.2.4 A security administrator is conducting a penetration test on a network. She connects a notebook system running Linux to the wireless network then uses NMAP to probe various network hosts to see which operating system they are running. Which process did the administrator use in the penetration test in this scenario? - Network enumeration - Active fingerprinting - Firewalking - Passive fingerprinting
Active fingerprinting
14.1.9 You are concerned about protecting your network from network-based attacks from the internet. Specifically, you are concerned about zero day attacks (attacks that have not yet been identified or that do not have prescribed protections.) Which type of device should you use? - Signature-based IDS - Anti-virus scanner - Anomaly-based IDS - Host-based firewall - Network-based firewall
Anomaly-based IDS
14.1.9 What does a tarpit specifically do to detect and prevent intrusion into your network? - Answers connection requests in such a way that the attacking computer is stuck for a period of time. - Entices intruders by displaying a vulnerability, configuration flow, or data that appears to be of value. - Passively monitors and logs suspicious activity until it detects a known attack pattern, then shuns the intruder by dropping their connection. - Uses a packet sniffer to examine network traffic and identify known attack patterns, then locks the attacker's connection to prevent any further intrusion activities.
Answers connection requests in such a way that the attacking computer is stuck for a period of time.
14.3.9 You are the network administrator for a city library. Throughout the library, there are several groups of computers that provide public access ot the internet. Supervision of these computers has been difficult. You've had problems with patrons bringing personal laptops into he library and disconnecting the network cables from the library computers to connect their laptops to the internet. The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a switch. You want to restrict access to the network so only the library computers are permitted connectivity to the internet. What can you do to fix this problem? - Create a VLAN for each group of four computers. - Remove the hub and place each library computer on its own access port. - Create static MAC addresses for each computer and associate them with a VLAN. - Configure port security on the switch.
Configure port security on the switch.
14.3.9 A network switch detects a DHCP frame on the LAN that appears to have come from a DHCP server that is not located on the local network. In fact, it appears to have originated from outside the organization's firewall. As a result, the switch drops the DHCP message from that server. Which security feature was enabled on the switch to accomplish this? - DHCP snooping - Dynamic ARP inspection - IGMP snooping - Port security
DHCP snooping
14.3.9 Which of the following actions should you take to reduce the attack surface of a server? - Install anti-malware software. - Install a host-based IDS. - Disable unused services. - Install the latest patches and hotfixes.
Disable unused services.
14.3.9 A network switch is configured to perform the following validation checks on its ports: - All ARP requests and responses are intercepted. - Each intercepted request is verified to ensure that it has a valid IP-to-MAC address binding. - If the packet has a valid binding, the switch forwards the packet to the appropriate destination. - If the packet has an invalid binding, the switch drops the ARP packet. Which security feature was enabled on the switch to accomplish this task? - Dynamic ARP Inspection - IGMP snooping - DHCP snooping - Port security
Dynamic ARP Inspection
14.3.9 Match the network access protection (NAP) component on the left with its description on the right. Drag - NAP client - NAP server - Enforcement server (ES) - Remediation server Drop - Generates a statement of health (SoH) that reports the client configuration for health requirements. - Runes the System Health Validator (SHV) program. - Is clients' connection point to the network. - Contain resources accessible to non-compliant computers on the limited-access network.
Generates a statement of health (SoH) that reports the client configuration for health requirements. - NAP client Runs the System Health Validator (SHV) program. - NAP server Is clients' connection point to the network. - Enforcement server (ES) Contain resources accessible to non-compliant computers on the limited-access network - Remediation server
14.1.9 As a security precaution, you have implemented IPsec between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? - Port scanner - Host-based IDS - Network-based IDS - VPN concentrator - Protocol analyzer
Host-based IDS
14.1.9 What security mechanism can be used to detect attacks originating on the internet or from within an internal trusted subnet? - Security alarm - Firewall - IDS - Biometric system
IDS
14.1.9 You are concerned about attacks directed against the firewall on your network. You want to be able to identify attacks and be notified of attacks. In addition, you want the system to take immediate action when possible to stop ore prevent the attack. Which tool should you use? - Packet sniffer - IPS - Port scanner - IDS
IPS
14.2.4 Match each network enumeration technique on the left with its corresponding description on the right. Drag - Wardriving - War dialing - Banner grabbing - Firewalking Drop - Identifying phone numbers with modems - Scanning for wireless access points - Identifying operating system type and version number - Identifying services that can pass through a firewall
Identifying phone numbers with modems - War dialing Scanning for wireless access points - Wardriving Identifying operating system type and version number - Banner grabbing Identifying services that can pass through a firewall - Firewalking
14.2.4 You have decided to perform a double blind penetration test. Which of the following actions would you perform first? - Run system fingerprinting software. - Engage in social engineering. - Perform operational reconnaissance. - Inform senior management.
Inform senior management.
