CISSP | Test Questions | Domain 2 | Telecommunications & Network Security

Which of the following configurations is not a good security practice for a single domain name system (DNS) name server to perform? a. Both authoritative name server and recursive name server b. Both caching name server and local name server c. Both primary name server and secondary name server d. Both master name server and slave name server

a. A specific name server can be configured to be both an authoritative and a recursive name server. In this configuration, the same name server provides authoritative information for queries pertaining to authoritative zones while it performs the resolving functions for queries pertaining to other zones. To perform the resolving function, it has to support recursive queries. Any server that supports recursive queries is more vulnerable to attack than a server that does not support such queries. As a result, authoritative information might be compromised. Therefore, it is not a good security practice to configure a single name server to perform both authoritative and recursive functions. Caching name and local name server are incorrect because a caching name server generally is the local name server in the enterprise that performs the name resolution function on behalf of the various enterprise clients. A caching name server, also called a resolving/recursive name server, provides responses either through a series of queries to authoritative name servers in the hierarchy of domains found in the name resolution query or from a cache of responses built by using previous queries. Primary, secondary, master, and slave name servers are incorrect because a master (or primary) name server contains zone files created and edited manually by the zone administrator. A slave (or secondary) name server also contains authoritative information for a zone, but its zone file is a replication of the one in the associated master name server. The replication is enabled through a transaction called "zone transfer" that transfers all Resource Records (RRs) from the zone file of a master name server to the slave name server.

Which one of the following firewalls is simple, inexpensive, and quick to implement? a. Static packet filter firewall b. Dynamic packet filter firewall c. Application gateway firewall d. Stateful inspection gateway firewall

a. A static packet filtering firewall is the simplest and least expensive way to stop messages with inappropriate network addresses. It does not take much time to implement when compared to other types of firewalls.

Mobile computing is where remote users' access host computers for their computing needs. Remote access software controls the access to host computers. Which of the following technologies is behind the performance improvement to permit users to work offline on network tasks? a. Agent-based technology b. Windows-based technology c. Hardware-based technology d. Network-based technology

a. Agent-based technology can boost the performance of remote access software capability. It gives the users the ability to work offline on network tasks, such as e-mail, and complete the task when the network connection is made. Agent-based technology is softwaredriven. It can work with the Windows operating system.

Which of the following is not an example of alternative access points to an organization's IT resources? a. Internet gateway b. Workstations c. Modems d. Wireless access points

a. An organization's major access point is the Internet gateway. Attackers often enter networks from alternative access points to avoid detection by security controls monitoring major access points. A classic example of an alternative access point is a modem in a user's workstation. If an attacker can dial into the workstation and gain access, then attacks can be launched from that workstation against other hosts. In such cases, little or no information about the network activity may be logged because the activity does not pass through firewalls, intrusion detection system (IDS)-monitored network segments, and other common data collection points. Organizations typically address this by limiting alternative access points, such as modems and wireless access points, and ensuring that each is monitored and restricted through firewalls, IDS sensors, or other controls.

Which of the following is not part of the Internet Engineering Task Force (IETF) AAA Working Group dealing with the remote access security? a. Assurance b. Authentication c. Authorization d. Accounting

a. Assurance includes techniques to achieve integrity, availability, confidentiality, and accountability, and metrics to measure them. The IETF's AAA Working Group remote access security services are labeled as authentication, authorization, and accounting (AAA) services.

Which of the following is not a recommended solution to make network address translation (NAT) compatible with Internet Protocol security (IPsec)? a. Perform NAT after applying IPsec. b. Use UDP encapsulation of ESP packets. c. Configure cable and DSL routers properly at small offices. d. Configure cable and DSL routers properly at home offices.

a. Because network address translation (NAT) hides the network-addressing schema present behind a firewall environment and that NAT converts the limited number of Internet IP addresses into a large number of legal addresses, NAT should be performed before applying IPsec, not after. For example, the gateway can perform NAT first and then IPsec for outbound packets. The other three choices are incorrect because they are recommended solutions.

Which of the following is inherently efficient and difficult to intercept in the use of wireless technologies? a. Code division multiple access (CDMA) b. Time division multiple access (TDMA) c. Public-switched telephone network (PSTN) d. Very small aperture terminal (VSAT)

a. Code division multiple access (CDMA) is more efficient and secure than time division multiple access (TDMA) because it uses spread spectrum technology more efficiently. Instead of assigning a time slot on a single channel, CDMA uses many different channels simultaneously. CDMA is also inherently more difficult to crack because the coding scheme changes with each conversation and is given only once at the beginning of the transmission.

Domain name system (DNS) is a part of which of the following TCP/IP layers? a. Applications layer b. Transport layer c. Network layer d. Data link layer

a. DNS is a function of the application layer, along with HTTP, SMTP, FTP, and SNMP. This layer sends and receives data for particular applications. The transport layer is incorrect because it provides connection-oriented or connectionless services for transporting application layer services between networks. The network layer is incorrect because it routes packets across networks. The data link layer is incorrect because it handles communications on the physical network components.

Which of the following is the most common transaction in a domain name system (DNS)? a. DNS query/response b. Zone transfer c. Dynamic updates d. DNS NOTIFY message

a. Domain name system (DNS) query/response is the most common transaction in DNS. The most common query is a search for a Resource Record (RR), based on its owner name or RR type. The response may consist of a single RR, an RRset, or an appropriate error message. A zone transfer is incorrect because it refers to the way a secondary (slave) server refreshes the entire contents of its zone file from the primary (master) name servers. The dynamic update facility is incorrect because it provides operations for addition and deletion of RRs in the zone file. The DNS NOTIFY message is incorrect because it signals a secondary DNS server to initiate a zone transfer.

Spoofing in a local-area network (LAN) occurs with which of the following? 1. Internet Protocol (IP) addresses 2. Media access control (MAC) addresses 3. Network address translation (NAT) 4. Dynamic host configuration protocol (DHCP) servers a. 1 or 2 b. 2 or 3 c. 1 or 4 d. 3 or 4

a. Dynamic host configuration protocol (DHCP) servers typically are configured to log each Internet Protocol (IP) address assignment and the associated media access control (MAC) address, along with a timestamp. This information can be helpful to analysts in identifying which host-performed activity uses a particular IP address. However, information security analysts should be mindful of the possibility that attackers on an organization's internal networks have falsified their IP addresses or MAC addresses to create spoofing. This is possible in light of manufacturers accidentally creating network interface cards (NICs) with duplicate MAC addresses. Network address translation (NAT) modifies the IP addresses in a packet, which directly violates the packet integrity assurance provided by IPsec. Spoofing MACs on a LAN can also occur by a malicious user trying to bypass authentication or by a malicious program modifying the device MAC.

Which of the following fills the gap left by firewalls in terms of not monitoring authorized users' actions and not addressing internal threats? a. Sensors b. Switches c. Bridges d. Routers

a. Firewalls do not monitor authorized users' actions of both internal and external users, and do not address internal (insider) threats, leaving a gap. Sensors fill the gap left by firewalls with the use of monitors and scanners. A sensor is an intrusion detection and prevention system (IDPS) component that monitors, scans, and analyzes network activity. The other three choices cannot fill the gap left by firewalls. A switch is a mechanical, electromechanical, or electronic device for making, breaking, or changing the connections in or among circuits. A bridge is a device that connects similar or dissimilar two or more LANs together to form an extended LAN. A router converts between different data link protocols and resegments transport level protocol data units (PDUs) as necessary to accomplish this conversion and re-segmentation.

Which of the following virtual private network (VPN) architectures is transparent to users and to users' systems? a. Gateway-to-gateway b. Host-to-gateway c. Contractor-to-company d. Host-to-host

a. Gateway-to-gateway virtual private networks (VPNs) are typically transparent to users who do not need to perform separate authentication just to use the VPN. Also, the users' systems and the target hosts (e.g., servers) do not need to have any VPN client software installed, nor should they require any reconfiguration, to use the VPN. A host-to-gateway VPN is incorrect because it is not transparent to users because they must be authenticated before using the VPN. Also, the user's hosts need to have VPN client software configured. A contractor-to-company is incorrect because it is not transparent to users and needs to have VPN client software configured. A host-to-host VPN model is not transparent to users because they must be authenticated before using the VPN.

Which of the following cannot log the details of encryption-protected hypertext transfer protocol (HTTP) requests? a. Web proxy servers b. Routers c. Nonproxying firewalls d. Web browsers

a. Hypertext transfer protocol (HTTP) is the mechanism for transferring data between the Web browsers and Web servers. Through Web browsers, people access Web servers that contain nearly any type of data imaginable. The richest source of information for Web usage is the hosts running the Web browsers. Another good source of Web usage information is Web servers, which keep logs of the requests that they receive. Besides Web browser and servers, several other types of devices and software might also log related information. For example, Web proxy servers and application proxying firewalls might perform detailed logging of HTTP activity, with a similar level of detail to Web server logs. However, Web proxy servers cannot log the details of SSL or TLS-protected HTTP requests because the requests and the corresponding responses pass through the proxy encrypted, which conceals their contents. Routers, nonproxying firewalls, and other network devices might log the basic aspects of HTTP network connections, such as source and destination IP addresses and ports.

Telecommuting from home requires special considerations to ensure integrity and confidentiality of data stored and used at home. Which of the following is not an effective control? a. Employee accountability b. Removable hard drives c. Storage encryption d. Communications encryption

a. In addition to risks to internal corporate systems and data in transit, telecommuting from home raises other concerns related to whether employees are using their own computers or using computers supplied to them by the organization. Other members of the employee's household may want to use the computer used for telecommuting. Children, spouses, or other household members may inadvertently corrupt files, introduce viruses, or snoop. Therefore, employee accountability is difficult to monitor or enforce. The other three choices provide effective controls. Removable hard drives are incorrect because they reduce the risk if corporate data is stored on them due to their removability, which can be safely stored away. Storage encryption and communications encryption are incorrect because they both provide confidentiality of data during its storage as well as in transit.

Most attacks are targeted at which of the following Transmission Control Protocol/Internet Protocol (TCP/IP) layers? a. Application layer b. Transport layer c. Network layer d. Data link layer

a. In most cases, the application layer contains the actual activity of interest—most attacks are against vulnerabilities in applications, and nearly all misuse involves misuse of applications. The transport layer, the network layer, and the data link layer have fewer attacks compared to the application layer. Hypertext transfer protocol (HTTP) is a function of the application layer, along with DNS, SMTP, FTP, and SNMP. This layer sends and receives data for particular applications. The transport layer provides connection-oriented or connectionless services for transporting application layer services between networks. The network layer routes packets across networks. The data link layer handles communications on the physical network components.

When monitoring failures occur, redundant equipment should be used for which of the following? a. IDS sensors b. Network-based firewalls c. Host-based firewalls d. System logs

a. In most organizations, the cost of redundant monitoring makes it feasible only for the highest risk areas. In the case of dedicated monitoring systems, such as intrusion detection system (IDS) sensors, using redundant equipment (e.g., two sensors monitoring the same activity) can lessen the impact of monitoring failures. Another strategy is to perform multiple levels of monitoring, such as configuring network-based and host-based firewalls to log connections.

Which of the following is an inappropriate control over telecommunication hardware? a. Logical access controls b. Security over wiring closets c. Contingency plans d. Restricted access to test equipment

a. Logical access control is a software-based control, not a hardware-based control. Security over wiring-closets circuits, transmission media, and hardware devices, and restricting access to test equipment are appropriate to protect hardware. Contingency plans to minimize losses from equipment failure or damage are important and appropriate. The other choices are physical security controls over telecommunications hardware. They minimize risks such as physical damage or unauthorized access to telecommunications hardware.

Which of the following are more efficient and secure for use in wireless technologies? a. Spread spectrum b. Radio spectrum c. Radio signals d. Radio carriers

a. New digital communications systems such as time division multiple access (TDMA) or code division multiple access (CDMA) use spread spectrum much more efficiently than analog cellular and other traditional radio systems. The spread spectrum technology uses a wide band of frequencies to send radio signals. The other three choices are not relevant here.

In border gateway protocol (BGP), prefix filters help to limit the damage to the routes in which of the following ways? a. The egress filters of an autonomous system (AS) is matched with the ingress filters of BGP peers. b. The ingress filters of BGP peers is matched with the ingress filters of an autonomous system (AS). c. The ingress filters of an autonomous system (AS) is matched with the ingress filters of BGP peers. d. The egress filters of BGP peers is matched with egress filters of an autonomous system (AS).

a. Normally, border gateway protocol (BGP) peers should have matching prefix filters with the autonomous system (AS). This means, the egress filters of an AS should be matched by the ingress filters of BGP peers with which it communicates. This matching approach helps to reduce the risk from attackers that seek to inject false routes by pretending to send updates from the AS to its peers. Attackers can of course still send faulty routes, but filtering limits the damage to these routes.

In border gateway protocol (BGP), which of the following is physically present? a. Routing/forwarding table b. Adj-Routing Information Base (RIB)-In table c. Loc-RIB table d. Adj-RIB-Out table

a. Only the routing/forwarding table is physically present, whereas, the tables mentioned in the other three choices are conceptually based tables, not physically present. However, system developers can decide whether to implement the routing information base (RIB) tables either in the physical form or in the conceptual form. BGP is used in updating routing tables, which are essential in assuring the correct operation of networks, as it is a dynamic routing scheme. Routing information received from other BGP routers is accumulated in a routing table. These routes are then installed in the router's forwarding table. An eavesdropper could easily mount an attack by changing routing tables to redirect traffic through nodes that can be monitored. The attacker could thus monitor the contents or source and destination of the redirected traffic or modify it maliciously. The adj-RIB-In table routes after learning from the inbound update messages from BGP peers. The loc-RIB table routes after selecting from the adj-RIB-In table. The adj-RIB-Out table routes to its peers that the BGP router will advertise based on its local policy.

Which of the following can prevent e-mail spoofing? a. Pretty good privacy b. Point-to-point protocol c. Microcom networking protocol d. Password authentication protocol

a. Pretty good privacy (PGP) is a cryptographic software application for the protection of computer files and e-mail. PGP provides a good authentication mechanism, confidentiality protection, and nonrepudiation protection. Point-to-point protocol (PPP) connects two TCP/IP devices over a standard serial line, such as a common telephone link. Microcom networking protocol (MNP) defines various levels of error correction and compression for modems. Password authentication protocol (PAP) is a handshaking protocol.

Secure gateways block or filter access between two networks. Which of the following benefits resulting from the use of secure gateways is not true? a. Secure gateways prevent the spread of computer viruses. b. Secure gateways reduce risks from malicious hackers. c. Secure gateways reduce internal system security overhead. d. Secure gateways can centralize management services.

a. Questions frequently arise as to whether secure gateways (also known as firewalls) prevent the spread of viruses. In general, having a gateway scan transmitted files for viruses requires more system overhead than is practical, especially because the scanning would have to handle many different file formats. Secure gateways enable internal users to connect to external networks and at the same time prevent malicious hackers from compromising the internal systems. In addition to reducing the risks from malicious hackers, secure gateways have several other benefits. They can reduce internal system security overhead, because they enable an organization to concentrate security efforts on a limited number of machines. Another benefit is the centralization of services. A secure gateway can be used to provide a central management point for various services, such as advanced authentication, e-mail, or public dissemination of information. Having a central management point can reduce system overhead and improve service.

Which of the following does not require redundancy and fail-over capabilities to provide a robust Internet Protocol security (IPsec) solution? a. IPsec client software in a managed environment b. IPsec gateways c. Authentication servers d. Directory servers

a. Redundancy and fail-over capabilities should be considered not only for the core IPsec components, but also for supporting systems. IPsec client software may be broken by a new operating system update. This issue can be handled rather easily in a managed environment, but it can pose a major problem in a nonmanaged environment. Therefore, the IPsec client software does not require redundancy and fail-over capabilities. IPsec gateways are incorrect because two IPsec gateways can be configured so that when one gateway fails, users automatically fail over to the other gateway. Authentication servers and directory servers are incorrect because they also need redundancy due to their support role.

Secure remote procedure call (RPC) provides which one of the following security services? a. Authentication b. Confidentiality c. Integrity d. Availability

a. Secure remote procedure call (RPC) provides authentication services only. Confidentiality, integrity, and availability services must be provided by other means.

All the following are examples of sliding window protocols except: a. Wavelength division multiple access (WDMA) b. Synchronous data link control (SDLC) c. High-level data link control (HDLC) d. Link access procedure B (LAPB)

a. Sliding window protocols, which are used to integrate error control and flow, are classified in terms of the size of the sender's window and the size of the receiver's window. Sliding window protocols (e.g., SDLC, HDLC, and LAPB) are bit-oriented protocols and use flag bytes to delimit frames and bit stuffing to prevent flag bytes from occurring in the data. Wavelength division multiple access (WDMA) is an example of medium/media access control (MAC) sublayer protocol that contains two channels for each station. A narrow channel is provided as a control channel to signal the station, and a wide channel is provided so that the station can output data frames.

For network data analysis, managed switches collect which of the following statistical data? a. Bandwidth usage b. Payload size c. Source and destination IP addresses d. Ports for each packet

a. Some managed switches and other network devices offer basic network monitoring capabilities, such as collecting statistics on bandwidth usage. The other three choices are functions of network monitoring software, which collects information such as the payload size and the source and destination IP addresses and ports for each packet. Network monitoring software is designed to observe network traffic and gather statistics on it. Packet sniffers, protocol analyzers, and intrusion detection system (IDS) software may also perform basic network monitoring functions.

Which of the following is not a primary component of an Internet Protocol security (IPsec)? a. IPComp b. AH c. ESP d. IKE protocol

a. The IP payload compression protocol (IPComp) is a part of an Internet Protocol security (IPsec) implementation, not a primary component. Authentication header (AH), encapsulating security payload (ESP), and Internet key exchange (IKE) protocol are incorrect because they are primary components of IPsec.

In the ISO/OSI reference model, which of the following relates to end system-level security? a. Transport layer or network layer b. Application layer or presentation layer c. Session layer or transport layer d. Data link layer or physical layer

a. The ISO/OSI standards give a choice where either a transport layer or network layer can be used to provide end system-level security. An assumption is made that the end systems are trusted and that all underlying communication networks are not trusted.

Which of the following permits Internet Protocol security (IPsec) to use external authentication services such as Kerberos and RADIUS? a. EAP b. PPP c. CHAP d. PAP

a. The Internet Key Exchange (IKE) Version 2 of IPsec supports the extensible authentication protocol (EAP), which permits IPsec to use external authentication services such as Kerberos and RADIUS. The point-to-point protocol (PPP) standard specifies that password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) may be negotiated as authentication methods, but other methods can be added to the negotiation and used as well.

Which of the following cannot protect non-IP protocols? a. IPsec b. PPTP c. L2TP d. L2F

a. The Internet Protocol security (IPsec) can protect only IP-based communications and protocols, which is one of its weaknesses. The other three choices are incorrect because PPTP, L2TP, and L2F can protect non-IP protocols. Point-to-point tunneling protocol (PPTP) hides information in IP packets. Layer 2 tunneling protocol (L2TP) protects communications between an L2TP-enabled client and a server. Layer 2 forwarding (L2F) protocol protects communications between two network devices, such as an ISP network access server and VPN gateways.

Which of the following is not compatible with the Internet Protocol (IP) version 6? a. IP version 4 b. TCP c. UDP d. BGP

a. The Internet Protocol version 6 (IPv6) is not backward compatible with IPv4 but is compatible with TCP, UDP, ICMP, IGMP, OSPF, BGP, and DNS. The IPsec services are provided at the IP layer (network layer), offering protection for IP and/or upper-layer protocols such as TCP, UDP, ICMP, IGMP, OSPF, BGP, and DNS.

Which of the following is a mitigation technique to handle Internet relay chat (IRC) vulnerability for lack of confidentiality due to messages sent in plaintext throughout the IRC network? a. Install operating system-level VPNs or application-level SSL/TLS. b. Implement timers. c. Put the system in a lockdown mode. d. Block filtering requests based on filename extensions.

a. The Internet relay chat (IRC) communication is inherently insecure because it is a plaintext open protocol that uses transmission control protocol (TCP) that is susceptible to sniffing and interception. The original IRC protocol does not provide for any confidentiality, meaning that standard chat, nickname passwords, channel passwords, and private messaging are sent in plaintext throughout the IRC network. Confidentiality may be achieved by applying operating system level VPNs or SSL/TLS within the IRC network. The IRC clients and servers use encryption to protect information from unauthorized users. Furthermore, IPsec VPNs with PKI certificates or tunneled through Secure Shell should be used to provide further security for identification and authentication. Timers are implemented to mitigate the IRC vulnerability of netsplits. A system lockdown mode is implemented to combat denial-of-service (DoS) attacks on the IRC network. The security administrator should block outright filtering requests based on filename extensions to prevent direct client connection (DCC) vulnerability within IRC networks. DCCs are performed directly from one client application to another, thus bypassing the IRC servers to form a clientto- client connection. DCC vulnerabilities, if not controlled properly, lead to unauthorized file transfers between IRC clients, allow users to bypass server-based security, shorten the communication path, allow social engineering attacks, and compromise the user's application system.

All the following can be disallowed at the voice gateway in Voice over Internet Protocol (VoIP) except: a. Application level gateway b. H.323 gateway protocol c. Session initiation protocol (SIP) d. Media gateway control protocol (MGCP)

a. The application level gateway or firewall control proxy is designed for VoIP traffic to deny packets that are not part of a properly originated call or track the state of connections, which should be allowed to function. The protocols such as H.323, SIP, and MGCP, which are connections from the data network, should be disallowed at the voice gateway of the VoIP that interfaces with the public-switched telephone network (PSTN) because they are not secure. H.323 gateway is a gateway protocol used in the Internet telephone systems, and it speaks the H.323 protocol on the Internet side and the PSTN protocols on the telephone side. The session initiation protocol (SIP) just handles setup, management, and session termination. The media gateway control protocol (MGCP) is used in large deployment for gateway decomposition.

Regarding network data analysis, which of the following can tell a security analyst which application was most likely used or targeted? a. IP number and port numbers b. Network interface card c. NIC and MAC address d. IP and ARP

a. The combination of the Internet protocol (IP) number (IP layer field) and port numbers (transport layer fields) can tell an analyst which application was most likely used or targeted. Network interface card (NIC) is incorrect because it is a physical device and a part of the data link layer; it cannot tell a security analyst which application was most likely used or targeted. Media access control/medium access control (MAC) address is incorrect because it is a part of the data link layer and cannot tell a security analyst which application was most likely used or targeted. Address resolution protocol (ARP) is incorrect because it is a part of the hardware layer (data link layer) and cannot tell a security analyst which application was most likely used or targeted.

Which of the following virtual private network (VPN) architectures often replaces costly private wide-area network (WAN) circuits? a. Gateway-to-gateway b. Host-to-gateway c. Contractor-to-company d. Host-to-host

a. The gateway-to-gateway virtual private network (VPN) architecture often replaces more costly private wide-area network (WAN) circuits. The host-to-gateway VPN architecture often replaces dial-up modem pools, is somewhat complex to implement and maintain for user and host management, and is most often used to provide secure remote access. The contractor-to-company architecture is an exclusive connection between the VPN client and the VPN network device; all other connectivity is blocked after the establishment of the VPN session, so there is no chance of IP packets being forwarded between the Internet and the company's private network. The host-to-host VPN architecture is most often used when a small number of trusted users need to use or administer a remote system that requires the use of insecure protocols (e.g., a legacy system), that requires a secure remote access solution, and that can be updated to provide VPN services. System administrators performing remote management of a single server can use the host-to-host VPN architecture. The host-to-host VPN architecture is resource-intensive to implement and maintain for user and host management.

In a domain name system (DNS) environment, which of the following is referred to when indicating security status among parent and child domains? a. Chain of trust b. Chain of custody c. Chain of evidence d. Chain of documents

a. The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains. An example means to indicate the security status of child subspaces is through the use of delegation signer (DS) resource records in the DNS. The other three choices are not related to the chain of trust but they are related to each other. Chain of custody refers to tracking the movement of evidence, chain of evidence shows the sequencing of evidence, and chain of documents supports the chain of custody and the chain of evidence, and all are required in a court of law.

An information systems security analyst attempts to validate the identity of a suspicious host. Which of the following is not an acceptable approach? a. Contact the IP address owner directly. b. Contact management of his organization. c. Contact legal advisors of his organization. d. Seek Internet service provider assistance.

a. The information systems security analyst should not contact the owner directly. This is due primarily to concerns involving sharing information with external organizations; also, the owner of an Internet Protocol (IP) address could be the person attacking the organization. The other three choices are incorrect because they are acceptable approaches. The analyst should provide information on the owner to the management and legal advisors for the analyst's organization. Seeking the Internet service provider (ISP) assistance is generally only an option during the most serious external network-based attacks; particularly those that involve IP address spoofing. Some ISPs may have the ability to trace ongoing attacks back to their source, whether the IP addresses are spoofed.

From a security configuration viewpoint, what is a managed or enterprise operational IT environment referred to as? a. Inward-facing b. Inward-dialing c. Outward-facing d. Outward-dialing

a. The managed environment is an inward-facing environment typically structured and centrally managed. When a system connects on the interior of a network behind a firewall, it is called inward facing. When a high-risk system or network directly connects to the Internet, it is called outward facing (e.g., public Web server, e-mail server, and DNS server). Inward dialing is incorrect because it refers to calling into a system and is not a meaningful term here. Outward dialing is incorrect because it refers to calling from a system and is not a meaningful term here.

The network address translation (NAT) changes which of the following from a connectionless network to a connection-oriented network? a. Internet b. Transmission control protocol (TCP) c. Internet Protocol (IP) d. Switched multimegabit data services (SMDS)

a. The network address translation (NAT) changes the Internet from a connectionless network to a connection-oriented network through its converting, mapping, and hiding of the Internet IP addresses. By design, the TCP is a connection-oriented network and both IP and SMDS are connectionless networks, which are not changed by the NAT.

Which of the following ISO/OSI layers provide confidentiality, authentication, and data integrity services? a. Network layer b. Presentation layer c. Session layer d. Physical layer

a. The network layer is responsible for transmitting a message from the source to the destination. It provides routing (path control) services to establish connections across communications networks. Therefore, it requires confidentiality, authentication, and data integrity services to achieve this goal. The presentation layer is incorrect because it provides authentication and confidentiality services but not data integrity. The presentation layer defines and transforms the format of data to make it useful to the receiving application. Session layer is incorrect because it does not provide any security-related services. It establishes, manages, and terminates connections between applications and provides checkpoint recovery services. It helps users interact with the system and other users. The physical layer is incorrect because it provides confidentiality service only. The physical layer provides for the transmission of unstructured bit streams over the communications channel. It is the innermost software that handles the electrical interface between a terminal and a modem.

Which of the following provides a security service in authenticating a remote network access? a. Remote access server b. Windows NT server c. An exchange server d. A DNS server

a. The remote access server (RAS) provides the following services: When a remote user dials in through a modem connection, the server hangs up and calls the remote user back at the known phone number. The other three servers mentioned do not have this kind of dial-in and callback dual control mechanism.

Which of the following local-area network (LAN) topologies uses a central hub? a. Star b. Bus c. Token ring d. Token bus

a. The star topology uses a central hub connecting workstations and servers. The bus topology uses a single cable running from one end of the network to the other. The ring topology interconnects nodes in a circular fashion.

Which of the following is suitable for a low-risk computing environment? a. Static packet filter firewall b. Hybrid gateway firewall c. Stateful inspection gateway firewall d. Dynamic packet firewall

a. The static packet filter firewall offers minimum-security provisions suitable for a lowrisk computing environment. The hybrid gateway firewall is good for medium- to high-risk computing environment. Both stateful and dynamic packet firewalls are appropriate for highrisk computing environments.

