Missed QBank Questions - Domain 2

The protocols given use these default ports: * Port 20 - FTP * Port 23 - Telnet * Port 25 - SMTP * Port 53 - DNS * Port 80 - HTTP FTP also uses port 21, but it was not listed in this scenario.

Match: Port 20 Port 23 Port 25 Port 53 Port 80 SMTP FTP HTTP DNS Telnet

A) 80 Only port 80 should be opened on the Internet side of the demilitarized zone (DMZ) firewall. The firewall will allow only HTTP traffic to enter the DMZ; all other port traffic will be prevented from entering the DMZ. Port 20 is used by File Transfer Protocol (FTP) to send data. Port 110 is used by Post Office Protocol (POP), and port 443 is used by Secure Sockets Layer (SSL). The Web server on the DMZ only serves Web pages, so only HTTP services should be activated on the Web server. All other services on the Web server should be deactivated, which will strengthen security on the Web server.

A Web server is located on a DMZ segment. The Web server only serves HTTP pages, and there are no other computers on the DMZ segment. You need to configure the DMZ to ensure that communication can occur. Which port should be opened on the Internet side of the DMZ firewall? A) 80 B) 110 C) 20 D) 443

A)support ownership B)patch management C)application white-listing and black-listing D)data ownership All of the listed options should be included as part of a corporate BYOD security policy. While BYOD is becoming more popular today, experienced security professionals should consider all of the ramifications of allowing these devices on your network. Security issues with BYOD include: * Data ownership - Organizations should ensure that BYOD users understand who owns the data that resides on the user's device. While the device will contain mostly user-owner information, any data that is downloaded to the device from the corporate network will still belong to the company. Users should be given guidance on how to ensure this corporate data is protected. * Support ownership - Depending on the issue, users may contact an organization's support staff for help with their mobile device. All organizations should specifically state which issues will be addressed by their technical staff and which issues should be the responsibility of the mobile device vendor or owner. If you do not set a policy for this support, you may find that your technical staff's time is being wasted on non-organizational issues. * Patch management - Like any other device, mobile devices require patch management. In most cases, mobile devices and the applications that are running on them can be configured to automatically install any vendor patches. An organizational BYOD policy should include guidance on patch management. It may also be helpful if you document the devices used by your personnel and send them reminders when vital patches are released by the mobile device vendors. * Anti-virus management - No mobile device is immune from viruses. Any BYOD policy implemented by an organization should include clauses regarding the use of anti-virus software. While you cannot control which product that a user implements, your policy can ensure that anti-virus software is used. * Forensics - All organizations that allow the use of personal mobile devices should ensure that the users will allow investigators access to their private devices if attacks occur. Security professionals that perform the forensic investigations should receive training on the proper forensic procedures for mobile devices. * Privacy - If your organization allows personal mobile device usage on its network, the organization must still ensure that personal user information is protected. Any BYOD policy that is adopted should specifically state which data the organization can collect from the device and which data the organization cannot collect. * On-boarding/off-boarding - A procedure for adding the personal devices to the network should be formally adopted. In addition, the human resources' employee termination policies should be edited to include notification to remove any access granted to the user's personal device. * Adherence to corporate policies - While a user's personal device usually does not adhere to all corporate policies, you should ensure that your company's BYOD policy includes any corporate policies that are vital for security. Also, you need to consider implementing corporate policies that control the usage of personal devices. If users are able to save company data on their mobile devices, you should provide maximum security by configuring the devices to disable removable media use. * User acceptance - Many users may be reluctant to use their personal devices on a corporate network. Any user security awareness training should include training on all facets of mobile device security, including reassurance that your organization will not collect personal data from mobile devices unless absolutely necessary. * Architecture/infrastructure considerations - Adding mobile devices to your organization's network may create performance issues. You should regularly monitor the changes to the performance of your resources to ensure that you maintain the appropriate service level after the BYOD policy is implemented. * Legal concerns - Your organization should obtain legal counsel on the implications of allowing the use of personal devices. If the proper policies are not in place, corporate data that is placed on the mobile device can be compromised. This can result in damage to the company's reputation and even legal action taken against the company. * Acceptable use policy - An acceptable use policy will ensure that users understand what they are allowed to do with the mobile devices on the corporate network. The acceptable use policy should include information on all of the security issues in this list. * On-board camera/video - Because mobile devices today include on-board camera/video, it is important to specifically state to the users their limitations on using the camera in a corporate setting.

Your company has recently decided to implement a BYOD policy for the network. Management has asked you to write the initial BYOD security policy. Which of the following should be included as part of this policy? (Choose all that apply.) A)support ownership B)patch management C)application white-listing and black-listing D)data ownership

B) 20 FTP uses ports 20 and 21 by default, so port 20 should be opened on the Internet side of the demilitarized zone (DMZ) firewall to enable the server to provide FTP services. The firewall will then allow FTP traffic through, but no other port traffic will be allowed to enter the DMZ. Only necessary ports should be opened on the Internet side of a DMZ firewall in order to limit hackers' abilities to access the internal network. Port 80 is used by Hypertext Transfer Protocol (HTTP) to transfer Web pages. Port 110 is used by the Post Office Protocol (POP), and port 443 is used by Secure Sockets Layer (SSL).

* A server is located on a DMZ segment. The server only provides FTP service, and there are no other computers on the DMZ segment. You need to configure the DMZ to ensure that communication can occur. Which port should be opened on the Internet side of the DMZ firewall? A) 443 B) 20 C) 80 D) 110

A)Ensure that TCP and UDP ports are managed properly. B)Ensure that wiring closets are locked. C)Ensure that the MAC address of connected devices are monitored. Port security is implemented on switches to ensure unauthorized devices cannot connect to the network through that port. Valid methods of port security include the following: * Ensure wiring closets are locked - This ensures that rogue devices cannot be plugged into your network. * Ensure that TCP and UDP ports are managed properly - This ensures that hackers cannot access your network via open TCP or UDP ports. * Ensure that the MAC address of connected devices are monitored - This ensures that devices that connect to the network are identified. Media access control (MAC) addresses are used to uniquely identify network devices, including computers. Port knocking does provide some level of port security. The option regarding port knocking is incorrect because it states that you should NOT implement port knocking.

* Management has recently expressed concern over port security. You have been asked to ensure that all network ports are as secure as possible. Which of the following methods of port security should you implement? (Choose all that apply.) A)Ensure that TCP and UDP ports are managed properly. B)Ensure that wiring closets are locked. C)Ensure that the MAC address of connected devices are monitored. D)Ensure that port knocking is not implemented.

The antennas and their descriptions should be matched in the following manner: * Omni - a multi-directional antenna that radiates radio wave power uniformly in all directions in one plane with a radiation pattern shaped like a doughnut * Yagi - a directional antenna with high gain and narrow radiation pattern * Sector - a directional antenna with a circle measured in degrees of arc radiation pattern * Dipole - the earliest, simplest, and most widely used antenna with a radiation pattern shaped like a doughnut

* Match the wireless antenna types on the left with the descriptions given on the right. Descriptions * a multi-directional antenna that radiates radio wave power uniformly in all directions in one plane with a radiation pattern shaped like a doughnut * a directional antenna with a circle measured in degrees of arc radiation pattern * a directional antenna with high gain and narrow radiation pattern * the earliest, simplest, and most widely used antenna with a radiation pattern shaped like a doughnut Antenna Types - Omni - Yagi - Sector - Dipole

B) a device that filters Web content A Web security gateway is a device that filters Web content. An all-in-one security appliance is a device that filters all types of unwanted traffic. A spam filter is a device that blocks unwanted messages. A VPN concentrator is a device that tunnels private communication over the Internet.

* What is a Web security gateway? A) a device that tunnels private communication over the Internet B) a device that filters Web content C) a device that blocks unwanted messages D) a device that filters all types of unwanted traffic

C) to search for malicious code or behavior The purpose of content inspection is to search for malicious code or suspicious behavior. The purpose of load balancing is to distribute the workload across multiple devices. Often DNS servers are load balanced to ensure that DNS clients can obtain DNS information as needed. Other services are load balanced as well. Load balancers optimize and distribute data workloads across multiple computers or networks. The purpose of an Internet or Web proxy is to filter and forward Web content anonymously. The purpose of a spam filter is to identify and block unwanted messages. Spam filters should be configured to prevent employees from receiving unsolicited e-mail messages. Another type of hardware that is similar to a spam filter is an all-in-one security appliance. This device filters all types of malicious, wasteful, or otherwise unwanted traffic. Many all-in-one security appliances include a component that performs content inspection and malware inspection. These appliances usually also include a URL filter feature that allows administrators to block and allow certain Web sites. For example, the URL filter in an all-in-one security appliance could be configured to restrict access to peer-to-peer file sharing Web sites.

