Network and Communications Security (Domain 6)


What speed is Category 3 UTP cable rated for?
5 Mbps
10 Mbps
100 Mbps
1000 Mbps

10 Mbps. Category 3 UTP cable is primarily used for phone cables and was also used for early Ethernet networks where it provided 10 Mbps of throughput. Cat 5 cable provides 100 Mbps (and 1000 Mbps if it is Cat 5e). Cat 6 cable can also provide 1000 Mbps.

Ben has deployed a 1000BaseT 1 gigabit network and needs to run a cable to another building. If Ben is running his link directly from a switch to another switch in that building, what is the maximum distance Ben can cover according to the 1000BaseT specification?
2 kilometers
500 meters
185 meters
100 meters

100 meters. 1000BaseT is capable of a 100-meter run according to its specifications. For longer distances, a fiber-optic cable is typically used in modern networks.

Lauren wants to provide port-based authentication on her network to ensure that clients must authenticate before using the network. What technology is an appropriate solution for this requirement?
802.11a
802.3
802.15.1
802.1x

802.1x provides port-based authentication and can be used with technologies like EAP, the Extensible Authentication Protocol. 802.11a is a wireless standard, 802.3 is the standard for Ethernet, and 802.15.1 was the original Bluetooth IEEE standard.

What network topology is shown in the following image?
A ring
A star
A bus
A mesh

A bus can be linear or tree-shaped and connects each system to trunk or backbone cable. Ethernet networks operate on a bus topology.

What network technology is best described as a token-passing network that uses a pair of rings with traffic flowing in opposite directions?
A ring topology
Token Ring
FDDI
SONET

FDDI, or Fiber Distributed Data Interface, is a token-passing network that uses a pair of rings with traffic flowing in opposite directions. It can bypass broken segments by dropping the broken point and using the second, unbroken ring to continue to function. Token Ring also uses tokens, but it does not use a dual loop. SONET is a protocol for sending multiple optical streams over fiber, and a ring topology is a design, not a technology.

During a port scan using nmap, Joseph discovers that a system shows two ports open that cause him immediate worry:
21/open
23/open
What services are likely running on those ports?
SSH and FTP
FTP and Telnet
SMTP and Telnet
POP3 and SMTP

FTP and Telnet. Joseph may be surprised to discover FTP (TCP port 21) and Telnet (TCP port 23) open on his network since both services are unencrypted and have been largely replaced by SSH, and SCP or SFTP. SSH uses port 22, SMTP uses port 25, and POP3 uses port 110.

Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?
It can help identify rogue devices.
It can test the security of the wireless network via scripted attacks.
Their short dwell time on each wireless channel can allow them to capture more packets.
They can help test wireless IDS or IPS systems.

It can help identify rogue devices. Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.

Which OSI layer includes electrical specifications, protocols, and interface standards?
The Transport layer
The Device layer
The Physical layer
The Data Link layer

The Physical layer. The Physical layer includes electrical specifications, protocols, and standards that allow control of throughput, handling line noise, and a variety of other electrical interface and signaling requirements. The OSI model doesn't have a Device layer. The Transport layer connects the Network and Session layers, and the Data Link layer packages packets from the Network layer for transmission and receipt by devices operating on the Physical layer.

Match each of the numbered TCP ports listed with the associated lettered protocol provided:
TCP ports:
23
25
143
515
Protocols:
A. SMTP
B. LPD
C. IMAP
D. Telnet

The TCP ports match with the protocols as follows:
TCP port 23: D. Telnet
TCP port 25: A. SMTP
TCP port 143: C. IMAP
TCP port 515: B. LPD

Segmentation, sequencing, and error checking all occur at what layer of the OSI model that is associated with SSL, TLS, and UDP?
The Transport layer
The Network layer
The Session layer
The Presentation layer

The Transport layer. The Transport layer provides logical connections between devices, including end-to-end transport services to ensure that data is delivered. Transport layer protocols include TCP, UDP, SSL, and TLS.