Which of the following makes the transport layer security (TLS) proxy server architecture fully compatible with network address translation (NAT)? a. HTTPS b. PGP c. GPG d. SSH

a. The transport layer security (TLS) proxy server provides transport layer VPN services. The use of HTTPS makes the proxy server architecture fully compatible with NAT. HTTPS usage is permitted by firewall rulesets. The other three choices are incorrect because PGP, GPG, and SSH are application layer VPN protocols. Pretty good privacy (PGP) provides security for e-mail encryption, disk encryption, and digital signatures for home and office use. GNU privacy guard (GPG) is the software for safe and encrypted e-mail communication, which is a free software alternative to the PGP.

Which of the following establishes rules of engagement (ROE) prior to the start of penetration testing? a. White team b. Red team c. Tiger team d. Blue team

a. The white team establishes the rules of engagement (ROE) prior to the start of penetration testing. ROE describes tools, techniques, and procedures that both the red team and blue team should follow. The tiger team is same as the red team, which is an old name for the red team. Outsiders (i.e., contractors and consultants) conduct both red team and blue team testing whereas white team members are employees of the testing organization. The white team does not conduct any testing.

Which of the following is not used by an individual or a specialized computer program to read an online advertisement displayed by the Internet search engine without the intention of buying a product or service? a. Honeynets b. Pay-per-click feature c. Botnets d. Third parties

a. This question relates to click fraud. Honeynets are networks of honeypots, which are used to create fake production systems to attract attackers to study their behaviors and actions with an information system. Honeynets are not used in click fraud. The other three choices are used to create a click fraud, which is a major problem at Internet service providers (ISPs) and other websites. The click fraud is perpetrated by a combination of individuals, specialized computer programs, bot networks (botnets), and third parties who are hired for a fee to click because they are paid on a per-click basis. (For example, the more clicks they do the more money they make.) In all these situations, fraudulent clicks are made on an online advertisement with no intention of learning further about a product or purchasing the product. The advertiser pays the website owners based on the number of clicks made on its advertisement. Unethical website owners are creating a click fraud to make easy money. Specialized computer programs are written to do the automatic clicking.

Which of the following involves a complicated technique that combines the public-key encryption method with a hashing algorithm that prevents reconstructing the original message? a. Digital signature b. Voice over Internet Protocol c. Electronic signature d. Firewalls

a. Two steps are involved in creating a digital signature. First, the encryption software uses a hashing algorithm to create a message digest from the file being transmitted. Second, the software uses a sender's private (secret) key to encrypt the message digest. The result is a digital signature for that specific file. Voice over Internet Protocol (VoIP) is incorrect because it is a technology that enables network managers to route phone calls and facsimile transmissions over the same network they use for data. Electronic signature is incorrect because it is an electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. Firewalls are incorrect because a firewall is software whose purpose is to block access to computing resources.

A virtual private network (VPN) cannot provide or improve which of the following security services? a. Availability b. Confidentiality c. Integrity d. Replay protection

a. VPNs cannot provide or improve availability, which is the ability for authorized users to access systems as needed. Many VPN implementations tend to decrease availability somewhat because they add more components and services to the existing network infrastructure. A VPN can provide several types of data protection, including confidentiality, integrity, data origin authentication, replay protection, and access control.

A virtual private network (VPN) creates a secure, private network over the Internet through all the following except: a. Authentication b. Encryption c. Packet tunneling d. Firewalls

a. VPNs enable an organization to create a secure, private network over a public network such as the Internet. They can be created using software, hardware, or a combination to create a secure link between peers over a public network. The secure link is built through encryption, firewalls, and packet tunneling. Authentication is done outside the network.

Voice encryption in cell/mobile phones uses which of the following algorithms? a. RSA b. 3DES c. IDEA d. DES

a. Voice encryption schemes are based on Rivest, Shamir, and Adelman (RSA) algorithm to provide privacy protection over mobile or cellular phones. The main constraints with encryption are the slow speed of processing and the lag that occurs if signals take too long to pass through the system. The other three choices (i.e., 3DES, IDEA, and DES) are not used in voice encryption because they are used in transaction encryption.

The basic causes of a majority of security-related problems in Web servers are due to which of the following? a. Hardware design and protocols b. Software design and configurations c. Hardware specifications and testing d. Software acquisition and implementation

b. A Web server is like a window to the world, and therefore it must be protected to provide a controlled network access to both authorized and unauthorized individuals. Web servers contain large and complex programs that can contain security weaknesses. These weaknesses are due to poor software design and configuration of the Web server. Hardware design and protocols provide better security than software design.

In a legacy wireless local-area network (WLAN) environment using wired equivalent privacy (WEP) protocol (IEEE 802.11), a bit-flipping attack results in which of the following? a. Loss of confidentiality b. Loss of integrity c. Loss of availability d. Loss of accountability

b. A bit-flipping attack occurs when an attacker knows which cyclic redundancy check-32- bits (CRC-32 bits) can change when message bits are altered, resulting in loss of integrity. A proposed countermeasure is encrypting the CRC-32 to produce an integrity check value (ICV), but it did not work because of use of stream ciphers (WEP's RC4), meaning that the same bits flip whether encryption is used. Therefore, WEP ICV offers no additional protection against bit flipping. Eavesdropping attacks using sniffers result in loss of confidentiality. Packet flooding attacks and radio frequency signal jams result in loss of availability. Loss of accountability is not applicable here because it deals with an individual's actions.

Which one of the following items replaces the other three items? a. telnet b. SSH c. rcp and rsh d. FTP

b. A commonly used application layer protocol suite is secure shell (SSH), which contains secure replacements for several unencrypted application protocols, including telnet, rcp, rsh, and FTP. SSH tunnel-based VPNs are resource-intensive to set up and are most commonly used by small groups of IT administrators.

Which of the following are examples of security boundary access controls? a. Patches and probes b. Fences and firewalls c. Tags and labels d. Encryption and smart cards

b. A firewall is an example of logical access control whereas fences provide a physical security and perimeter access control. When these two controls are combined, they provide a total boundary control. By limiting access to host systems and services, firewalls provide a necessary line of perimeter defense against attacks, thus providing logical security boundary control. Similarly, perimeter fences provide a physical security boundary control for a facility or building. A patch is a modification to software that fixes an error in an operational application system on a computer. Generally, the software vendor supplies the patch. A probe is a device programmed to gather information about a system or its users. Tags and labels are used in access controls. Encryption and smart cards are used in user identification and authentication mechanisms.

A limitation of point-to-point tunneling Protocol (PPTP) is which of the following? a. End-to-end secure virtual networks b. Lack of authentication at end nodes c. Hiding information in IP packets d. In-band management

b. A limitation of the point-to-point tunneling protocol (PPTP), when compared to secure sockets layer (SSL), is that it does not provide authentication of the endpoints. PPTP is useful in implementing end-to-end secure virtual networks, hiding information in IP packets, and providing in-band management.

What does a domain name system (DNS) query originate from? a. Authoritative name server b. Resolver c. Caching name server d. Recursive name server

b. A resolver, a component of DNS, accesses the services provided by a DNS name server on behalf of user programs. A DNS query originates from a resolver; the destination is an authoritative or caching name server. An authoritative name server for a zone is incorrect because it provides responses to name resolution queries for resources for that zone, using the Resource Records (RRs) in its own zone file. Caching and recursive name servers are incorrect because two primary categories of resolver include (i) caching, recursive, resolving name server and (ii) stub resolver, distinguished by functionality.

Which of the following internetworking devices sends traffic addressed to a remote location from a local-area network (LAN) over the wide-area network (WAN) to the remote destination? a. Bridge b. Router c. Brouter d. Backbone

b. A router sends traffic addressed to a remote location from the local network over the wide area connection to the remote destination. The router connects to either an analog line or a digital line. Routers connect to analog lines via modems or to digital lines via a channel-service unit or data-service units. Bridge is incorrect because it is a device that connects similar or dissimilar LANs to form an extended LAN. Brouters are incorrect because they are routers that can also bridge; they route one or more protocols and bridge all other network traffic. Backbone is incorrect because it is the high-traffic-density connectivity portion of any communications network.

All the following are applications of spanning tree concept except: a. Multicast routing b. Spanning port c. Risk analysis d. Bridges

b. A spanning port is a switch port that can see all network traffic going through the switch. The spanning port has nothing to do with the spanning tree whereas the other three choices are applications of the spanning tree concept. The spanning tree has several applications such as (i) multicast routing which makes excellent use of bandwidth where each router knows which of its lines belong to the tree, (ii) conducting risk analysis, and (iii) building plug-and-play bridges.

Which of the following items are not synergistic in nature? a. Single sign-on system and Kerberos authentication technique b. Telecommuting and software piracy policies c. Firewalls and intrusion detection systems d. Architectural security design and layered protections

b. A synergistic control is a complementary control where two or more individual controls are combined to provide an additive or multiplicative (magnifying) effect. The other three choices are examples of synergistic controls. Telecommuting and software piracy policies are not synergistic as they are an example of contradictory control, where a company policy encouraging telecommuting work on one hand and another policy restricting employees to carry software home from work conflict with each other. In addition to accomplishing work from home, these policies target the software piracy issue, so there is no legal problem for the company. Note that these software policies vary much in practice: (i) some companies allow the employee to carry software home and some do not, (ii) some companies allow the employee only to use the licensed software either by preloading the work/home PC or download the software to the work/home PC from a central computer, and (iii) some companies permit the employee to buy the approved and licensed software and the employee get reimbursed or the company may buy the software and give it to the employee. Regardless, an implicit and potential risk is that a noncompliant telecommuting employee or a family member could load unlicensed, unauthorized, and personal software on the work/home PC without the knowledge of the company. This action could infect the work/home PC with computer viruses and worms, thus risking the work-related data, programs, and systems.

What is a client/server application that requires nothing more than a browser and runs on only a user's computer called? a. Thick client b. Thin client c. Internet client d. Web server

b. A thin client is a software application that requires nothing more than a browser and can be run only on the user's computer (e.g., Microsoft Word). A thick client is a software application that requires programs other than just the browser on a user's computer, that is, it requires code on both a client and server computers (e.g., Microsoft Outlook). The terms "thin" and "thick" refer to the amount of code that must be run on the client computer. Thin clients are generally more secure than thick clients in the way encryption keys are handled. The Internet client and Web server are incorrect because they are not needed for the thin client to work but are needed for the thick client to work.

Which of the following would be inherently in conflict with a traffic padding security mechanism? a. Security labels and data splitting b. Packet-switching network and local-area network c. Packet-switching network and security labels d. Local-area network and data splitting

b. A traffic-padding security mechanism provides security services such as traffic flow confidentiality. It involves collecting and transmitting spurious cases of communication and data and is used with encryption so that "dummy" data is separated from the real data. A packet-switching network is in conflict with the traffic-padding security mechanism because it divides the data traffic into blocks, called packets. These packets, a group of binary digits, are delivered to the destination address in a data envelope. Because of a routing function used in packet switching, it is possible that packets can reach their destination out of sequence. The intended traffic-padding security mechanism will not be achieved with the use of a packetswitching network. A local-area network refers to a network that interconnects systems located in a small geographic area, such as a building or a complex of buildings (campus). Traffic padding operates a network up to its full capacity thereby curtailing the resource sharing potential of the LAN. Security label is a designation assigned to a system resource, such as a file, which cannot be changed except in emergency situations. Security labels protect the confidentiality of data. Similarly, data splitting increases the confidentiality of data where the file is broken up into two or more separate files so that an intruder cannot make any sense out of them. The separate files are then transferred independently via different routes and/or at different times.

What is an attack that attempts to exploit a weakness in a system at a level below the developers' design level (such as through operating system code versus application code) called? a. Technical attack b. Tunneling attack c. NAK attack d. Active attack

b. A tunneling attack attempts to exploit a weakness in a system that exists at a level of abstraction lower than that used by the developer to design the system. For example, an attacker might discover a way to modify the microcode of a processor that is used when encrypting data, rather than attempting to break the system's encryption algorithm. Preventing a tunneling attack can be costly. A technical attack is perpetrated by circumventing or nullifying hardware and software protection mechanisms, rather than by subverting system personnel or other users. A NAK attack capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly and thus leaves the system in an unprotected state during such interrupts. An active attack alters data by bypassing security controls on a computer system.

Which of the following border gateway protocol (BGP) attacks does not use message digest 5 (MD5) authentication signature option as a countermeasure? a. Peer spoofing b. Link cutting attack c. Malicious route injection d. Unallocated route injection

b. An inherent vulnerability in routing protocols is their potential for manipulation by cutting links in the network. By removing links, either through denial-of-service or physical attacks, an attacker can divert traffic to allow for eavesdropping, blackholing, or traffic analysis. Because routing protocols are designed to find paths around broken links, these attacks are hard to defend against. Examples of countermeasures against link cutting attacks include using encryption, intrusion detection systems, and redundant backup paths, not an MD5 authentication signature option. The other three choices use a message digest 5 (MD5) authentication signature option. The MD5 hash algorithm can be used to protect BGP sessions by creating a keyed hash for TCP message authentication. Because MD5 is a cryptographic algorithm using a 128-bit cryptographic hash (checksum), rather than a simple checksum such as CRC-32 bit, it is computationally difficult to determine the MD5 key from the hash value. In a peer spoofing attack, the goal is to insert false information into a BGP peer's routing tables. Examples of countermeasures against peer spoofing include using strong sequence number randomization and an MD5 authentication signature option. In a malicious route injection attack, a malicious party could begin sending out updates with incorrect routing information. Examples of countermeasures against malicious route injection include using route filtering and an MD5 authentication signature option. In an unallocated route injection attack, which is a variation of malicious route injection attack, routes are transmitted to unallocated prefixes. These prefixes contain a set of IP addresses that have not been assigned yet, so no traffic should be routed to them. Examples of countermeasures against unallocated route injection include dropping unallocated prefixes and using route filtering and an MD5 authentication signature option.

Which of the following network connectivity hardware and software devices do not perform similar functions? a. Guards, firewalls, and routers b. Connectors, concentrators, and sockets c. Switches, hubs, and bridges d. Bridges, routers, and brouters

b. Connectors, concentrators, and sockets do not perform similar functions. A connector is an electromechanical device on both ends of cables that permits them to be connected with and disconnected from other cables. A concentrator gathers several lines in one central location as in the fiber distributed data interface (FDDI). Sockets are endpoints created in a transmission control protocol (TCP) service by both the sender and the receiver. The other three choices perform similar functions. The hardware/software guard system is composed of a server, workstations, malicious code detection, a firewall, and/or filtering routers all configured to allow transfer of information among communities of users operating at different security levels. Bridges are similar to switches in that both route on frame addresses. Switches are similar to hubs in that they enable communications between hosts. Bridges are routers that can also bridge; they route one or more protocols and bridge all other network traffic.

Which of the following networks is used to distribute music, games, movies, and news using client caching, server replication, client's request redirection, and a proxy server? a. Asynchronous transfer mode (ATM) network b. Content delivery network (CDN) c. Voice over Internet Protocol (VoIP) network d. Integrated services digital network (ISDN)

b. Content delivery networks are used to deliver the contents of music, games, movies, and news from content owner's website to end users quickly with the use of tools and techniques such as client caching, server replication, client's request redirection, and a proxy content server to enhance the Web performance in terms of optimizing the disk space and preload time. ATMs are good for voice traffic only. VoIP is the transmission of voice over packet-switched IP networks and it takes a wide variety of forms, including traditional telephone handsets, conferencing units, and mobile units. ISDN is an international communications standard for sending voice, video, and data over digital or standard telephone wires. The ISDN security must begin with the user (i.e., may be a person, an organizational entity, or a computer process).

Which of the following guarantees network quality-of-service (QoS) and quality-ofprotection (QoP)? a. Memorandum of agreement (MOA) b. Service-level agreement (SLA) c. Memorandum of understanding (MOU) d. Rules of network connection

b. Either MOA or MOU are initial documents prior to finalizing the SLA document. The rules of network connection can be informal and not binding. The SLA document is between a user (customer) organization and a service provider, so as to satisfy specific customer application system requirements. The SLA should address performance properties such as throughput (bandwidth), transit delay (latency), error rates, packet priority, network security, packet loss, and packet jitter.

The encapsulating security payload (ESP) mode of Internet Protocol security (IPsec) cannot be used to provide which of the following? a. Only encryption b. Integrity protection at the outermost IP header c. Encryption and integrity protection d. Only integrity protection

b. Encapsulating security payload (ESP) can be used to provide only encryption, encryption and integrity protection, or only integrity protection. In the second version of IPsec, ESP became more flexible. It can perform authentication to provide integrity protection, although not for the outermost IP header. Also, ESP's encryption can be disabled through the Null Encryption Algorithm.

In a public cloud computing environment, which of the following is mostly needed to establish a level of trust among cloud service providers and subscribers? a. Compensating controls b. Third-party audits c. Threshold for alerts d. Service contracts

b. Establishing a level of trust about a cloud service is dependent on the degree of control an organization can exert on the service provider to protect the organization's data and applications. Evidence is needed about the effectiveness of security controls over such data and applications. Third-party audits may be used to establish a level of trust and evidence if it is not feasible to verify through normal means. If the level of trust in the service falls below expectations and the organization cannot employ compensating controls, it must either reject the service or accept a greater degree of risk. Threshold for alerts and notification is needed to keep visibility on the cloud service provider.

Which of the following system security testing and information gathering tools can produce false positives? a. Information scanning tool b. Vulnerability scanning tool c. Network scanning tool d. Penetration testing tool

b. False positives occur when a tool reports a security weakness when no weakness is present. A vulnerability scanner is a program that looks for vulnerabilities on either the local system or on remote systems. Vulnerability scanners help attackers to find hosts that they can exploit successfully. The automated vulnerability scanning tools is used to scan a group of hosts or a network for known vulnerable services such as use of file transfer protocol (FTP) and sendmail relaying. Some of the vulnerabilities flagged by the automated scanning tool may actually not be vulnerable for a particular site based on its configuration. Thus, this scanning tool can produce false positives, which are warning and alerts that incorrectly indicate that malicious activity is occurring. The automated information scanning tool does not produce false positives because it is used to collect system information efficiently to build individual profiles of the target IT system. The network scanning tool, which does not produce false positives, lists all active hosts and services operating in the address space scanned by the port-scanning tool. The penetration testing tool is a specific tool for information systems testing and does not produce false positives.

Firewalls cannot provide a "line of perimeter defense" against attacks from which of the following? a. Traffic entering a network b. Traffic to and from the Internet c. Traffic to host systems d. Traffic leaving a network

b. Firewalls police network traffic that enters and leaves a network. Firewalls can stop many penetrating attacks by disallowing many protocols that an attacker could use to penetrate a network. By limiting access to host systems and services, firewalls provide a necessary line of perimeter defense against attack. The new paradigm of transaction-based Internet services makes these "perimeter" defenses less effective as their boundaries between friendly and unfriendly environments blur.

Who should not be given access to firewalls? a. Primary firewall administrator b. Functional users c. Backup firewall administrator d. Network service manager

b. Firewalls should not be used as general-purpose servers. The only access accounts on the firewalls should be those of the primary and backup firewall administrators and the network service manager, where the latter manages both administrators. Functional users should not be given access to firewalls because they do not contain business-related application systems.

Firewalls are the perfect complement to which of the following? a. Bridges b. Routers c. Brouters d. Gateways

b. Given that all routers support some type of access control functionality, routers are the perfect complement to firewalls. The generally accepted design philosophy is that boundary routers should protect firewall devices before the firewall devices ever have to protect themselves. This principle ensures that the boundary router can compensate for any operating system or platform-specific vulnerabilities that might be present on the firewall platform. Brouters combine the functionality of bridges and routers.

Which of the following is an example of a personal firewall? a. Network-based firewalls b. Host-based firewalls c. Source-based IP address d. Destination-based IP address

b. Host-based firewalls, also known as personal firewalls, can be effective at preventing unauthorized access to endpoints if configured to block unwanted activity. Host-based firewalls might need to be reconfigured from their typical settings to permit legitimate activity, such as enabling an IPsec endpoint. Accordingly, organizations should consider providing information to external endpoint administrators and users on which services, protocols, or port numbers the host-based firewalls should permit for necessary services. The other three choices are not related to personal firewalls.

Which of the following functions of Internet Control Message Protocol (ICMP) of TCP/IP model is used to trick routers and hosts? a. Detecting unreachable destinations b. Redirecting messages c. Checking remote hosts d. Controlling traffic flow

b. Internet Control Message Protocol (ICMP) redirect messages can be used to trick routers and hosts acting as routers into using "false" routes; these false routes aid in directing traffic to an attacker's system instead of a legitimate, trusted system.

Which of the following is not an attack targeted at the Transmission Control Protocol (TCP) and Internet Protocol (IP)? a. Session hijacking b. Invalidated input c. Ping of death d. SYN flood

b. Invalidated input is an attack targeted at the application layer of the TCP/IP suite. Weaknesses in TCP and IP enable attacks, such as session hijacking, ping of death, synchronization (SYN) floods, and address impersonation. TCP operates at the transport layer whereas IP operates at the network layer of the TCP/IP suite.

Local-area networks (LANs) operate at what layer of the ISO/OSI reference model? a. Physical Layer 1 b. Data link Layer 2 c. Network Layer 3 d. Transport Layer 4

b. Layer 2 (data link) of the ISO/OSI reference model represents the layer at which network traffic delivery on local-area networks (LANs) occurs.

Which of the following is a viable option for providing confidentiality and integrity for dial-up communications? a. L2TP only b. L2TP with IPsec c. PPTP only d. L2F only

b. Layer 2 tunneling protocol (L2TP) with Internet Protocol security (IPsec) is a viable option for providing confidentiality and integrity for dial-up communications, particularly for organizations that contract virtual private network (VPN) services to an Internet service provider (ISP). L2TP and IPsec together provide stronger security, and the IPsec makes up for the L2TP weaknesses. Point-to-point tunneling protocol (PPTP) hides information in IP packets. Layer 2 forwarding (L2F) protocol protects communications between two network devices, such as an ISP network access server and VPN gateways. IPsec supersedes PPTP, whereas L2TP supersedes L2F.

For network security threats, which of the following steals or makes an unauthorized use of a service? a. Denial-of-service b. Misappropriation c. Message replay d. Message modification

b. Misappropriation is a threat in which an attacker steals or makes unauthorized use of a service. A denial-of-service (DoS) threat prevents or limits the normal use or management of networks or network devices. Message replay is a threat that passively monitors transmissions and retransmits messages, acting as if the attacker were a legitimate user. Message modification is a threat that alters a legitimate message by deleting, adding to, changing, or reordering it.

Which of the following is used for high-speed remote access with virtual private networks (VPNs)? a. Calling cards with ISDN b. Cable modems with ADSL c. Modem pools with ADSL d. Toll-free lines with ISDN

b. Modem pools, calling cards, and toll-free arrangements can be an expensive alternative to cable modems and asymmetric digital subscriber line (ADSL). An ISDN line is limited to

Most hardware/software guard implementations use which of the following approaches? a. Private network b. Dual network c. Public network d. Backbone network

b. Most hardware/software guard implementations use a dual network approach, which physically separates the private and public sides from each other. A backbone network is a central network to which other networks connect. Hardware and/or software guards enable users to exchange data between private and public networks, which is normally prohibited because of information confidentiality. A combination of hardware and/or software guards is used to allow secure local-area network (LAN) connectivity between enclave boundaries operating at different security classification levels (i.e., one private and the other public).

Which of the following uses spanning tree algorithm? a. Firewalls, sensors, and instant messaging (IM) servers b. Routers, bridges, and Internet relay chat (IRC) servers c. Switches, guards, and instant messaging (IM) servers d. Gateways, proxies, and Internet relay chat (IRC) servers

b. Multicast and broadcast routing is performed using spanning tree algorithm, which makes excellent use of bandwidth where each router knows which of its lines belong to the tree. The spanning tree algorithm is used to build plug-and-play bridges and Internet relay chat (IRC) servers. Each IRC server must have exactly one path to any other server. Therefore, routers, bridges, and IRC servers use the spanning tree algorithm and the other three choices do not deal with the spanning tree algorithm.

Which of the following needs to be protected for a failsafe performance? a. Virus scanners b. Firewalls c. Blocking filters d. Network ports

b. Network firewalls are devices or systems that control the flow of network traffic between networks employing differing security postures. A failsafe is the automatic termination and protection of programs when a hardware or software failure is detected. Because firewalls provide a critical access control security service, multiple firewalls should be employed for failsafe performance. Depending on a person's viewpoint, firewalls provide either the first line of defense or the last line of defense in accessing a network. Virus scanners look for common viruses and macro viruses. Blocking filters can block Active- X and Java applets. Network ports provide access points to a network. These are not that important when compared to the firewall to have a failsafe performance.

Which of the following can provide a seamless failover option for firewalls? a. Heartbeat solution b. Network switches c. Back-end system d. Custom network interface

b. Network switches that provide load-balancing and failover capabilities are the newest and most advanced solution currently available. In a failover configuration, these switches monitor the responsiveness of the production firewall and shift all traffic over to a backup firewall if a failure on the production system occurs. The primary advantage to this type of solution is that the switch masquerades both firewalls behind the same media access control (ISO/OSI Layer 2) address. This functionality enables seamless failover; that is, established sessions through the firewall are not impacted by a production system failure. The heartbeat-based solutions typically involve a backend or custom network interface that exists to notify the backup system in the event of a primary system failure. These systems rely on established, reliable technology to handle failover. The primary drawback with this approach is that established sessions traversing the production firewalls are almost always lost in the transition from production to backup resources. The decision on which failover method to implement is often reduced to cost and the network switch-based failover solution is generally more expensive than a heartbeat-based system.

Which of the following refers to open-loop control to handle network congestion problems? 1. Good design principles 2. Preventive actions 3. Detective actions 4. Corrective actions a. 2 only b. 1 and 2 c. 2 and 3 d. 3 and 4

b. Open-loop control includes good design principles and preventive actions whereas closed-loop control includes detective actions and corrective actions. Tools for open-loop controls include deciding when to accept new traffic, deciding when to discard packets and which ones, and making scheduling decisions at various points in the network.

For sources of network traffic data, which of the following provides the starting point for examining suspicious activity? a. Firewalls b. IDS software c. Proxy servers d. Remote access servers

b. Organizations typically have many different sources of network traffic data. Intrusion detection system (IDS) data is often the starting point for examining suspicious activity. Unfortunately, IDS software produces false positives, so IDS alerts need to be validated. By itself, data from these sources (e.g., firewalls, routers, proxy servers, and remote access servers) is usually of little value. Examining data over time may indicate overall trends, such as an increase in blocked connection attempts. However, because these sources typically record little information about each event, the data provides little insight as to the nature of the events.

Which of the following techniques to improve network quality-of-service (QoS) provides an easy and expensive solution? a. Buffering b. Over-provisioning c. Traffic shaping d. Packet scheduling

b. Over-provisioning is providing higher levels of router capacity, buffer space, and bandwidth for the network packets to flow from source to destination. Because of this, an overprovisioning technique is an easy but an expensive solution. The other three choices do not incur costs the way over-provisioning does. Network flows can be buffered on the receiving side before being delivered. Buffering the flow does not affect the reliability, delay, or bandwidth, but it does smooth out the jitter often found in audio and video on demand applications. Traffic shaping, also called traffic policing, is achieved through the use of a leaky bucket algorithm or token bucket algorithm to smooth traffic between routers and to regulate the host output. Packet scheduling algorithms such as fair queuing and weighted fair queuing are available to schedule the flow of packets through the router so that one flow does not dominate the other.

Which of the following network connectivity devices use rules that could have a substantial negative impact on the device's performance? a. Sensors and switches b. Routers and firewalls c. Guards and gateways d. Connectors and concentrators

b. Rules or rulesets are used in routers and firewalls. Adding new rules to a router or firewall could have a substantial negative impact on the device's performance, causing network slowdowns or even a denial-of-service (DoS). The information security management should carefully consider where filtering should be implemented (e.g., border router, boundary router, and firewall). A boundary router is located at the organization's boundary to an external network. The other three choices do not use rules or rulesets. A sensor is an intrusion detection and prevention system (IDPS) component that monitors and analyzes network activity. A switch is a mechanical, electromechanical, or electronic device for making, breaking, or changing the connections in or among circuits. A hardware/software guard is designed to provide a secure information path for sharing data between multiple system networks operating at different security levels. A gateway transfers information and converts it to a form compatible with the receiving network's protocols. A connector is an electromechanical device on the ends of cables that permit them to be connected with, and disconnected from, other cables. A concentrator gathers together several lines in one central location.