* What is the purpose of content inspection? A) to filter and forward Web content anonymously B) to identify and block unwanted messages C) to search for malicious code or behavior D) to distribute the workload across multiple devices

A) An NIDS analyzes encrypted information. The primary disadvantage of an NIDS is its inability to analyze encrypted information. For example, the packets that traverse through a Virtual Private Network (VPN) tunnel cannot be analyzed by the NIDS. An NIDS would most likely be used to detect, but not react to, behavior on the network. An NIDS can monitor either a complete network or some portions of a segregated network. It remains passive while acquiring the network data. For example, an intrusion detection system (IDS) can monitor real-time traffic on the internal network or a de-militarized zone (DMZ). In a DMZ, public servers, such as e-mail, DNS, and FTP servers, are hosted by an organization to segregate these public servers from the internal network. An NIDS monitors real-time traffic over the network, captures the packets, and analyzes them either through a signature database or against the normal traffic pattern behavior to ensure that there are no intrusion attempts or malicious threats. NIDS finds extensive commercial implementation in most organizations. An NIDS can help identify smurf attacks. NIDS does not monitor specific workstations. A host-based IDS (HIDS) monitors individual workstations on a network. An intrusion detection agent should be installed on each individual workstation of a network segment to monitor any security breach attempt on a host.

* Which statement is NOT a characteristic of a network-based intrusion detection system (NIDS)? A) An NIDS analyzes encrypted information. B) An NIDS monitors real-time traffic. C) An NIDS does not monitor individual workstations in a network. D) An NIDS analyzes network packets for intrusion.

C) Snort Snort is an intrusion detection system (IDS). Nessus is a vulnerability assessment tool. Tripwire is a file integrity checker. Ethereal is a network protocol analyzer.

* Which tool is an intrusion detection system (IDS)? A) Tripwire B) Nessus C) Snort D) Ethereal

B) application-level proxy firewall An application-level proxy firewall is most detrimental to network performance because it requires more processing per packet. The packet-filtering firewall provides high performance. Stateful and circuit-level proxy firewalls, while slower than packet-filtering firewalls, offer better performance than application-level firewalls. Kernel proxy firewalls offer better performance than application-level firewalls. This type of firewall is a firewall that is built into the operating system kernel. An application-level firewall creates a virtual circuit between the firewall clients. Each protocol has its own dedicated portion of the firewall that is concerned only with how to properly filter that protocol's data. Unlike a circuit-level firewall, an application-level firewall does not examine the IP address and port of the data packet. Often these types of firewalls are implemented as a proxy server. A proxy-based firewall provides greater network isolation than a stateful firewall. A stateful firewall provides greater throughput and performance than a proxy-based firewall. In addition, a stateful firewall provides some dynamic rule configuration with the use of the state table.

* Which type of firewall is most detrimental to network performance? A) circuit-level proxy firewall B) application-level proxy firewall C) stateful firewall D) packet-filtering firewall

A) behavior-based A behavior-based IDS looks for behavior that is not allowed and acts accordingly. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring. A misuse-detection-based IDS is the same as signature-based monitoring. A signature-based IDS requires that updates be regularly obtained to ensure effectiveness. Signature-based monitoring watches for intrusions that match a known identity or signature when checked against a database that contains the identities of possible attacks. This database is known as the signature database. An anomaly-based IDS detects any changes or deviations in network traffic. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalous behavior. Sometimes the baseline is established through a manual process. Another type of IDS that you need to understand is a heuristic IDS. This type of monitoring uses artificial intelligence (AI) to detect intrusions.

* You are creating an IDS solution for your company's network. You define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted. Which type of IDS are you using? A) behavior-based B) signature-based C) anomaly-based D) misuse-detection-base

The tools and their descriptions should be matched in the following manner: * Wireshark - Network protocol analyzer * Nessus - Vulnerability scanner * Snort - Network intrusion detection system * Cain and Abel - Password recovery tool There are many tools that can be used to manage security and network components. You should familiarize yourself with the function that the tools provide. A good place to start is with the reference provided in the References section of this question.

* You have access to several tools as part of your IT technician job. You need to understand what the tools are used for. Match the tools on the left with the descriptions given on the right. Tools * Cain and Abel * Wireshark * Nessus * Snort Descriptions - Password recovery tool - Network protocol analyzer - Network intrusion detection system - Vulnerability scanner

A)Disable SSID broadcast. B)Configure the WEP protocol to use a 128-bit key. C)Change the default Service Set Identifier (SSID). D)Configure the network to use authenticated access only. You should complete all of the following steps to protect against war-driving attacks: * Change the default SSID - This prevents hackers from being able to use the wireless network based on the access point's default settings. * Disable SSID broadcast - This prevents the SSID from being broadcast. Although there are other ways to discover the SSID, disabling the broadcast will cut down on attacks. * Configure the network to use authenticated access only - This ensures that no unauthenticated connections can occur. * Configure the WEP protocol to use a 128-bit key - WEP using 128-bit key is better than the default WEP. However, it is even BETTER to implement some forms of WPA. Some other suggested steps include the following: * Implement Wi-Fi Protected Access (WPA) or WPA2 instead of WEP - WPA is stronger than WEP. WPA2 is stronger than both WPA and WEP. * Reduce the access point signal strength or power level controls - This allows you to reduce the area that is covered by the access point. War driving is a method of discovering 802.11 wireless networks by driving around with a laptop and looking for open wireless networks. NetStumbler is a common war-driving tool.

* You have discovered that hackers are gaining access to your WEP wireless network. After researching, you discover that the hackers are using war driving. You need to protect against this type of attack. What should you do? (Choose all that apply.) A)Disable SSID broadcast. B)Configure the WEP protocol to use a 128-bit key. C)Change the default Service Set Identifier (SSID). D)Configure the network to use authenticated access only.

B) to restrict the clients that can access a wireless network The purpose of MAC filtering is to restrict the clients that can access a wireless network. Access is restricted based on the client's media access control (MAC) address, which is the unique identifier that is encoded on the network interface card (NIC). MAC filtering is not used to restrict the clients that can access a Web site. This is most often done using access control lists (ACLs). 802.1x provides port authentication for a wireless network using Extensible Authentication Protocol (EAP). 802.1x can used Protected EAP (PEAP) or Lightweight EAP (LEAP). PEAP is the more secure of the two. Both of these implementations require a server certifiate on the RADIUS server. If the RADIUS server certificate expires, then clients will be unable to connect until the RADIUS server obtains a new certificate. To ensure that unused ports are not accessible by clients, you should disable all unused ports. To increase network security, you should use the following mitigation and deterrent techniques: * MAC limiting and filtering * 802.1x * Disable unused interfaces, applications, and services. * Rogue machine detection You should always monitor system logs, including the audit logs, event logs, security logs, and access logs. Often by monitoring these logs, a security professional can discover issues or attacks and can take measures to prevent the issues. Security professionals should understand an organization's security posture. Security professionals should perform certain mitigation and deterrent activities including recording an initial baseline configuration, continually monitoring security, and performing remediation as necessary. You should also ensure that a good reporting system is set up to notify appropriate personnel if certain actions occur. This reporting system should include alarms and alerts. Security professionals should also perform periodic trending analysis to identify any new organizational trends. Mitigation controls help to mitigate security issues. Deterrent controls help to deter attacks. Prevention controls help to prevent attacks. Detective controls help to detect any attack when it occurs. Any security policy should employ all of these types of controls to be most effective. Cameras and intrusion detection systems (IDSs) are detective controls. Intrusion prevention systems (IPSs) and guards are preventive controls.

* You have recently been hired as a network administrator. The CIO informs you that their wireless networks are protected using firewalls. He has asked that you implement MAC filtering on all access points. What is the purpose of using this technology? A) to provide port authentication for a wireless network B) to restrict the clients that can access a wireless network C) to restrict the clients that can access a Web site D) to ensure that unused ports are not accessible by clients

D) Use S-HTTP. You should use Secure HTTP (S-HTTP) to encrypt a single document from your Web server. This will allow the two computers to negotiate an encryption connection if this document needs to be transmitted. You should not use ActiveX. ActiveX customizes controls, icons, and other Web-enabled systems to increase their usability. ActiveX components and controls are downloaded to the client. JavaScript is a programming language that allows access to resources on the system running the JavaScript. JavaScript scripts can be downloaded from a Web site and executed. HTTP Secure (HTTPS) is used to encrypt an entire channel using private key encryption. It is used to encrypt all information between two computers.