In the OSI model, when a packet changes from a datastream to a segment or a datagram, what layer has it traversed?
The Transport layer
The Application layer
The Data Link layer
The Physical layer

The Transport layer. When a data stream is converted into a segment (TCP) or a datagram (UDP), it transitions from the Session layer to the Transport layer. This change from a message sent to an encoded segment allows it to then traverse the Network layer.

WPA2's Counter Mode Cipher Block Chaining Message Authentication Mode Protocol (CCMP) is based on which common encryption scheme?
DES
3DES
AES
TLS

AES. WPA2's CCMP encryption scheme is based on AES. As of the writing of this book, there have not been any practical real-world attacks against WPA2. DES has been successfully broken, and neither 3DES nor TLS is used for WPA2.

Place the layers of the OSI model shown here in the appropriate order, from layer 1 to layer 7.
A. Application
B. Data Link
C. Network
D. Physical
E. Presentation
F. Session
G. Transport

The OSI layers in order from layer 1 to layer 7 are:
D. Physical
B. Data Link
C. Network
G. Transport
F. Session
E. Presentation
A. Application

One of Susan's attacks during a penetration test involves inserting false ARP data into a system's ARP cache. When the system attempts to send traffic to the address it believes belongs to a legitimate system, it will instead send that traffic to a system she controls. What is this attack called?
RARP flooding
ARP cache poisoning
A denial-of-ARP attack
ARP buffer blasting

ARP cache poisoning. ARP cache poisoning occurs when false ARP data is inserted into a system's ARP cache, allowing the attacker to modify its behavior. RARP flooding, denial-of-ARP attacks, and ARP buffer blasting are all made-up terms.

Lauren's and Nick's PCs simultaneously send traffic by transmitting at the same time. What network term describes the range of systems on a network that could be affected by this same issue?
The subnet
The supernet
A collision domain
A broadcast domain

A collision domain is the set of systems that could cause a collision if they transmitted at the same time. Systems outside a collision domain cannot cause a collision if they send at the same time. This is important, as the number of systems in a collision domain increases the likelihood of network congestion due to an increase in collisions. A broadcast domain is the set of systems that can receive a broadcast from each other. A subnet is a logical division of a network, while a supernet is made up of two or more networks.

Arnold is receiving reports from end users that their Internet connections are extremely slow. He looks at the firewall and determines that there are thousands of unexpected inbound connections per second arriving from all over the world. What type of attack is most likely occurring?
A worm
A denial-of-service attack
A virus
A smurf attack

A denial-of-service attack is an attack that causes a service to fail or to be unavailable. Exhausting a system's resources to cause a service to fail is a common form of denial-of-service attack. A worm is a self-replicating form of malware that propagates via a network, a virus is a type of malware that can copy itself to spread, and a smurf attack is a distributed denial-of-service (DDoS) that spoofs a victim's IP address to systems using an IP broadcast, resulting in traffic from all of those systems to the target.

What type of attack is most likely to occur after a successful ARP spoofing attempt?
A DoS attack
A Trojan
A replay attack
A man-in-the-middle attack

A man-in-the-middle attack. ARP spoofing is often done to replace a target's cache entry for a destination IP, allowing the attacker to conduct a man-in-the-middle attack. A denial-of-service attack would be aimed at disrupting services rather than spoofing an ARP response, a replay attack will involve existing sessions, and a Trojan is malware that is disguised in a way that makes it look harmless.

What type of key does WEP use to encrypt wireless communications?
An asymmetric key
Unique key sets for each host
A predefined shared static key
Unique asymmetric keys for each host

A predefined shared static key. WEP has a weak security model that relies on a single, predefined, shared static key. This means that modern attacks can break WEP encryption in less than a minute.

What network tool can be used to protect the identity of clients while providing Internet access by accepting client requests, altering the source addresses of the requests, mapping requests to clients, and sending the modified requests out to their destination?
A gateway
A proxy
A router
A firewall

A proxy. A proxy is a form of gateway that provides clients with a filtering, caching, or other service that protects their information from remote systems. A router connects networks, while a firewall uses rules to limit traffic permitted through it. A gateway translates between protocols.

What network topology is shown in the following image?
A ring
A bus
A star
A mesh

A ring. A ring connects all systems like points on a circle. A ring topology was used with Token Ring networks, and a token was passed between systems around the ring to allow each system to communicate. More modern networks may be described as a ring but are only physically a ring and not logically using a ring topology.