Secure remote procedure call (RPC) uses which of the following algorithms? a. DES b. DH c. 3DES d. IDEA

b. Secure remote procedure call (RPC) uses the Diffie-Hellman (DH) key generation method. Under this method, each user has a private/public key pair. Secure RPC does not use the other three choices.

Which of the following does not perform "prefix filtering" services? a. Border gateway protocol b. Sensors c. Routers d. Firewalls

b. Sensors (intrusion detection systems) are composed of monitors and scanners, and they do not perform prefix filtering services. Sensors identify and stop unauthorized use, misuse, and abuse of computer systems by both internal network users and external attackers in near real time. Sensors do not perform permit and deny actions as do the border gateway protocol (BGP), routers, and firewalls. Prefix filtering services are provided by BGP, routers, and firewalls in that they perform permit and deny actions. Prefix filtering is the most basic mechanism for protecting BGP routers from accidental or malicious disruption, thus limiting the damage to the routes. Filtering of both incoming prefixes (ingress filtering) and outgoing prefixes (egress filtering) is needed. Router filters are specified using syntax similar to that for firewalls. Two options exist. One option is to list ranges of IP prefixes that are to be denied and then permit all others. The other option is to specify a range of permitted prefixes, and the rest are denied. The option of listing a range of permitted prefixes provides greater security.

In sliding window protocols, a protocol is said to be in the stop-and-wait mode under which of the following conditions? a. When the sequence number for a sender's window is greater than 1, a receiver can discard all data frames. b. When the sequence number for a sender's window and a receiver's window is equal to 1 c. When the sequence number for a sender's window is greater than 1, a receiver can buffer out-of-order data frames. d. When two separate physical circuits are used for forward channel and reverse channel.

b. Sliding window protocols are bit-oriented and bidirectional protocols that use the same physical circuit for data frame transmission in both directions. When the sequence number for a sender's window and a receiver's window is equal to 1, the protocol is said to be in the stopand- wait mode. The other three choices do not operate in a stop-and-wait mode. When the sequence number for a sender's window is greater than 1, the receiver can either discard all data frames or buffer out-of-order data frames. When two separate physical circuits are used for forward channel and reverse channel, it represents a full-duplex data transmission, which is inefficient because only once circuit is used for the forward channel and the circuit for the reverse channel is not used. The full-duplex transmission uses two circuits and wastes resources whereas the sliding window protocol uses only one circuit.

Which of the following cannot defend the enclave boundary? a. Firewalls b. Switches and routers c. Virtual private networks d. Software/hardware guards

b. Switches and routers defend the networks and their infrastructures such as LANs, campus area networks (CANs), MANs, and WANs. The other three choices defend the enclave boundary, which defines a clear separation between inside and outside of a network where local computing environment (LAN) is inside the enclave and connection to external networks and remote users (e.g., dial-up access, ISP connection, and dedicated line) is outside the enclave. Boundary protection is provided by software/hardware guards, firewalls, and other devices, which control access into the local computing environment (LAN). Remote access protection is provided by communications server, encryption, VPN, and others. A single enclave may span a number of geographically separate locations with connectivity via commercially purchased point-to-point communications (e.g., T-1, T-3, and ISDN) along with WAN connectivity such as the Internet. An enclave is a collection of information systems connected by one or more internal networks under the control of a single organization and security policy. These systems may be structured by physical proximity or by function, independent of location. An enclave boundary is a point at which an enclave's internal network service layer connects to an external network's service layer (i.e., to another enclave or to a wide-area network).

Which of the following network connectivity devices require in-band and out-of-band management services such as administrative access to distributed local-area networks (LANs)? a. Firewalls and gateways b. Switches and routers c. Sensors and bridges d. Repeaters and modems

b. Switches and routers require in-band and out-of-band management services. In in-band management, a secure shell (SSH) session is established with the connectivity device (e.g., switches and routers) in a distributed local-area network (LAN). This method is fast and convenient but less secure due to use of Telnet, line sniffing, and interception of privileged passwords. In out-of-band management, the communications device is accessed via a dial-up circuit with a modem, directly connected terminal device, or LANs dedicated to managing traffic. Whether inband or out-of-band, network paths and sessions used to access the device should be protected. The other three choices do not require in-band and out-of-band management services such as administrative access because they have their own access methods.

Which of the following protocols use many network ports? a. SNMP and SMTP b. TCP and UDP c. ICMP and IGMP d. ARP and RARP

b. TCP and UDP protocols are part of the TCP/IP suite operating at the transport layer of the ISO/OSI model. Network ports are used by TCP and UDP, each having 65,535 ports. Attackers can reconfigure these ports and listen in for valuable information about network systems and services prior to attack. SNMP and SMTP are application layer protocols, which use few ports. ICMP and IGMP are network layer protocols, which do not use any ports. ARP and RARP are data link layer protocols, which do not use any ports. Network ports 0 through 1,023 are assigned for service contact used by server processes. The contact ports are sometimes called "well-known" ports. These service contact ports are used by system (or root) processes or by programs executed by privileged users. Ports from 1,024 through 65,535 are called registered ports. All incoming packets that communicate via ports higher than 1,023 are replies to connections initiated by internal requests. For example, Telnet service operates at port #23 with TCP and X Windows operate at port #6,000 with TCP.

Which of the following is not a security goal of a domain name system (DNS)? a. Source authentication b. Confidentiality c. Integrity d. Availability

b. The DNS data provided by public DNS name servers is not deemed confidential. Therefore, confidentiality is not one of the security goals of DNS. Ensuring authenticity of information and maintaining the integrity of information in transit is critical for efficient functioning of the Internet, for which DNS provides the name resolution service. The DNS is expected to provide name resolution information for any publicly available Internet resource.

The wireless local-area network (WLAN) using the IEEE 802.11i standard for a robust security network (RSN) does not support the protection of which of the following? a. Stations and access points b. Access points and authentication servers c. Extensible authentication protocol and transport layer security d. Stations and authentication servers

b. The WLAN IEEE 802.11 and its related standards explicitly state that protection of the communications between the access points and authentication server is not available. Therefore, it is important to ensure that communications between each access point and its corresponding authentication servers are protected sufficiently through cryptography. In addition, the authentication servers should be secured through operating system configuration, firewall rules, and other security controls. The data confidentiality and integrity protocol, such as the counter mode with cipher block chaining message authentication code protocol (CCMP), protects communications between stations and access points. The extensible authentication protocol (EAP) with transport layer security (TLS) is considered the most secure EAP method because it enables strong mutual cryptographic authentications of both stations and authentication servers using public key certificates.

A system administrator for an entertainment company is estimating the storage capacity of a video server to distribute movies on-demand for its customers. Which of the following law applies to the video servers? a. Moore's law b. Zipf's law c. Brooke's law d. Pareto's law

b. The Zipf's law states that the most popular movie is seven times as popular as the number seven movie. It is assumed that most customers will order the most popular movie more frequently. The other three choices are not related to video servers. The Moore's law states that the number of transistors per square inch on an integrated circuit chip doubles every 18 months or the performance of a computer doubles every 18 months. The Brooke's law states that adding more people to a late system development project (or to any project) makes the project even later. The Pareto's law, as it applied to IT, states that 80 percent of IT-related problems are the result of 20 percent of IT-related causes.

Which of the following provides a dynamic mapping of an Internet Protocol (IP) address to a physical hardware address? a. PPP b. ARP c. SLIP d. SKIP

b. The address resolution protocol (ARP) provides a dynamic mapping of a 32-bit IP address to a 48-bit physical hardware address. Other protocols such as point-to-point protocol (PPP), serial line interface protocol (SLIP), and simple key management for Internet protocol (SKIP) do not fit the description.

Which of the following ISO/OSI layers provide nonrepudiation services? a. Presentation layer b. Application layer c. Transport layer d. Data link layer

b. The application layer provides nonrepudiation services, meaning that entities involved in a communication cannot deny having participated. It is a technique that assures genuine communication and that cannot subsequently be refuted. The presentation layer is incorrect because it provides authentication and confidentiality services but not nonrepudiation. The presentation layer defines and transforms the format of data to make it useful to the receiving application. It provides a common means of representing a data structure in transit from one end system to another. The transport layer is incorrect because it provides confidentiality, authentication, data integrity, and access control services but not nonrepudiation. It ensures an error-free, insequence exchange of data between end points. It is responsible for transmitting a message between one network user and another. The data link layer is incorrect because it provides confidentiality service but not nonrepudiation. The data link layer provides a reliable transfer of data across physical links, an error flow control, a link-level encryption and decryption, and synchronization. It handles the physical transmission of frames over a single data link.

Which of the following is not an example of block cipher encryption algorithms used by the encapsulating security payload (ESP) mode of Internet Protocol security (IPsec)? a. AES-Cipher block chaining (AES-CBC) b. Hash message authentication code (HMAC) c. AES Counter mode (AES-CTR) d. Tripe DES (3DES)

b. The authentication header (AH) of IPsec uses HMAC. ESP uses symmetric cryptography to provide encryption for IPsec packets. When an endpoint encrypts data, it divides the data into small blocks and then performs multiple sets of cryptographic operations (known as rounds) using the data blocks and key. Encryption algorithms that work in this way are known as block cipher algorithms. Examples of encryption algorithms used by ESP are AES-CBC, AES-CTR, and 3DES.

Which of the following models is used for formally specifying and verifying protocols? a. Markov model b. Finite state machine model c. Protocol stack d. Protocol data unit

b. The finite state machine (FSM) model is used for formally specifying and verifying protocols. In the FSM model, mathematical techniques are used in specifying and verifying the protocol correctness because it defines or implements the control structure of a system. The other three choices do not deal with formally specifying and verifying protocols. The Markov model is used to model a system regarding its failure states to evaluate the reliability, safety, and availability of the system. A protocol stack is a list of protocols used by a system (e.g., TCP/IP suite). A protocol data unit is a unit of data specified in a protocol and includes user data and other information.

From a security viewpoint, which of the following should be the goal for a virtual private network (VPN)? a. Make only one exit point from a company's network to the Internet. b. Make only one entry point to a company's network from the Internet. c. Make only one destination point from a company's network to the Internet. d. Make only one transmission point from the Internet to a company's network.

b. The goal for a virtual private network (VPN) should be to make it the only entry point to an organization's network from the Internet. This requires blocking all the organization's systems or making them inaccessible from the Internet unless outside users connect to the organization's network via its VPN.

Which of the following causes an increase in the attack surface of a public cloud computing environment? a. Paging b. Hypervisor c. Checkpointing d. Migration of virtual machines

b. The hypervisor or virtual machine monitor is an additional layer of software between an operating system and hardware platform used to operate multitenant virtual machines. Compared with a traditional nonvirtualized implementation, the addition of a hypervisor causes an increase in the attack surface. Paging, checkpointing, and migration of virtual machines can leak sensitive data to persistent storage, subverting protection mechanisms in the hosted operating system intended to prevent such occurrences.

Network address translation (NAT) protocol operates at what layer of the ISO/OSI reference model? a. Presentation Layer 6 b. Network Layer 3 c. Transport Layer 4 d. Session Layer 5

b. The network address translation (NAT) protocol operates at the Layer 3 (network) of the ISO/OSI reference model.

Which of the following is the primary type of domain name system (DNS) data? a. Configuration file b. Zone file c. File system d. Zone transfer

b. The primary type of domain name system (DNS) data is zone file, which contains information about various resources in that zone. The information about each resource is represented in a record called a Resource Record (RR). Logically, a zone file is made up of several RR sets. Configuration file is incorrect because it is a secondary type of DNS data. File system is incorrect because it is a part of the DNS hosting environment. Zone transfer is incorrect because it is a part of DNS transactions.

The extensible authentication protocol (EAP) method with tunneled transport layer security (EAP-TTLS) used in a robust security network (RSN) such as wireless local-area network (WLAN) using the IEEE 802.11i standard does not prevent which of the following? a. Eavesdropping attack b. Man-in-the-middle attack c. Replay attack d. Dictionary attack

b. The root certificate may not be delivered securely to every client to prevent man-in-themiddle (MitM) attacks, thus not providing strong assurance against MitM attacks. Because passwords sent to the Web server are encrypted, EAP-TTLS protects the eavesdropping attack. The TLS tunnel protects the inner applications from replay attacks and dictionary attacks.

Which of the following firewalls is most secure? a. Packet filtering firewall b. Screened subnet firewall c. Screened host firewall d. Dual-homed gateway firewall

b. The screened subnet firewall adds an extra layer of security by creating a network where the bastion host resides. Often called a perimeter network, the screened subnet firewall separates the internal network from the external. This leads to stronger security.

Which of the following is a part of transport layer security policies and is not a part of data link layer security policies to prevent network congestion problems? a. Retransmission policy b. Timeout determination policy c. Out-of-order caching policy d. Flow control policy

b. The timeout determination policy is a part of the transport layer security policies but not a part of the data link layer security policies. The other three choices are the same between these two layer's policies.

Which of the following merits most protection in the use of wireless technologies? 1. Privacy of location 2. Privacy of equipment 3. Privacy of transmission contents 4. Privacy of third parties a. 1 and 2 b. 1 and 3 c. 3 and 4 d. 2 and 3

b. There are two main types of information that merit most protection in the wireless context: the contents of a call or transmission and the location of the sender or recipient. Privacy of equipment and third parties are not relevant here.

Which of the following ensures that all Web network traffic dealing with a firewall system is secured from an administration viewpoint? a. DES b. SSL c. HTTP d. SSH

b. There should be a policy stating that all firewall management functions take place over secure links. For Web-based interfaces, the security should be implemented through secure sockets layer (SSL) encryption, along with a user ID and password. If neither internal encryption nor SSL are available, tunneling solutions such as the Secure Shell (SSH) are usually appropriate. HTTP and DES are not appropriate here as they do not provide strong security.

Countermeasures against time-of-check to time-of-use (TOC-TOU) attacks include which of the following? 1. Use traffic padding techniques. 2. Apply task sequence rules. 3. Apply encryption tools. 4. Implement strong access controls. a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1 and 3

b. Time-of-check to time-of-use (TOC-TOU) attack is an example of asynchronous attacks where it takes advantage of timing differences between two events. Applying task sequence rules combined with encryption tools are effective against such attacks. Traffic padding technique is effective against traffic analysis attacks, and access controls are good against data inference attacks.

User datagram protocol (UDP) is a part of which of the following TCP/IP layers? a. Applications layer b. Transport layer c. Network layer d. Data link layer

b. User datagram protocol (UDP) is a part of the transport layer, along with TCP. This layer provides connection-oriented or connectionless services for transporting application layer services between networks. The application layer is incorrect because it sends and receives data for particular applications. The network layer is incorrect because it routes packets across networks. The data link layer is incorrect because it handles communications on the physical network components.

Major vulnerabilities stemming from the use of the World Wide Web (WWW) are associated with which of the following? a. External websites and hypertext markup language (HTML) b. Web browser software and Web server software c. External websites and hypertext transfer protocol (HTTP) d. Internal websites and Web pages

b. Vulnerabilities stemming from the use of the Web are associated with browser software and server software. Although browser software can introduce vulnerabilities to an organization, these vulnerabilities are generally less severe than the threat posed by servers. Many organizations now support an external website describing their products and services. For security reasons, these servers are usually posted outside the organization's firewall, thus creating more exposure. Web clients, also called Web browsers, enable a user to navigate through information by pointing and clicking. Web servers deliver hypertext markup language (HTML) and other media to browsers through the hypertext transfer protocol (HTTP). The browsers interpret, format, and present the documents to users. The end result is a multimedia view of the Internet.

Wireless local-area networks (WLANs) are connected to wired local-area networks (LANs) through the use of which of the following? a. Repeaters b. Bridges c. Brouters d. Routers

b. Wireless LANs are often connected to wired LANs through a bridge, or they depend on a central hub to pass messages between nodes. These devices make good targets to alter traffic passing between wireless nodes. A repeater is incorrect because it simply extends the range of one LAN. It rebuilds all the signals it hears on one LAN segment and passes them on to the other. A router connects LANs of different hardware types. They examine network addresses for forwarding packets on to another LAN. A brouter is incorrect because it is a combination of bridge and router that operates without protocol restrictions, routes data using a protocol it supports, and bridges data it cannot route.

Which of the following classes of attacks focus on breaking security protection features? a. Passive b. Active c. Close-in d. Insider

b. With an active attack, an intruder modifies the intercepted messages. Breaking security protection features is an example of active attack. With a passive attack, an intruder intercepts messages to view the data. It includes traffic and packet analysis to disclose personal information such as credit card numbers and medical files. A close-in attack is where an unauthorized individual is in physical close proximity to networks and systems, or facilities for the purpose of modifying, gathering, or denying access to information. Insider attacks can be malicious or nonmalicious. Using information in a fraudulent manner is an example of a malicious insider attack.

Which of the following is not an example of domain name system (DNS) host platform threats? a. Buffer overflow attack b. Zone drift error c. Packet flooding attack d. Address resolution protocol spoofing attack

b. Zone drift error is a threat due to domain name system (DNS) data contents, not from DNS host platform threats. Zone drift error results in incorrect zone data at the secondary name servers when there is a mismatch of data between the primary and secondary name servers. A buffer overflow attack, a packet flooding attack, and an Address Resolution Protocol (ARP) spoofing attack are examples of DNS host platform threats.

From a network data analysis perspective, what do many Web-based applications use? a. Two-tiered client/server model b. Three-tiered client/server model c. Four-tiered client/server model d. Five-tiered client/server model

c. A client/server application is designed to split among multiple systems. Examples of typical client/server applications are medical records systems, e-commerce applications, and inventory systems. Many Web-based applications use four-tier client/server models: Web browser, Web server, application server, and database server. Each tier interacts only with the adjacent tiers, so in three- and four-tier models, the client does not directly interact with the database server. A two-tiered client/server model is incorrect because the application stores its code, configuration settings, and supporting files on each user's workstation, and its data on one or more central servers accessed by all users. Programs are stored on a workstation, and data is stored on a central server. Logs are most likely stored on the workstations only. This model includes client workstations and a central server. A three-tiered client/server model is incorrect because the application separates the user interface from the rest of the application, and also separates the data from the other components. The classic three-tier model places the user interface code on the client workstation, the rest of the application code on an application server, and the data on a database server. This model includes client workstations, application server, and database server. A five-tiered client/server model is incorrect because it is complex to configure, operate, and manage.

Which of the following statements about red teams are not true? 1. They can be effective when insider work is suspected. 2. They represent another independent attack on the system. 3. They prove that a computer system is secure. 4. They are a substitute for methodical testing. a. 1 and 2 b. 1 and 3 c. 3 and 4 d. 2 and 4

c. A red team is a team of independent experts hired to attempt to breach a system's security. The red team cannot prove that a system is secure. Also, the red team's approach is not a substitute for methodical security testing. What it can do is be effective when insider work is suspected because it can show the areas of vulnerability. Also, the red team approach should be viewed as another independent attack on the system's integrity and security. If the system has not been thoroughly tested prior to red team testing, it is a waste of effort and money because the approach will be ineffective.

A peer-to-peer (P2P) networking is similar to which of the following? a. Content delivery network b. Value-added network c. Ad-hoc network d. Wide-area network

c. Ad-hoc networks are similar to peer-to-peer (P2P) networking in that they both use decentralized networking, in which the information is maintained at the end user location rather than in a centralized database. The networks mentioned in the other three choices use centralized networking with centralized databases.

For information system monitoring, which of the following anomaly within an information system is most risky? a. Large file transfers b. Unusual protocols and ports in use c. Attempted communications with suspected external addresses d. Long-time persistent connections

c. Anomalies at selected interior points within a system (e.g., subnets and subsystems) include large file transfers, unusual protocols and ports in use, long-time persistent connections, and attempted communications with suspected external addresses. Of these, the attempted communications with suspected (malicious) external addresses is most risky. The other three choices are less risky.

For network data acquisition, which of the following is the major downside to the victim organization of a network attack? a. ISPs requiring a court order b. Preserves privacy of the ISPs c. Slows down the investigative process d. Reduces the liability of the ISPs

c. As privacy becomes a greater concern to organizations, many have become less willing to share information with each other, including network data. For example, most Internet service providers (ISPs) now require a court order before providing any information related to suspicious network activity that might have passed through their network infrastructures. Although this preserves privacy of the ISPs and reduces the burden and liability of the ISPs, it also slows down the investigative process. This is a major downside to the victim organization because it wants a speedy investigative process with a clear and quick resolution to the attack.

Which of the following border gateway protocol (BGP) attacks does not use Time To Live (TTL) hack as a countermeasure? a. Peer spoofing and TCP resets b. Denial-of-service via resource exhaustion c. Route flapping d. Session hijacking

c. Because border gateway protocol (BGP) runs on transmission control protocol/Internet protocol (TCP/IP), any TCP/IP attack can be applied to BGP. Route flapping is a situation in which BGP sessions are repeatedly dropped and restarted, normally as a result of router problems. Examples of countermeasures for route flapping attacks include graceful restart and BGP route-flap damping method, not TTL hack. Route-flap damping is a method of reducing route flaps by implementing an algorithm that ignores the router sending flapping updates for a configurable period of time. Each time a flapping event occurs, peer routers add a penalty value to a total for the flapping router. As time passes, the penalty value decays gradually; if no further flaps are seen, it reaches a reuse threshold, at which time the peer resumes receiving routes from the previously flapping router. The other three choices use TTL hack. The Time To Live (TTL) or hop count is an 8-bit field in each IP packet that prevents packets from circulating endlessly in the Internet. TTL is based on the generalized TTL security mechanism (RFC 3682), often referred to as the TTL hack, which is a simple but effective defense that takes advantage of TTL processing. At each network node, the TTL is decremented by one and is discarded when it is reduced to zero without reaching its destination point. In peer spoofing attack, the goal is to insert false information into a BGP peer's routing tables. A special case of peer spoofing, called a reset attack, involves inserting TCP RESET messages into an ongoing session between two BGP peers. Examples of countermeasures against peer spoofing and TCP resets include using strong sequence number randomization and TTL hack. In a denial-of-service attack via resource exhaustion, routers use a large amount of storage for path prefixes. These resources are exhausted if updates are received too rapidly or if there are too many path prefixes to store due to malicious prefixes. Examples of countermeasures against denial-of-service via resource exhaustion attacks include using rate limit synchronization processing, increasing queue length, route filtering, and TTL hack. In a session hijacking attack, the attack is designed to achieve more than simply bringing down a session between BGP peers. The objective is to change routes used by the peer, to facilitate eavesdropping, blackholing, or traffic analysis. Examples of countermeasures against session hijacking attacks include using strong sequence number randomization, IPsec authentication, and TTL hack.

What is an effective security control over an intranet? a. Callback b. Static passwords c. Firewalls d. Dynamic passwords

c. Because intranets connect between customers, suppliers, and the organization, access to information is a vital concern. Firewalls and routers keep intruders out of the intranets. A callback is incorrect because it is a security mechanism used mostly on mainframe and midrange computers. The static passwords are incorrect because they are not changed often, and as such, they are ineffective security controls. The dynamic passwords are not correct because they change each time a user is logged on to the system and are most effective security controls. All the other three choices are incorrect because they are most widely used in a mainframe computer environment. They are not used for intranets.

For network data analysis, remote access servers (RAS) do not do which of the following? a. Connect external systems to internal systems b. Connect internal systems to external systems c. Record application-specific data d. Provide packet-filtering functions

c. Because the remote access servers (RASs) have no understanding of the application's functions, they usually do not record any application-specific data. The other three choices are proper functions of RAS. The RASs are devices such as VPN gateways and modem servers that facilitate connections between networks. This often involves external systems connecting to internal systems through the RAS but could also include internal systems connecting to external or internal systems. Some RASs also provide packet-filtering functions; this typically involves logging similar to that for firewalls and routers.

Which of the following configurations for private servers hosting instant messaging (IM) data can lead to man-in-the middle (MitM) attack when it is not installed, installed incorrectly, or implemented improperly? a. Enclave perimeter b. Demilitarized zone c. Encrypted communication channel d. Server services

c. Client-to-server architecture protects data by storing it on private servers as opposed to client computers or public servers. Private servers hosting instant messaging (IM) data will be configured with a network infrastructure that protects the servers from unauthorized access using an enclave perimeter with a firewall, a demilitarized zone (DMZ) for a gateway server, encryption for communication channel, and server services. Using protocols that do not encrypt network traffic can easily be hijacked, resulting in the man-in-the-middle (MitM) attack. The IM server services provide activities such as user registration, authentication, account management, logging, and software downloads for users. Those services not required for operation should be disabled to prevent the potential risk of attack on those services.

Commonly used protocols for audio and video communications include which of the following? 1. H.323 protocols 2. Session Initiation Protocol (SIP) 3. Internet relay chat (IRC) protocol 4. Wired Equivalent Privacy (WEP) protocol a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

c. Commonly used protocols for audio and video communications include H.323 and SIP. H.323 is a suite of different protocols. Technologies such as voice over IP (VoIP) permit people to conduct telephone conversations over networks such as the Internet. Video technologies can be used to hold teleconferences or have "video phone" communications between two individuals. The most popular group chat protocol, IRC is a standard protocol that uses relatively simple text-based communications. IRC also provides a mechanism for users to send and receive files. WEP is a security protocol that encrypts data sent to and from wireless devices within a network. WEP is not as strong as Wi-Fi protected access (WPA) protocol.

Which of the following is an example of connectionless data communications? a. X.25 b. TCP c. Ethernet d. WAN

c. Connectionless data communications does not require that a connection be established before data can be sent or exchanged. X.25, TCP, and WAN are examples of connectionoriented data communications that requires that a connection first be established.

For active attacks on hardware/software guards, which of the following are countermeasures against modification of data in transit? 1. Timestamps 2. Sequence numbers 3. Digital signatures 4. Keyed hash integrity checks a. 1 and 2 b. 1 and 3 c. 3 and 4 d. 1, 2, 3, and 4

c. Countermeasures against modification of data in transit include the use of digital signatures or keyed hash integrity checks to detect unauthorized modification to the data in transit. E-mail, real-time messaging, and file transfers are all susceptible to interception and modification while in transit. Timestamps and sequence numbers are examples of countermeasures against active attacks such as the insertion of data or reinsertion of previous messages.

In a distributed computing environment, system security takes on an important role. Two types of network attacks exist: passive and active attacks. Which of the following is the best definition of active attack? 1. Nonpreventable 2. Preventable 3. Detectable 4. Correctable a. 1 only b. 3 only c. 1 and 3 d. 2, 3, and 4

c. Data communication channels are often insecure, subjecting messages transmitted over the channels to passive and active threats or attacks. An active attack is where the threat makes an overt change or modification to the system in an attempt to take advantage of vulnerability. Active attacks are nonpreventable and detectable. A passive attack occurs when the threat merely watches information move across the system and when information is siphoned off the network. Passive attacks are preventable but difficult to detect because no modification is done to the information, and audit trails do not exist. All attacks are correctable with varying degrees of effort and cost.

All the following are best practice protection approaches for domain name system (DNS) software except: a. Running name server software with restricted privileges b. Isolating name server software c. Developing the zone file integrity checker software d. Removing name server software from nondesignated hosts

c. Developing the zone file integrity checker software is a DNS data content control protection approach, not a DNS software protection approach. The other three choices are incorrect because they are examples of DNS software protection approaches.