14.3.9 Members of the sales team use laptops to connect to the company network. While traveling, they connect their laptops to the internet through airport and hotel networks. You are concerned that these computers will pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connection to your network unless anti-virus software and the latest operating system patches have been installed. Which solution should you use? - VLAN - NAC - NIDS - DMZ - NAT
NAC
14.2.4 A security administrator is conducting a penetration test on a network. She connects a notebook system to a mirror port on a network switch. She then uses a packet sniffer to monitor network traffic to try and determine which operating systems are running on network hosts. Which process did the administrator use in the penetration test in this scenario? - Active fingerprinting - Firewalking - Passive fingerprinting - Network enumeration
Passive fingerprinting
14.2.4 Which of the following uses hacking techniques to proactively discover internal vulnerabilities? - Reverse engineering - Inbound scanning - Penetration testing - Passive reconnaissance
Penetration testing
14.1.9 Properly configured passive IDS and system audit logs are an integral part of a comprehensive security plan. What step must be taken to ensure that the information is useful in maintaining a secure environment? - Periodic reviews must be conducted to detect malicious activity or policy violations. - The accounting department must compress the longs on a quarterly basis. - All files must be verified with the IDs checksum. - All logs should be deleted and refreshed monthly.
Periodic reviews must be conducted to detect malicious activity or policy violations.
14.3.9 You manage a network that uses switches. In the lobby of your building are three RJ45 ports connected to a switch. You want to make sure that visitors cannot plug in their computers into the free network jacks and connect tot he network, but you want employees who plug into those same jacks should be able to connect to the network. What feature should you configure? - Bonding - Mirroring - VLANs - Port authentication - Spanning tree
Port authentication
14.1.9 You want to make sure that a set of servers will only accept traffic for specific network services. You have verified that the servers are only running services, but you also want to make sure that the servers will not accept packets sent to those services. Which tool should you use? - Packet sniffer - IPS - System logs - IDS - Port scanner
Port scanner
14.3.9 Which type of security uses MAC addresses to identity devices that are allowed or denied a connection to a switch? - Port security - Traffic shaping - MAC spoofing - Secure Sockets Layer
Port security
14.3.9 A network utilizes a network access control (NAC) solution to protect against malware. When a wired or wireless host tries to connect to the network, a NAC agent on the host checks it to make sure it has all of the latest operating system updates installed and that the latest antivirus definitions have been applied. What is this process called? - Posture assessment - Remediation - Quarantine - Port security
Posture assessment
14.1.9 Which of the following is the most common detection method used by an IDS? - Anomaly - Behavior - Heuristic - Signature
Signature
14.1.9 If maintaining confidentiality is of the utmost importance to your organization, what is the best response when an intruder is detected on your network? - Delay the intruder. - Record audit trails about the intruder. - Terminate the intruder's session. - Monitor the intruder's actions.
Terminate the intruder's session.
14.2.4 What is the primary purpose of penetration testing? - Assess the skill level of new IT security staff. - Test the effectiveness of your security perimeter. - Infiltrate a competitor's network. - Evaluate newly deployed firewalls.
Test the effectiveness of your security perimeter.
14.1.9 You have just installed a new network-based IDS system that uses signature recognition. What should you do on a regular basis? - Generate a new baseline. - Modify clipping levels. - Update the signature files. - Check for backdoors.
Update the signature files.
14.3.9 Your company is a small start-up that has leased office space in a building shared by other businesses. All businesses share a common network infrastructure. A single switch connects all devices in the building to the router that provides internet access. You would like to make sure that your computers are isolated from computers used by other companies. Which feature should you request to have implemented. - Spanning tree - Port security - VPN - VLAN
VLAN
14.2.4 What is the main difference between vulnerability scanning and penetration testing? - Vulnerability scanning uses approved methods and tools; penetration testing uses hacking tools. - Vulnerability scanning is performed with a detailed knowledge of the system; penetration testing starts with no knowledge of the system. - Vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter. - The goal of vulnerability scanning is to identify potential weaknesses; the goal of penetration testing is to attack a system.
Vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter.
14.2.4 Drag each penetration test characteristic on the left to the appropriate penetration test name on the right. Drag - The tester has no prior knowledge of the target system. - The tester has detailed information about the target system prior to starting the test. - The tester has the same amount of information that would be available to a typical insider int he organization. - The tester does not have prior information about the system, and the administrator has no knowledge that the test is being performed. - Either the attacker has prior knowledge about the target system or the administrator knows that the test is being performed. Drop - White box test - Grey box test - Black box test - Single-blind test - Double-blind test
White box test - The tester has detailed information about the target system prior to starting the test. Grey box test - The tester has the same amount of information that would be available to a typical insider int he organization. Black box test - The tester has no prior knowledge of the target system. Single-blind test - Either the attacker has prior knowledge about the target system or the administrator knows that the test is being performed. Double-blind test - The tester does not have prior information about the system, and the administrator has no knowledge that the test is being performed.
14.3.9 In which of the following situations would you use port security? - You want to control the packets sent and received by a router. - You want to restrict the devices that could connect through a switch port. - You want to prevent MAC address spoofing. - You want to prevent sniffing attacks on the network.
You want to restrict the devices that could connect through a switch port.
14.2.4 Which of the following types of penetration test teams will provide you information that is most revealing of a real-world hacker attack? - Partial knowledge team - Split knowledge team - Zero knowledge team - Full knowledge team
Zero knowledge team