In her role as an information security professional, Susan has been asked to identify areas where her organization's wireless network may be accessible even though it isn't intended to be. What should Susan do to determine where her organization's wireless network is accessible?
A site survey
Warwalking
Wardriving
A design map

A site survey. Wardriving and warwalking are both processes used to locate wireless networks but are not typically as detailed and thorough as a site survey, and design map is a made-up term.

Chris needs to design a firewall architecture that can support a DMZ, a database, and a private internal network in a secure manner that separates each function. What type of design should he use, and how many firewalls does he need?
A four-tier firewall design with two firewalls
A two-tier firewall design with three firewalls
A three-tier firewall design with at least one firewall
A single-tier firewall design with three firewalls

A three-tier firewall design with at least one firewall. A three-tier design separates three distinct protected zones and can be accomplished with a single firewall that has multiple interfaces. Single- and two-tier designs don't support the number of protected networks needed in this scenario, while a four-tier design would provide a tier that isn't needed.

What type of firewall design does the following image show?
A single-tier firewall
A two-tier firewall
A three-tier firewall
A fully protected DMZ firewall

A two-tier firewall. A two-tier firewall uses a firewall with multiple interfaces or multiple firewalls in series. This image shows a firewall with two protected interfaces, with one used for a DMZ and one used for a protected network. This allows traffic to be filtered between each of the zones (Internet, DMZ, and private network).

Chris is designing layered network security for his organization. What type of firewall design is shown in the diagram?
A single-tier firewall
A two-tier firewall
A three-tier firewall
A four-tier firewall

A two-tier firewall. The firewall in the diagram has two protected zones behind it, making it a two-tier firewall design.

When a host on an Ethernet network detects a collision and transmits a jam signal, what happens next?
The host that transmitted the jam signal is allowed to retransmit while all other hosts pause until that transmission is received successfully.
All hosts stop transmitting, and each host waits a random period of time before attempting to transmit again.
All hosts stop transmitting, and each host waits a period of time based on how recently it successfully transmitted.
Hosts wait for the token to be passed and then resume transmitting data as they pass the token.

All hosts stop transmitting, and each host waits a random period of time before attempting to transmit again. Ethernet networks use Carrier-Sense Multiple Access/Collision Detection (CSMA/CD) technology. When a collision is detected and a jam signal is sent, hosts wait a random period of time before attempting retransmission.

Chris is designing layered network security for his organization. If Chris wants to stop cross-site scripting attacks against the web server, what is the best device for this purpose, and where should he put it?
A firewall, location A
An IDS, location A
An IPS, location B
A WAF, location C

An IPS, location B. An intrusion prevention system can scan traffic and stop both known and unknown attacks. A web application firewall, or WAF, is also a suitable technology, but placing it at location C would only protect from attacks via the organization's VPN, which should only be used by trusted users. A firewall typically won't have the ability to identify and stop cross-site scripting attacks, and IDS systems only monitor and don't stop attacks.

Please refer to a stateful inspection firewall running the rulebase shown here. What value should be used to fill in the source port for rule 3?
25
465
80
Any

Any. The firewall should be configured to accept inbound connections from any port selected by the source system. The vast majority of inbound firewall rules allow access from any source port.

What type of firewall is capable of inspecting traffic at layer 7 and performing protocol-specific analysis for malicious traffic?
Application firewall
Stateful inspection firewall
Packet filtering firewall
Bastion host

Application firewalls add layer 7 functionality to other firewall solutions. This includes the ability to inspect Application-layer details such as analyzing HTTP, DNS, FTP, and other application protocols.

The DARPA TCP/IP model's Application layer matches up to what three OSI model layers?
Application, Presentation, and Transport
Presentation, Session, and Transport
Application, Presentation, and Session
There is not a direct match. The TCP model was created before the OSI model.

Application, Presentation, and Session. The DARPA TCP/IP model was used to create the OSI model, and the designers of the OSI model made sure to map the OSI model layers to it. The Application layer of the TCP model maps to the Application, Presentation, and Session layers, while the TCP and OSI models both have a distinct Transport layer.