All the following are countermeasures against software distribution attacks on software guards except: a. Conducting third-party testing and evaluations b. Complying with Common Criteria Guidelines c. Reviewing audit logs d. Implementing high-assurance configuration controls

c. Distribution attacks can occur anytime during the transfer of a guard's software or hardware. The software or hardware could be modified during development or before production. The software is also susceptible to malicious modification during production or distribution. Audit log is a countermeasure against insider attacks on hardware/software guards such as modification of data by insiders. Audit logs need to be generated and diligent reviews must be conducted in a timely manner. Countermeasures protecting the software guards include implementing strong software development processes, performing continuous risk management, conducting third-party testing and evaluation of software, following trusted product evaluation program and Common Criteria guidelines, high-assurance configuration control, cryptographic signatures over tested software products, use of tamper detection technologies during packaging, use of authorized couriers and approved carriers, and use of blind-buy techniques.

A user datagram protocol (UDP) packet is associated with which of the following when sending domain name system (DNS) queries? 1. Truncation 2. Little or no truncation 3. Higher overhead 4. Lower overhead a. 1 only b. 4 only c. 1 and 4 d. 2 and 3

c. Domain name system (DNS) queries are sent in a single UDP packet. The response usually is a single UDP packet as well, but data size may result in truncation. UDP consumes lower overhead of resources. On the other hand, TCP packet results in little or no truncation but consumes higher overhead of resources.

Sources of legal rights and obligations for privacy over electronic mail do not include which of the following? a. Law of the country b. Employer practices c. Employee practices d. Employer policies

c. E-mail networks function as decentralized systems. Independent, unconnected systems at multiple locations are decentralized. An electronic message flows through the system, going from one machine to another. Eventually the message reaches the correct machine and is placed in the targeted person's e-mail box. Because e-mail crosses many state and national boundaries and even continents, it is advised to review the principal sources of legal rights and obligations. These sources include the law of the country and employer policies and practices. Employee practices have no effect on the legal rights and obligations.

Which of the following are the primary security goals of a domain name system (DNS)? 1. Source authentication 2. Confidentiality 3. Integrity 4. Availability a. 1 and 2 b. 2 and 3 c. 1 and 3 d. 3 and 4

c. Ensuring information authenticity and maintaining information integrity in transit is critical for efficient functioning of the Internet, for which DNS provides the name resolution service. Hence, integrity and source authentication are the primary DNS security goals. Confidentiality is not one of the security goals of DNS, and availability is a secondary security goal.

Regarding Voice over Internet Protocol (VoIP), packets loss is not resulting from which of the following? a. Latency b. Jitter c. Speed d. Bandwidth congestion

c. Every facet of network traversal must be completed quickly in VoIP, so speed is not an issue. The other three choices can cause packet loss. The latency often associated with tasks in data networks will not be tolerated. Jitters are caused by low-bandwidth situations, leading to bandwidth congestion.

All the following services and application traffic should always be blocked inbound by a firewall except: a. RPC b. NFS c. FTP d. SNMP

c. File transfer protocol (FTP) should be restricted to specific systems using strong authentication. Services such as remote procedure call (RPC), network file sharing (NFS), and simple network management protocol (SNMP) should always be blocked.

For network data analysis, a host computer can be identified by which of the following? a. Analyzing physical components b. Reviewing logical aspects c. Mapping an IP address to the MAC address of a NIC d. Mapping multiple IP addresses

c. For events within a network, an analyst can map an Internet protocol (IP) address (i.e., logical identifiers at the IP layer) to the media access control/medium access control (MAC) address of a particular network interface card (NIC) (i.e., physical identifier at the physical layer), thereby identifying a host of interest. Analyzing physical components and reviewing logical aspects are a partial approach. Mapping multiple IP addresses does not identify a host.

What is the most frequent source of local-area network (LAN) hardware failures? a. Repeater b. Server disk drives c. Network cabling d. Server software

c. Hardware failures are grouped as follows: network cabling (60 to 80 percent), repeater (10 to 20 percent), and server disk drive (10 to 20 percent). Cables should be tested before their first use, rather than after a problem surfaces. Testing an installed cable is a tedious job, particularly when there are many network connections (drops) and the organization is large. Failures result when electrical conductors either break open, short together, or are exposed to electromagnetic forces. Failures are also caused when cables are poorly routed. Cabling, unlike other computer equipment, is not protected from heat, electrical charges, physical abuse, or damage. Repeaters, server disk drives, and server software are incorrect. A repeater repeats data packets or electrical signals between cable segments. It receives a message and then retransmits it, regenerating the signal at its original strength. Server disk drives and server software are comparatively safe and trouble-free devices compared with cabling.

Which of the following is not used in creating static Web documents? a. Hypertext markup language (HTML) b. Joint photographic experts group (JPEG) c. Hypertext preprocessor (PHP) d. Extensible style language (XSL)

c. Hypertext preprocessor (PHP) is used in creating a dynamic Web document along with JavaScript and Active X controls. Static Web documents (pages) are written in HTML, XHTML, ASCII, JPEG, XML, and XSL.

Which of the following technologies enables phone calls and facsimile transmissions to be routed over the same network used for data? a. File transfer protocol b. Content streaming c. Voice over Internet Protocol d. Instant messaging

c. In a Voice over Internet Protocol (VoIP) technology, voice and data are combined in the same network. The other three choices cannot combine voice and data. File transfer protocol (FTP) is used to copy files from one computer to another. Content streaming is a method for playing continuous pictures and voice from multimedia files over the Internet. It enables users to browse large files in real time. Instant messaging (IM) technology provides a way to send quick notes or text messages from PC to PC over the Internet, so two people who are online at the same time can communicate instantly.

In electronic auctions, which of the following auction models has a minimal security mechanism that can lead to security breaches and fraud? a. Business-to-business (B2B) b. Government-to-business (G2B) c. Consumer-to-consumer (C2C) d. Consumer-to-business (C2B)

c. In the consumer-to-consumer (C2C) electronic auction model, consumers buy and sell goods with other consumers through auction sites. The C2C auction model has minimal security mechanism (i.e., no encryption and possibility of fraud in shipping defective products). The B2B, G2B, and C2B auction models are reasonably secure due to the use of private telephone lines (leased lines) and encryption.

All the following are work elements of penetration testing of security controls except: a. Pretest analysis of the target system b. Pretest identification of potential vulnerabilities c. Independent verification and validation of vulnerabilities d. Systematic determination of exploitability of identified vulnerabilities

c. Independent verification and validation of vulnerabilities is a form of security assurance testing, not the work element of security penetration testing. The other three choices are work elements of the penetration testing.

Information systems security testing is a part of which of the following? a. Directive controls b. Preventive controls c. Detective controls d. Corrective controls

c. Information systems security testing is a part of detective controls because it includes vulnerability scanners, penetration tests, and war dialing. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Directive controls are broad-based controls to handle security incidents, and they include management's policies, procedures, and directives. Preventive controls deter security incidents from happening in the first place. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation because they rely more on human judgment.

Which of the following enhances an instant messaging (IM) authentication process? a. Active directory service b. Lightweight directory access protocol c. Two-factor authentication d. Role-based access permissions

c. Instant messaging (IM) systems authenticate users for communication by linking user accounts to directory services (i.e., Active Directory and Lightweight Directory Access Protocol, LDAP) to associate with valid accounts and provide role-based access permissions. IM authentication could be enhanced using two-factor authentication because it is more secure. Two-factor authentication identifies users using two distinctive factors such as something they have (e.g., token or smart card), something they know (e.g., password or PIN), or something they are (e.g., a biometric sample). Requiring two forms of electronic identification reduces the risk of fraud.

A primary firewall has been compromised. What is the correct sequence of action steps to be followed by a firewall administrator? 1. Deploy the secondary firewall. 2. Bring down the primary firewall. 3. Restore the primary firewall. 4. Reconfigure the primary firewall. a. 1, 2, 3, and 4 b. 2, 3, 4, and 1 c. 2, 1, 4, and 3 d. 4, 1, 2, and 3

c. Internal computer systems should not be connected to the Internet without a firewall. There should be at least two firewalls in place: primary and secondary. First, the attacked (primary) firewall should be brought down to contain the damage (i.e., damage control), and the backup (secondary) firewall should be deployed immediately. After the primary firewall is reconfigured, it must be brought back or restored to an operational state. You should not deploy the secondary firewall first until the primary firewall is completely brought down to contain the risk due to its compromised state and to reduce the further damage. The elapsed time between these two actions can be very small.

Which of the following protocols are the most likely to be spoofed? 1. ICMP 2. UDP 3. TCP 4. Ethernet a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

c. Internet control message protocol (ICMP) and user datagram protocol (UDP) are connectionless protocols, thus most likely to be spoofed. Transmission control protocol (TCP) and Ethernet are incorrect because they are connection-oriented protocols, thus least likely to be spoofed. Many attacks use spoofed IP addresses. Spoofing is far more difficult to perform successfully for attacks that require connections to be established because the attacker needs an insight into sequence numbers and connection status.

Internet control message protocol (ICMP) is a part of which of the following TCP/IP layers? a. Applications layer b. Transport layer c. Network layer d. Data link layer

c. Internet control message protocol (ICMP) is a part of the network layer, along with IP, RAS, and IGMP. The network layer routes packets across networks. The application layer is incorrect because it sends and receives data for particular applications. The transport layer is incorrect because it provides connection-oriented or connectionless services for transporting application layer services between networks. The data link layer is incorrect because it handles communications on the physical network components.

Most electronic commerce server applications use which of the following? a. One-tier architecture b. Two-tier architecture c. Three-tier architecture d. Four-tier architecture

c. Most electronic commerce applications use the three-tier architecture, representing three different classes of computers. The user tier consists of computers that have browsers that request and process Web pages. The server tier consists of computers that run Web servers and process application programs. The database tier consists of computers that run a database management system (DBMS) that process structured query language (SQL) requests to retrieve and store data.

Which of the following is not used to accomplish network address translation (NAT)? a. Static network address translation b. Hiding network address translation c. Dynamic network address translation d. Port address translation

c. Network address translation (NAT) is accomplished in three schemes: (i) In a static network address translation, each internal system on the private network has a corresponding external, routable IP address associated with it. (ii) With hiding network address translation, all systems behind a firewall share the same external, routable IP address. (iii) In a port address translation (PAT) schema, the implementation is similar to hiding network address translation, with two primary differences. First, port address translation is not required to use the IP address of the external firewall interface for all network traffic. Second, with port address translation, it is possible to place resources behind a firewall system and still make them selectively accessible to external users.

A network-based intrusion detection system (IDS) does not do or contain which of the following? a. Perform packet sniffing b. Analyze network traffic c. Possess correction capabilities d. Possess prevention capabilities

c. Network-based intrusion detection systems (IDS) perform packet filtering and analyze network traffic to identify suspicious activity and record relevant information such as type of attack (e.g., buffer overflow), the targeted vulnerability, the apparent success or failure of the attack, and the pointers to more information on the attack. Some IDSs also have intrusion prevention capabilities, not correction capabilities.

As the packet filtering rules become more complex, they can lead to which of the following? a. Authentication errors b. Cryptographic errors c. Configuration errors d. Performance errors

c. One caveat in the packet filter is that the more complex the packet filtering rules become, the more likely it is that a configuration error may occur, which could permit traffic to traverse networks without sufficient controls.

Which of the following is not susceptible to electronic interferences? a. Twisted-pair wire b. Coaxial cable c. Fiber-optical cable d. Copper-based cable wire

c. Optical fiber is relatively secured, expensive, and is not susceptible to electronic interferences. The other three choices are subject to such interferences with varying degrees.

Countermeasures against sniffers do not include which of the following? a. Using recent version of secure shell protocol. b. Applying end-to-end encryption. c. Using packet filters. d. Implementing robust authentication techniques.

c. Packet filters are good against flooding attacks. Using either recent version of secure shell (e.g., SSHv2) or IPsec protocol, using end-to-end encryption, and implementing robust authentication techniques are effective against sniffing attacks.

Packet sniffers are commonly used to capture network traffic data for which of the following purposes? 1. Troubleshooting purposes 2. Investigative purposes 3. Marketing purposes 4. Strategic purposes a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

c. Packet sniffers are designed to monitor network traffic on wired or wireless networks and capture packets. Packet sniffers are commonly used to capture a particular type of traffic for troubleshooting (operational) or investigative (legal) purposes, which are technical purposes. For example, if IDS alerts indicate unusual network activity between two hosts, a packet sniffer could record all the packets between the hosts, potentially providing additional information for analysts. The marketing and strategic purposes are not relevant here because the question refers to the operational and legal purposes.

Which of the following cannot provide effective security at the endpoints of a network? a. Antimalware software b. Personal firewalls c. Strong password policies d. Host-based intrusion detection and prevention system

c. Password policies, even if they are strong, are difficult to implement and enforce at the personal computer and workstation levels due to unpredictable behavior of end users. If password policies are implemented incorrectly or used poorly, an attacker can undermine the best security configuration. The other three choices provide effective security at the endpoints of a network because they are technical security controls and do not deal with end users.

Which of the following might be unsuccessful at identifying infected hosts running personal firewalls? a. Network login scripts b. Packet sniffers c. Host scans d. File scans

c. Personal firewalls can block the host scans, therefore making it unsuccessful in identifying the infected hosts. The other three choices are incorrect because they all can help to identify the possible infection on those hosts.

Which of the following models is used for formally specifying and verifying protocols? a. Protocol converter b. Protocol tunneling c. Petri net model d. Seeding model

c. Petri net model is used for formally specifying and verifying protocols. Petri nets are a graphical technique used to model relevant aspects of the system behavior and to assess and improve safety and operational requirements through analysis and redesign. The other three choices do not deal with formally specifying and verifying protocols. A protocol converter is a device that changes one type of coded data to another type of coded data for computer processing. Protocol tunneling is a method to ensure confidentiality and integrity of data transmitted over the Internet. A seeding model is used to indicate software reliability in terms of error detection power of a set of test cases.

Which of the following is not an example of centralized authentication protocols? a. RADIUS b. TACACS c. SSO d. DIAMETER

c. RADIUS, TACACS, and DIAMETER are examples of centralized authentication protocols to improve remote access security. Centralized authentication servers are flexible, inexpensive, and easy to implement. Single sign-on (SSO) is an example of decentralized or distributed access control methodologies along with Kerberos, SESAME, security domains, and thin-client systems. SSO means the user is not prompted to enter additional authentication information for the session after the initial log-on is successfully completed.

The penetration testing of security controls does not focus on which of the following? a. Technical controls b. Physical controls c. Management controls d. Procedural controls

c. Security controls are of three types: management, technical, and operational. Physical controls and procedural controls are part of operational controls. Penetration testing does not focus on management controls, such as policies and directives. Instead, it focuses on technical and operational controls dealing with ports, protocols, system services, and devices.

The Internet Protocol version 6 (IPv6) is not related to which of the following? a. Session-less protocols b. Datagram-based protocols c. Session initiation protocol (SIP) d. Simple Internet Protocol Plus (SIPP)

c. Session initiation protocol (SIP) is a text-based protocol, like simple mail transfer protocol (SMTP) and hypertext transfer protocol (HTTP), for initiating interactive communication sessions between users. Such sessions include voice, video, data, instant messaging, chat, interactive games, and virtual reality. SIP is the protocol used to set up conferencing, telephony, multimedia, and other types of communication sessions on the Internet. SIP has nothing to do with and is not related to the Internet Protocol version 6 (IPv6). Both the IPv4 and IPv6 are session-less and datagram-based protocols. The IPv6 security features include encryption, user authentication, end-to-end secure transmission, privacy, and automatic network configuration (automatically assigning IP addresses to hosts). IPv6 also handles real-time and delay-sensitive traffic. IPv6 runs on high-speed networks, those using asynchronous transfer mode (ATM) and wireless networks. Simple Internet Protocol Plus (SIPP) is used in IPv6.

Countermeasures against Internet Protocol (IP) address spoofing attacks do not include which of the following? a. Using firewalls b. Disabling active-content c. Using smart tokens d. Using timestamps

c. Smart tokens are part of robust authentication techniques to authenticate a user accessing a computer system. IP address spoofing is using various techniques to subvert IP-based access control by masquerading as another system by using their IP address. Countermeasures include (i) using firewalls, (ii) disabling active-content code (e.g., Active-X and JavaScript) from the Web browser, and (iii) using timestamps. Access control lists (ACLs) can also be used to block inbound traffic with source addresses matching the internal addresses of the target network.

For instant messaging (IM) systems, a virtual (remote) meeting moderator should configure which of the following properly to prevent potential exploits? a. Grant access based on need-to-know principle. b. Implement role-based access controls. c. Use application sharing capability. d. Require a password to attend the meeting.

c. Some instant messaging (IM) systems enable two or more online users to communicate immediately over a network using shared applications (virtual meetings), presentations, white boards, and text messaging. Virtual meetings must have user access controls and virtual data classifications, and be restricted to authorized users only. Virtual users will be granted access based on the need-to-know principle established by the information owner and enforced by role-based access controls, and required by a password to participate in the meeting. Application sharing allows the virtual meeting participants to simultaneously run the same application with the same capability as remote control software. To limit this capability of application sharing and to prevent potential exploits, the meeting moderator should configure the application identifying so that users can use the application sharing feature.

The Internet Control Message Protocol (ICMP) does not do or does not have which of the following? 1. Respond 2. Ports 3. Message types 4. Message codes a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

c. The Internet Control Message Protocol (ICMP) does not have ports and most ICMP messages are not intended to elicit a response. ICMP has message types, which indicate the purpose of each ICMP message. Some message types also have message codes, which can be thought of as subtypes.

Which of the following can be either an internal network or an external network? a. Internet b. Local-area network c. Virtual private network d. Wide-area network

c. The Internet is an example of external network. Local-area network (LAN), campus-area network (CAN), wide-area network (WAN), intranet, and extranet are examples of internal networks. The virtual private network (VPN) can be either an internal network or external network. The VPN is considered an internal network only if the end user organization establishes the VPN connection between organization-controlled endpoints and does not depend on any external network to protect the confidentiality and integrity of information transmitted across the network. In other words, the VPN is considered an internal network only when it is adequately equipped with appropriate security controls by the end user organization, and no external organization exercises control over the VPN.

For network data analysis, which of the following is difficult when trying to identify and validate the identity of a suspicious host involving the Internet Protocol (IP) address spoofing? a. Contact the IP address owner. b. Research the history of the IP address. c. Seek the assistance of Internet service provider. d. Look for clues in application content.

c. The Internet service provider's (ISP's) assistance is needed when traffic passes through several ISPs. ISPs generally require a court order before providing any information to an organization on suspicious network activity. The other three choices are incorrect because they are examples of other possible ways of attempting to validate the identity of a suspicious host. A WHOIS query mechanism can identify the organization or person that owns a particular IP address. Multiple IP addresses generating suspicious activity could have been registered to the same owner. Analysts can look for previous suspicious activity associated with the same IP address or IP address block. Internet search engines and online incident databases can be useful. Application data packets related to an attack may contain clues to the attacker's identity. Besides IP addresses, other valuable information could include an e-mail address or an Internet relay chat (IRC) nickname.

Which of the following does not provide confidentiality protection for Web services? a. Extensible markup language (XML) encryption b. Web services security (WS-Security) c. Advanced encryption standard (AES) d. Hypertext transfer protocol secure (HTTPS)

c. The advanced encryption standard (AES) does not provide confidentiality protection for Web services. However, the AES is used for securing sensitive but unclassified information. The other three choices provide confidentiality protection for Web services because most Web service data is stored in the form of extensible markup language (XML). Using XML encryption before storing data should provide confidentiality protection while maintaining compatibility. Web services security (WS-Security) and HTTPS are generally used to protect confidentiality of simple object access protocol (SOAP) messages in transit, leaving data at rest vulnerable to attacks.

Which of the following ISO/OSI layers provide both confidentiality and data integrity services? a. Data link layer b. Physical layer c. Application layer d. Presentation layer

c. The application layer is the only layer listed in the question that proves both confidentiality and data integrity services. The application layer provides services directly to users such as file transfer protocols. It consists of query software where a person could request a piece of information and the system display the answer. The data link layer and physical layer are incorrect because they provide confidentiality service only, not data integrity. The data link layer provides a reliable transfer of data across physical links, error flow control, link-level encryption and decryption, and synchronization. It handles the physical transmission of frames over a single data link. The physical layer provides for the transmission of unstructured bit streams over the communications channel. The presentation layer is incorrect because it provides authentication and confidentiality services but not data integrity and confidentiality. The presentation layer defines and transforms the format of data to make it useful to the receiving application.

For active attacks on hardware/software guards, which of the following are countermeasures against manipulation of data on the private network? 1. Encryption algorithms 2. Key management processes 3. Cryptographic authentication 4. Data-separation methods a. 1 and 2 b. 1 and 3 c. 3 and 4 d. 1, 2, 3, and 4

c. The appropriate countermeasure against manipulation of data on the private network is to permit only authorized users to access the data, through file transfers, on the private network using cryptographic authentication and data separation techniques. Encryption algorithms and key management processes are countermeasures against active attacks such as decrypting weakly encrypted traffic.

What is an attacker connecting a covert computer terminal to a data communication line between the authorized terminal and the computer called? a. Tunneling attack b. Salami attack c. Session hijacking attack d. Asynchronous attack

c. The attacker waits until the authorized terminal is online but not in use and then switches control to the covert terminal. The computer thinks it is still connected to the authorized user, and the attacker has access to the same files as the authorized user. Because a session was hijacked in the middle, it is called a session hijacking attack. A tunneling attack is incorrect because it uses one data transfer method to carry data for another method. A salami attack is incorrect because it is an automated form of abuse using the Trojan horse method or secretly executing an unauthorized program that causes the unnoticed or immaterial debiting of small amounts of financial assets from a large number of sources or accounts. An asynchronous attack is incorrect because it takes advantage of the asynchronous functioning of a computer operating system. This may include a programmer (i) penetrating the job queue and modifying the data waiting to be processed or printed or (ii) disrupting the entire system by changing commands so that data is lost or programs crash.

Security problems associated with network device passwords, network devices (e.g., routers and switches), and managing access points (APs) configuration in a legacy wireless local-area network (WLAN) environment require which of the following security controls to solve all these security problems? a. Switch Telnet to SSH b. Switch HTTP to HTTPS c. Switch SNMP to SNMPv3 d. Switch FTP to SFTP

c. The basic simple network management protocol (SNMP) should be switched to SNMP version 3 (SNMPv3) because the latter provides strong security feature enhancements to basic SNMP, including encryption and message authentication and therefore should be used. The earlier versions of SNMP, SNMPv1, and SNMPv2 should not be used because they are fundamentally insecure because they support only trivial authentication based on default plaintext community strings. SNMP version 3 handles all the security problems listed in the question. The other three choices mostly solve the password-related security problem after the protocol switch is made but do not solve all the other security problems listed. That is, Telnet should be switched to secure shell (SSH), HTTP should be switched to HTTPS using TLS, and FTP should be switched to secure FTP (SFTP).

Which of the following is the best backup strategy for firewalls? a. Incremental backup b. Centralized backup c. Day Zero backup d. Differential backup

c. The conduct and maintenance of backups are key points to any firewall administration policy. It is critical that all firewalls are subject to a Day Zero backup (full backup), i.e., all firewalls should be backed up immediately prior to production release. As a general principle, all firewall backups should be full backups, and there is no need for incremental, centralized, or differential backups because the latter are less than full backups.

Which of the following is the long-term solution as a core cryptographic algorithm for the wireless local-area network (WLAN) using the IEEE 802.11i standard to ensure a robust security network (RSN)? a. Wired equivalent privacy (WEP) b. Temporal key integrity protocol (TKIP) c. Counter mode with cipher block chaining message authentication code protocol (CCMP) d. Wi-Fi protected access 2 (WPA2)

c. The counter mode with cipher block chaining message authentication code protocol (CCMP) is considered the long-term solution for IEEE 802.11 WLANs because it requires hardware updates and replaces pre-RSN equipment. Of all the four choices, only CCMP uses the advanced encryption standard (AES) as the core cryptographic algorithm. For legacy IEEE 802.11 equipment that does not provide CCMP, IPsec VPN can be used as auxiliary security protection. WEP is an original standard as a data confidentiality and integrity protocol with several security problems. Later, WPA2 was designed as the interim solution as an upgrade to existing WEP-enabled equipment to provide a higher level of security, primarily through the use of TKIP and MIC (message integrity code). TKIP is intended as an interim solution along with WEP and WPA2. TKIP can be implemented through software updates and does not require hardware replacement of access points and stations.

Which of the following extensible authentication protocol (EAP) methods does not fully satisfy the security requirements for a robust security network (RSN) such as wireless local-area network (WLAN) using the IEEE 802.11i standard? a. EAP transport layer security (EAP-TLS) b. EAP tunneled TLS (EAP-TTLS) c. EAP flexible authentication via secure tunneling (EAP-FAST) d. Protected EAP (PEAP)

c. The extensible authentication protocol (EAP) provides the authentication framework for IEEE 802.11 RSNs that use IEEE 802.11X port-based access control. The EAP provides mutual authentication between an access point (AP), a station (STA), and an authentication server (AS). EAP-FAST is especially suitable for unsophisticated devices (e.g., household appliances, vending machines, and other small devices not connected to WLANs) that might not have the computing power to perform TLS handshakes, and as such its security is limited for robust WLANs. The other three EAP methods are secure. It is important that organizations should select the EAP methods based on a risk assessment of the target environment.

Which of the following is the most important feature when evaluating Internet Protocol security (IPsec) client software for hosts? a. Encryption b. Authentication c. Split tunneling d. Compression

c. The most important Internet Protocol security (IPsec) client software feature is the capability to prevent split tunneling. Split tunneling occurs when an IPsec client on an external network is not configured to send all its traffic to the organization's IPsec gateway. Requests with a destination on the organization's network are sent to the IPsec gateway, and all other requests are sent directly to their destination without going through the IPsec tunnel. Prohibiting split tunneling can limit the potential impact of a compromise by preventing the attacker from taking advantage of the IPsec connection to enter the organization's network; the attacker could connect only to the compromised system when it is not using IPsec. Hosts should be configured so that only the network interface used for IPsec is enabled when IPsec is in use. Encryption, authentication, and compression are important features but not as important as the split tunneling, due to the risk it poses.

Which of the following functions of the Internet Control Message Protocol (ICMP) of TCP/IP model cause a buffer overflow on the target machine? a. Detecting unreachable destinations b. Redirecting messages c. Checking remote hosts d. Controlling traffic flow

c. The ping command is used to send an Internet Control Message Protocol (ICMP) echo message for checking the status of a remote host. When large amounts of these messages are received from an intruder, they can cause a buffer overflow on the target host machine, resulting in a system reboot or total system crash. This is because the recipient host cannot handle the unexpected data and size in the packet, thereby possibly triggering a buffer overflow condition. The other three choices do not cause a buffer overflow on the target machine.

Which of the following is not a solution to the network congestion problems in terms of increasing the system resources? a. Splitting traffic over multiple routes b. Having spare routers available online c. Having users schedule their work at nonpeak times d. Increasing the transmission power for satellite systems

c. The presence of network congestion problems means that the network load is temporarily greater than the system resources can handle. Solutions include either increasing the system resources or decreasing the network load. Having users schedule their work at nonpeak times is a solution to decrease the network load, which may not go well with the good principles of customer service. The other three choices are solutions to increase the system resources.

The screened subnet firewall acts as which of the following? a. Fast packet network b. Digital network c. Perimeter network d. Broadband network

c. The screened subnet firewall acts as a perimeter network. If there is an attack on the firewall, the attacker is restricted to the perimeter (external) network and therefore is not attacking the internal network.