* You need to ensure that a single document transmitted from your Web server is encrypted. What should you do? A) Use ActiveX. B) Use JavaScript. C) Use S-HTTP. D) Use HTTPS.

A) protocol analyzer A protocol analyzer provides information regarding traffic flow and statistical information for your network. A protocol analyzer is also referred to as a network analyzer or packet sniffer. None of the other tools can provide this information. A port scanner provides a list of open ports and services on your network. A penetration test determines whether network security is properly configured to rebuff hacker attacks. A vulnerability test or vulnerability scanner checks your network for known vulnerabilities and provides methods for protection against the vulnerabilities. A vulnerability scan would allow a security administrator to test the lack of security controls for applications with the least impact to the system as compared to a penetration test, load test, or port scan.

* Your manager suspects that your network is under attack. You have been asked to provide information regarding traffic flow and statistical information for your network. Which tool should you use? A) protocol analyzer B) port scanner C) penetration test D) vulnerability test

D) SSL operates at the Network layer of the OSI model. The secure sockets layer (SSL) protocol does not operate at the Network layer (Layer 3) of the Open Systems Interconnection (OSI) model. It operates at the Transport layer (Layer 4). It works in conjunction with the Hypertext Transfer Protocol (HTTP) that operates at the Session layer to provide secure HTTP connections. SSL is used to protect Internet transactions. It was developed by Netscape. When SSL is used, the browser address will have the https:// prefix, instead of the http:// prefix. SSL version 2 provides client-side authentication. SSL with TLS supports both server and client authentication. SSL uses public key or symmetric encryption, and provides data encryption and sever authentication. To enable SSL to operate, the server and the client browser must have SSL enabled. SSL has two possible session key lengths: 40 bit and 128 bit. The main advantage of SSL is that SSL supports additional application layer protocols, such as FTP and NNTP. HTTP does not. SSL establishes a secure communication connection between two TCP-based computers. Transport layer security (TLS) is a security protocol that combines SSL and other security protocols. A common implementation of SSL is wireless transport layer security (WTLS) for wireless networks. WTLS transmission is required to traverse both wired and wireless networks. Therefore, the packets that are decrypted at the gateway are required to be re-encrypted with SSL for use over wired networks. This is a security loophole referred to as the Wap Gap security issue. If SSL is being used to encrypt messages that are transmitted over the network, a major concern of the security professional is the networks that the message will travel that the company does not control. Worldwide Internet security achieved a milestone with the signing of certificates associated with SSL.

A small business owner wants to be able to sell products over the Internet. A security professional suggests the owner should use SSL. Which statement is NOT true of this protocol? A) SSL is used to protect Internet transactions. B) SSL version 2 provides client-side authentication. C) SSL has two possible session key lengths: 40 bit and 128 bit. D) SSL operates at the Network layer of the OSI model. E) SSL with TLS supports both server and client authentication.

B) SSH You should implement Secure Shell (SSH). SSH creates an encrypted remote terminal connection with a UNIX computer. File Transfer Protocol (FTP) is used to transfer files on a TCP/IP network. FTP transmits data in clear text. Secure Copy (SCP) enables users to transfer files over a secure connection. Telnet is a protocol that enables a user to establish terminal connections with UNIX computers. Telnet transmits data in clear text.

A user contacts you regarding his UNIX computer. He wants to remotely connect to his UNIX computer via a terminal connection. The company security policy states that all remote connections with internal resources must use encrypted connections. Which technology should you implement? A) Telnet B) SSH C) FTP D) SCP

D) Network Routers operate at the Network layer (Layer 3) of the OSI networking model. They use source and destination addresses, which are located at the Network layer, to route packets. Switches use MAC addresses, which are located at the Data Link layer, to forward frames. The Data Link layer is Layer 2. The Session layer (Layer 5) starts, maintains, and stops sessions between applications on different network devices. The Physical layer (Layer 1) provides the functions to establish and maintain the physical link between network devices. Repeaters work at the Physical layer. The Transport layer (Layer 4) of the OSI model segments and reassembles data into a data stream and provides reliable and unreliable end-to-end data transmission. Bridges work at the Data Link layer (Layer 2).

At which layer of the OSI model do routers operate? A) Data-link B) Physical C) Session D) Network E) Transport

A) It limits the traffic that is allowed through. Filters on a Web server limit the traffic that is allowed through. Access control lists (ACLs) limit the users that are allowed connections. A protocol analyzer can be used to locate suspicious traffic. An anti-virus application would prevent a Web server from being infected with viruses.

During a recent security audit, you discovered that several company servers are not adequately protected. You are working to harden your Web servers. As part of the hardening of the Web servers, you implement filters. What is the purpose of a filter in this scenario? A) It limits the traffic that is allowed through. B) It locates suspicious traffic. C) It prevents the Web server from being infected with viruses. D) It limits the users that are allowed connections.

D) on both the host computer and all virtual computers You should install the antivirus application on both the host computer and all virtual computers. Virtual machines can be compromised with viruses just like a physical computer. Virtualization allows you to implement virtual computers on your network without purchasing the physical hardware to implement the server. Virtualization allows you to isolate the individual virtual machines in whatever manner you need. However, all virtual machines located on a virtual host are compromised if the virtual host is compromised. Therefore, it is important to not limit your implementation of the appropriate security measures to the virtual host. You should also implement the appropriate security measures on each virtual machine, including implementing antivirus software and using the principle of least privilege. You should not install the antivirus application on the host computer only, on each virtual computer only, or on the physical computer only. Because virtual machines can be compromised with viruses just like a physical computer, you should ensure that the antivirus software is installed on both the host computer and each virtual computer.

Last year, a new anti-virus application was purchased for your company. The application was installed on all servers and client computers. Recently, you discovered that the anti-virus application was not installed in your company's virtualization environment. You have been asked to install the antivirus application in your virtualization environment. Where should you install the antivirus application? A) on each virtual computer only B) on the physical computer only C) on the host computer only D) on both the host computer and all virtual computers

D) Permit all inbound TCP connections. The Permit all inbound TCP connections filter will most likely result in a security breach. This rule is one you will not see in most firewall configurations. By simply allowing all inbound TCP connections, you are not limiting remote hosts to certain protocols. Security breaches will occur because of this misconfiguration. You should only allow those protocols that are needed by remote hosts, and drop all others. In most cases, permitting all traffic to and from local hosts is a common firewall rule. If you configure firewall rules regarding local host traffic, you should use extreme caution. It is hard to predict the type of traffic originating with your local hosts. If you decide to drop certain types of traffic, users may complain about being unable to reach remote hosts. Limiting certain types of traffic, such as SSH and SMTP traffic, to certain computers is a common firewall configuration. By using this type of rule, you can protect the other computers on your network from security breaches using those protocols or ports. Other common firewall packet filters include dropping inbound packets with the Source Routing option set, dropping router information exchange protocols, and dropping inbound packets with an internal source IP address. For the most part, filters blocking outbound packets with a specific external destination IP address are not used. Any time rules are implemented on a network, you are using rules-based management. With these rules, you specifically allow or deny traffic based on IP address, MAC address, protocol used, or some other factor.

Management has requested that you ensure all firewalls are securely configured against attacks. You examine one of your company's packet-filtering firewalls. You have configured the following rules on the firewall: * Permit all traffic to and from local hosts. * Permit all inbound TCP connections. * Permit all SSH traffic to linux1.kaplanit.com. * Permit all SMTP traffic to smtp.kaplanit.com. Which rule will most likely result in a security breach? A) Permit all SMTP traffic to smtp.kaplanit.com. B) Permit all SSH traffic to linux1.kaplanit.com. C) Permit all traffic to and from local hosts. D) Permit all inbound TCP connections.

