Midterm 2

Which of the following can affect the confidentiality of documents stored on a server?

A server breach

In preserving the confidentiality of users on a corporate network, which party is responsible for setting up security policies to guarantee users' privacy?

Administrator

Elissa is a network technician. She is configuring firewall rules for one of her company's branch offices, which supports online retail sales of the company's products. She is configuring rules to block traffic based on a traditional model but need to allow a particular type of traffic. What should she allow?

All traffic from port 80 originating from the office's web server, which is in a protected subnet

Before an Internet user can access a demilitarized zone (DMZ), extranet, or private network resource, it first encounters an entity that is sturdy enough to withstand any sort of attack. What is that entity called?

Bastion host operating system

What is the first step in deploying a firewall?

Construct a firewall policy

Hyon is a network consultant. She was hired by a client company to examine the effectiveness of its IT infrastructure. She discovers that the company's Internet-facing firewall is not capable of automatically handling and adjusting for random source ports when a session is being established to its web and gaming servers. How should she correct this?

Create a custom rule to manage random source ports

A social networking website has been gathering a great deal of personal information on its users for years. This presents the potential danger of exposure if the site is hacked. In addition, the data could be sold by the social networking platform without the users' knowledge or consent. What technology does the social media company most likely use to gather data, such as users' buying preferences?

Data mining

A potential loophole is created when the wrong rule is positioned last in a firewall rule set.

False

Allow-by-default automatically prevents most malicious communications by default.

False

Fair queuing is the distribution of the firewall filtering workload across multiple parallel firewalls.

False

Firewalking is a technique to learn the configuration of a firewall from the inside.

False

Multiple firewalls in a series is considered diversity of defense but not defense in depth.

False

The goal of the Electronic Privacy Information Center (EPIC) is to preserve consumer privacy in the state of California.

False

The less complex a solution, the more room there is for mistakes, bugs, flaws, or oversights by security administrators.

False

The pfSense firewall is a border firewall.

False

The source address and the port address of inbound firewall rules are often set to Deny, unless the rule is to apply to specific systems or ports.

False

To avoid confusion, an organization should have a written security policy for a minimum number of security components.

False

pfSense can be installed on a local firewall only.

False

Rachel is a cybersecurity engineer for a company that fulfills government contracts on Top Secret projects. She needs to find a way to send highly sensitive information by email in a way that won't arouse the suspicion of malicious parties. If she encrypts the emails, everyone will assume they contain confidential information. What is her solution?

Hide messages in the company's logo within the email.

What is the basic service of a reverse proxy?

Hides the identity of a web server accessed by a client over the Internet

What does a digital signature provide?

Nonrepudiation

Reid is a network security trainer for a mid-sized company. He is demonstrating alternative methods of protecting a network using unconventional means. The IT department's "sandbox" network is used for testing and is not connected to the production network. Using the sandbox, Reid shows how to protect a network from external threats without using a firewall. What is Reid's approach?

Packet sniffer

Leandro is writing a firewall policy. He needs to define which type of firewall he needs for each portion of the infrastructure based on differing areas of risk and trust. What are these areas called?

Security zones

A best practice for firewall rules is to keep the rule set as simple as possible.

True

A best practice is to define a complete firewall rule set for each prescribed firewall in a written firewall policy.

True

A best practice is to use strong authentication and nonrepudiation methods for all transactions over the Internet.

True

A best practice when troubleshooting issues is to make one change at a time, and then test the change before making any other changes.

True

A buffer overflow is a condition in which a memory buffer exceeds its capacity and the extra content "overflows" into adjacent memory.

True

A change control mechanism tracks and monitors the changes to a system.

True

A default-allow firewall stance assumes that most traffic is benign.

True

A default-deny firewall stance assumes that all traffic is potentially unauthorized.

True

A web server between two firewalls is considered to be in a demilitarized zone (DMZ).

True

An access control list (ACL) focuses on controlling a specific user's or client's access to a protocol or port.

True

An intrusion detection system (IDS) serves as a companion mechanism to a firewall.

True

An intrusion prevention system (IPS) does not replace an intrusion detection system (IDS).

True

Depending on the firewall, a single rule can sometimes define outbound and inbound communication parameters.

True

Firewall filtering is an effective protection against fragmentation attacks.

True

Firewall implementation documentation should include every action taken from the moment the firewall arrives on site through the point of enabling the filtering of production traffic.

True

Firewall logging helps to ensure that defined filters or rule are sufficient and functioning as expected.