Storing and hosting data on which of the following instant messaging (IM) architectures increases the risk of information theft, unauthorized access, and data tampering? 1. Private hosting 2. Public hosting 3. Client-to-client 4. Public-switched network a. 1 and 2 b. 1 and 4 c. 2 and 3 d. 3 and 4

c. There are four possible architectural designs for IM systems: private hosting, public hosting, client-to-client, and public-switched network. The difference between the four architectures is the location of the session data. In the private hosting design (i.e., client-to-server), the data is located behind a firewall for internal users, which is safe and secure. In public hosting design, the data is placed on public servers out on the Internet, which is vulnerable to attacks. Two types of client-to-client (peer-to-peer) designs include pure and hybrid, which should be prohibited because they bypass the security and auditing policies within the enclave. Because the data in public-switched network is not stored on a server, store and forward is not a security issue. However, data in transit is vulnerable to man-in-the-middle (MitM) attacks between the source and destination. The Internet has private global switched networks that deliver IM communications where data is not persistently stored on servers. In other words, the public-switched network is secure in terms of data storage on its servers. It is the data stored on public servers and client-to-client that increases the risk of information theft, unauthorized access, and data tampering. To protect the IM data, IM systems should implement client-toserver architecture (i.e., private hosting).

Which of the following Internet Protocol security (IPsec) components is compatible with network address translation (NAT) implementations? a. AH tunnel mode b. ESP transport mode c. ESP tunnel mode d. AH transport mode

c. There are known incompatibilities between IPsec and NAT because NAT modifies the IP addresses in the packet, which directly violates the packet integrity-assurance provided by IPsec. In tunnel mode, ESP can provide encryption and integrity protection for an encapsulated IP packet and authentication of the ESP header. Therefore, ESP tunnel mode can be compatible with NAT. However, protocols with embedded addresses (e.g., FTP, IRC, and SIP) can present additional complications. The AH tunnel mode and the AH transport mode are incorrect because AH is not compatible with NAT implementations. This is because AH includes source and destination IP addresses in its integrity protection calculations. The ESP transport mode is incorrect because it is not compatible with NAT. In transport mode, ESP can provide encryption and integrity protection for the payload of an IP packet and integrity protection for the ESP header.

Which of the following is the true purpose of "ping" in cellular wireless technologies? a. The pinging tells the filters on the network. b. The pinging tells the frequencies of the network. c. The pinging tells the location of a phone user. d. The pinging tells the troubles on the network.

c. To monitor the state of the network and to respond quickly when calls are made, the main cellular controlling switch periodically "pings" all cellular telephones. This pinging lets the switch know which users are in the area and where in the network the telephone is located. This information can be used to give a rough idea of the location of the phone user to help catch the fraud perpetrator. Vehicle location service is an application of the ping technology. The other three choices are not true.

Which of the following supports the secure sockets layer (SSL) to perform client-toserver authentication process? a. Application layer security protocol b. Session layer security protocol c. Transport layer security protocol d. Presentation layer security protocol

c. Transport layer security (TLS) protocol supports the SSL to perform client-to-server authentication process. The TLS protocol enables client/server application to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The TLS protocol provides communication privacy and data integrity over the Internet.

Data link layer VPN protocols such as the Cisco Layer 2 Forwarding (L2F) do not provide which of the following services? a. RADIUS b. TACACS+ c. Encryption d. Protects the traffic between the ISP and the organization

c. Unlike PPTP and L2TP, L2F is intended for use between network devices, such as an ISP's network access server and an organization's VPN gateway. Like L2TP, L2F can use authentication protocols such as RADIUS and TACACS+. However, L2F does not support encryption.

The Internet Protocol security (IPsec) is usually implemented in which of the following? a. Bridge b. Gateway c. Firewall d. Backbone

c. Usually, Internet Protocol security (IPsec) is implemented on a firewall for VPNs. The IPsec in tunnel mode, not in transport mode, encrypts and encapsulates IP packets, so outsiders cannot observe the true source and destinations. VPNs enable a trusted network to communicate with another network over untrusted networks such as the Internet. A policy is needed for use of firewalls with VPNs. Any connection between firewalls over public networks should use encrypted VPNs to ensure the privacy and integrity of the data passing over the public network. Bridges, gateways, and backbones do not have the access control mechanism as the firewall.

Which of the following statements is not true about wireless local-area networks (WLANs)? a. Wireless LANs will not replace wired LANs. b. Wireless LANs will augment the wired LANs. c. Wireless LANs will substantially eliminate cabling. d. Wireless LANs will serve as a direct replacement for the wired LANs.

c. Wireless LANs augment and do not replace wired LANs. In some cases, wireless LANs serve as a direct replacement for the wired LANs when starting from scratch. In most cases, a wireless LAN complements a wired LAN and does not replace it. Due to poor performance and high-cost reasons, wireless LANs do not take over the wired LANs. Wireless LANs do not substantially eliminate cabling because bridges rely on cabling for interconnection. Wireless LANs provide unique advantages such as fast and easy installation, a high degree of user mobility, and equipment portability.

Most common attacks against wireless technologies include which of the following? a. Spamming and loss of availability b. Spoofing and loss of integrity c. Eavesdropping and loss of confidentiality d. Cracking and loss of authenticity

c. Wireless technologies invite privacy and fraud violations more easily than wired technologies due to their broadcast nature. The privacy implications of widespread use of mobile wireless technologies are potentially serious for both individuals and businesses. There will be a continuing need to guard against eavesdropping and breaches of confidentiality, as hackers and scanners develop ways to listen in and track wireless communications devices. For example, wired equivalent privacy (WEP) protocol can be attacked, and Wi-Fi protected access (WPA) and its version 2 (WPA2) can be attacked using rainbow tables. Attacks mentioned in the other three choices are not that common, but they do happen.

Which of the following protocols provides cellular/mobile wireless security? a. WSP b. WTP c. WTLS d. WDP

c. Wireless transport layer security (WTLS) is a communications protocol that enables cellular/mobile phones to send and receive encrypted information over the Internet, thus providing wireless security. Wireless session protocol (WSP), wireless transaction protocol (WTP), WTLS, and wireless datagram protocol (WDP) are part of wireless access protocol (WAP). WAP is an Internet protocol that defines the way in which cell phones and similar devices can access the Internet.

In a domain name system (DNS) environment, who is responsible for the configuration and operation of the name servers? a. Security administrators b. System administrators c. Zone administrators d. Database administrators

c. Zone administrators are also called DNS administrators, and they are responsible for the configuration and operation of the name servers.

What is the best way to handle bot attacks in an organization? a. Install antivirus software. b. Install antispyware software. c. Update software with patches. d. Develop and train a white team.

d. A white team is an internal team that initiates action to respond to security incidents on an emergency basis. The scope of a white team's work includes diagnosing attacks, profiling attacks, notifying law enforcement authorities and the Internet service provider (ISP), measuring the impact of the attack on customer service, and developing application systems to filter the bogus incoming data packets. There is no single preventive solution to handle the bot attack problems because new bots are created all the time. The best method is to respond on an afterthe- fact basis with a white team supplemented by installing antivirus and spyware software and updating software with patches and fixes.

A stronger barrier control around insecure application software is which of the following? a. Firewalls b. Intrusion detection systems c. Virus checkers d. Operating system's security features

d. Application software often contains numerous vulnerabilities. Many security systems (e.g., firewalls, intrusion detection systems, and virus checkers) attempt to protect these insecure applications by monitoring and filtering the application's interactions with users. Ultimately, however, these barrier techniques are inadequate because users must be allowed to interface directly with the vulnerable applications software. The best defense is to install everstronger barriers around the applications software. The operating system is the best place for such a barrier.

Which of the following is a major risk in network traffic involving services running on unexpected port numbers? a. Capturing b. Monitoring c. Analyzing d. Detecting

d. Applications such as intrusion detection systems and protocol analyzers often rely on port numbers to identify which service is in use for a given connection. Unfortunately, most services can be run on any port number. Traffic involving services running on unexpected port numbers may not be captured, monitored, or analyzed properly, causing unauthorized services usage (e.g., providing Web services on an atypical port) to be undetected. Another motivation is to slip traffic through perimeter devices that filter based on port numbers. Many Trojans create services on atypical ports for sending SPAM.

The transport mode of an authentication header (AH) of Internet Protocol security (IPsec) is used in which of the following virtual private network (VPN) architectures? a. Gateway-to-gateway b. Host-to-gateway c. Contractor-to-company d. Host-to-host

d. Authentication header (AH) has two modes: tunnel and transport. In tunnel mode, AH creates a new IP header for each packet. In transport mode, AH does not create a new IP header. This is because transport mode cannot alter the original IP header or create a new IP header. Transport mode is generally used in host-to-host architectures. AH is not used in the other three choices.

In a legacy wireless local-area network (WLAN) environment using the IEEE 802.11 standard, which of the following provides a defense-in-depth strategy? 1. Wi-Fi protected access 2 (WPA2) 2. Wired equivalent privacy (WEP) 3. IPsec VPNs and SSL VPNs 4. Dedicated wired network or a VLAN a. 1 only b. 1 and 2 c. 3 only d. 3 and 4

d. Both WPA2 and WEP do not provide a defense-in-depth strategy because they are weak in security. An alternative method for WPA2 and WEP for achieving confidentiality and integrity protection is to use virtual private network (VPN) technologies such as Internet Protocol security (IPsec) VPNs and secure sockets layer (SSL) VPNs. Because VPNs do not eliminate all risk from wireless networking, it is good to place the WLAN traffic on a dedicated wired network or a virtual local-area network (VLAN) as an option to VPN technologies. VLAN can also protect against denial-of-service (DoS) attacks. Therefore, IPsec VPNs, SSL VPNs, dedicated wired network, or a VLAN provides a defense-in-depth strategy.

Transaction signature (TSIG) is used in which of the following types of domain name system (DNS) transactions? 1. DNS query/response 2. DNS NOTIFY message 3. Zone transfer 4. Dynamic update a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

d. Both zone transfer and dynamic update transactions use transaction signature (TSIG). In TSIG, mutual identification of servers is based on a shared secret key. A DNS query/response is incorrect because IETF's DNSSEC standard is used in a DNS query/response transaction. A DNS NOTIFY message is incorrect because IETF specifies hosts from which messages can be received for DNS NOTIFY message transactions.

Challenge handshake authentication protocol (CHAP) requires which of the following for remote users? a. Initial authentication b. Pre-authentication c. Post-authentication d. Re-authentication

d. CHAP supports re-authentication to make sure the users are still who they were at the beginning of the session. The other authentication methods mentioned would not achieve this goal.

Virtual private network (VPN) protocols provide a viable option for protecting networks running with non-IP protocols in which of the following TCP/IP layers? a. Applications layer b. Transport layer c. Network layer d. Data link layer

d. Data link layer VPN protocols function below the network layer in the TCP/IP model. This means that various network protocols, such as IP, IPX, and NetBEUI, can usually be used with a data link layer VPN. Most VPN protocols including IPsec support only IP, so data link layer VPN protocols may provide a viable option for protecting networks running non-IP protocols. As the name implies, IPsec is designed to provide security for IP traffic only.

Virtual private network (VPN) protocols are used in environments requiring high physical security in which of the following TCP/IP layers? a. Application layer b. Transport layer c. Network layer d. Data link layer

d. Data link layer virtual private network (VPN) protocols are used in high security environments to secure particular physical links, such as a dedicated circuit between two buildings, when there is concern for unauthorized physical access to the link's components. However, network performance should be considered.

In domain name system (DNS) transactions, which of the following is not a threat against DNS query/response transactions? a. Forged response b. Removal of resource records in responses c. Incorrect application of wildcard expansion rules d. Denial-of-service

d. Denial-of-service (DoS) is a threat against zone transfer transaction. The other three choices are incorrect because they are examples of threats in a DNS query/response transaction.

Which of the following statements about media access control/medium access control (MAC) address are true? 1. Each frame contains two MAC addresses. 2. Each frame contains either IP or ARP. 3. A MAC address does not uniquely identify an IP address. 4. NICs can be made with duplicate MAC addresses. a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 1, 2, 3, and 4

d. Each frame of media access control/medium access control (MAC) contains two MAC addresses, which indicate the MAC address of the NIC that just routed the frame and the MAC address of the next NIC that the frame is being sent to. Besides the MAC addresses, each frame's payload contains either Internet protocol (IP) or address resolution protocol (ARP). When IP is used, each IP address maps to a particular MAC address. Multiple IP addresses can map to a single MAC address, so a MAC address does not uniquely identify an IP address. There have been cases in which manufacturers have accidentally created network interface cards (NICs) with duplicate MAC addresses, leading to networking problems and spoofing attacks.

Ethernet is a part of which of the following TCP/IP layers? a. Application layer b. Transport layer c. Network layer d. Data link layer

d. Ethernet is a part of the data link layer, along with address resolution protocol (ARP), network interface card (NIC), and media/medium access control (MAC). The data link layer handles communications on the physical network components. The application layer is incorrect because it sends and receives data for particular applications. The transport layer is incorrect because it provides connection-oriented or connectionless services for transporting application layer services between networks. The network layer is incorrect because it routes packets across networks.

Which of the following does not cause false positives and false negatives? a. Antivirus software b. Spyware detection and removal utility software c. Host-based intrusion detection systems d. Firewalls

d. False positives occur when a tool reports a security weakness when no weakness is present. False negatives occur when a tool does not report a security weakness when one is present. Firewalls do not cause false positives and false negatives due to use of rulesets and the practice of deny-by-default privileges. Antivirus software is incorrect because it has the capability to cause false positives and false negatives due to use of heuristic techniques to detect new malware. Spyware detection and removal utility software is incorrect because it can cause false positives and false negatives. Host-based intrusion detection systems are incorrect because they can cause false positives and false negatives (false warnings and alerts in the form of alarms) due to malfunctioning sensors and that network activity is not visible to host-based sensors.

For network traffic data sources, firewalls and routers do not typically record which of the following? a. Date and time the packet was processed b. Source IP address c. Destination IP address d. Packet contents

d. Firewalls and routers do not record the contents of packets. Instead, they are usually configured to log basic information for most or all denied connection attempts and connectionless packets; some log every packet. Information logged typically includes the date and time the packet was processed, the source and destination IP addresses, and the transport layer protocol (e.g., TCP, UDP, and ICMP) and basic protocol information (e.g., TCP or UDP port numbers and ICMP type and code).

Which of the following is an example of a boundary access control? a. Gateway b. Bridge c. Modem d. Firewall

d. Firewalls monitor network traffic that enters and leaves a network. A firewall controls broad access to all networks and resources that lie "inside" it. By limiting access to host systems and services, firewalls provide a necessary line of perimeter defense against attack; that is, they form a boundary control. A gateway is incorrect because it is an interface between two networks. A bridge is incorrect because it is a device used to link two or more homogeneous local-area networks (LANs). A modem is incorrect because it is a device that converts analog signals to digital signals and vice versa. The devices mentioned in the three incorrect choices do not have the ability to perform as a boundary access control.

In Web services, which of the following can lead to a flooding-based denial-of-service (DoS) attack? a. Source IP address b. Network packet behavior c. SOAP/XML messages d. Business behavior

d. Flooding attacks most often involve copying valid service requests and re-sending them to a provider. The attacker may issue repetitive SOAP/XML messages in an attempt to overload the Web service. The user behavior (business behavior) in using the Web service transactions may not be legitimate and is detected, thus constituting a DoS attack. The other three choices may not be detected because they are legitimate where the source IP address is valid, the network packet behavior is valid, and the SOAP/XML message is well formed.

Hardware/software guards provide which of the following functions and properties? 1. Data-filtering 2. Data-blocking 3. Data-sanitization 4. Data-regrading a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 1, 2, 3, and 4

d. Hardware/software guard technology can bridge across security boundaries by providing some of the interconnectivity required between systems operating at different security levels. Several types of guard exist. These protection approaches employ various data processing, data filtering, and data-blocking techniques in an attempt to provide data sanitization (e.g., downgrade) or separation between networks. Some approaches involve human review of the data flow and support data flow in one or both directions. Guards can be used to counteract attacks made on the enclave. Information flowing from public to private networks is considered as a data upgrade. This type of transfer may not require a review cycle but should always require a verification of the integrity of the information originating from the public source system and network. Information flowing from private to public networks is considered as data regrade and requires a careful review.

Analyzing data protection requirements for installing a local-area network (LAN) does not include: a. Uninterruptible power source b. Backups c. Fault tolerance d. Operating systems

d. Identifying information or data protection requirements involves reviewing the need for an uninterruptible power source, backups, and fault tolerance. Selection of an operating system is a part of operational constraints, not data protection requirements.

Which of the following cannot prevent login spoofing? a. Providing a secure channel between the user and the system b. Installing hardware-reset button for passwords c. Implementing cryptographic authentication techniques d. Installing input overflow checks

d. Input overflow checks ensure that input is not lost during data entry or processing and are good against input overflow attacks. These attacks can be avoided by proper program design. Providing a secure channel between the user and the system can defend login spoofing. A hardware-reset button on a personal computer can be effective in removing password-based spoofing attacks. Cryptographic authentication techniques can increase security but only for complex systems.

It has been said that no system is completely secure and can handle all disasters. Which one of the following items is needed most, even when all the other three items are working properly, to ensure online operation and security? a. Intrusion detection systems (IDSs) b. Firewalls c. Antivirus software d. File backups

d. Intrusion detection systems (IDSs), firewalls, and antivirus software are critical to online security. But no system is completely secure and can handle all disasters. Important files stored on a computer must be copied onto a removable disc and kept in a safe and secure place (i.e., file backups). IDS has detection features, but this is not enough in case of a disaster. Firewalls have protection features, but this is not enough in case of a disaster. Antivirus software has dis-infection features, but this is not enough in case of a disaster.

Data link layer VPN protocols, such as Layer 2 Tunneling Protocols (L2TP), provide which of the following services? 1. RADIUS 2. TACACS+ 3. Encryption 4. Key management services a. 1 and 2 b. 3 only c. 4 only d. 1, 2, 3, and 4

d. Like PPTP, L2TP protects communications between an L2TP-enabled client and an L2TP-enabled server, and it requires L2TP client software to be installed and configured on each user system. L2TP can use RADIUS and TACACS+ protocols for authentication, and often uses IPsec to provide encryption and key management services.

Which of the following are examples of major problems associated with network address translation (NAT)? 1. Cannot abide by the IP architecture model 2. Cannot locate the TCP source port correctly 3. Cannot work with the file transfer protocol 4. Cannot work with the H.323 Internet Telephony Protocol a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 1, 2, 3, and 4

d. Major problems associated with network address translation (NAT) include (i) it violates the architectural model of IP, which states that every IP address must uniquely identify a single computer worldwide, (ii) it will not locate the TCP source port correctly, (iii) it violates the rules of protocol layering in that a lower-level layer should not make any assumptions about the next higher-level layer put into the payload field, and (iv) it needs to be patched every time a new application is introduced because it cannot work with file transfer protocol (FTP) or H.323 Internet Telephony Protocol. The FTP and H.323 protocols will fail because NAT does not know the IP addresses and cannot replace them.

Which of the following are especially needed to provide a trustworthy cloud computing infrastructure? 1. ISO/IEC 27001 certification 2. AICPA/SAS 70 attestation 3. Security training 4. Risk management a. 1 and 2 b. 1 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. Microsoft, for example, has achieved a trustworthy cloud computing infrastructure by earning the International Organization for Standardization/International Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005) certification and American Institute of Certified Public Accountants/Statement on Auditing Standards (AICPA/SAS)70 Type I and Type II attestation. The Type I attestation report states that information systems at the service organizations for processing user transactions are suitably designed with internal controls to achieve the related control objectives. The Type II attestation report states that internal controls at the service organizations are properly designed and operating effectively. These two accomplishments of certification and attestation were combined with security training, adequate and effective security controls, continuous review and management of risks, and rapid response to security incidents and legal requests.

Which of the following factors contribute to network congestion problems? 1. Low-speed CPU and low memory for computers 2. Low-bandwidth lines for communications 3. More memory for routers 4. Long queues of packets a. 1 only b. 2 only c. 4 only d. 1, 2, 3, and 4

d. Network congestion problems occur when too many packets are present in the subnet (i.e., too much traffic), thus degrading the network performance in terms of some lost packets or all packets undelivered. When a queue is built up for packets and the CPU memory for computers is insufficient to hold all of them, some packets will be lost. When there is an imbalance between the routers with more memory and computers with less memory, duplicate packets are sent due to the timeout feature. Also, routers with slow CPU processors and low bandwidth lines can cause congestion problems.

Which of the following is not a function of host-based scanners? a. Identify outdated software versions b. Identify outdated patches c. Identify outdated system upgrades d. Identify open ports

d. Network-based scanners identify open ports. The other three choices are incorrect because they are functions of host-based scanners. Another tool is a port scanner, which is a program that attempts to determine remotely which ports on systems are open (i.e., whether systems enable connections through those ports). Port scanners help attackers to identify potential targets.

Intrusion detection system (IDS) software attempts to identify malicious network traffic at which of the following Transmission Control Protocol/Internet Protocol (TCP/IP) layers? 1. Application layer 2. Transport layer 3. Network layer 4. Data link layer a. 1 only b. 2 only c. 3 only d. 1, 2, 3, and 4

d. Not only does the intrusion detection system (IDS) software typically attempt to identify malicious network traffic at all TCP/IP layers, but it also logs many data fields (and sometimes raw packets) that can be useful in validating events and correlating them with other data sources.

A serious and strong attack on a network is just initiated. The best approach against this type of attack is to: a. Prevent and detect b. Detect and recover c. Prevent and correct d. Prevent and intervene

d. On any attack, preventing network attacks from occurring is the first priority. For serious and strong attacks, prevention should be combined with intervening techniques to minimize or eliminate negative consequences of attacks that may occur. Intervening actions start right after full prevention and right before full detection, correction, and recovery actions by installing decoy systems (e.g., honeypot), vigilant network administrators, and alerts/triggers from central network monitoring centers. In other words, intervening actions face the attacker head on right after the initial signs and symptoms of attack detection but do not wait until the full detection to take place as in a normal case of detection, thus halting the attacker to proceed further. These intervening actions stop the attack right at the beginning by diverting or stalling the attacker. For serious and strong attacks, normal detection alone is not enough, correction alone or combined with detection is not enough, recovery alone or combined with detection and correction is not enough because they may not contain the serious and strong attacks quickly as they are too late to be of any significant use. However, they are very useful in normal attacks. Intervening is pro-active and action-oriented, whereas detecting, correcting, and recovering are re-active and passive-oriented.

Which of the following is difficult to achieve during the Internet Protocol security (IPsec) implementation? a. Control over all entry points into networks b. Control over all exit points from networks c. Security of all IPsec endpoints d. Incorporating IPsec considerations into organizational policies

d. Organizations should implement technical, operational, and management controls that support and complement IPsec implementations. Examples include having control over all entry and exit points for the protected networks, ensuring the security of all IPsec endpoints, and incorporating IPsec considerations into organizational policies. Incorporating IPsec considerations into organizational policies is incorrect because it is difficult to achieve due to an organization's culture, work habits, and politics.

Which of the following is not a primary component or aspect of firewall systems? a. Protocol filtering b. Application gateways c. Extended logging capability d. Packet switching

d. Packet switching is not related to a firewall system. It is a message delivery technique in which small units of information (packets) are relayed through stations in a computer network along the best route currently available between the source and the destination. A packetswitching network handles information in small units, breaking long messages into multiple packets before routing. Although each packet may travel along a different path, and the packets composing a message may arrive at different times or out of sequence, the receiving computer reassembles the original message. Packet-switching networks are considered to be fast and efficient. To manage the tasks of routing traffic and assembling or disassembling packets, such networks require some "intelligence" from the computers and software that control delivery. Protocol filtering is incorrect because it is one of the primary components or aspects of firewall systems. A firewall filters protocols and services that are either not necessary or that cannot be adequately secured from exploitation. Application gateways are incorrect because they are one of the primary components or aspects of firewall systems. A firewall requires inside or outside users to connect first to the firewall before connecting further, thereby filtering the protocol. Extending logging capability is incorrect because it is one of the primary components or aspects of firewall systems. A firewall can concentrate extended logging of network traffic on one system.

A major problem with Serial Line Internet Protocol (SLIP) is which of the following? a. The protocol does not contain address information. b. The protocol is used on point-to-point connections. c. The protocol is used to attach non-IP devices to an IP network. d. The protocol does not provide error detection or correction mechanism.

d. SLIP is a protocol for sending IP packets over a serial line connection. Because SLIP is used over slow lines (56kb), this makes error detection or correction at that layer more expensive. Errors can be detected at a higher layer. The addresses are implicitly defined, which is not a major problem. Point-to-point connections make it less vulnerable to eavesdropping, which is strength. SLIP is a mechanism for attaching non-IP devices to an IP network, which is an advantage.

Which of the following protects the confidentiality of data in transit in a file-sharing environment? a. Network file sharing (NFS) b. Apple filing protocol (AFP) c. Server message block (SMB) d. Secure file transfer protocol (SFTP)

d. Secure FTP (SFTP) and Secure Copy (SCP) encrypt their network communications to protect the confidentiality of data in transit. Examples of commonly used client/server file sharing services are file transfer protocol (FTP), network file sharing, Apple filing protocol, and server message block. These are standardized protocols without encryption that do not protect the confidentiality of the data in transit, including any supplied authentication credentials such as passwords.

Which of the following provides stronger security in administering the network devices, such as routers or switches? a. Simple network management protocol (SNMP) b. SNMP version 1 c. SNMP version 2 d. SNMP version 3

d. Simple network management protocol (SNMP) version 3 provides security feature enhancements to basic SNMP, including encryption and message authentication. SNMP, SNMP version 1, and SNMP version 2 rely on default clear-text community strings (e.g., public and private) across the network without cryptographic protection. Therefore, SNMP, SNMP version 1, and SNMP version 2 should not be used to configure network devices over untrusted networks. The default community strings should be removed before real community strings are put into place. If both of these string types are present on the device at any time, an attacker could retrieve real community strings from the device using the default community strings. Hence, SNMP version 3 provides stronger security than the other three choices for administering the network devices such as routers or switches.

Which of the following provides stronger security in managing access point (AP) configuration in a legacy wireless local-area network (WLAN) environment? a. Simple network management protocol (SNMP) b. SNMP version 1 c. SNMP version 2 d. SNMP version 3

d. Simple network management protocol (SNMP) version 3 provides strong security feature enhancements to basic SNMP, including encryption and message authentication, and therefore should be used. The earlier versions of SNMP, SNMPv1, and SNMPv2 should not be used because they are fundamentally insecure as they support only trivial authentication based on default plaintext community strings. The default SNMP community string that SNMPv1 and SNMPv2 agents commonly use is the word "public" with assigned "read" or "read and write" privileges; using this string leaves devices vulnerable to attack. If an unauthorized user were to gain access and had read/write privileges, that user could write data to the AP, compromising its original configuration. Organizations using SNMPv1 or SNMPv2 should change the community string as often as needed, taking into consideration that the string is transmitted in plaintext. For all versions of SNMP, privileges should be set to the least required (e.g., read only).

Some attackers use anonymizers to validate the Internet Protocol (IP) address, which are: a. DHCP servers b. Remote access servers c. Directory servers d. Intermediary servers

d. Some attackers use anonymizers to validate the Internet Protocol (IP) address, which are intermediary servers that perform activity on a user's behalf to preserve the user's privacy. DHCP servers are incorrect because they typically can be configured to log each IP address assignment and the associated MAC address, along with a timestamp. Remote access servers (RAS) are incorrect because they are devices such as VPN gateway and modem servers that facilitate connections between networks. Directory servers are incorrect because they are used for external authentication services.

Which of the following is used to encrypt the bulk of the data being sent over a virtual private network (VPN)? 1. Symmetric cryptography 2. Private key cryptography 3. Asymmetric cryptography 4. Public key cryptography a. 1 only b. 3 only c. 4 only d. 1 and 2

d. Symmetric cryptography (also known as private key cryptography) is generally more efficient and requires less processing power than asymmetric cryptography, which is why it is typically used to encrypt the bulk of the data being sent over a VPN. One problem with symmetric cryptography is with the key exchange process; keys must be exchanged out-of-band to ensure confidentiality. Out-of-band refers to using a separate communications mechanism to transfer information. For example, the VPN cannot be used to exchange the keys securely because the keys are required to provide the necessary protection. Asymmetric cryptography (also known as public key cryptography) uses two separate keys to exchange data.