B) TFTP The Trivial File Transfer Protocol (TFTP) provides the least amount of security. TFTP provides no authentication or encryption mechanism. TFTP uses port 69, by default. File Transfer Protocol (FTP) is considered more secure than TFTP because it can provide authentication and encryption mechanisms. FTP uses ports 20 and 21, by default. File Transfer Protocol Secure (FTPS) is a more secure version of FTP. FTPS uses the same commands as FTP. FTPS uses Secure Sockets Layer (SSL) for security. FTPS uses ports 989 and 990, by default. Secure File Transfer Protocol (SFTP) is the most secure version of FTP. This version is actually Secure Shell (SSH) with FTP capabilities. FTPS is more widely known than SFTP, but SFTP is more secure. SFTP uses port 22, by default.

Management of your company wants to allow the departments to share files using some form of File Transfer Protocol (FTP). You need to explain the different FTP deployments. By default, which FTP solution provides the LEAST amount of security? A) FTPS B) TFTP C) SFTP D) FTP

The tests and their descriptions should be matched in the following manner: * Vulnerability scan - a test carried out by internal staff that discovers weaknesses in systems to improve or repair them before a breach occurs * Penetration test - a form of vulnerability scan performed using an automated tool by a trained white hat security team rather than by internal security staff * Black box test - a test conducted with the assessor having no knowledge about the systems being tested * White box test - a test conducted with the assessor having all of the knowledge about the systems being tested * Gray box test - a test conducted with the assessor having a little of the knowledge about the systems being tested

Match the tests on the left with the descriptions given on the right. Descriptions * a test conducted with the assessor having no knowledge about the systems being tested * a test conducted with the assessor having a little of the knowledge about the systems being tested * a form of vulnerability scan performed using an automated tool by a trained white hat security team rather than by internal security staff * a test carried out by internal staff that discovers weaknesses in systems to improve or repair them before a breach occurs * a test conducted with the assessor having all of the knowledge about the systems being tested Tests - Vulnerability scan - Penetration test - Black box test - White box test - Gray box test

C) SCP You should suggest that the department use Secure Copy (SCP). This protocol is used on UNIX networks to transfer files over a secure connection and operates at OSI layer 7. SCP uses SSH and operates over port 22 by default. File Transfer Protocol (FTP) is used to transfer files in clear text, which is not secure. FTP also transfers authentication information in clear text. FTP operates over ports 20 and 21 by default. Secure Shell (SSH) enables users to establish secure terminal connections with Unix computers, but does not allow the transfer of files. It requires SCP to transfer files. SSH operates over port 22 by default. Telnet enables users to establish nonsecure clear text terminal connections with UNIX computers. Telnet also transmits authentication information in clear text. Telnet operates over port 23 by default. To enhance network security, you should disable all unnecessary services and protocols on all server and client computers on a network because they pose a risk.

One department in your company needs to be able to easily transfer files over a secure connection. All of the files are stored on a UNIX server. You have been asked to suggest a solution. Which protocol should you suggest? A) SSH B) Telnet C) SCP D) FTP

B) an ACL An access control list (ACL) is a security mechanism used to designate those users who can gain various types of access, such as read, write, and execute access, to resources on a network. An ACL provides security as granular as the file level. The DAC model uses ACL to identify the users who have permissions to a resource. If a user is unable to access remote resources and you have ensured that the firewall is not blocking the user's communication, it could be that the ACL for the resource needs to be checked to ensure that user has the appropriate permission. An ACL is also configured at the remote access server to grant or deny remote access. A firewall allows and denies network access through communications ports. A NAT server presents public Internet Protocol (IP) addresses to the Internet on behalf of computers on a private network. A proxy server can be used to enable hosts to access Internet resources. A proxy server can increase the performance of a network by caching Web pages, which can reduce the amount of time required for clients to access Web pages. A proxy server is often used to cache and filter content.

Recently, an IT administrator contacted you regarding a file server. Currently, all users are granted access to all of the files on this server. You have been asked to change the configuration and designate which users can access the files. What should you use to do this? A) a firewall B) an ACL C) a proxy server D) a NAT server

D) SNMP You should deploy Simple Network Management Protocol (SNMP) to monitor network devices and the devices' parameters. It uses port 161 to communicate. SNMP allows an administrator to set device traps. Simple Mail Transfer Protocol (SMTP) is used for e-mail over port 25 by default. Dynamic Host Configuration Protocol (DHCP) is used to dynamically assign IP addresses over ports 67 and 68 by default. Domain Name System (DNS) is used to manage IP address to host name mappings. If a power failure or attack occurs, administrators should have a plan for restoring the servers. In most cases, you should bring your DNS or BIND server up first to ensure that Internet communication is restored and that the other servers can connect to the Internet.

Recently, your company's network has been attacked from outside the organization. The attackers then changed the configuration of several network devices. Management has asked you to monitor network devices on a regular basis. Which protocol should you deploy? A) SMTP B) DHCP C) DNS D) SNMP

B) System Monitor You should use System Monitor to determine if the performance of the server has degraded. System Monitor can monitor particular counters. These counter statistics can be compared to the original performance baseline to determine if performance degradation has occurred. Prior to Windows 2000, Performance Monitor would provide this information. In Windows 2000, System Monitor replaced Performance Monitor. You should not use a port scanner. A port scanner will provide information on the ports and services that are available on your network. You should not use a network analyzer. A network analyzer can provide network statistical information, but cannot provide performance information for a single computer. You should not use a vulnerability test. A vulnerability test checks your network for known vulnerabilities and provides methods for protection against the vulnerabilities. For security purposes, you should establish a security baseline in addition to the performance baseline. A security baseline ensures that all devices follow certain security standards. To do this, you should capture the initial security baseline. You should continuously monitor security settings to ensure that the security configuration does not fall below the baseline. In addition, remediation should be performed if a security issue is discovered. Baseline reporting is used to identify an application's security posture.

Users report that your company's Windows Server 2008 terminal server is experiencing performance issues. You have a performance baseline for the server. You suspect that the terminal server is under attack from a hacker. Which tool should you use to determine if the performance of the server has degraded? A) a vulnerability test B) System Monitor C) a port scanner D) a network analyzer

C) It has a fixed number of available interfaces. A hardware firewall is purchased with a fixed number of interfaces available. With a software firewall, adding interfaces is as easy as adding and configuring another network interface card (NIC). A hardware firewall outperforms a software firewall. It is easier to make configuration errors in a software firewall, not a hardware firewall. Most hardware firewalls are advertised as "turn-key" solutions, meaning software installation and configuration issues are minimal. Hardware firewalls generally provide increased security over software firewalls.

What is a disadvantage of a hardware firewall compared to a software firewall? A) It provides decreased security as compared to a software firewall. B) It has lower performance capability than a software firewall. C) It has a fixed number of available interfaces. D) It is easier to make configuration errors than in a software firewall.

B) an application that identifies security issues on a network and gives suggestions on how to prevent the issues A vulnerability scanner is an application that identifies security issues on a network and gives suggestions on how to prevent the issues. It is a management control type. A port scanner is an application that identifies ports and services that are at risk on a network. An intrusion detection system (IDS) is an application that detects when network intrusions occur and identifies the appropriate personnel. A virus scanner is an application that protects a system against viruses.

What is a vulnerability scanner? A) an application that protects a system against viruses B) an application that identifies security issues on a network and gives suggestions on how to prevent the issues C) an application that identifies ports and services that are at risk on a network D) an application that detects when network intrusions occur and identifies the appropriate personnel

A) a firewall that is integrated into a router An embedded firewall is integrated into a router. A software firewall is installed on a server operating system, such as Windows XP or Linux. A hardware firewall is a black box device, which is designed to be deployed on a network with a minimum of configuration and installation effort. An application firewall is an example of a component added to a hardware firewall. An application firewall is designed to filter traffic at the Application layer of the Open Systems Interconnection (OSI) model.

What is an embedded firewall? A) a firewall that is integrated into a router B) a component that is added to a hardware firewall C) a black box device D) a firewall that is installed on a server operating system

A) a system's ability to terminate processes when a failure is identified Fail-safe systems provide the ability to automatically terminate the processes in response to a failure. An example would be an automated locking system that defaults to unlock in case of power failure. A controlled system reboot refers to the ability of the system to recover automatically through a reboot. A controlled system is a part of the trusted recovery procedures. Fail-secure state, sometimes called fail-close state, refers to the ability of a system to maintain and preserve the secure state of the system in the event of a system failure. A fail-secure state implies that a system should be able to protect itself and its information assets if critical processes are terminated and if a system becomes unusable. An example would be an automated locking system that defaults to lock in case of power failure. If a system has high security requirements, you should ensure that the system is configured to fail close. If a system has high availability, you should ensure that the system is configured to fail open. Fail-over systems provide the ability to recover by switching over to backup systems in the event of the failure of a primary system. This is also known as recovery control.