True

Firewall rules are instructions that evaluate and take action on traffic traversing the network.

True

Firewalls filter traffic using rules or filters.

True

It is often more difficult to preserve a user's privacy on the Internet than in the physical world.

True

Security systems configured by the same security administrator can potentially have the same misconfiguration or design weakness

True

The collection of disparate log information from systems on a network is called aggregation.

True

The source address and the port address of outbound firewall rules are often set as ANY, unless the rule is to apply to specific systems or ports.

True

The universal Deny rule should be the last and final rule in a firewall rule set.

True

Under the universal participation security stance, every employee, consultant, vendor, customer, business partner, and outsider must be forced to work within the security policy's limitations.

True

Users with the minimum level of access to resources needed to complete their assigned tasks follow the principle of least privilege.

True

When a firewall functions at wire speed, the firewall does not introduce any delay or latency in communications because it operates at the same speed as the network.

True

When the defense in depth security strategy is followed, a single component failure does not result in compromise or intrusion.

True

With diversity of defense, most layers use a different security mechanism.

True

You can check firewall connectivity using the ping and traceroute commands

True

Bill is a network technician. He is currently configuring the infrastructure's Internet-facing firewalls. He knows that the Internet Control Message Protocol (ICMP) echo type often referred to as "ping" is used by malicious persons to probe networks. He wants to set up a rule that will deny ping attempts from outside the network. What does he deny?

Type 8

A company vice president (VP) finds that the network security restrictions imposed by the security manager are too confining. To counter them, the VP habitually uses weak passwords, shares accounts with his assistant, and installed unapproved software. What security principle is the VP violating?

Universal participation

Fumiko is a network technician. She is configuring rules on one of her company's externally facing firewalls. Her network has a host address range of 192.168.42.140-190. She wants to allow all hosts access to a certain port except for hosts 188, 189, and 190. What rule or rules must she write?

A single rule allowing hosts 140-187 is all that is necessary; the default-deny rule takes care of blocking the remaining nonincluded hosts.

Alphonse is a networking contractor who has been hired by a small to medium-sized company to configure its firewall. The firewall comes preconfigured with a common rule set that allows web, email, instant messaging, and file transfer traffic using default ports. The company wants to allow access to secure websites and common website protocols but block access to insecure Internet websites. Which of the following is the best solution?

Allow access to HTTPS, SQL, and Java, but deny access to HTTP

Torri is a network technician. She needs to configure the edge firewalls for her company's IT infrastructure. Her supervisor has told her she must find a configuration method that assumes all network traffic is safe and, as malicious traffic is identified, it is added to a list of exceptions. Which of the following configuration methods does Torri select?

Allow by default/deny by exception

Teodora is the procurement manager for her company's IT department. She is researching firewalls that come with enhancements beyond basic traffic filtering. Which of the following is considered a firewall enhancement?

Anti-malware scanning

Duncan runs a small writing and editing business. He employs two people in his small office/home office (SOHO). He also has general knowledge of networking, including how to configure a basic firewall to protect the network. His off-the-shelf firewall has rule sets built in with several main elements. Duncan is currently setting rules for TCP and UDP. What element is he working with?

Base protocol

Nina is a corporate attorney for a San Francisco firm. The chief information and security officer (CISO) told her that the firm's data center had been hacked 24 hours ago. The personal information of more than 3 million users was accessed, including their full names, addresses, and login credentials. Nina discusses the company's liability under the law, including the requirement to implement and maintain reasonable security procedures and practices. If it can be proven that the firm was negligent, it may need to pay damages. Which of the following regulates this issue?

California Consumer Privacy Act (CCPA)

Jiang is a network technician. He is programming a web server to provide clients with dynamically produced web content in real time based on several attributes that the connecting user enters. This includes any forms the user may fill out. Martha is the cybersecurity chief. She says that the technology Jiang is using could expose sensitive customer data to hackers if it were ever accessed. What web server technology is Jiang using?

Common Gateway Interface (CGI)

Which of the following can be described as putting each resource on a dedicated subnet behind a demilitarized zone (DMZ) and separating it from the internal local area network (LAN)?

N-tier deployment

Chang is a network engineer. He is revising the company's firewall implementation procedure. He is reviewing the procedural element requiring placement of network firewalls at chokepoints and mapping out the network structure to pinpoint the location where firewalls are to be placed. Which of the following is he focusing on?

Network design

Carl is a networking student who is reading about methods of encryption and how they work with firewalls. Right now, he is studying a form of encryption that encrypts the entire original payload and header of a packet. However, because the header contains only information about endpoints, it is not useful for a firewall filtering malicious traffic. Which of the following is the encryption method being described?