Transmission control protocol (TCP) packet is associated with which of the following when sending domain name system (DNS) queries? 1. Truncation 2. Little or no truncation 3. Higher overhead 4. Lower overhead a. 1 only b. 4 only c. 1 and 4 d. 2 and 3

d. TCP is used when DNS queries result in little or no truncation, but it is subjected to higher overhead of resources. On the other hand, DNS requests using UDP result in truncation and utilizes a lower overhead of resources.

Internet Protocol security (IPsec) protocols uses which of the following modes? a. Main mode and agressive mode b. Quick mode and informational mode c. State mode and user mode d. Transport mode and tunnel mode

d. The Internet Key Exchange (IKE) of IPsec protocol consists of two phases: Phase 1 exchange includes main mode and aggressive mode. Phase 2 exchange includes quick mode and information exchange mode. If Authentication Header (AH) or Encapsulating Security Payload (ESP) is added to an IP packet following the existing IP header, it is referred to as a transport mode. A tunnel mode requires inserting an additional IP header to the packet but offers increased inflexibility. State mode and user mode are not relevant here.

Which of the following are the primary software components of a domain name system (DNS)? 1. Operating system 2. File system 3. Name server 4. Resolver a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 3 and 4

d. The domain name system (DNS) software primary components include the name server and the resolver. The operating system, file system, and communication stack are part of a DNS hosting environment.

The Internet Protocol security (IPsec) implementation typically supports which of the following authentication methods? 1. Preshared keys 2. Digital signatures 3. Kerberos 4. TACACS and RADIUS a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. The endpoints of an IPsec connection use the same authentication method to validate each other. IPsec implementations typically support preshared keys and digital signatures, and in some implementations external authentication services, such as Kerberos. Some IPsec implementations also support the use of legacy asymmetric authentication servers such as terminal access controller access control system (TACACS) and remote authentication dial-in user service (RADIUS).

In a fully networked topology, if there are five nodes, how many direct paths does it result in? a. 2 b. 3 c. 5 d. 10

d. The equation for the number of direct paths in a fully connected network is n (n-1)/2, where "n" is the number of nodes. Applying the equation results in 10 (i.e., 5(5-1)/2). The answer 2 is obtained by using the equation as (n-1)/2. The answer 3 is obtained by using the equation as (n+1)/2.

Which of the following is the most important step to be followed by a firewall administrator when upgrading the firewall system? a. Analyze and upgrade b. Evaluate and upgrade c. Monitor and upgrade d. Upgrade and test

d. The firewall administrator must analyze and evaluate each new release of the firewall software to determine whether an upgrade is required. Prior to upgrade, the firewall administrator must verify with the vendor that an upgrade is required. The most important step occurs after an upgrade; the firewall must be tested to ensure proper functioning prior to making it fully operational.

Which of the following is not one of the actions taken by a firewall on a packet? a. Accept b. Deny c. Discard d. Destroy

d. The firewall examines a packet's source and destination addresses and ports, and determines what protocol is in use. From there, it starts at the top of the rule base and works down through the rules until it finds a rule that permits or denies the packet. It takes one of the three actions: (i) The firewall passes the packet through the firewall as requested (accept), (ii) the firewall drops the packets, without passing it through the firewall (deny) or (iii) the firewall not only drops the packet, but it does not return an error message to the source system (discard). Destroy is not one of the actions taken by a firewall.

Which of the following does not require network address translation services? a. Internet Protocol (IP) version 2 b. Internet Protocol (IP) version 3 c. Internet Protocol (IP) version 4 d. Internet Protocol (IP) version 6

d. The network address translation (NAT) services are not needed in the Internet Protocol (IP) version 6 but are needed in the IPv2, IPv3, and IPv4. IP addresses are in a limited supply. NAT is the process of converting between IP addresses used within an intranet or other private network (called a stub domain) and the Internet IP addresses. This approach makes it possible to use a large number of addresses within the stub domain without depleting the limited number of available numeric Internet IP addresses. In the IP version 6, the NAT services are not needed because this version takes care of the problem of insufficient IP addresses with automatically assigning the IP addresses to hosts.

Which of the following factors should be considered during the placement of an Internet Protocol security (IPsec) gateway? 1. Device performance 2. Traffic examination 3. Gateway outages 4. Network address translation a. 2 only b. 3 only c. 4 only d. 1, 2, 3, and 4

d. The placement of an IPsec gateway has potential security, functionality, and performance implications. Specific factors to consider include device performance, traffic examination, gateway outages, and network address translation.

In secure remote procedure call (RPC), which of the following provides the public and private keys to servers and clients? a. Users b. Clients c. Servers d. Authentication servers

d. The principals involved in the secure remote procedure call (RPC) authentication systems are the users, clients, servers, and authentication server. The authentication server provides the public and private keys to servers and clients.

The purpose of the packet filter is not based on which of the following? a. IP addresses b. Protocols c. Port numbers d. Applications

d. The purpose of the packet filter is to specify how each type of incoming and outgoing traffic should be handled—whether the traffic should be permitted or denied (usually based on IP addresses, protocols, and port numbers), and how permitted traffic should be protected. The type of application does not matter for the packet filter.

Which of the following can prevent both session hijacking and eavesdropping attacks? a. SET b. PPP c. FTP d. SSL

d. The secure sockets layer (SSL) protocol is the technology used in most Web-based applications. When both the Web client and the Web server are authenticated with SSL, the entire session is encrypted providing protection against session hijacking and eavesdropping attacks. The other three choices are incorrect because SET is a secure electronic transaction protocol, PPP is a point-to-point protocol, and FTP is a file transfer protocol, and as such they cannot prevent session hijacking and eavesdropping attacks.

Which of the following ISO/OSI layers does not provide confidentiality services? a. Presentation layer b. Transport layer c. Network layer d. Session layer

d. The session layer does not provide confidentiality service. It establishes, manages, and terminates connections between applications and provides checkpoint recovery services. It helps users interact with the system and other users. The presentation layer is incorrect because it provides authentication and confidentiality services. It defines and transforms the format of data to make it useful to the receiving application. It provides a common means of representing a data structure in transit from one end system to another. The transport layer is incorrect because it provides confidentiality, authentication, data integrity, and access control services. It ensures an error-free, in-sequence exchange of data between end points. It is responsible for transmitting a message between one network user and another. The network layer is incorrect because it provides confidentiality, authentication, data integrity, and access control services. It is responsible for transmitting a message from its source to the destination. It provides routing (path control) services to establish connections across communications networks.

Which of the following applications are used on local-area networks (LANs) with user datagram protocol (UDP)? 1. X.25 2. SMDS 3. DHCP 4. SNMP a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

d. User datagram protocol (UDP) is used for applications that are willing to take responsibility for ensuring reliable delivery of data, such as DNS, and applications that are intended for use only on LANs, such as Dynamic Host Configuration Protocol (DHCP) and Simple Network Management Protocol (SNMP). Like TCP, each UDP packet contains a source port and a destination port. X.25 and SMDS are incorrect because they are protocols used in a wide-area network (WAN). X.25 is an international standard that defines the interface between a computing device and a packet-switched data network. Switched multi-megabit data service (SMDS) provides an effective vehicle for connecting LANs in a metropolitan or larger area.

Both Internet Protocol security (IPsec) and a virtual private network (VPN) can be implemented with which of the following? 1. Using the symmetric cryptography 2. Protecting the data 3. Using the asymmetric cryptography 4. Authenticating the parties a. 1 and 2 b. 1 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. VPNs can use both symmetric and asymmetric forms of cryptography. Symmetric cryptography uses the same key for both encryption and decryption, whereas asymmetric cryptography uses separate keys for encryption and decryption, or to digitally sign and verify a signature. Most IPsec implementations use both symmetric and asymmetric cryptography. Asymmetric cryptography is used to authenticate the identities of both parties, whereas symmetric encryption is used for protecting the actual data because of its relative efficiency.

Packet-switching networks use which of the following protocol standards? a. X9.63 b. X9.44 c. X9.17 d. X.25

d. X.25 protocol standard is used in packet-switching networks. It operates at the network and data link levels of a communications network. X9.63 is used for key establishment schemes that employ asymmetric techniques. X9.44 is the transport of symmetric algorithm keys using reversible public key cryptography. X9.17 is used for cryptographic key management, especially for financial institution key management.

In domain name system (DNS) transactions, which of the following is not a threat against dynamic update transaction? a. Unauthorized updates b. Tampering of messages c. Spurious notifications d. Replay attacks

c. Spurious notifications are a threat against a DNS NOTIFY message transaction. The other three choices are incorrect because they are examples of threats against dynamic update transactions.

Which of the following characterizes the operation of a Bluetooth device? a. Content delivery network b. Local-area network c. Ad-hoc network d. Wide-area network

c. A Bluetooth device operates under the ad-hoc network standard because it has no fixed network infrastructure, such as base stations or access points as in the wired network or other wireless networks. Bluetooth devices maintain random network configurations formed on-thefly, relying on mobile routers connected by wireless links that enable devices to communicate with each other. The other three choices have a fixed network infrastructure.

Which of the following refers to closed-loop control to handle network congestion problems? 1. Mid-course corrections are not made. 2. Current state of the network is ignored. 3. Feedback loop is provided. 4. Mid-course corrections are made. a. 1 only b. 1 and 2 c. 4 only d. 3 and 4

d. With the open-loop control, when the system is up and running, mid-course corrections are not made, thus ignoring the current states of the network. On the other hand, the closed-loop control is based on the concept of feedback loop with mid-course corrections allowed.

Conducting a periodic network monitoring to verify proper operations does not normally include: a. Detecting network layers b. Detecting line errors c. Detecting terminal errors d. Detecting modem errors

a. A network is composed of distinct layers, which is a network design issue, with each layer providing a specific function for the network. Periodic monitoring of the network does not normally include detection of the network layers where covert channels in ICMP or DNS can be found. For example, the ISO/OSI reference model has seven layers: application layer, presentation layer, session layer, transport layer, network layer, data link layer, and physical layer. Detecting line errors, terminal errors, and modem errors are routinely detected and monitored to ensure proper network operations.

Routers, which are network connectivity devices, use which of the following? a. Sink tree and spanning tree b. Finger table and routing table c. Fault tree and decision tree d. Decision table and truth table

a. A sink tree shows the set of optimal routes from all sources to a given destination, rooted at the destination. A sink tree does not contain any loops, so each packet is delivered within a finite and bounded number of hops. The goal of all routing algorithms is to identify and use the sink trees for all routers. A spanning tree uses the sink tree for the router initiating the broadcast. A spanning tree is a subset of the subnet that includes all the routers but does not contain any loops. A finger table is used for node lookup in peer-to-peer (P2P) networks. Routers use routing tables to route messages and packets. A fault tree is used in analyzing errors and problems in computer software. A decision tree is a graphical representation of the conditions, actions, and rules in making a decision with the use of probabilities in calculating outcomes. A decision table presents a tabular representation of the conditions, actions, and rules in making a decision. A truth table is used in specifying computer logic blocks by defining the values of the outputs for each possible set of input values.

Attackers use which of the following to distribute their warez files? a. File transfer protocol server b. SOCKS server c. Web proxy server d. E-mail server

a. A warez server is a file server used to distribute illegal content such as copies of copyrighted songs, movies, and pirated software. Attackers often exploit vulnerabilities in file transfer protocol (FTP) servers to gain unauthorized access so that they can use the server to distribute their warez files. The socket security (SOCKS) server is a networking-proxy protocol that enables full access across the SOCKS server from one host to another without requiring direct IP reachability. Web proxy servers are used to access external websites. E-mail servers can be used to do proper things such as sending normal messages and sending malicious code.

Which of the following is risky for transmission integrity and confidentiality when a network commercial service provider is engaged to provide transmission services? a. Commodity service b. Cryptographic mechanisms c. Dedicated service d. Physical measures

a. An information system should protect the integrity and confidentiality of transmitted information whether using a network service provider. If the provider transmits data as a commodity service rather than a fully dedicated service, it is risky. Cryptographic mechanisms that include use of encryption and physical measures include a protected distribution system.

Which of the following supports the cloud computing infrastructure most? a. Virtualization technology b. Service-oriented architecture c. Web 2.0 services d. Utility computing

a. Cloud computing, an emerging form of distributed computing, is an amalgamation of technologies, including virtualization, service-oriented architecture, Web 2.0 services, and utility computing. Out of these technologies, virtualization has taken a prominent role due to use of multiple virtual machines and guest virtual machines. Virtualization technology enables multiple operating systems (OSs) to coexist on a computing platform. In virtualization, special purpose software successfully replicates the behavior of hardware. Through such methods, a single physical host computer can run multiple virtual machines, each with a distinct guest OS and associated applications. Various virtualization products exist that can be used to provide an isolated virtual machine environment for systems and applications to execute. Risky functions, such as Web browsing, may be confined to a virtual system designated and configured exclusively for that purpose. Should the virtual system be compromised, it can easily be restored to a known-good state. Service-oriented architecture is a collection of services, which communicate with each other. The communication can involve either simple data passing or it could involve two or more services coordinating some activity. Web 2.0 service is the second-generation of Internet-based services that enables people to collaborate and create information online in new ways, such as social networking sites, wikis, and communication tools. Utility computing deals with ondemand network access and self-service facilities for subscribers.

Which of the following identifies calls originating from nonexistent telephone extensions to detect voice-mail fraud? a. Antihacker software b. Call-accounting system c. Antihacker hardware d. Toll-fraud monitoring system

b. A call-accounting system can indicate calls originating from nonexistent "phantom" telephone extensions or trunks. Along with misconfigured voice-mail systems, unused telephone extensions and uncontrolled maintenance ports are key reasons for voice-mail fraud. Call-accounting systems provide information about hacking patterns. Antihacker software and hardware can provide multilevel passwords and a self-destruct feature that enables users to delete all messages in their mailboxes if they forget their password. Toll-fraud monitoring systems enable you to catch the voice hacker's activities quickly as the fraud is taking place.

What is determining what components to include in the network configuration called? a. Configuration identification b. Configuration control c. Configuration requirements tracing d. Configuration status accounting

a. Configuration management provides a valuable baseline for controlling maintenance and enhancement activity. Configuration management typically has four major functions: identification, control, requirements tracing, and status accounting. Configuration identification determines what components to include in the configuration and develops unique identifiers for tracking individual components and adding new ones. Configuration control imposes discipline on the change process to ensure that items changed or added to the configuration complete all the necessary testing and approval steps before inclusion. Configuration requirements tracing ensures that the configuration changes are traceable back to user requirements either directly (e.g., a user-requested change) or indirectly (e.g., better user support through improved system performance). Configuration status accounting reports the current status of components in the configuration and components undergoing change or about to be added.

What is a data communication switch that enables many computer terminals to share a single modem and a line called? a. Bypass switch b. Fallback switch c. Crossover switch d. Matrix switch

a. Data communications switches are useful for routing data, online monitoring, fault diagnosis, and digital/analog testing. A switch is a mechanical, electromechanical, or electronic device for making, breaking, or changing the connection in or among circuits. It is used to transfer a connection from one circuit to another. There are four basic types of switches: bypass, fallback, crossover, and matrix. A bypass switch enables many terminals to share a single modem and line. A fallback switch turns network components from online to standby equipment when there is a problem in the circuit. A crossover switch provides an easy method of interchanging data flows between two pairs of communications components. With a matrix switch a user can interconnect any combination of a group of incoming interfaces to any combination of a group of outgoing interfaces.

Use of preshared keys (PSKs) in a wireless local-area network (WLAN) configuration leads to which of the following? 1. Dictionary attack 2. Rainbow attack 3. Online attack 4. Offline attack a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 2 and 4

a. Dictionary attack is a form of guessing attack in which the attacker attempts to guess a password using a list of possible passwords that is not exhaustive. Rainbow attacks occur in two ways: utilizing rainbow tables, which are used in password cracking, and using preshared keys (PSKs) in a WLAN configuration. The use of PSK should be avoided. In PSK environments, a secret passphrase is shared between stations and access points. The PSK is generated by combining the WLAN's name and service set identifier (SSID) with a passphrase and then hashing this multiple times. Keys derived from a passphrase shorter than approximately 20 characters provide relatively low levels of security and are subject to dictionary and rainbow attacks. Changing the WLAN name or SSID will not improve the strength of the 256-bit PSK. An online attack is an attack against an authentication protocol where the attacker either assumes the role of a claimant with a genuine verifier or actively alters the authentication channel. An offline attack is an attack where the attacker obtains some data through eavesdropping that he can analyze in a system of his own choosing. The goal of these attacks may be to gain authenticated access or learn authentication secrets.

Which of the following statements about data gateways is not correct? a. Data gateways cannot standardize communication protocols. b. Data gateways are devices to adapt heterogeneous clients to servers. c. Data gateways absorb diversity in implementation details. d. Data gateways provide access control and authentication mechanisms.

a. Gateways translate between incompatible protocols, such as between IBM's SNA and TCP/IP. Data gateways, then, are devices to adapt heterogeneous clients and servers. They may simply absorb diversity in implementation details and provide access control and authentication mechanisms. It is incorrect to say that data gateways cannot standardize communication protocols.

Which of the following statements is not true? Intranets differ from the GroupWare concept in that intranets a. Are platform-dependent. b. Are platform-independent. c. Use layered communication protocols. d. Are easy to set up.

a. Groupware is an alternative to intranets, where the former is good for document sharing, mail exchange, and group discussion. On the other hand, intranets facilitate external and internal communications more efficiently. One major advantage of the intranet over GroupWare is the Internet's inherent platform independence. For example, Web pages written on a Macintosh computer look the same when viewed from a Sun workstation. In addition to being easy to set up, intranets use the concept of layered communication protocols. There are seven layers between the physical network media and the applications running on the host machines.

Which of the following network architectures is designed to provide data services using physical networks that are more reliable and offer greater bandwidth? a. Integrated services digital network (ISDN) b. Transmission control protocol/Internet Protocol (TCP/IP) c. File transfer protocol (FTP) d. The open system interconnection (OSI) protocol

a. Integrated services digital network (ISDN) was designed to provide both voice and a wide variety of data services, initially using the existing phone network. Broadband ISDN was designed to provide a more sophisticated set of services using reliable high-speed networks that can be provided using optical fiber physical networks of higher bandwidth. Both the TCP/IP and OSI protocol suites are designed to provide communications between heterogeneous systems. These two platforms support applications, such as file transfer, e-mail, and virtual terminal protocols. Interoperability between TCP/IP and OSI cannot be accomplished without building special software, or gateways, to translate between protocols. However, these architectures were designed to provide data services using physical networks that were not always reliable and offered limited bandwidth.

Legacy IEEE 802.11 wireless local-area networks (WLANs) operate in which of the following layers of the ISO/OSI reference model? a. Physical and data layers b. Data and network link layers c. Transport and presentation layers d. Application and session layers

a. Legacy IEEE 802.11 wireless LANs (WLANs) operate in the physical layer and the data link layer of the ISO/OSI reference model because they define the physical characteristics and access rules for the network. The physical layer addresses areas such as frequencies used and modulation techniques employed. The data link layer deals with how the network is shared between nodes. It defines rules such as who can talk on the network and how much they can say.

A major risk involving the use of packet-switching networking is that: a. It is possible that some packets can arrive at their destinations out of sequence. b. It is not possible to vary the routing of packets depending on network conditions. c. Terminals attached to a public data network may not have enough intelligence. d. Terminals attached to a public data network may not have enough storage capacity.

a. Most packet-switching networks can vary the routing of packets depending on network conditions. Because of this, it is possible that some packets can arrive at their destinations out of sequence while most packets can arrive at their destination in normal sequence because they are reassembled at the receiver end. The reason for some packets not reaching their destinations is that there is a potential security risk in that a smart attacker can change the packet sequence numbers in the middle of the stream and divert the packet to his own site for later attack and then change the sequence numbers back to the original condition or forget to do it in the right way thus breaking the sequence. Even worse yet, a malicious attacker can insert fake sequence numbers so the packet would not reach its destination point. Here, the attacker's goal is to steal valuable information from these packets for his own benefit. Terminals attached directly to a public data network must have enough intelligence and storage capacity to break large messages into packets and to reassemble them into proper sequence. A packet assembly and disassembly (PAD) facility can help accommodate intelligence and storage problems.

Which of the following security practices is supported by most remote control program (RCP) products when accessing a host workstation on a local-area network (LAN)? a. Matching user ID and name with password b. Controlling reboot options c. Limiting access to local drives and directories d. Controlling file transfer rights

a. Some remote control products provide minimal security support, whereas others provide varying degrees of support. Matching a user ID and name with a password and callback modem support are handled by most products. Other security mechanisms, such as the ability to limit access to local drives and directories to limit the use of host hardware (such as printer ports) and to control reboot options and file transfer rights are not widely supported.

Which of the following effectively facilitates telecommuting? a. Integrated services digital network b. Regular modems c. Facsimile/modems d. Intelligent modems

a. Telecommuting enables employees to work from a remote location. An integrated services digital network (ISDN) can be considered as an "intermediate" step between the current analog local loop and the use of fiber optics. Because of the cost of deploying fiber, it may take a long time before homes are connected. ISDN is cheaper than fiber, can be deployed sooner, and although its capacity is only a fraction of fiber, represents a significant improvement over the current analog local loop. To connect to the office computers, employees need a device called a modem, which enables them to send digital computer data over the analog local loop. ISDN provides higher bits-per-second channels than modems. This would enable videoconferencing of reasonable quality, faster transfer of graphics information, and better quality fax transmission. It would also permit much-improved access to the Internet for home users. Regular modems, facsimile/modems, and intelligent modems do not have the bits-per-secondchannel capacity as that of ISDN. A modem is a device that modulates and demodulates. Modems are primarily used for converting digital signals into quasi-analog signals for transmission over analog communication channels and reconverting the quasi-analog signals into digital signals. Facsimile/modem combines the features of fax and modem. Intelligent modems are intelligent because they add random-access memory, read-only memory, and erasable programmable readonly memory. Some major functions of intelligent modems include automatic dialing, negotiation of the method of modulation used to communicate with a distant modem, error detection and correction operations to ensure data integrity, and responses to status requests. Regular modems do not have the intelligence so that they cannot perform fax operations.

The Internet uses which of the following? a. Mesh topology b. Star topology c. Bus topology d. Ring topology

a. The Internet uses the mesh topology with a high degree of fault tolerance. Dial-up telephone services and PBX systems (switched networks) use the star topology, Ethernet mostly uses the bus topology, and FDDI uses the ring topology.

The Voice over Internet Protocol (VoIP) technology can lead to which of the following? a. Converged network b. Ad hoc network c. Content delivery network d. Wireless sensor network

a. The Voice over Internet Protocol (VoIP) technology can lead to a converged network, where the latter combines two different networks such as data and voice networks, similar to the VoIP. Ad hoc network is a network of nodes near each other. Content delivery network delivers the contents of music, movie, sports, and/or news from a content owner's website to end users. Wireless sensor network is used to provide security over buildings, machinery, vehicle operation, and environmental changes in a building (e.g., humidity, voltage, and temperature).

What is the most important element of intranet security? a. Monitoring b. Encryption c. Authentication d. Filtering

a. The basic elements of intranet security tools are encryption, authentication, and filtering. For example, encryption may use pretty good privacy (PGP) for encrypting e-mail, digital certificates for code signing, and site certificates for Secure Socket Layers securing of intranet servers. Authentication deals with user and group-specific access. Firewalls act as filtering devices. In addition to the use of these tools, vigilant monitoring of all network connections is required on a regular basis. Each time a new feature is added to a network, the security implications should be reviewed. These three security tools are highly technical and automated whereas monitoring is a human activity, which is better than automation most of the time.

Regarding worldwide interoperability for microwave access (WiMAX) security, which of the following is not a weakness of data encryption standard-cipher block chaining (DESCBC) algorithm? a. Replay attack b. Denial-of-service attack c. Eavesdropping attack d. Man-in-the-middle attack

a. The weaknesses of data encryption standard-cipher block chaining (DES-CBC) are well documented, and include denial-of-service (DoS), eavesdropping, and man-in-the-middle (MitM) attacks. Replay attacks occur when adversaries reuse expired traffic encryption keys (TEKs). Replay attacks lead to unauthorized disclosure of information and compromise of the TEK.

Which of the following reduces the need to secure every user endpoint? 1. Diskless nodes 2. Thin client technology 3. Client honeypots 4. Thick client technology a. 1 only b. 1 and 2 c. 3 only d. 3 and 4

b. A deployment of information system components with minimal functionality (e.g., diskless nodes and thin client technology) reduces the need to secure every user endpoint and may reduce the exposure of data/information, information systems, and services to a successful attack. Client honeypots are devices that actively seek out Web-based malicious code by posing as clients. Thick client technology is not recommended because it cannot protect the user endpoints, and it is less secure than the thin client technology in the way encryption keys are handled.

When constructing the communications infrastructure for moving data over a widearea network, the major implementation choices involve decisions about all the following except which of the following? a. Multiplexers b. Network interface cards c. Concentrators d. Front-end processors

b. A network interface card (NIC) is used in implementing local-area networks (LANs), not wide-area networks (WANs). It is a device used primarily within a LAN to enable a number of independent devices, with varying protocols, to communicate with each other. This communication is accomplished by converting each device protocol into a common transmission protocol. A multiplexer is incorrect because it is a device that combines the functions of multiplexing and demultiplexing of digital signals. It combines two or more information channels onto a common transmission medium. A concentrator is incorrect because it is a device that connects a number of circuits, which are not all used at once, to a smaller group of circuits for economy. It usually provides communication capability between many low-speed, usually asynchronous, channels and one or more high-speed, usually synchronous channels. Different speeds, codes, and protocols can be accommodated on the low-speed side. The low-speed channels operate in contention and require buffering. A concentrator permits a common path to handle more data sources than there are channels currently available within the path. A front-end processor is incorrect because it is a programmed-logic or stored-program device that interfaces data communication equipment with the input/output bus or memory of a data processing computer.

Network management, operations, and user support for a large distributed system together represent a complex undertaking. Which of the following issues most increases the complexity of network management? a. Multiple topologies b. Multiple transmission media c. Multiple protocols d. Multiple accesses

b. A number of issues affect network management in a large distributed system. They result from multiple network topologies (i.e., structures), multiple transmission media (e.g., wiring), multiple protocols (i.e., rules that govern communications across a network), and multiple network owners. Increases in the number of transmission media increase the complexity of large distributed system network management. For example, each medium may require different protocols, equipment, and software, with additional expertise in a network administrator. An increased number of transmission media may complicate the standardization of management procedures across a large distributed system. Using different transmission media may result in different costs, system reliability, or performance. A number of network "owners" may support a large distributed system. The sense of ownership can result from a variety of factors, including different organizations involved, functionality included, and geographic areas covered. Increases in the number of owners increase the complexity of network management due to coordination and communication required. The other three choices are incorrect. A topology is a pattern of interconnection between nodes (i.e., end points) in a network. A large distributed system may require the use of one or more topologies to support the varying needs of subsystems, organizations, and individual users or to accommodate existing network architectures. Factors to consider include applications supported, robustness required, network architecture supported, protocols required, and local and remote connections needed. Multiple protocols establish the rules that govern data transmission and generally cover the method to represent and code data; the method to transmit and receive data; and the method of nonstandard information exchange. Multiple access is a scheme that allows temporary access to the network by individual users, on a demand basis, for the purpose of transmitting information. Multiple topologies and protocols are a necessary part of the infrastructure and are dictated by multiple transmission media and network owners.

Which of the following establishes accountability in a local-area network environment? a. Network monitoring tools b. Access logs c. Lock and key systems d. Card key systems

b. Access logs along with user IDs and passwords provide a reasonable amount of accountability in a local-area network (LAN) environment because user actions are recorded. Network monitoring tools are an example of a detective control used by network management. As such they do not show any accountability of the user. They watch the network traffic and develop trends. Lock and key systems and card key systems are examples of preventive controls as a part of physical security. Keys can be lost or stolen, and, therefore, accountability is difficult to prove and control.