What is meant by the term fail-safe? A) a system's ability to terminate processes when a failure is identified B) a system's ability to preserve a secure state before and after failure C) a system's ability to switch over to a backup system in the event of a failure D) a system's ability to recover automatically through a reboot

B) low maintenance The primary advantage of an NIDS is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network segment. Configuration usually occurs at a single system, rather than on multiple systems. By contrast, host-based intrusion detection systems (HIDSs) are difficult to configure and monitor because the intrusion detection agent should be installed on each individual workstation of a given network segment. HIDSs are configured to use the operating system audit logs and system logs, while NIDSs actually examine the network packets. Individual hosts do not need real-time monitoring because intrusion is monitored on the network segment on which the NIDS is placed, and not on individual workstations. An NIDS is not capable of analyzing encrypted information. For example, the packets that travel through a Virtual Private network Tunnel (VPN) cannot be analyzed by the NIDS. The lack of this capability is a primary disadvantage of an NIDS. The high throughput of the workstations in a network does not depend on the NIDS installed in the network. Factors such as the processor speed, memory, and bandwidth allocated affect the throughput of workstations. The performance of an NIDS can be affected in a switched network environment because the NIDS will not be able to properly analyze all the traffic that occurs on the network on which it does not reside. An HIDS is not adversely affected by a switched network because it is primarily concerned with monitoring traffic on individual computers.

What is the primary advantage of using a network-based intrusion detection system (NIDS)? A) no counterattack on the intruder B) low maintenance C) ability to analyze encrypted information D) high throughput of the individual workstations on the network

B) after the patch has been tested A patch should be installed on a server after it has been tested on a non-production server and by the computing community. A security patch is a major, crucial update for the OS or product for which it is intended, and consists of a collection of patches released to date since the OS or product was shipped. A security patch is mandatory for all users. It addresses a new vulnerability and should be deployed as soon as possible. Security patches are usually small. A patch should not be installed immediately after it is released or when it is in beta format because a patch that is not thoroughly tested might contain bugs that could be detrimental to server operation. A patch should typically not be deployed before it has been tested on a test server. Patches should not be tested on production servers. Application patch management should follow these same guidelines. A hotfix is a software fix that addresses a specific issue being experienced by certain customers, but has not been fully tested in all environments. Patch management involves installing patches on a test system, verifying the new software changes on the test system, and then installing the patch in the live environment if no undesired outcomes occurred in the test environment. Patch management is the most efficient way to combat operating system vulnerabilities.

When should you install a software patch on a production server? A) immediately after the patch is released B) after the patch has been tested C) before the patch has been tested D) when the patch is in beta format

C)fe80::200:f8ff:fe21:67cf D)00-0C-F1-56-98-AD The fe80::200:f8ff:fe21:67cf address is an IPv6 address. The 00-0C-F1-56-98-AD address is a MAC address, which is hard-coded into the network interface card (NIC) by the manufacturer. The 169.254.0.10 and 192.1.0.1 addresses are both valid IPv4 addresses.

You have been hired as a company's network administrator. The company's network currently uses statically configured IPv4 addresses. You have been given a list of addresses that are used on the network that include the addresses listed in the options. However, you are sure that some of these addresses are NOT IPv4 addresses. Which addresses are not valid? A)169.254.0.10 B)192.1.0.1 C)fe80::200:f8ff:fe21:67cf D)00-0C-F1-56-98-AD

C) ActiveX ActiveX uses Authenticode for security. Authenticode is a certificate technology that allows ActiveX components to be validated by a server. Users need to be careful when confirming the installation of ActiveX components or controls. Automatically accepting an ActiveX component or control creates an opportunity for security breaches. None of the other options uses Authenticode for security. Cross-site scripting (XSS) is a type of security vulnerability typically found in Web applications that allows code injection by hackers into the Web pages viewed by other users. It is used to trick a user into visiting a site and having code execute locally. Cross-site scripting prevention is best accomplished by using an automated tool to test for XSS. This attack can only be prevented by carefully sanitizing all input that is not known to be secure, Java is a self-contained script that is downloaded from a server to a client and runs within a Web browser. CGI is a scripting method that was used extensively in older Web servers. CGI scripts captured data from users using simple forms.

Which Web browser add-in uses Authenticode for security? A) Common Gateway Interface (CGI) B) Cross-site scripting (XSS) C) ActiveX D) Java

C) a router A router is a device that is designed to transmit all data that is not specifically denied between networks, and to do so in the most efficient manner possible. A router enables connectivity between two or more networks and can connect multiple network segments into one network. A firewall is a mechanism that is designed to deny transmission of data that is not specifically allowed. For example, a firewall can be configured to ensure that messages on a TCP/IP subnet stay local to the subnet. Additionally, a firewall can be used to restrict access to a private network from the Internet. A hub and a repeater are central network connection devices that are designed to transmit data between computers on the same subnet. Hubs and repeaters are not used to transmit data between subnets.

Which device is designed to provide the most efficient transmission of traffic that is NOT specifically denied between networks? A) a repeater B) a hub C) a router D) a firewall

C) dual-homed firewall A dual-homed firewall has two network interfaces. One interface connects to the public network, usually the Internet. The other interface connects to the private network. The forwarding and routing function should be disabled on the firewall to ensure that network segregation occurs. A bastion host is a computer that resides on a network that is locked down to provide maximum security. These types of hosts reside on the front line in a company's network security systems. The security configuration for this entity is important because it is exposed to un-trusted entities. Any server that resides in a demilitarized zone (DMZ) should be configured as a bastion host. A bastion host has firewall software installed, but can also provide other services. A screened host is a firewall that resides between the router that connects a network to the Internet and the private network. The router acts as a screening device, and the firewall is the screen host. Screened subnet is another term for a demilitarized zone (DMZ). Two firewalls are used in this configuration: one firewall resides between the public network and DMZ, and the other resides between the DMZ and private networ

Which firewall architecture has two network interfaces? A) bastion host B) screened subnet C) dual-homed firewall D) screened host

A) NAC Network Access Control (NAC) ensures that the computer on the network meet an organization's security policies. NAC user policies can be enforced based on the location of the network user, group membership, or some other criteria. Media access control (MAC) filtering is a form of NAC. Network Address Translation (NAT) is an IEEE standard that provides a transparent firewall solution between an internal network and outside networks. Using NAT, multiple internal computers can share a single Internet interface and IP address. Internet Protocol Security (IPsec) is a protocol that secures IP communication over a private or public network. IPSec allows a security administrator to implement a site-to-site VPN tunnel between a main office and a remote branch office. A demilitarized zone (DMZ) is a section of a network that is isolated from the rest of the network with firewalls. Servers in a DMZ are more secure than those on the regular network. When connecting to a NAC, the user should be prompted for credentials. If the user is not prompted for credentials, the user's computer is missing the authentication agent.

Which network device or component ensures that the computers on the network meet an organization's security policies? A) NAC B) NAT C) IPsec D) DMZ

B) packet sniffing Packet sniffing is synonymous with protocol analyzing. Both terms refer to the process of monitoring data transmitted on the network. They can also be called network analyzers. Packet sniffing can occur by installing the software on a network device. However, it can also occur by installing a rogue wireless access point, router, or switch on the network. If any hidden network devices are found, it is most likely the source of a packet sniffing attack. Vulnerability testing is the process of testing a computer or network for known vulnerabilities to discover security holes. Often security administrators perform vulnerability tests to discover security issues. They then use the reports from the tests to implement new security policies to protect against the issues found. Port scanning is the process of scanning TCP/IP ports to discover which network services are being used. Password cracking is the process of testing the strength of passwords. It is also referred to as password checking.

Which term is synonymous with protocol analyzing? A) vulnerability testing B) packet sniffing C) port scanning D) password cracking

C) packet-filtering firewall A packet-filtering firewall only looks at a data packet to obtain the source and destination addresses and the protocol and port used. This information is then compared to the configured packet-filtering rules to decide if the packet will be dropped or forwarded to its destination. A packet-filtering firewall only examines the packet header information. Packet-filtering firewalls are based on access control lists (ACLs). They are application independent and operate at the Network layer of the OSI model. They cannot keep track of the state of the connection. A stateful firewall usually examines all layers of the packet to compile all the information for the state table. A kernel proxy firewall examines every layer of the packet, including the data payload. An application-level proxy firewall examines the entire packet.