John's network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated?
Availability
Integrity
Confidentiality
Denial

Availability. A smurf attack is an example of a denial-of-service attack, which jeopardizes the availability of a targeted network.

Which information security goal is impacted when an organization experiences a DoS or DDoS attack?
Confidentiality
Integrity
Availability
Denial

Availability. Denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.

Lisa is attempting to prevent her network from being targeted by IP spoofing attacks as well as preventing her network from being the source of those attacks. Which one of the following rules is not a best practice that Lisa can configure at her network border?
Block packets with internal source addresses from entering the network.
Block packets with external source addresses from leaving the network.
Block packets with private IP addresses from exiting the network.
Block packets with public IP addresses from entering the network.

Block packets with public IP addresses from entering the network. This question is asking you to identify the blocking rule that should not be set on the firewall. Packets with public IP addresses will routinely be allowed to enter the network, so you should not create a rule to block them, making this the correct answer. Packets with internal source addresses should never originate from outside the network, so they should be blocked from entering the network. Packets with external source addresses should never be found on the internal network, so they should be blocked from leaving the network. Finally, private IP addresses should never be used on the Internet, so packets containing private IP addresses should be blocked from leaving the network.

During a penetration test, Lauren is asked to test the organization's Bluetooth security. Which of the following is not a concern she should explain to her employers?
Bluetooth scanning can be time-consuming.
Many devices that may be scanned are likely to be personal devices.
Bluetooth passive scans may require multiple visits at different times to identify all targets.
Bluetooth active scans can't evaluate the security mode of Bluetooth devices.

Bluetooth active scans can't evaluate the security mode of Bluetooth devices. Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in. Unfortunately, Bluetooth scans can be challenging because of the limited range of Bluetooth and the prevalence of personally owned Bluetooth-enabled devices. Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.

Which of the following is not a potential problem with active wireless scanning?
Accidentally scanning apparent rogue devices that actually belong to guests
Causing alarms on the organization's wireless IPS
Scanning devices that belong to nearby organizations
Misidentifying rogue devices

Causing alarms on the organization's wireless IPS. Not only should active scanning be expected to cause wireless IPS alarms, but they may actually be desired if the test is done to test responses. Accidentally scanning guests or neighbors or misidentifying devices belonging to third parties are all potential problems with active scanning and require the security assessor to carefully verify the systems that she is scanning.

During troubleshooting, Chris uses the nslookup command to check the IP address of a host he is attempting to connect to. The IP he sees in the response is not the IP that should resolve when the lookup is done. What type of attack has likely been conducted?
DNS spoofing
DNS poisoning
ARP spoofing
A Cain attack

DNS poisoning. DNS poisoning occurs when an attacker changes the domain name to IP address mappings of a system to redirect traffic to alternate systems. DNS spoofing occurs when an attacker sends false replies to a requesting system, beating valid replies from the actual DNS server. ARP spoofing provides a false hardware address in response to queries about an IP, and Cain & Abel is a powerful Windows hacking tool, but a Cain attack is not a specific type of attack.

What technology could Lauren's employer implement to help prevent confidential data from being emailed out of the organization?
DLP
IDS
A firewall
UDP

DLP. A data loss prevention (DLP) system or software is designed to identify labeled data or data that fits specific patterns and descriptions to help prevent it from leaving the organization. An IDS is designed to identify intrusions. Although some IDS systems can detect specific types of sensitive data using pattern matching, they have no ability to stop traffic. A firewall uses rules to control traffic routing, while UDP is a network protocol.

What does a bluesnarfing attack target?
Data on IBM systems
An outbound phone call via Bluetooth
802.11b networks
Data from a Bluetooth-enabled device

Data from a Bluetooth-enabled device. Bluesnarfing targets the data or information on Bluetooth-enabled devices. Bluejacking occurs when attackers send unsolicited messages via Bluetooth.