Tunnel mode

What is an example of security through obscurity?

Using a nonstandard operating system for workstations such as FreeBSD

The network infrastructure supervisor is designing a firewall placement strategy that will protect the organization's Internet-facing web and email servers and the internal network. Which design will provide the best protection?

Using two firewalls to create a demilitarized zone (DMZ); one firewall is placed between the Internet and the servers, the other firewall is located behind the first firewall and the servers protecting the internal network.

Joaquin is a senior network technician for a mid-sized company who has been assigned the task of improving security for the IT infrastructure. He has been given a limited budget and must increase security without redesigning the network or replacing all internetworking security devices. He focuses on an approach that will identify a single vulnerability. What does he recommend?

Weakest link

Which of the following is an authentication method that supports smart cards, biometrics, and credit cards, and is a fully scalable architecture?

802.1x

Which of the following is needed when determining what firewall traffic to allow and what to block?

A complete inventory of all needed or desired network communications

Hajar is a network administrator. She is inventorying firewalls in her company. She finds one that has a management interface lacking something and makes a note to replace it immediately. What critical security measure is the management interface missing?

Encryption

Which of the following is a protocol that allows web servers to complete secure transactions over the Internet?

Hypertext Transfer Protocol Secure (HTTPS)

Werner is a security manager for a health insurance company. He is examining the organization's compliance with patient privacy. While investigating how staff handle verbal and email communications, he discovers that some staff members are lax about how well they protect details that, when combined, might be used to reveal sensitive details about customers. What is the focus of his concern?

Personally identifiable information (PII)

The design of firewall placement and configuration in a network infrastructure has many aspects. Which of the following concerns is most likely relate to an upper management decision that does NOT conform with existing security policy?

Political

Which of the following is a concern when considering the use of a demilitarized zone (DMZ) firewall solution to access high-value data on an internal network?

Poorly constructed firewall rules

Which of the following records every connection outside the network on the Internet by IP address and URL requested?

Proxy server

Tiffany is a network engineer for her company. To enhance the performance of the network, she uses a method that assigns incoming transactions as they arrive in sequence to each of the infrastructure's three firewalls. Transaction 1 goes to firewall 2, transaction 2 goes to firewall 3, transaction 3 goes to firewall 2, and so on. What technique is Tiffany using?

Round-robin

All firewalls, including those using static packet filtering, stateful inspection, and application proxy, have one thing in common. What is that?

Rules

The combination of certain techniques allows for relevant information collected by this solution from multiple systems and processes to be aggregated and analyzed for use in decision making. What is the name of this solution?

Security information and event management (SIEM)

Which of the following is described as an approach to network security in which each administrator is given sufficient privileges only within a limited scope of responsibility?

Separation of duties

Landon is a network contractor. He has been hired to design security for the network of a small company. The company has a limited budget. Landon is asked to create a system that will protect the company's workstations and servers without undo expense. Landon decides to deploy one hardware firewall between the Internet and the local area network (LAN). What is the solution called?

Single defense

Demetrice is a network consultant. She has been hired to design security for a network that hosts 25 employees, many of whom need remote access. The client recently opened another small office in a neighboring community and wants to be able to routinely establish secure network connections between two locations. The client often deals with customer bank information and requires a particularly secure solution. What is her response to these requirements?

Small office/home office (SOHO) virtual private network (VPN)

Lenita is a network technician. She is setting up a rule set for a firewall in her company's demilitarized zone (DMZ). For email, she creates an allow-exception rule permitting Simple Mail Transfer Protocol (SMTP) traffic on port 25 to leave the internal network for the Internet. Her supervisor examines Lenita's work and points out a possible problem. What is it?

The allow-exception rule could create a loophole threatening internal communications on the same port.

A filter pathway is designed to:

make it hard to bypass a network filtering system and force all traffic through one route.

Tonya is redesigning her company's network infrastructure to accommodate rapid growth. Several departments are highly specialized. Tonya needs to allow Network News Transfer Protocol (NNTP) on some, but not all, subnets. Her budget is limited. Which of the following is the best solution?

Configure existing routers to filter NNTP packets.

Reverse proxy is a firewall service that allows external users access to internally hosted web resources.

True

A malicious party has discovered the IP address of a host inside a network she wants to hack. She employs a form of port scanning, attempting to establish a connection with the host using multiple different ports. Which technique is she using?