Which type of firewall only examines the packet header information? A) kernel proxy firewall B) application-level proxy firewall C) packet-filtering firewall D) stateful firewall

A) anomaly-based Anomaly-based monitoring is most likely to produce a false alert. With anomaly-based monitoring, alerts occur where there are any deviations from normal behavior. Deviations from normal behavior will normally occur but are not always indications of a possible attack. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalies. Sometimes the baseline is established through a manual process. Misuse-detection-based monitoring is the same as signature-based monitoring. Signature-based monitoring is more likely to give you a false sense of security rather than a false alert. Signature-based monitoring relies upon a database that contains the identities of possible attacks. This database is known as the signature database. Signature-based monitoring watches for intrusions that match a known identity or signature. Signature-based monitoring requires that updates be regularly obtained to ensure effectiveness. Behavior-based monitoring is not likely to produce a false alert because you defined non-acceptable behavior. It is more susceptible to giving you a false sense of security. It is only as strong as the behaviors you have defined. If you do not properly define inappropriate behaviors, then attacks can occur. Behavior-based monitoring looks for behavior that is not allowed and acts accordingly. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring.

Which type of monitoring is most likely to produce a false alert? A) anomaly-based B) behavior-based C) signature-based D) misuse-detection-based

C) pre-validation controls Pre-validation controls can be placed on the client side. Parameter validation occurs when the parameter values entered into the application are validated before they are submitted to the application to ensure that the values lie within the server's defined limits. Pre-validation controls are input controls that are implemented prior to submission to the application. These controls can occur on the client, the server, or both. Client-side validation is usually faster than server-side validation because the data does not have to be transmitted to the server. Access controls are not validation controls. Access controls are the controls of limiting access to resources to authorized users. Post-validation controls occur when an application's output is validated to be within certain constraints. Input validation is not a type of validation control. Input validation verifies the values entered by the user. Input validation is the required remediation if a Web application is vulnerable to SQL injection attacks because it ensures that certain characters and commands entered on a Web server are not interpreted as legitimate, nor passed on to back-end servers. Input validation and exception handling are secure coding concepts. With exception handling, the programmer uses exceptions to handle logic and runtime errors. When data integrity is critical to the organization, input validation in a client-server architecture should be performed on the server side. Parameter validation validates parameters that are defined within the application.

Which type of validation controls can be placed on the client side? A) post-validation controls B) input validation C) pre-validation controls D) access controls

B) hotfix A hotfix makes repairs to a computer during its normal operation so that the computer can continue to operate until a permanent repair can be made. It usually involves replacing files with an updated version. A hotfix can also be referred to as a bug fix. A service pack or support pack is a comprehensive set of fixes combined into a single product. Service packs generally include all hotfixes and patches. A support pack is another term used for service packs. Patches are temporary fixes to a program. Once more data is known about an issue, a service pack or hotfix may be issued to fix the problem on a larger scale.

Which update type makes repairs to a computer during its normal operation so that the computer can continue to operate until a permanent repair can be made? A) support pack B) hotfix C) patch D) service pack

C) Implement every computer on the DMZ as a bastion host. You should implement every computer on the demilitarized zone (DMZ) as a bastion host because any system on the DMZ can be compromised. A bastion host is, in essence, a system that is hardened to resist attacks. A bastion host is not attached to any firewall software. However, every firewall should be hardened like a bastion host.

You are aware that any system in the demilitarized zone (DMZ) can be compromised because the DMZ is accessible from the Internet. What should you do to mitigate this risk? A) Implement the DMZ firewall that connects to the private network as a bastion host. B) Implement both DMZ firewalls as bastion hosts. C) Implement every computer on the DMZ as a bastion host. D) Implement the DMZ firewall that connects to the Internet as a bastion host.

A) HTTPS Hypertext Transfer Protocol Secure (HTTPS) should be used because it securely transmits Web pages over Secure Sockets Layer (SSL). HTTPS operates over port 443 by default. Sequenced Packet Exchange (SPX) is the connection-oriented transport protocol provided on Internetwork Packet Exchange (IPX)/SPX networks. Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) create secure tunnels through the public Internet. PPTP operates over port 1723 by default. L2TP operates over port 1701 by default.

You have been hired as a security consultant by a new small business. The business owner wants to implement a secure Web site. You suggest that the Web pages be secured using SSL. Which protocol should be used? A) HTTPS B) SPX C) L2TP D) PPTP

The protocols should be matched with the descriptions in the following manner: * IPSec - A tunneling protocol that provides secure authentication and data encryption * SNMP - A network management protocol that allows communication between network devices and the management console * SFTP - A file transferring protocol that uses SSH for security * FTPS - A file transferring protocol that uses SSL for security

You are responsible for managing security for a network that supports multiple protocols. You need to understand the purpose of each of the protocols that are implemented on the network. Match each description with the protocol that it BEST fits. Descriptions * A file transferring protocol that uses SSL for security * A network management protocol that allows communication between network devices and the management console * A tunneling protocol that provides secure authentication and data encryption * A file transferring protocol that uses SSH for security Protocols - IPSec - SNMP - SFTP - FTPS

The protocols should be matched with the descriptions in the following manner: * SSH - A protocol that uses a secure channel to connect a server and a client * SSL - A protocol that secures messages between the Application and Transport layer * SCP - A protocol that allows files to be copied over a secure connection * ICMP - A protocol used to test and report on path information between network devices

You are responsible for managing the security for a network that supports multiple protocols. You need to understand the purpose of each of the protocols that are implemented on the network. Match each description with the protocol that it BEST fits. Descriptions * A protocol used to test and report on path information between network devices * A protocol that uses a secure channel to connect a server and a client * a protocol that secures messages between the Application and Transport layer * A protocol that allows files to be copied over a secure connection Protocols - SSH - SSL - SCP - ICMP

C) Isolate the host computer and each virtual computer from each other. You should isolate the host computer and each virtual computer from each other. None of the other statements is correct when managing virtual computers. You should update the operating system and application on the host computer and all virtual computers. You should implement a firewall on the host computer and all virtual computers. You should install and update the antivirus program on the host computer and all virtual computers.

You are responsible for managing the virtual computers on your network. You need to ensure that the host and virtual computers are secure from attacks. Which guideline is important when managing these computers? A) Install and update the antivirus program only on the host computer. B) Update the operating system and applications only on the host computer. C) Isolate the host computer and each virtual computer from each other. D) Implement a firewall only on the host computer.

The IDS types should be matched with the descriptions in the following manner: * Behavior-based - An IDS that uses a learned activity baseline to identify intrusion attempts * Signature-based - An IDS that maintains an attack profile database to identify intrusion attempts * Host-based - An IDS that only monitors a single particular device for intrusion attempts * Network-based - An IDS that monitors an entire network segment for intrusion attempts Many IDS solutions actually employ multiple types to provide the greatest protection. Keep in mind that an IDS only detects intrusion attempts and employs the configured alerts to ensure that the intrusion attempts is recorded and reported. An intrusion prevention system (IPS) detects the intrusions and carries out steps to prevent the attack from being successful.

You are trying to decide which type of intrusion detection system (IDS) you should deploy to improve network security. Match the IDS description from the left with their appropriate IDS type on the right. Descriptions * Uses a learned activity baseline to identify intrusion attempts * Maintains an attack profile database to identify intrusion attempts * Monitors a single particular device for intrusion attempts * Monitors an entire network segment for intrusion attempts IDS Types - Behavior-based - Signature-based - Host-based - Network-based

B) S/MIME Secure Multipurpose Internet Mail Extension (S/MIME) version 3 is an e-mail security method that is defined in Request for Comments (RFC) 2632 and RFC 2634. S/MIME 3 provides non-repudiation, authentication, and integrity for e-mail messages. Privacy Enhanced Mail (PEM) and MIME Object Security Services (MOSS) are older proposals for e-mail security standards that have not been adopted. Pretty Good Privacy (PGP) is the current de facto e-mail security standard. The Internet Engineering objective Force (IETF) is currently developing a version of PGP known as Open-PGP.