Security mechanisms implement security services. Which of the following security mechanisms do not implement the confidentiality security service? a. Encryption b. Access control c. Traffic padding d. Routing control

b. An access control security mechanism provides access control security service only. This mechanism controls access to authenticated entities to resources. They may be based upon security labels (tags), the time of attempted access, the route of attempted access, and the duration of access. Encryption is incorrect because it implements confidentiality security service. Encryption refers to cryptographic technology using keys. Two classes of encryption exist: symmetric (using secret key) and asymmetric (using public key). Traffic padding is incorrect because it provides confidentiality services. It is the observation of traffic patterns, even when enciphered, which may yield information to an intruder. This mechanism may be used to confound the analysis of traffic patterns. Routing control is incorrect because it provides confidentiality service. With routing control, routes can be chosen so as to use only secure links in the communication line.

What do terminating network connections with internal and external communication sessions include? 1. De-allocating associated TCP/IP addresses and port pairs at the operating system level 2. Logically separating user functionality from system management functionality 3. De-allocating networking assignments at the application system level 4. Isolating security functions from nonsecurity functions at boundaries a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 1, 2, 3, and 4

b. An information system should terminate the internal and external network connection associated with a communications session at the end of the session or after a period of inactivity. This is achieved through de-allocating addresses and assignments at the operating system level and application system level.

Which of the following is not a server-side script used in dynamic hypertext markup language (HTML)? a. Common gateway interface (CGI) b. ActiveServer page (ASP) c. JavaApplets d. Perl

c. A JavaApplet is a client-side script. Dynamic hypertext markup language (dynamic HTML) is a collection of dynamic HTML technologies for generating Web page contents onthe- fly. It uses the server-side scripts (e.g., CGI, ASP, JSP, PHP, and Perl) and the client-side scripts (e.g., JavaScript, JavaApplets, and Active -X controls).

Network security and integrity do not depend on which of the following controls? a. Logical access controls b. Business application system controls c. Hardware controls d. Procedural controls

b. Application system controls include data editing and validation routines to ensure integrity of the business-oriented application systems such as payroll and accounts payable. It has nothing to do with the network security and integrity. Logical access controls prevent unauthorized users from connecting to network nodes or gaining access to applications through computer terminals. Hardware controls include controls over modem usage, the dial-in connection, and the like. A public-switched network is used to dial into the internal network. Modems enable the user to link to a network from a remote site through a dial-in connection. Procedural controls include (i) limiting the distribution of modem telephone numbers on a need to know basis, (ii) turning the modem off when not in use, and (iii) frequent changes of modem telephone numbers.

A sender in a transmission control protocol (TCP) network plans to transmit message packets of sizes 1,024, 2,048, 4,096, and 8,192 bytes to a receiver. The receiver's granted window size is 16,384 bytes and the timeout size is set at 8,192 bytes. What should be the sender's congestion window size to avoid network bursts or congestion problems? a. 2,048 bytes b. 4,096 bytes c. 8,192 bytes d. 16,384 bytes

b. As long as the congestion window size remains at 4,096, which is less than the timeout size, no bursts take place, regardless of the receiver's granted window size. Network bursts can occur at a transmission of 8,192 bytes or higher because 8,192 bytes are the timeout limit. To be safe, the optimum size of the sender's congestion window must be set at less than the receiver's granted window size or the timeout size, whichever is smaller.

From a corporation viewpoint, which of the following design objectives is most important for a local-area network? a. Productivity b. Availability c. Throughput d. Responsiveness

b. Availability is the ratio of the total time a functional unit is capable of being used during a given interval to the length of the interval. It is the time during which a functional unit can be used. What good are productivity, throughput, and response time if the system is shut down and not available? Therefore, system availability is the most important objective for a local-area network (LAN) or any other network.

Which of the following voice-mail fraud prevention controls can be counterproductive and at the same time counterbalancing? 1. Turning off direct inward system access ports during nonworking hours 2. Separating internal and external call-forwarding privileges 3. Implementing call vectoring 4. Disconnecting dial-in maintenance ports a. 1 and 2 b. 1 and 4 c. 3 and 4 d. 2 and 3

b. Direct inward system access (DISA) is used to enable an inward calling person access to an outbound line, which is a security weakness when not properly secured. Because hackers work during nonworking hours (evenings and weekends), turning off DISA appears to be a preventive control. However, employees who must make business phone calls during these hours cannot use these lines. They have to use their company/personal credit cards when the DISA is turned off. Similarly, disconnecting dial-in maintenance ports appears to be a preventive control; although, hackers can get into the system through these ports. Emergency problems cannot be handled when the maintenance ports are disabled. Turning off direct inward system access (DISA) ports during nonworking hours and disconnecting dial-in maintenance ports are counterproductive and counterbalancing. By separating internal and external call-forwarding privileges for internal lines, an inbound call cannot be forwarded to an outside line unless authorized. Call vectoring can be implemented by answering a call with a recorded message or nothing at all, which may frustrate an attacker. Separating internal and external call-forwarding privileges and implementing call vectoring are counterproductive and balancing.

Communications between computers can take several approaches. Which of the following approaches is most secure? a. Public telephone network b. Fiber optic cables c. Direct wiring of lines between the computer and the user workstation d. Microwave transmission or satellites

b. Due to their design, fiber optic cables are relatively safer and more secure than other types of computer links. A dial-up connection through a public telephone network is not secure unless a dial-back control is established. Direct wiring of lines between the computer and the user workstation is relatively secure when compared to the public telephone network. Microwave transmissions or satellites are subject to sabotage, electronic warfare, and wiretaps.

Which of the following devices can enforce strict adherence to protocol formats to prevent unauthorized exfiltration of information across managed interfaces using boundary protection devices? 1. Deep packet inspection firewalls 2. XML gateways 3. Routers 4. Bridges a. 1 only b. 1 and 2 c. 1 and 3 d. 3 and 4

b. Examples of devices enforcing strict adherence to protocol formats are deep packet inspection firewalls (also known as stateful protocol analysis capability) and extensible markup language (XML) gateways. These devices verify adherence to the protocol specification at the application layer and serve to identify vulnerabilities that cannot be detected by devices operating at the network layer or transport layer. Routers operate at the network layer and bridges operate at the data link layer. In addition, XML gateways are used to prevent and detect XML-based denial-of-service (DoS) attacks. Managed interfaces using boundary protection devices include proxies, gateways, routers, firewalls, software/hardware guards, and encrypted tunnels.

For worldwide interoperability for microwave access (WiMAX) security, when an adversary drains a client node's battery by sending a constant series of management messages to the subscriber station/mobile subscriber (SS/MS), what is it called? a. Man-in-the-middle attack b. Water torture attack c. Radio frequency jamming attack d. Radio frequency scrambling attack

b. Exploitation of unencrypted management messages can result in subtle denial-of-service (DoS), replay, or manipulation attacks that are difficult to detect. These attacks spoof management messages. A water torture attack is an example of subtle DoS attack in which an adversary drains a client node's battery by sending a constant series of management messages to the SS/MS. Radio frequency (RF) jamming is classified as a DoS attack. RF scrambling attacks are the precise injections of RF interference during the transmission of specific management messages. A man-in-the-middle (MitM) attack occurs when an adversary deceives an SS/MS to appear as a legitimate base station (BS) while simultaneously deceiving a BS to appear as a legitimate SS/MS.

Which of the following is not used in creating dynamic Web documents? a. Common gateway interface (CGI) b. Extensible markup language (XML) c. JavaServer page (JSP) d. ActiveServer page (ASP)

b. Extensible markup language (XML) is used in creating a static Web document. Dynamic Web documents (pages) are written in CGI, JSP, and ASP.

For worldwide interoperability for microwave access (WiMAX) security, a countermeasure for man-in-the-middle (MitM) attack is: a. DES-CBC b. AES-CCM c. AES only d. VPN only

b. If a WiMAX system is not using the advanced encryption standard Counter with CBC message authentication code (AES-CCM), it can open up the possibility of a MitM attack. Data encryption standard-cipher block chaining (DES-CBC) is a weak algorithm that cannot ensure confidentiality of data and may lead to MitM attack. Virtual private network (VPN) is a mature technology and cannot defend against the MitM attacks. The advanced encryption standard (AES) is not as strong as the AES-CCM.

Wireless local-area networks (LANs) have greater risks than wired LANs in which of the following areas? a. Masquerading and modification/substitution b. Modification/substitution of messages and theft of equipment c. Eavesdropping and masquerading d. Eavesdropping and theft of equipment

b. In wireless LANs, the stronger node could block the weaker one, substitute its own messages, and even acknowledge responses from other nodes. Similarly, theft of equipment is a major risk in wireless LANs due to their portability. When equipment moves around, things can easily become missing. Eavesdropping and masquerading are common to both the wired and wireless LANs. Eavesdropping is an unauthorized interception of information. Masquerading is an attempt to gain access to a computer system by posing as an authorized user.

All the following are examples of performance measures of quality-of-service (QoS) for a communications network except: a. Signal-to-noise ratio b. Mean time between failures c. Bit error ratio d. Call blocking probability

b. Mean time between failures (MTBF) is an indicator of expected system reliability based on known failure rates, which are expressed in hours. MTBF is mostly applied to equipment whereas QoS is applied to services. The other three choices, along with message throughput rate, are examples of channel or system performance parameters, measuring QoS. Signal-to-noise ratio is the ratio of the amplitude of the peak signal to the amplitude of peak noise signals at a given point in time in a telecommunications system. Bit error ratio is the number of erroneous bits divided by the total number of bits transmitted, received, or processed over some stipulated time period in a telecommunications system. Call blocking probability is the probability that an unwanted incoming call would be blocked from going forward.

Which of the following is an operational issue in data communications networks? a. Network modularity and adaptability b. Network performance and throughput c. Network availability and redundancy d. Network size and interoperability

b. Performance management consists of day-to-day system requirements and evaluation to assess current performance and to identify and implement system adjustments that can improve performance. To ensure efficiency, the performance management staff must know the workloads imposed by users, the levels of service required to satisfy workloads, and current capacity. The other three choices are incorrect because they are examples of network planning and design issues.

Radio frequency identification technologies rely on which of the following to ensure security? a. Defense-in-depth strategy b. Defense-in-breadth strategy c. Defense-in-time strategy d. Defense-in-technology strategy

b. Radio frequency identification (RFID) technologies are used in supply chain systems which, in turn, use defense-in-breadth strategy for ensuring security. Defense-in-depth strategy considers layered defenses to make security stronger. Defense-in-time strategy considers different time zones in the world where information systems operate. Defense-in-technology strategy deals with making technology less complicated and more secure.

For worldwide interoperability for microwave access (WiMAX) security, replay attacks occur due to which of the following? 1. Injection of reused traffic encryption key 2. Insecure unicast messages 3. Unencrypted management messages 4. Insecure nonunicast messages a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 3 and 4

b. Replay attacks occur due to injection of reused traffic encryption key (TEK) and unencrypted management messages. Integrity checks are added to unicast messages to prevent replay attacks. Nonunicast messages are open to DoS attacks.

For Web services, which of the following uses binary tokens for authentication, digital signatures for integrity, and content-level encryption for confidentiality? a. Web service interoperability (WS-I) b. Web services security (WS-Security) c. Web services description languages (WSDL) d. Web-Oriented architecture (WOA)

b. The Web service is a software component or system designed to support an interoperable machine or application-oriented interaction over a network. The Web service has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using simple object access protocol (SOAP) messages, typically conveyed using hypertext transfer protocol (HTTP) with an extensible markup language (XML) serialization with other Web-related standards. Web services security (WS-Security) is a mechanism for incorporating security information into SOAP messages. WS-Security uses binary tokens for authentication, digital signatures for integrity, and content-level encryption for confidentiality. The other three choices do not provide the same security services as the WS-Security. The Web service interoperability (WS-I) basic profile is a set of standards and clarifications to standards that vendors must follow for basic interoperability with SOAP products. The Web services description language (WSDL) is an XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information. WSDL complements the universal description, discovery, and integration (UDDI) standard by providing a uniform way of describing the abstract interface and protocol bindings and deployment details of arbitrary network services. The Web-oriented architecture (WOA) is a set of Web protocols (e.g., HTTP and plain XML) to provide dynamic, scalable, and interoperable Web services.

The normal client/server implementation uses which of the following? a. One-tier architecture b. Two-tier architecture c. Three-tier architecture d. Four-tier architecture

b. The normal client/server implementation is a two-tiered architecture for simple networks (i.e., one client and one server). Multitiered architectures use one client and several servers.

The World Wide Web (WWW) can be protected against the risk of eavesdropping in an economical and convenient manner through the use of which of the following? a. Link and document encryption b. Secure sockets layer and secure HTTP c. Link encryption and secure socket layer d. Document encryption and secure HTTP

b. The risk of eavesdropping occurs on the Internet in at least two ways: traffic analysis and stealing of sensitive information such as credit card numbers. Secure sockets layer (SSL) provides an encrypted TCP/IP pathway between two hosts on the Internet. SSL can be used to encrypt any TCP/IP, such as HTTP, TELNET, or FTP. SSL can use a variety of public key and token-based systems for exchanging a session key. SHTTP (secure HTTP) is an encryption system designed for HTTP and works only with HTTP. Link encryption provides encryption for all traffic, but it can be performed only with prior arrangement. It is expensive. Document encryption is cumbersome because it requires the documents to be encrypted before they are placed on the server, and they must be decrypted when they are received. Link and document encryption can use either TCP/IP or other protocols.

Host-based firewalls can have a serious negative effect on system usability and user satisfaction with which of the following? a. Deny-by-default rulesets for incoming traffic b. Deny-by-default rulesets for outgoing traffic c. Deny-by-default rulesets for servers d. Deny-by-default rulesets for desktops

b. To prevent malware incidents, organizations should configure host-based firewalls with deny-by-default rulesets for incoming traffic. Organizations should also use deny-by-default rulesets for outgoing traffic, if feasible; however, such rulesets can have a serious negative effect on system usability and user satisfaction. Servers, desktops, and laptops use similar rulesets as host-based firewalls do.

Which of the following functions is similar to a host firewall? a. Authentication header b. TCP wrappers c. Encapsulating security payload d. Security parameters index

b. Transmission control protocol (TCP) wrappers are a freely available application that functions similarly to a firewall. It can be used to restrict access and configured in such a way that only specified user IDs or nodes can execute specified server processes. An authentication header is one part of IPsec's two security headers: (i) the authentication header and (ii) the encapsulating security payload. The authentication header provides source authentication and integrity to the IP datagram, and the payload provides confidentiality. A security parameter index consists of cryptographic keys and algorithms, and the authentication header contains the index.

Web content filtering software is related to which of the following? a. Web bug b. Blacklisting c. RED d. BLACK

b. Web content filtering software is a program that prevents access to undesirable websites, typically by comparing a requested website address to a list of known bad websites (i.e., blacklisting). Blacklisting is a hold placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources. The other three choices are not related to the Web content filtering software. Web bug is a tiny image, invisible to a user, placed on Web pages in such a way to enable third parties to track use of Web servers and collect information about the user, including IP addresses, host name, browser type and version, operating system name and version, and cookies. The Web bug may contain malicious code. RED refers to data/information or messages that contain sensitive or classified information that is not encrypted, whereas BLACK refers to information that is encrypted.

Which of the following worldwide interoperability for microwave access (WiMAX) operating topologies uses a concept of security zone? a. Point-to-point b. Point-to-multipoint c. Multihop relay d. Mobile

c. A multihop relay topology, also referred to as mesh networking, is used to extend a base station's (BS) coverage area by permitting subscriber stations (SSs) or mobile subscribers (MSs) to replay traffic by acting as a relay station. A multihop uses a security zone concept where it is a set of trusted relationships between a BS and a group of relay stations (RSs). An RS can forward traffic to only RSs or SSs within its security zone. The other three choices, which are also examples of WiMAX operating topologies, do not use the concept of security zone. A point-to-point topology consists of a dedicated long-range, high-capacity wireless link between two sites. This topology is used for high-bandwidth wireless backhaul services at maximum operating ranges using either line-of-sight (LOS) or no-line-of-sight (NLOS) signal propagation. It uses a backhaul as a high-capacity line from a remote site or network to a central site or network. A point-to-multipoint topology is composed of a central BS supporting multiple SSs, providing network access from one location to many locations. It is commonly used for last-mile broadband access, private enterprise connectivity to remote offices, and long-range wireless backhaul services for multiple sites. Last-mile broadband access refers to communications technology that bridges the transmission distance between the broadband service provider and the customer premises equipment. A mobile topology is similar to a cellular network because multiple BSs collaborate to provide seamless communications over a distributed network to both SSs and MSs.

The least effective control in mitigating communication network failures would be which of the following? a. Network contingency plans b. Network capacity planning c. Network application system d. Network performance monitoring

c. A network application system that collects traffic statistics and provides reports to alert the network management does not help in minimizing communication network failures. The other three choices are important to minimize losses from a network failure. Network contingency plans deal with redundant switching equipment, parallel physical circuits, and standby power supplies to address network disasters. Network capacity plans assist in forecasting computer resource requirements to ensure that adequate capacity exists when needed. For example, the capacity studies may call for higher bandwidth to accommodate newer technologies such as multimedia and videoconferencing. Capacity planning activities use current system performance data as a starting point to predict future resource needs. Network performance monitoring involves analyzing the performance of a computer system to determine how resources are currently utilized and how such utilization can be improved.

Which of the following performs application content filtering? a. Sensors b. Gateway c. Proxy d. Hardware/software guard

c. A software proxy agent performs application content filtering to remove or quarantine viruses that may be contained in e-mail attachments, to block specific MIME types, or to filter other active content (e.g., Java, JavaScript, and ActiveX Controls). The proxy accepts certain types of traffic entering or leaving a network, processes it, and forwards it. The other three choices are not related to application content filtering. Sensors are composed of network monitors and network scanners, where the former performs intrusion detection, and the latter performs vulnerability scanning. A gateway is an interface providing compatibility between networks by converting transmission speeds, protocols, codes, or security measures. A hardware/software guard enables users to exchange data between private and public networks, which is normally prohibited because of information confidentiality.

All the following are examples of media access control (MAC) sublayer protocols except: a. Carrier sense multiple access (CSMA) b. Ethernet c. Advanced data communications control procedure (ADCCP) d. Logical link control (LLC)

c. Advanced data communications control procedure (ADCCP) is an example of a sliding window protocol. The other three choices are examples of media access control protocols. ADCCP is a modified synchronous data link control (SDLC), which became high-level data link control (HDLC), and later became link access procedure B (LAPB) to make it more compatible with HDLC. Carrier sense multiple access (CSMA) protocols listen to the channel for a transmitting carrier and act accordingly. If the channel is busy, the station waits until it becomes idle. When the station detects an idle channel, it transmits a frame. If collision occurs, the station waits a random amount of time and starts all over again. The goal is to avoid a collision or detect a collision (CSMA/CA and CSMA/CD). The CSMA/CD is used on LANs in the MAC sublayer and is the basis of Ethernet. Logical link control (LLC) protocol hides the differences between the various kinds of IEEE 802 networks by providing a single format and interface to the network layer. LLC forms the upper half of the data link layer with the MAC sublayer below it.

Which of the following is not an example of race condition attacks? a Symbolic links b. Object-oriented c. Deadlock d. Core-file manipulation

c. Allowing exclusive access to a dedicated input/output device (e.g., printer, plotter, and disk) in response to a user request can lead to a deadlock situation in the absence of spooling. Deadlocks are not related to race condition attacks because the latter is called timing attacks. A symbolic link (symlink) is a file that points to another file. Often, there are programs that can change the permissions granted to a file. If these programs run with privileged permission, a user could strategically create symlinks to trick these programs into modifying or listing critical system files. Symlink attacks are often coupled with race condition attacks. Symbolic links are links on UNIX, MINIX, and LINUX systems that point from one file to another file. A symlink vulnerability is exploited by making a symbolic link from a file an attacker does have access to a file to which the attacker does not have access. Symlinks do not exist on Windows systems, so symlink attacks cannot be performed against programs or files on those systems. MINIX is a variation of UNIX and is small in size. A major difference between MINIX and UNIX is the editor where the former is faster and the latter is slower. In object-oriented programming, race conditions occur due to the sharing of common variables among object instances, which could be verified within the program code. For each file access, the program should be written to verify that the file is free before opening it and to check for object-in-use errors. Core-file manipulation is another example of a race condition where a program or process enters into a privileged mode before the program or process has given up its privileged mode. If an attacker successfully manages to compromise the program or process during its privileged state, then the attacker has won the race.

Which of the following is not an example of information system entry and exit points to protect from malicious code? a. Firewalls b. Electronic mail servers c. Workstations d. Web servers

c. An organization employs malicious code protection mechanisms at critical information system entry and exit points such as firewalls, e-mail servers, Web servers, proxy servers, and remote access servers. Workstations are internal to an organization and do not provide direct entry and exit points.

Which of the following attacks take advantage of dynamic system actions and the ability to manipulate the timing of those actions? a. Active attacks b. Passive attacks c. Asynchronous attacks d. Tunneling attacks

c. Asynchronous attacks take advantage of dynamic system activity to get access. User requests are placed into a queue and are satisfied by a set of predetermined criteria. An attacker can penetrate the queue and modify the data that is waiting to be processed or printed. He might change a queue entry to replace someone else's name or data with his own or to subvert that user's data by replacing it. Here, the time variable is manipulated. With an active attack, the intruder modifies the intercepted messages with the goal of message modification. An effective tool for protecting messages against both active and passive attacks is cryptography. With a passive attack, an intruder intercepts messages to view the data. This intrusion is also known as eavesdropping. Tunneling attacks use one data transfer method to carry data for another method. It may carry unauthorized data in legitimate data packets. It exploits a weakness in a system at a low level of abstraction.

Regarding instant messaging (IM), which of the following is an effective countermeasure to ensure that the enclave users cannot connect to public messaging systems? a. Disable file-sharing feature b. Restrict IM chat announcements c. Block ports at the enclave firewall d. Install antivirus software

c. Blocking ports at the enclave firewall ensures that enclave users cannot connect to public messaging systems. Although a firewall can be effective at blocking incoming connections and rogue outgoing connections, it can be difficult to stop all instant messaging (IM) traffic connected to commonly allowed destination ports (e.g., HTTP, Telnet, FTP, and SMTP), thus resulting in a bypass of firewalls. Therefore, domain names or IP addresses should be blocked in addition to port blocking at a firewall. IM also provides file-sharing capabilities, which is used to access files on remote computers via a screen name which could be infected with a Trojan horse. To launch malware and filesharing attacks, an attacker may use the open IM ports because he does not need new ports. Therefore, the file-sharing feature should be disabled on all IM clients. Restricting IM chat announcements to only authorized users can limit attackers from connecting to computers on the network and sending malicious code. IM is a potential carrier for malware because it provides the ability to transfer text messages and files, thereby becoming an access point for a backdoor Trojan horse. Installing antivirus software with plug-ins to IM clients and scanning files as they are received can help control malware.

Which of the following can provide a false sense of security? 1. Encryption protocols 2. Digital signatures 3. Firewalls 4. Certified authorities a. 1 and 2 b. 2 and 3 c. 1 and 3 d. 2 and 4

c. Both encryption protocols and firewalls can provide a false sense of security. Encryption is used to provide confidentiality of data from the point of leaving the end user's software client to the point of being decrypted on the server system. After the data is stored "in the clear" on the server, data confidentiality is no longer ensured. Data confidentiality aside, encryption cannot prevent malicious attackers from breaking into the server systems and destroying data and transaction records. Firewalls have been used to protect internal computer systems from outside attacks and unauthorized inside users. The effectiveness of a firewall is usually in providing a deterrent for would be attacks. However, the bigger issue with firewalls is misconfiguration. Digital signatures and certified authorities provide a good sense of security because they work together to form a trusted relationship. A digital signature stamped by the certifying authority can certify that the client and the server can be trusted.

Enforcing effective data communications security requires other types of security such as physical security. Which of the following can easily compromise such an objective? a. Smart cards with PINs b. Nonreusable passwords c. Network cabling d. Last login messages

c. Data communications security requires physical security and password controls. The network cables that carry data are vulnerable to intruders. It is a simple matter to tap into cabling and relatively easy to cut the wiring. Therefore, a basic physical security control such as locking up the wiring closet is important. Smart cards with PINs are incorrect because they do not compromise data communications. They enhance security by using cryptographic keys. Nonreusable passwords are used only once. A series of passwords are generated by a cryptographic secure algorithm and given to the user for use at the time of login. Each password expires after its initial use and is not repeated or stored anywhere. Last login messages are incorrect because they alert unauthorized uses of a user's password and ID combination.

Extrusion detection at the information system boundary does not include which of the following? a. Looking for internal threats b. Analyzing outgoing network traffic c. Looking for external threats d. Analyzing incoming network traffic

c. Detecting internal actions that may pose a security threat to external information systems is called extrusion detection. It is also referred to as data loss prevention. Its scope includes the analysis of incoming and outgoing network traffic looking for indications of an internal threat (not an external threat) to the security of external systems.

Which of the following is a detective control in a local-area network (LAN) environment? a. File backup b. Contingency plan c. Electronic surveillance d. Locks and keys

c. Electronic surveillance is an example of detective controls. File backup is incorrect because it is an example of recovery controls. A contingency plan is incorrect because it is an example of recovery controls. Locks and keys are incorrect because they are examples of preventive controls.

Which of the following security threats is not applicable to wireless local-area networks (WLANs)? a. Message interception b. System unavailability c. System unreliability d. Theft of equipment

c. Even with wireless local-area networks (WLANs), message interception is possible, the system can go down, thus making it unavailable, and equipment can be stolen. However, the wireless LAN is more reliable than the wired LAN due to lack of wiring problems. Cable cuts and wire jams are the most common problems with the wired LANs. Therefore, system unreliability is not a threat for wireless LANs. This is because of the overlapping coverage of wireless access points (APs) provides some level of network redundancy from an end user standpoint; that is, if one AP goes down, the other one's wireless coverage may make the reliability failure seem minimal.

Which of the following is a disadvantage of satellite communications versus a conventional communications method? a. User-owned stations b. Cost c. Frequency bands d. Broadcast ability

c. Frequency bands are of two types: low and high frequency. All the lower frequency bands have become increasingly crowded, and developing higher frequencies is difficult and expensive. Also, transmission problems typically worsen at higher frequencies. In satellite systems, power must be increased at both the original transmission site (uplink) on earth and on the satellite. Increased satellite power generally increases costs. The other three choices are advantages. Users purchase their own sending and receiving equipment. Satellites have a low-cost, point-to-multipoint broadcast capability that is most expensive to duplicate with conventional techniques.

What is a physical security control that uses a network configuration mechanism to minimize theft or damage to computer equipment? a. Web server b. Terminal server c. Server farm d. Redundant server

c. In a server farm, all servers are kept in a single, secure location, and the chances of theft or damage to computer equipment are lower. Only those individuals who require physical access should be given a key. A redundant server concept is used in contingency planning and disaster recovery, which is kept away from the server farm.

Which of the following is an example of an asynchronous attack? a. Data diddling attack b. Data leakage attack c. TOC-TOU attack d. Salami attack

c. In a time-of-check to time-of-use (TOC-TOU) attack, a print job under one user's name is exchanged with a print job for another user. Asynchronous attacks take advantage of time differentials between two events. A data diddling attack is changing data before or during input to computers or during output from a computer system (e.g., forging a document). A data leakage attack is the removal of data from a computer system by covert means. A salami attack is a theft of small amounts of money from a number of bank accounts and customers (e.g., stealing a few cents from each customer's bank account and spreading over many customers).