Firewalking

Which of the following is closely associated with maintaining data integrity?

Hash

What is an intrusion detection system/intrusion prevention system (IDS/IPS) that uses patterns of known malicious activity similar to how antivirus applications work?

Database-based detection

Which of the following is unlikely to support at-firewall authentication?

Demilitarized zone (DMZ) firewall

Brianna is an IT technician. She is studying a threat that holds the communication channel open when a TCP handshake does not conclude. What kind of attack does this involve?

Denial of service (DoS) attack

Which of the following is a firewall implementation best practice?

Different firewall products should be used depending on firewall placement, such as different products for border firewalls versus internal host firewalls.

Alejandro is a cybersecurity contractor. He was hired by a Fortune 500 company to redesign its network security system, which was originally implemented when the company was a much smaller organization. The company's current solution is to use multiple firewall platforms from different vendors to protect internal resources. Alejandro proposes an infrastructure security method that, in addition to firewalls, adds tools such as an intrusion detection system (IDS), antivirus, strong authentication, virtual private network (VPN) support, and granular access control. What it this solution called?

Diversity of defense

Which of the following can a delay in firewall software patching cause?

Exploitation of the firewall

All firewalls provide network perimeter security.

False

An intrusion detection system (IDS) false positive occurs when the IDS fails to detect an attack.

False

An intrusion detection, anomaly-based detection looks for differences from normal traffic based on a recording of real-world traffic that establishes a baseline.

False

Hashing does not verify the integrity of messages.

False

Hypertext Transfer Protocol Secure (HTTPS) does NOT encrypt private transactions made over the Internet.

False

The weakest link security strategy gains protection by using abnormal configurations.

False

Protecting computers, hard disks, databases, and other computer equipment from unauthorized Internet access can be categorized as what kind of security area?

Network security

Israel is a network technician who has just deployed a new firewall. Before putting it in production, he wants to test the firewall's ability to filter traffic according to its rule set, without risking the internal network. What is the best solution?

Place the firewall in a virtual network environment and simulate traffic.

Which of the following is a firewall, proxy, and routing service that does NOT support caching, encryption endpoint, or load balancing? Note that this service can be found on almost any service or device that supports network address translation.

Port forwarding

Which operating system (OS) for a bastion host runs on most appliance firewalls as well as many Internet service providers (ISP) connection devices?

Proprietary OS

Shoshana is a network technician for a mid-sized organization. She is configuring firewall rules. She is in a firewall's graphical interface and sets a rule as TCP, 192.168.42.0/24, ANY, ANY, 443, Allow. In what order is this rule organizing protocols, source addresses, source and target ports, and actions?

Protocol, source address, source port, target address, target port, action

Amy is a network engineering consultant. She is redesigning security for a small to medium-sized government contractor working on a project for the military. The government contractor's network is comprised of 30 workstations plus a wireless printer, and it needs remote authentication. Which of the following is a type of authentication solution she should deploy?

RADIUS

Jacob is a network technician who works for a publishing company. He is setting up a new hire's access permissions. The new hire, Latisha, is an editor. She needs access to books that have been accepted for publication but are in the review stage. Jacob gives her access to the network drive containing only books in review, but not access to administrative or human resources network drives. What principle is Jacob applying?

The principle of least privlege

Carl is a network engineer for a mid-sized company. He has been assigned the task of positioning hardware firewalls in the IT infrastructure based on common pathways of communication. After analyzing the problem, on which aspect of the network does he base his design?

Traffic patterns

A drawback of multiple-vendor environments is the amount of network staff training that is typically needed.

True

A firewall allows you to restrict unauthorized access between the Internet and an internal network.

True

A firewall best practice is to document every action taken during troubleshooting.

True

A small office/home office (SOGO) virtual private network (VPN) hardware firewall provides remote access.

True

A small office/home office (SOHO) firewall may include intrusion detection.

True

Basic packet filtering provided by routers can be used to protect subnets within a network.

True

Firewalls should be considered a part of a security infrastructure, not the totality of security.

True

If a server has a public IP address, it is a potential target for hacker attacks.

True

In an N-tier deployment, multiple subnets are deployed in series to separate private resources from public.

True

In the fail-safe security stance, when any aspect of security fails, the best result of that failure is to fail into a state that supports or maintains essential security protections.

True

Including photos of configuration screens in firewall procedures can speed up restoration after a network incident.

True

One common firewall event that usually warrants an alert is a firewall reboot.

True

The pfSense firewall requires the host to have at least two network interface controllers (NICs).

True