You have been asked to implement the e-mail security method that is defined in RFC 2632 and RFS 2634. Which e-mail security method should you implement? A) PGP B) S/MIME C) MOSS D) PEM

A) HTTPS Of the options given, HTTPS provides the highest level of security. The HTTP Secure (HTTPS) protocol provides a secure connection between two computers. The connection is protected, and all traffic between the two computers is encrypted. HTTPS uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS). It uses private key encryption to encrypt the entire channel. Secure HTTP (S-HTTP) is different from HTTPS. S-HTTP allows computers to negotiate an encryption connection and is not as secure as HTTPS. It uses document encryption to protect the HTTP document's contents only. ActiveX is very vulnerable to attacks because users can configure their computer to automatically access an ActiveX component or control. JavaScript scripts can be downloaded from a Web site and executed, causing damage to systems.

You have been hired as a Web security practitioner. Your organization implements several different Web security mechanisms to protect multiple Web sites. Which Web technology provides the highest level of security A) HTTPS B) S-HTTP C) ActiveX D) JavaScript

The protocols and descriptions should be matched up as follows: * File transfer over SSL - FTPS * Secure e-mail - Secure IMAP * Secure voice and video - SRTP * Secure directory services - LDAPS * File transfer over SSH - SFTP

You have been hired as a security consultant for a new company named Verigon. Verigon needs guidance on which protocols to implement on the network. Match each protocol on the left with the correct description on the right. Protocols * LDAPS * SFTP * Secure IMAP * SRTP * FTPS Service Provided - File transfer over SSL - Secure email - Secure voice and video - Secure directory services - File transfer over SSH

The protocols and descriptions should be matched up as follows: * Cryptographic communication protocol - SSL/TLS * Secure encryption and digital signatures for email - S/MIME * Routing and switching management - SNMPv3 * Secure remote access - SSH

You have been hired as a security consultant for a new company named Verigon. Verigon needs guidance on which protocols to implement on the network. Match the protocols on the left with the correct description on the right. Protocols * SSH * SSL/TLS * S/MIME * SNMPv3 Service Provided - Cryptographic communication protocol - Secure encryption and digital signatures for email - Routing and switching management - Secure remote access

The protocols and descriptions should be matched up as follows: * Cryptographic communication protocol - SSL/TLS * Secure encryption and digital signatures for email - S/MIME * Routing and switching management - SNMPv3 * Secure remote access - SSH

You have been hired as a security consultant for a new company named Verigon. Verigon needs guidance on which protocols to implement on the network. Match the protocols on the left with the correct description on the right. Protocols - SSL/TLS - SSH - SNMPv3 - S/MIME Service Provided - Cryptographic communication protocol - Secure encryption and digital signatures for email - Routing and switching management - Secure remote access

The protocols and descriptions should be matched as follows: - Secure web access - HTTPS - Secure time synchronization - Secure NTP - Secure email download - Secure POP3 - Secure domain name resolution - DNSSEC - Network address allocation - DHCP

You have been hired as a security consultant for a new company named Verigon. Verigon needs guidance on which protocols to implement on the network. Match the protocols on the left with the correct description on the right. Protocols - DHCP - Secure POP3 - HTTPS - DNSSEC - Secure NTP Service Provided - Secure web access - Secure time synchronization - Secure email download - Secure domain name resolution - Network address allocation

C) HTTPS Of the options given, HTTPS provides the highest level of security. The HTTP Secure (HTTPS) protocol provides a secure connection between two computers. The connection is protected, and all traffic between the two computers is encrypted. HTTPS uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS). It uses private key encryption to encrypt the entire channel. HTTPS uses port 443 by default. Secure HTTP (S-HTTP) is different from HTTPS. S-HTTP allows computers to negotiate an encryption connection and is not as secure as HTTPS. It uses document encryption to protect the HTTP document's contents only. ActiveX is very vulnerable to attacks because users can configure their computer to automatically access an ActiveX component or control. JavaScript scripts can be downloaded from a Web site and executed, causing damage to systems.

You have been hired to assess the security needs for an organization that uses several Web technologies. During the assessment, you discover that the organization uses HTTPS, S-HTTP, ActiveX, and JavaScript. You need to rank these technologies based on the level of security they provide. Which of the technologies listed provides the highest level of security? A) ActiveX B) S-HTTP C) HTTPS D) JavaScript

B) Event ID 539 Event ID 539 occurs when a user account is locked out. Implementing account lockout ensures that repeated attempts to guess a user's password is not possible beyond the lockout threshold. Event ID 531 occurs when a user account is disabled. A security policy should be in place that ensures that the user account of all terminated employees is immediately disabled so that the user can no longer access the network. Event ID 532 occurs when a user account has expired. Account expirations ensure that accounts are not used beyond a certain date and/or time. Event ID 535 occurs when the account's password has expired. Password expirations ensure that users periodically change their account passwords.

You have configured several auditing events for your Windows Server 2008 network. You are concerned that hackers have obtained a list of user names. You suspect that the hackers are causing user accounts to be locked out. Which event ID in the Security log should you examine? A) Event ID 535 B) Event ID 539 C) Event ID 531 D) Event ID 532

The protocols given use these default ports: - Port 21 - FTP - Port 110 - POP3 - Port 143 - IMAP - Port 443 - HTTPS - Port 3389 - RDP FTP also uses port 20, but it was not listed in this scenario

You must configure the routers on your network to ensure that appropriate communication is allowed between the subnetworks. Your configuration must allow multiple protocols to communicate across the routers. Match the protocol from the left with the default port it uses on the right. Move the correct items from the left column to the column on the right to match the protocol with the correct default port. Protocols - FTP - IMAP - RDP - HTTPS - POP3 Default Ports - Port 21 - Port 110 - Port 143 - Port 443 - Port 3389

A)Replace or disable embedded logins and passwords. B)Use strong authentication on the remote maintenance ports. C)Turn off the remote maintenance features when not needed. D)Keep PBX terminals in a locked, restricted area. You should implement all of the given policies to provide protection against remote maintenance PBX attacks. You should turn off the remote maintenance features when not needed and implement a policy whereby local interaction is required for remote administration. You should use strong authentication on the remote maintenance ports. This will ensure that authentication traffic cannot be compromised. You should keep PBX terminals in a locked, restricted area. While this is more of a physical security issue, it can also affect remote maintenance attacks. If the physical security of a PBX system is compromised, the attacker can then reconfigure the PBX system to allow remote maintenance. You should replace or disable embedded logins and passwords. These are usually configured by the manufacturer to allow back door access to the system.

You need to implement security countermeasures to protect from attacks being implemented against your PBX system via remote maintenance. Which policies provide protection against remote maintenance PBX attacks? (Choose all that apply.) A)Replace or disable embedded logins and passwords. B)Use strong authentication on the remote maintenance ports. C)Turn off the remote maintenance features when not needed. D)Keep PBX terminals in a locked, restricted area.

C) Go to the vendor's Web site to download the security patch. You should go to the vendor's Web site to download the security patch. This ensures that you are obtaining the security patch directly from the vendor. If you do not find any information about a new security patch on the vendor's Web site, you are likely the victim of an e-mail scam. You should not click the link embedded in the e-mail message to test or install the security patch. A common method for hackers to infect your systems is to send an official-looking e-mail about software that you need. The only way to ensure that a patch or service pack comes from the vendor is to go the vendor's Web site. You should not insert the application's installation CD to install the security patch. Original installation CDs will not contain the latest security patches or service packs.

You receive an unsolicited e-mail from an application vendor stating that a security patch is available for your application. Your company's security policy states that all applications must be updated with security patches and service packs. What should you do? A) Insert the application's installation CD to install the security patch. B) Click the link embedded in the e-mail message to test the security patch. C) Go to the vendor's Web site to download the security patch. D) Click the link embedded in the e-mail message to install the security patch.

B) port scanning You should use port scanning to determine which Transmission Control Protocol (TCP) ports are open on your network. A port scanner is a device that automatically attempts to communicate with different protocols over all ports and records which ports are open to which protocols. For example, File Transfer Protocol (FTP) generally communicates over port 21. For security reasons, however, an administrator might close port 21 and map FTP traffic to a different port. By attempting FTP communications over all ports, a port scanner might allow a hacker to find the open FTP port and bypass the security measure. A hacker can also use stealth scanning and port scanning to determine which operating systems are being used on a network. Stealth scanning is more general in nature and usually does not include determining which ports are open. A hacker can use wardialing to determine the telephone numbers of the modems on a company network. Whois can be used to determine information about a Domain Name Service (DNS) domain, such as contact information for domain administrators and the DNS name servers that are used to resolve a domain name to an Internet Protocol (IP) address.