In a wireless local-area network (WLAN) environment, what is a technique used to ensure effective data security called? a. Message authentication code and transponder b. Transmitting in different channels and message authentication code c. Transmitting on different channels and enabling encryption d. Encryption and transponder

c. In a wireless local-area network (WLAN) environment, transmitting in different channels at the same time or different times ensures that an intruder cannot predict the transmission patterns. Data can be compared from different channels for completeness and accuracy. In addition, data encryption techniques can be used for encrypting all wireless traffic and for highly secure applications. It is true that anyone with the appropriate receiver device can capture the signal transmitted from one unit to another. A message authentication code is not applicable here because it is a process for detecting unauthorized changes made to data transmitted between users or machines or to data retrieved from storage. A transponder is not applicable here because it is used in satellites to receive a signal, to change its frequency, and to retransmit it.

One of the goals of penetration testing security controls is to determine: a. The time between the flaw identification and the flaw remediation process b. The time between the vulnerability identification and the vulnerability remediation process c. The time between the vulnerability identification and the vulnerability exploitation d. The time between the weaknesses is discovered and the time to eliminate the weaknesses

c. One of the goals of penetration testing is to determine exploitability of identified vulnerability. It is called time-to-exploitation, where the penetration testers (i.e., red team and blue team) determine the time to exploit. The other three choices require a corrective action in terms of a plan of action and milestones.

Frame relay and X.25 networks are part of which of the following? a. Circuit-switched services b. Cell-switched services c. Packet-switched services d. Dedicated digital services

c. Packet-switched services are better suited to handle bursts of traffic. In packet-switched services, connections do not need to be established before data transmission begins. Instead, each packet is transmitted separately, and each may take a separate path through the mesh of network. X.25 networks are slow and are not suitable for most LAN-to-LAN traffic because of the time and bandwidth required for error checking by X.25. Frame relays, which are similar to X.25, provide faster and more efficient services. Frame relay does not employ the extensive error checking of X.25. Circuit-switched services are incorrect because they are better suited for delay-sensitive traffic. They establish a virtual connection before transmitting data. They do not use X.25 and frame relay protocols. Cell-switched services are incorrect because they use a fixed-size cell rather than a variablesize packet (e.g., asynchronous transfer mode networks). This type of switching is faster and less expensive. They do not use X.25 and frame relay protocols either. Dedicated digital services are incorrect because they handle voice, video, and data. The dedicated lines are usually leased and installed between two points to provide dedicated, fulltime service. T1 and T3 are examples of dedicated digital lines.

Possible security threats inherent in a local-area network (LAN) environment include passive and active threats. Which of the following is a passive threat? a. Denial of message service b. Masquerading c. Traffic analysis d. Modification of message service

c. Passive threats do not alter any data in a system. They simply read information for the purpose of gaining some knowledge. Because there is no alteration of data and consequently no audit trail exists, passive threats are difficult to detect. Examples of passive threats include traffic analysis. If an attacker can read the packet header, then the source and destination of the message is known, even when the message is encrypted. Through traffic analysis, the attacker knows the total volume in the network and the amount of traffic entering and leaving selected nodes. Although encryption can limit the reading of header information and messages, traffic padding is also needed to counteract the traffic analysis. Traffic padding requires generating a continuous stream of random data or cipher text and padding the communication link so that the attacker would find it difficult to differentiate the useful data from the useless data. Padded data in traffic is useless. The other three choices are incorrect because they are examples of active threats. Active threats generate or alter the data or control signals rather than to simply read the contents of those signals. A denial of message service results when an attacker destroys or delays most or all messages. Masquerading is an attempt to gain access to a computer system by posing as an authorized client or host. An attacker poses as an authentic host, switch, router, or similar device to communicate with a peer to acquire data or services. Modification of message service occurs when an attacker modifies, deletes, delays, reorders existing real messages, and adds fake messages.

What do most effective security controls over remote maintenance ports include? a. Legal contracts and dial-back systems b. Dial-back systems and modem pools c. Legal contracts and modem pools d. Dial-back systems and disconnecting unneeded connections

c. Remote maintenance ports enable the vendor to fix operating problems. The legal contract with the vendor should specify that there be no trap doors and that any maintenance ports should be approved by both parties. Modem pools consist of a group of modems connected to a server (e.g., host, communications, or terminal). This provides a single point of control. Attackers can target the modem pool, so protect it by installing an application gateway-based firewall control. Dial-back security controls over remote maintenance ports are not effective because they are actually authenticating a place, not a person. It is good practice to disconnect unneeded connections to the outside world, but this makes it difficult for a maintenance contractor to access certain ports when needed in an emergency.

A website has been vandalized. Which of the following should be monitored closely? a. Illegal logging b. Illegal privilege usage c. Illegal file access d. Illegal Web server shutdown

c. Selecting the illegal file access addresses the vandalism issue because that is what the attacker can benefit from the most. Files have critical data useful to an attacker. The other three choices are incidental.

When a nonremote user connection is established with a remote device using a virtual private network (VPN), the configuration settings generally prevent which of the following? a. Split knowledge b. Split domain name service c. Split tunneling d. Split gateway

c. Split tunneling is a method that routes organization-specific traffic through the secure sockets layer (SSL) VPN tunnel, but other traffic uses the remote user's default gateway. Remote users normally use split tunneling to communicate with the information system as an extension of that system and to communicate with local resources such as a printer or file server. The remote device, when connected by a nonremote connection, becomes an extension of the information system, enabling a dual communications path (i.e., split tunneling), which, in effect, enables unauthorized external connections into the system. Here the use of VPN for nonremote connection generally prevents the split tunneling, depending on the configuration settings and traffic types.

Which of the following questions must be answered first when planning for secure telecommuting? a. What data is confidential? b. What systems and data do employees need to access? c. What type of access is needed? d. What is the sensitivity of systems and data?

c. Telecommuting is the use of telecommunications to create a virtual office away from the established (physical) office. The telecommuting office can be in an employee's home, a hotel room or conference center, an employee's travel site, or a telecommuting center. In planning for secure telecommuting, management must first determine what type of access is needed (i.e., end user, IT user, system/security administrator, permanent/temporary access, guest/contractor access, global/local access, read, write, update add, delete, or change, view, print, or collaborate). The type of access drives most of access control decisions, including the other three choices. The other three choices come later, although they are important in their own way and support the type of access. What systems and data do employees need? What is the sensitivity of these systems and data? Do they need system administrator privileges? Do they need to share files with other employees? Is the data confidential?

Which of the following extensible authentication protocols is not secure? a. EAP-TLS b. EAP-TTLS c. MD5-Challenge d. PEAP

c. The MD5-Challenge is a legacy-based extensible authentication protocol (EAP) method along with a one-time password and generic token card, which are not secure. Although onetime passwords are generally considered secure by themselves, they are not that secure when they are used in conjunction with a generic token because the token could have been duplicated, fake, lost, or stolen. The MD-5 Challenge is based on the challenge-handshake authentication protocol (CHAP), which is not a secure protocol. The other three choices are a part of the transport layer securitybased (TLS-based) EAP methods, which are very secure.

The first step toward securing the resources of a local-area network (LAN) is to verify the identities of system users. Organizations should consider which of the following prior to connecting their LANs to outside networks, particularly the Internet? a. Plan for implementing locking mechanisms. b. Plan for protecting the modem pools. c. Plan for considering all authentication options. d. Plan for providing the user with his account usage information.

c. The best thing is to consider all authentication options, not just using the traditional method of passwords. Proper password selection (striking a balance between being easy to remember for the user but difficult to guess for everyone else) has always been an issue. Password-only mechanisms, especially those that transmit the password in the clear (in an unencrypted form) are susceptible to being monitored and captured. This can become a serious problem if the local-area network (LAN) has any uncontrolled connections to outside networks such as the Internet. Because of the vulnerabilities that still exist with the use of password-only mechanisms, more robust mechanisms such as token-based authentication and use of biometrics should be considered. Locking mechanisms for LAN devices, workstations, or PCs that require user authentication to unlock can be useful to users who must frequently leave their work areas (for a short period of time). These locks enable users to remain logged into the LAN and leave their work areas without exposing an entry point into the LAN. Modems that provide users with LAN access may require additional protection. An intruder that can access the modem may gain access by successfully guessing a user password. The availability of modem use to legitimate users may also become an issue if an intruder is allowed continual access to the modem. A modem pool is a group of modems acting as a pool instead of individual modems on each workstation. Modem pools provide greater security in denying access to unauthorized users. Modem pools should not be configured for outgoing connections unless access can be carefully controlled. Security mechanisms that provide a user with his account usage information may alert the user that the account was used in an abnormal manner (e.g., multiple login failures). These mechanisms include notification such as date, time, and location of the last successful login and the number of previous login failures.

Which of the following is a byproduct of administering the security policy for firewalls? a. Protocol filtering policy b. Connectivity policy c. Firewall implementation d. Protocol filtering rules

c. The role of site security policy is important for firewall administration. A firewall should be viewed as an implementation of a policy; the policy should never be made by the firewall implementation. In other words, agreement on what protocols to filter, what application gateways to use, how network connectivity will be made, and what the protocol filtering rules are all need to be codified beforehand because ad hoc decisions will be difficult to defend and will eventually complicate firewall administration.

Asynchronous transfer mode (ATM) is an example of a fast packet-switching network. Which of the following statements about ATM is not true? a. ATM networks can carry data communications. b. ATM networks can carry video communications. c. ATM networks use long packets with varying sizes. d. ATM networks can carry voice communications.

c. There are two different kinds of fast packet-switching networks: ATM and PTM. Asynchronous transfer mode (ATM) networks use short packets called "cells" that are always the same length. Packet transfer mode (PTM) does not use short cells but more additional packets that can be longer if necessary. Most packet-switching networks use packets that can be long and vary in size depending on the data being carried. The ATM network can carry data communications where packets are broken into several ATM cells. After travelling through the network, the cells are reassembled into packets. It can also carry video communications where the digital video bits are put in cells and sent through the network. At the destination, the bits are removed from the cells. The ATM also carries voice communications, and the voice is handled in the same way as video.

In which of the following remote access methods is a pinholing scheme used to facilitate the network address translation (NAT) contact to occur with internal workstations? a. Tunneling b. Application portals c. Remote desktop access d. Direct application access

c. There are two major styles of remote desktop access: (i) direct between the telework client device (e.g., a consumer device such as a smartphone and PDA or PC used for performing telework) and the internal workstation, and (ii) indirect through a trusted intermediate system. However, direct access is often not possible because it is prevented by many firewalls. For example, if the internal workstation is behind a firewall performing network address translation (NAT), the telework client device cannot initiate contact with the internal workstation unless either the NAT enables such contact or the internal workstation initiates communications with the external telework client device (e.g., periodically checking with the client device to see if it wants to connect). A "pinholing" scheme can be used to facilitate the NAT contact to occur where particular ports are allocated to each internal workstation. The other three choices do not deal with the NAT. Tunneling, which uses IPsec tunnel, SSL tunnel, or SSH tunnel with thick remote access client software, provides more control over the remote access environment. On the other hand, application portals, remote desktop access, and direct application access use thin remote access client software providing less control over the remote access environment. Because the remote desktop access method is less secure, it should be used only for exceptional cases after a careful analysis of the security risk.

Which of the following networks provides for movement of employees within an organization without the associated cabling costs? a. Traditional local-area networks (LANs) b. Metropolitan-area networks (MANs) c. Virtual local-area networks (VLANs) d. Value-added networks (VANs)

c. Virtual LANs are a logical collection of individual LANs, because they link local- and wide-area networks using routers, switches, and backbone equipment and related software so that users at various locations have access to data residing on multiple systems and locations that they would not have otherwise. The virtual network is transparent to users. Virtual LANs reassign users without changing cables when users move from one location to another. Network maintenance costs are lower and equipment moves are done faster. Another benefit of virtual LANs is that all servers in a building can be physically protected in a data center instead of spreading them throughout the building in the user departments. Traditional (wired) LANs are incorrect because they require a change of cabling when users and their equipment move around. Network maintenance costs are higher and moves are slower. MANs and VANs are incorrect because they do not employ cables as traditional LANs do.

The basic protocols would not address which of the following? a. Message size, sequence, and format b. Message routing instructions c. Error detection and correction d. Message authentication

d. A basic protocol is a set of rules governing a specific time sequence of events. It defines the method of formatting bits of data and messages for transmission, routing, and identification of messages including error detection and correction. However, it does not address a message authentication, which is a security feature.

Which of the following actions is not true about prohibiting remote activation for collaborative computing devices? a. Block inbound and outbound traffic between instant messaging clients configured by end users. b. Block inbound and outbound traffic between instant messaging clients configured by external providers. c. Disconnect all unneeded collaborative computing devices physically. d. Block inbound and outbound traffic between instant messaging clients configured by the IT security.

d. Collaborative computing devices are networked white boards and cameras. It is a good security practice to block the inbound and outbound network traffic configured by end users and external service providers, and not block the configurations established by the IT security function.

Which of the following worldwide interoperability for microwave access (WiMAX) operating topologies uses only the non-line-of-sight (NLOS) signal propagation? a. Point-to-point b. Point-to-multipoint c. Multihop relay d. Mobile

d. A mobile topology is similar to a cellular network because multiple base stations (BSs) collaborate to provide seamless communications over a distributed network to both subscriber stations (SSs) and mobile subscribers (MSs). A non-line-of-sight (NLOS) signal propagation is electromagnetic signaling that uses advanced modulation techniques to compensate for signal obstacles and enables indirect communications between transmitting stations. Mobile WiMAX topology operates on NLOS signal propagation, whereas the other three topologies use either LOS or NLOS signal propagation. A line-of-sight (LOS) signal propagation is electromagnetic signaling that is highly sensitive to radio frequency obstacles requiring an unobstructed view between transmitting stations. The other three choices are also examples of WiMAX operating topologies. A point-to-point topology consists of a dedicated long-range, high-capacity wireless link between two sites. This topology is used for high-bandwidth wireless backhaul services at maximum operating ranges using either LOS or NLOS signal propagation. It uses a backhaul as a high-capacity line from a remote site or network to a central site or network. A point-to-multipoint topology is composed of a central BS supporting multiple SSs, providing network access from one location to many locations. It is commonly used for last-mile broadband access, private enterprise connectivity to remote offices, and long-range wireless backhaul services for multiple sites. Last-mile broadband access refers to communications technology that bridges the transmission distance between the broadband service provider and the customer premises equipment. A multihop relay topology, also referred to as mesh networking, is used to extend a BS's coverage area by permitting SSs or MSs to replay traffic by acting as a relay station.

In a distributed computing environment, system security takes on an important role. Two types of network attacks exist: passive and active. Which of the following is an example of a passive attack? a. Attempting to log in to someone else's account b. Installing a wiretap on a network cable to generate false messages c. Denying services to legitimate users d. Sniffing a system password when the user types it

d. A passive attack is an attack where the threat merely watches information move across the system. However, no attempt is made to introduce information to exploit vulnerability. Sniffing a system password when the system user types it is an example of a passive attack. The other three choices are incorrect because they are examples of active attacks. Active attacks occur when the threat makes an overt change or modification to the system in an attempt to take advantage of vulnerability.

If QoS is quality of service, QoP is quality of protection, QA is quality assurance, QC is quality control, DoQ is denial of quality, and DoS is denial of service, which of the following affects a network system's performance? 1. QoS and QoP 2. QA and QC 3. DoQ 4. DoS a. 1 only b. 1 and 4 c. 2 and 3 d. 1, 2, 3, and 4

d. All four items affect a network system performance. QoS parameters include reliability, delay, jitter, and bandwidth, where applications such as e-mail, file transfer, Web access, remote login, and audio/video require different levels of the parameters to operate at different quality levels (i.e., high, medium, or low levels). QoP requires that overall performance of a system should be improved by prioritizing traffic and considering the rate of failure or average latency at the lower layer protocols. QA is the planned systematic activities necessary to ensure that a component, module, or system conforms to established technical requirements. QC is the prevention of defective components, modules, and systems. DoQ results from not implementing the required QA methods and QC techniques for delivering messages, packets, and services. DoS is the prevention of authorized access to resources or the delaying of time-critical operations. DoS results from DoQ. QoS is related to QoP and DoS which, in turn, relates to DoQ. Therefore, QoS, QoP, QA, QC, DoQ, and DoS are related to each other.

Which of the following prevents the unauthorized exfiltration of information across managed interfaces such as proxies and routers? 1. Strict adherence to protocol formats 2. Monitoring for indications of beaconing from the information system 3. Monitoring for use of steganography 4. Disassembling and reassembling packet headers a. 1 only b. 1 and 2 c. 2 and 4 d. 1, 2, 3, and 4

d. All the four items are measures to prevent unauthorized exfiltration of information from the information system. Other preventive measures against exfiltration include disconnecting external network interfaces except when explicitly needed and conducting traffic profile analysis to detect deviations from the volume or types of traffic expected within the organization.

Network-based firewalls should perform or implement which of the following? 1. Ingress filtering 2. Egress filtering 3. Deny-by-default rulesets for incoming traffic 4. Deny-by-default rulesets for outgoing traffic a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 1, 2, 3, and 4

d. Because network-based firewalls can restrict both incoming and outgoing traffic, they can also be used to stop certain worm infections within the organization from spreading to external systems. To prevent malware incidents, organizations should implement deny-by-default rulesets, meaning that the firewalls deny all incoming and outgoing traffic that is not expressly permitted. Organizations should also ensure that their network firewalls perform egress and ingress filtering. Egress filtering is blocking outgoing packets that should not exit a network. Ingress filtering is blocking incoming packets that should not enter a network.

Which of the following wiring schemes makes future network changes easier to implement? a. Post wiring b. Wiring on demand c. Buildings with high ceilings d. Cable conduits

d. Because the cost of wiring an existing building goes up with the height of the ceiling and rises even higher after the tenants have moved in, making the right decisions as early as possible can significantly reduce future costs. Dangling cables can be a safety hazard. Therefore, proactive thinking such as prewiring and cable conduits during building construction should be planned carefully to make future changes easier with less cost. Post-wiring and wiring on demand are reactive in nature, relatively expensive, and disruptive to work.

Which of the following statements is not true about Internet firewalls? a. A firewall can enforce security policy. b. A firewall can log Internet activity. c. A firewall can limit an organization's security exposure. d. A firewall can protect against all computer viruses in PCs.

d. Firewalls (also known as secure gateways) cannot keep personal computer viruses out of a network. There are simply too many types of viruses and too many ways a virus can hide within data. The most practical way to address the virus problem is through host-based virusprotection software and user education concerning the dangers of viruses and precautions to take against them. A firewall enforces the site's security policy, enabling only "approved" services to pass through and those only within the rules set up for them. Because all traffic passes through the firewall, the firewall provides a good place to collect information about system and network use and misuse. As a single point of access, the firewall can record what occurs between the protected network and the external network. A firewall can be used to keep one section of the site's network separate from another section, which also keeps problems in one section isolated from other sections. This limits an organization's security exposure.

An effective way to run a World Wide Web (WWW) service is not by: a. Disabling automatic directory listings b. Placing the standalone WWW computer outside the firewall in the DMZ c. Implementing encryption d. Relying on third-party providers

d. Important security features of WWW include (i) disabling automatic directory listings for names and addresses, (ii) placing the standalone, stripped-down WWW computer outside the firewall in the demilitarized zone (DMZ), and (iii) providing encryption when sensitive or personal information is transmitted or stored. There is a potential risk posed by dependence on a limited number of third-party providers in terms of performance and availability of service.

An intranet can be found in an organization's internal network or shared between organizations over the Internet. Which of the following controls is least suited to establish a secure intranet over the Internet? a. Use encrypted tunnels. b. Install encrypted routers. c. Install encrypted firewalls. d. Implement password controls in the private Web server.

d. Intranets are similar to the organization's own networks, providing internal interaction. You do not need to be connected to the Internet to create an intranet. The infrastructure includes placing policies, procedures, and standards documents on an internal server. The intranet could be connected to the Internet, or an intranet could be created by using a private Web server on the Internet. Effective controls include encryption and firewalls. Private tunnels can be created over the Internet through the use of encryption devices, encrypting firewalls, or encrypting routers. Implementing password controls to the private Web server for each user is a weak control because password administration would be a difficult if not an impossible task. Group passwords would not be effective either.

For worldwide interoperability for microwave access (WiMAX) security, denial-ofservice (DoS) attacks occur due to which of the following? 1. Lack of mutual authentication 2. Use of nonunicast messages 3. Use of wireless technology as a communications medium 4. Use of unencrypted management messages a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 1, 2, 3, and 4

d. Lack of mutual authentication occurs between subscriber's station (SS) and base station (BS). This may enable a rogue BS operator to degrade performance or steal information by conducting denial-of-service (DoS) or forgery attacks against client SSs. In unencrypted management messages, nonunicast messages open WiMAX systems to DoS attacks. In the use of wireless as a communications medium, a DoS attack can be executed by the introduction of a powerful radio frequency (RF) source intended to overwhelm system radio spectrum.

Remote control programs have a number of disadvantages when they are used for remote local-area network (LAN) access. Which of the following disadvantages is most difficult to manage? a. Telephone connect time not minimized b. Manually connect and disconnect operations c. Compatibility with host applications d. Network management time

d. Limited network management for most remote control programs is a major disadvantage. Managing a large number of host workstations is difficult; each station must be managed individually. The remote control program that LAN access method uses does not implicitly minimize telephone connect time; although, it is possible to automate many operations using batch files or other programming mechanisms. Manual connect and disconnect operations are often augmented by timeout options not always found with other remote LAN access methods. Compatibility between the remote control programs and host applications is not guaranteed; often, compatibility must be determined by trial and error.

Which of the following transmission media is unsuitable for handling intra-building data or voice communications? a. Twisted pair b. Coaxial cable c. Optical fiber d. Microwave transmission

d. Microwave transmission is a point-to-point transmission using radio frequency spectrum signals and is commonly used as a substitution for copper or fiber cable. Because of this, it is not suitable for handling intra-building communications and is more appropriate for longdistance transmission. Twisted pair, made of copper wire, is best for low-cost, short-distance local networks linking microcomputers. Coaxial cable is rarely used medium for data transmission in local-area networking. Optical fiber uses light signals to carry a stream of data at extremely high modulation rates and is sturdy and secure.

Which of the following information technologies is better equipped to deliver multimedia applications? a. Integrated services digital network (ISDN) and broadband ISDN b. Narrowband ISDN, central office switches, and copper-based local loops c. Narrowband ISDN, fiber optics, and asynchronous transfer mode (ATM) d. Broadband ISDN, fiber optics, and ATM

d. Multimedia applications take advantage of the capability of high-bandwidth integrated services networks to deliver many different kinds of data such as video, image, audio, and text and numerical data. They also take advantage of the processing power of advanced workstations and other devices attached to the network, enabling users to edit, process, and select data arriving from a variety of sources over the network. The capacity of a network, measured as the number of bits it can transmit every second, is called bandwidth. Narrowband networks are low-bandwidth networks, and broadband networks are high-bandwidth networks. ATM has been chosen as the foundation for the broadband ISDN where the latter is used to carry voice, video, and data traffic to support a range of applications. ATM networks are also suitable for carrying data, video, and voice communications. Fiber optics is an enabling technology for broadband networks. With increased bandwidth, the links can move data more quickly and support the transport of bandwidth-intensive traffic such as video. Broadband ISDN uses different technology from narrowband (ordinary) ISDN. Narrowband ISDN is best viewed as a digital upgrade of the telephone network's copper local loop. Broadband ISDN, by contrast, requires fiber optics and ATM, a new approach to network design. ISDN and broadband ISDN have little in common other than their names. ISDN is a telecommunications industry standard for upgrading local loops to digital service. It enables the existing copper local loops to be used for digital service. However, it requires users to buy new equipment for their end of line, which converts their data to the ISDN format. It also requires that the telephone company's equipment, such as the central office switches, be upgraded. The local loop uses low-capacity analog copper wires.

Which of the following are countermeasures against network weaving? 1. Traffic flow signal 2. Traffic encryption key 3. Tunneling 4. Traffic padding a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4

d. Network weaving is a penetration technique in which different communication networks are linked to access an information system to avoid detection and trace-back. Tunneling enables one network to send its data via another network's connections. It works by encapsulating a network protocol within packets carried by the second network. Traffic padding generates mock communications or data units to disguise the amount of real data units being sent. The other two items cannot control network weaving penetration. Traffic flow signal is used to conduct traffic flow analysis. Traffic encryption key is used to encrypt plaintext or to super-encrypt previously encrypted text and/or to decrypt cipher-text.

Security mechanisms implement security services. Which of the following security services is provided by a notarization security mechanism? a. Confidentiality b. Integrity c. Authentication d. Nonrepudiation

d. Nonrepudiation services prevent the parties to a communication from denying that they sent or received it, or disputing its contents. It may provide either proof of origin or proof of delivery. Confidentiality is incorrect because it provides security mechanisms such as encryption, traffic padding, and routing control, not notarization. Confidentiality protects data from unauthorized disclosure. Integrity is incorrect because it provides security mechanisms such as encryption, digital signature, and data integrity, not notarization. Integrity protects against the modification, insertion, deletion, or replay of data. Authentication is incorrect because it provides security mechanisms such as encryption, digital signature, and authentication, not notarization. Authentication services basically provide a reliable answer to the question: With whom am I communicating?

Phishing attacks can occur using which of the following? 1. Cell phones 2. Personal digital assistants 3. Traditional computers 4. Websites a. 3 only b. 4 only c. 1 and 2 d. 1, 2, 3, and 4

d. Phishing attacks are not limited to traditional computers and websites; they may also target mobile computing devices, such as cell phones and personal digital assistants. To perform a phishing attack, an attacker creates a website or e-mail that looks as if it is from a well-known organization, such as an online business, credit card company, or financial institution in the case of cell phones; it is often the SMS/MMS attack vector or calls with spoofed caller-ID.

Synchronization of file updates in a local-area network environment cannot be accomplished by using which of the following? a. File locks b. Record locks c. Semaphores d. Security labels

d. Security labels deal with security and confidentiality of data, not with file updates. A security label is a designation assigned to a system resource such as a file, which cannot be changed except in emergency situations. File updates deal with the integrity of data. The unique concept of a local-area network (LAN) file is its capability to be shared among several users. However, security controls are needed to assure synchronization of file updates by more than one user. File locks, record locks, and semaphores are needed to synchronize file updates. File locks provide a coarse security due to file-level locking. Record locking can be done through logical or physical locks. The PC operating system ensures that the protected records cannot be accessed on the hard disk. Logical locks work by assigning a lock name to a record or a group of records. A semaphore is a flag that can be named, set, tested, changed, and cleared. Semaphores can be applied to files, records, group of records, or any shareable network device, such as a printer or modem. Semaphores are similar to logical locks in concept and can be used for advanced network control functions.

Which of the following is the most important aspect of a remote access? a. User authentication b. Media authentication c. Device authentication d. Server authentication

d. Server authentication is the most important for remote access methods where a user is manually establishing the remote access connections, such as typing a URL into a Web browser. A server is a host computer that provides one or more services for other hosts over a network as a primary function. Hence, the server, especially if it is a central server, provides a major entry point into the network. If the authentication method to the server is weak, it can affect the performance and security of the entire network negatively, and can become a single point of failure, resulting in major security risks. In terms of sequence of actions, the server authentication comes first, user authentication comes next or at the same as the server, and media (e.g., disk) and device (e.g., Phone, PDA, or PC) authentication comes last. Although the other choices are important in their own way, they are not as important as the server authentication in terms of potential security risks at the server.

Which of the following is not a function of a Web server? a. Handling requests b. Supplying documents c. Securing requests d. Navigating information

d. The Web browser is the most common user interface for accessing an intranet. A Web browser provides navigating information. At the heart of an intranet is the Web server. Because an intranet is based on a system of requests and responses, the server controls and administers that flow of information through TCP/IP. Web servers handle requests and return the information in the form of either Web pages or other media types such as pictures, sound, and video. In addition to supplying documents, the Web server is also responsible for ensuring the security of requests from outside the organization or within.