IS Quiz 13


You have been alerted to suspicious traffic without a specific signature. Under further investigation, you determine that the alert was a false indicator. Furthermore, the same alert has arrived at your workstation several times. Which security device needs to be configured to disable false alarms in the future? (Select the best answer.) A) Anomaly-based IDS B) Signature-based IPS C) Signature-based IDS D) UTM E) SIEM

A) Anomaly-based IDS

One of your co-workers complains to you that he cannot see any security events in the Event Viewer. What are three possible reasons for this? (Select the three best answers.) A) Auditing has not been turned on B) The log file is only 10 MB C) The co-worker is not an administrator D) Auditing for an individual object has not been turned on

A) Auditing has not been turned on, C) The co-worker is not an administrator and D) Auditing for an individual object has not been turned on

Which of the following requires a baseline? (Select the two best answers.) A) Behavior-based monitoring B) Performance Monitor C) Anomaly-based monitoring D) Signature-based monitoring

A) Behavior-based monitoring and C) Anomaly-based monitoring

What kind of security control do computer security audits fall under? A) Detective B) Preventive C) Corrective D) Protective

A) Detective

You have established a baseline for your server. Which of the following is the best tool to use to monitor any changes to that baseline? A) Performance Monitor B) Anti-spyware C) Antivirus software D) Vulnerability assessment software

A) Performance Monitor

Jason is a security administrator for a company of 4000 users. He wants to store 6 months of security logs to a logging server for analysis. The reports are required by upper management due to legal obligations but are not time-critical. When planning for the requirements of the logging server, which of the following should not be implemented? A) Performance baseline and audit trails B) Time stamping and integrity of the logs C) Log details and level of verbose logging D) Log storage and backup requirements

A) Performance baseline and audit trails

Which of the following can determine which flags are set in a TCP/IP handshake? A) Protocol analyzer B) Port scanner C) SYN/ACK D) Performance Monitor

A) Protocol analyzer

You suspect a broadcast storm on the LAN. Which tool is required to diagnose which network adapter is causing the storm? A) Protocol analyzer B) Firewall C) Port scanner D) Network intrusion detection system E) Port mirror

A) Protocol analyzer

The IT director has asked you to install agents on several client computers and monitor them from a program at a server. What is this known as? A) SNMP B) SMTP C) SMP D) Performance Monitor

A) SNMP. SNMP (Simple Network Management Protocol) is used when a person installs agents on client computers to monitor those systems from a single remote location.

Which of the following is a record of the tracked actions of users? A) Performance Monitor B) Audit trails C) Permissions D) System and event logs

B) Audit trails

One of the developers in your organization installs a new application in a test system to test its functionality before implementing into production. Which of the following is most likely affected? A) Application security B) Initial baseline configuration C) Application design D) Baseline comparison

B) Initial baseline configuration

As you review your firewall log, you see the following information. What type of attack is this?

S=207.50.135.54:53 - D=10.1.1.80:0
S=207.50.135.54:53 - D=10.1.1.80:1
S=207.50.135.54:53 - D=10.1.1.80:2
S=207.50.135.54:53 - D=10.1.1.80:3
S=207.50.135.54:53 - D=10.1.1.80:4
S=207.50.135.54:53 - D=10.1.1.80:5

A) Denial-of-service B) Port scanning C) Ping scanning D) DNS spoofing

B) Port scanning

In what way can you gather information from a remote printer? A) HTTP B) SNMP C) CA D) SMTP

B) SNMP. SNMP (Simple Network Management Protocol) enables you to gather information from a remote printer.

Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this? A) Anomaly-based IDS B) Signature-based IDS C) Behavior-based IDS D) Inline IDS

B) Signature-based IDS

To find out when a computer was shut down, which log file would an administrator use? A) Security B) System C) Application D) DNS

B) System

Your boss wants you to properly log what happens on a database server. What are the most important concepts to think about while you do so? (Select the two best answers.) A) The amount of virtual memory that you will allocate for this task B) The amount of disk space you will require C) The information that will be needed to reconstruct events later D) Group Policy information

B) The amount of disk space you will require and C) The information that will be needed to reconstruct events later

Of the following, which two security measures should be implemented when logging a server? (Select the two best answers.) A) Cyclic redundancy checks B) The application of retention policies on log files C) Hashing of log files D) Storing of temporary files

B) The application of retention policies on log files and C) Hashing of log files

What is the main reason to frequently view the logs of a DNS server? A) To create aliases B) To watch for unauthorized zone transfers C) To defend against denial-of-service attacks D) To prevent domain name kiting

B) To watch for unauthorized zone transfers

Which of the following techniques enables an already secure organization to assess security vulnerabilities in real time? A) Baselining B) ACLs C) Continuous monitoring D) Video surveillance

C) Continuous monitoring

Which of the following is the best practice to implement when securing log files? A) Log all failed and successful login attempts B) Deny administrators access to log files C) Copy the logs to a remote log server D) Increase security settings for administrators

C) Copy the logs to a remote log server

Which of the following protocols are you observing in the packet capture below? 16:42:01 - SRC 192.168.1.5:3389 - DST 10.254.254.57:8080 - SYN/ACK A) HTTP B) HTTPS C) RDP D) SFTP

C) RDP. You are observing a Remote Desktop Protocol (RDP) acknowledgement packet.

You have been tasked with providing daily network usage reports of layer 3 devices without compromising any data during the information gathering process. Which of the following protocols should you select to provide for secure reporting in this scenario? A) ICMP B) SNMP C) SNMPv3 D) SSH

C) SNMPv3. SNMPv3 should be used because it provides a higher level of security (encryption of packets, message integrity, and authentication), allowing you to gather information without fear of the data being compromised.

You are setting up auditing on a Windows computer. If set up properly, which log should have entries? A) Application log B) System log C) Security log D) Maintenance log

C) Security log

Which of the following should be done if an audit recording fails? A) Stop generating audit records B) Overwrite the oldest audit records C) Send an alert to the administrator D) Shut down the server

C) Send an alert to the administrator

Which of the following is the most basic form of IDS? A) Anomaly-based B) Behavioral-based C) Signature-based D) Statistical-based

C) Signature-based

Which of the following deals with the standard load for a server? A) Patch management B) Group Policy C) Port scanning D) Configuration baseline

D) Configuration baseline

What tool can alert you if a server's processor trips a certain threshold? A) TDR B) Password cracker C) Event Viewer D) Performance Monitor

D) Performance Monitor

Which tool can be instrumental in capturing FTP GET requests? A) Vulnerability scanner B) Port scanner C) Performance Monitor D) Protocol analyzer

D) Protocol analyzer

Which of the following log files should show attempts at unauthorized access? A) DNS B) System C) Application D) Security

D) Security

Michael has just completed monitoring and analyzing a web server. Which of the following indicates that the server might have been compromised? A) The web server is sending hundreds of UDP packets B) The web server has a dozen connections to inbound port 80 C) The web server has a dozen connections to inbound port 443 D) The web server is showing a drop in CPU speed and hard disk speed

D) The web server is showing a drop in CPU speed and hard disk speed