You recently read an article about hackers using open TCP ports to access corporate networks. You need to ensure that this does not occur at your organization. First, you want to determine which TCP ports are open on your network. Which method should you use? A) stealth scanning B) port scanning C) whois D) wardialing

A)The IPSec framework is used in a virtual private network (VPN) implementation to secure transmissions. B)IPSec can work in either tunnel mode or transport mode. D)IPSec uses Encapsulation Security Payload (ESP) and Authentication Header (AH) as security protocols for encapsulation. Internet Protocol Security (IPSec) can operate in either tunnel mode or transport mode. In transport mode, only the message part of a packet (the payload) is encrypted by Encapsulating Security Payload (ESP). In IPSec tunnel mode, the entire packet including the packet header and the routing information is encrypted. IPSec tunnel mode provides a higher level of security than transport mode. Either of the two modes can be used to secure either gateway-to-gateway or host-to-gateway communication. If used in gateway-to-host communication, the gateway must act as the host. IPSec uses ESP and Authentication Header (AH) as security protocols. AH provides the authentication mechanism, and ESP provides encryption, confidentiality, and message integrity. IPSec sets up a secure channel that uses a strong encryption and authentication method between two network devices, such as routers, VPN concentrators, and firewalls. IPSec can provide security between any two network devices running IPSec, but its chief implementation is in securing virtual private network (VPN) communications. IPSec provides security by protecting against traffic analysis and replay attacks. IPSec is primarily implemented for data communication between applications that transfer data in plain text. IPSec secures the network device against attacks through encryption and encapsulation. The IPSec does not use the L2TP protocol to encrypt messages. L2TP is used for secure communication in VPN networks and is a hybrid of L2F and PPTP. IPSec ensures integrity and confidentiality of IP transmissions, but cannot ensure availability of the information.

You work for a company that installs networks for small businesses. During a recent deployment, you configure a network to use the Internet Protocol Security (IPSec) protocol. The business owner asks you to explain why this protocol is being used. Which three are valid reasons for using this protocol? (Choose three.) A)The IPSec framework is used in a virtual private network (VPN) implementation to secure transmissions. B)IPSec can work in either tunnel mode or transport mode. C)The IPSec framework uses L2TP as the encryption protocol. D)IPSec uses Encapsulation Security Payload (ESP) and Authentication Header (AH) as security protocols for encapsulation. E)IPSec ensures availability of information as a part of the CIA triad.

B)It uses 128-bit addresses C)It has 340 undecillion available addresses IPv6 uses 128-bit IP addresses and allows for the use of 340 undecillion addresses. An IPv6 address uses a mixture of numbers and alphanumeric characters. IPv4 uses 32-bit addresses and allows for the use of 4 billion addresses. Internet Protocol (IP) is one of the protocols included in the Transmission Control Protocol/Internet Protocol (TCP/IP).

Your company currently uses IPv4 addresses on its network. You need to convince your organization to start using IPv6 addresses. Which two reasons for changing should you give management? (Choose two.) A)It has 4 billion available addresses B)It uses 128-bit addresses C)It has 340 undecillion available addresses D)It uses 32-bit addresses

C) DNS You should use the DNS log in Event Viewer to view events on host name registrations. You should log DNS entries so that you can watch for unauthorized DNS clients or servers. Without a DNS log, you would be unable to discover how long an entry was being used. None of the other logs will contain this type of information. The Application log contains events logged by applications. The Security log contains events based on the auditing configuration. Only administrators can configure and view auditing. The System log contains events logged by computer system components.

Your company has been having problems with its host name registrations. You have been asked to determine the problem. You need to view events on host name registrations. Which log in Event Viewer should you view? A) Security B) Application C) DNS D) System

D)Antenna placement E)Access point power F)Antenna selection Antenna selection (such as the use of directional versus omnidirectional antennas) plays an important role in protecting a wireless network. Using a directional antenna can limit the area that is covered by the antenna. Antenna placement will also have an effect on the vulnerabilities of a wireless system. Antennas should be placed as far away from exterior walls as possible. Otherwise, the signal will go outside the building. This allows anyone outside the building to attach to your network. That is why RADIUS and other technologies are required for wireless networks. The power of the access points should be adjusted to a level that is just strong enough for the operation of the network, but not so strong that signals escape to the outside of the building. You should reduce power levels for better security to ensure that the signal does not extend beyond its needed range. The number of users and the speed of the connection will not cause external vulnerabilities to a wireless system. The number of user addresses is, however, a cause of external vulnerabilities. Captive portals are a type of wireless access point that only permits Internet access to authenticated users. While an organization may want to deploy this solution, it is not necessary to assess this as an external vulnerability. You should ensure that any wireless network that you deploy is properly protected from unauthorized users. Usually this just involves deploying the network using the WPA or WPA2 protocol. If you use WEP, unauthorized users can easily gain access to your network. You should also be careful as to which internal resources are connected to the wireless network without deploying the appropriate security hardware, such as a firewall.

Your company has decided to deploy a new wireless network at a branch office. This branch office is located in a busy commercial district. Management has asked you to fully assess the external vulnerabilities of the wireless network before it is deployed. Which three conditions should you assess? (Choose three.) A)Captive portals B)Number of users C)Speed of connection D)Antenna placement E)Access point power F)Antenna selection

D) a signature file To determine whether a file is infected with a virus, a virus scanner application compares that file to a signature file. Signature files contain information about viruses, such as examples of virus code and the types of files that a particular virus infects. A hashing algorithm can be used to produce a checksum, which is sometimes referred to as a message digest. After a message digest is created for a file, if the file needs to be checked for modification, then a second message digest can be created and compared to the original. If the two messages match, then the file was not modified. A private key is used in symmetric and asymmetric encryption. A private key should be kept secret.

Your company has recently implemented a new virus scanner application to prevent virus infections on all of the company computers. Management requests that you provide information on how the virus scanner application will protect the computers. What does this application use to detect viruses? A) a checksum B) a message digest C) a private key D) a signature file

You should deploy spanning tree protocol (STP). The primary loop protection on an Ethernet network is STP. The problem with looping is the waste of network throughput capacity. STP can help mitigate the risk of Layer 2 switches in the network suffering from a DoS style attack caused by staff incorrectly cabling network connections between switches. Time To Live (TTL) is the primary loop protection on an IP network. Flood guards are devices that protect against Denial of Service (DoS) attacks. Network separation is a technique that is used to prevent network bridging. Network bridging can cause performance issues in the network. You can employ network separation by using routers or firewalls to implement IP subnets. Often routers or switches are the main network devices on an Ethernet network. Switches are considered more secure than routers. Secure router configuration is a must when routers are deployed. A secure router configuration is one where malicious or unauthorized route changes are prevented. To do this, complete the following steps: - Configure the router's administrator password to something unique and secret. - Configure the router to ignore all Internet Control Message Protocol (ICMP) type 5 redirect messages. - Implement a secure routing protocol that requires authentication and data encryption to exchange route data. - Configure the router with the IP addresses of other trusted routers with which routing data can be exchanged.

Your company implements an Ethernet network. During a recent analysis, you discover that network throughput capacity has been wasted as a result of the lack of loop protection. What should you deploy to prevent this problem? A) STP B) TTL C) flood guards D) network separation

C) routers The ACLs should be deployed on the routers. The ACLs will improve network security by confining sensitive data traffic to computers on a specific subnet. By implementing ACLs and rules, you can ensure that a secure router configuration is implemented, which will protect the routers and the subnets they manage. Firewalls are typically deployed on the public network interfaces. They typically are not involved in any internal traffic. Therefore, deployment ACLs on firewalls would not confine sensitive internal data traffic to computers on a specific subnet. A firewall is classified as a rule-based access control device. Rules are configured on the firewall to allow or deny packet passage from one network to another. Hubs are typically deployed to connect hosts in a network. Active hubs provide signal regeneration, while passive hubs do not. Hubs do not provide the ability to configure ACLs. Modems are typically deployed to provide phone line connections. Modems cannot control internal data traffic. However, they can provide security on the phone line connection. Another valid answer to the question that was not given is a switch. Switches are typically deployed to create virtual local area networks (VLANs). The switch isolates the VLAN from the rest of the network to provide better security for the VLAN.

Your manager has asked you to improve network security by confining sensitive internal data traffic to computers on a specific subnet using access control lists (ACLs). Where should the ACLs be deployed? A) modems B) firewalls C) routers D) hubs