Which of the following does not describe data in motion?
Data on a backup tape that is being shipped to a storage facility
Data in a TCP packet
Data in an e-commerce transaction
Data in files being copied between locations

Data on a backup tape that is being shipped to a storage facility. The correct answer is the tape that is being shipped to a storage facility. You might think that the tape in shipment is "in motion," but the key concept is that the data is not being accessed and is instead in storage. Data in a TCP packet, in an e-commerce transaction, or in local RAM is in motion and is actively being used.

Ben has configured his network to not broadcast an SSID. Why might Ben disable SSID broadcast, and how could his SSID be discovered?
Disabling SSID broadcast prevents attackers from discovering the encryption key. The SSID can be recovered from decrypted packets.
Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can be discovered using a wireless sniffer.
Disabling SSID broadcast prevents issues with beacon frames. The SSID can be recovered by reconstructing the BSSID.
Disabling SSID broadcast helps avoid SSID conflicts. The SSID can be discovered by attempting to connect to the network.

Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can be discovered using a wireless sniffer. Disabling SSID broadcast can help prevent unauthorized personnel from attempting to connect to the network. Since the SSID is still active, it can be discovered by using a wireless sniffer. Encryption keys are not related to SSID broadcast, beacon frames are used to broadcast the SSID, and it is possible to have multiple networks with the same SSID.

Ben is troubleshooting a network and discovers that the NAT router he is connected to has the 192.168.x.x subnet as its internal network and that its external IP is 192.168.1.40. What problem is he encountering?
192.168.x.x is a nonroutable network and will not be carried to the Internet.
192.168.1.40 is not a valid address because it is reserved by RFC 1918.
Double NATing is not possible using the same IP range.
The upstream system is unable to de-encapsulate his packets, and he needs to use PAT instead.

Double NATing isn't possible with the same IP range; the same IP addresses cannot appear inside and outside a NAT router. RFC 1918 addresses are reserved, but only so they are not used and routable on the Internet, and changing to PAT would not fix the issue.

Please refer to a stateful inspection firewall running the rulebase shown here. What type of server is running at IP address 10.1.0.26?
Email
Web
FTP
Database

Email. SMTP uses ports 25 and 465. The presence of an inbound rule allowing SMTP traffic indicates that this is an email server.

What topology correctly describes Ethernet?
A ring
A star
A mesh
A bus

Ethernet uses a bus topology. While devices may be physically connected to a switch in a physical topology that looks like a star, systems using Ethernet can all transmit on the bus simultaneously, possibly leading to collisions.

Kim is troubleshooting an application firewall that serves as a supplement to the organization's network and host firewalls and intrusion prevention system, providing added protection against web-based attacks. The issue the organization is experiencing is that the firewall technology suffers somewhat frequent restarts that render it unavailable for 10 minutes at a time. What configuration might Kim consider to maintain availability during that period at the lowest cost to the company?
High availability cluster
Failover device
Fail open
Redundant disks

Fail open. A fail open configuration may be appropriate in this case. In this configuration, the firewall would continue to pass traffic without inspection while it is restarting. This would minimize downtime, and the traffic would still be protected by the other security controls described in the scenario. Failover devices and high availability clusters would indeed increase availability, but at potentially significant expense. Redundant disks would not help in this scenario because no disk failure is described.

Jim is building a research computing system that benefits from being part of a full mesh topology between systems. In a five-node full mesh topology design, how many connections will an individual node have?
Two
Three
Four
Five

Four. A full mesh topology directly connects each machine to every other machine on the network. For five systems, this means four connections per system.

What network topology is shown here?
A ring
A bus
A star
A mesh

Fully connected mesh networks provide each system with a direct physical link to every other system in the mesh. This is expensive but can provide performance advantages for specific types of computational work.

Lauren's organization has used a popular messaging service for a number of years. Recently, concerns have been raised about the use of messaging. Using the following diagram, answer questions 29-31 about messaging. What protocol is the messaging traffic most likely to use based on the diagram?
SLACK
HTTP
SMTP
HTTPS

HTTP. The use of TCP port 80 indicates that the messaging service is using the HTTP protocol. Slack is a messaging service that runs over HTTPS, which uses port 443. SMTP is an email protocol that uses port 25.

Chris uses a cellular hot spot (modem) to provide Internet access when he is traveling. If he leaves the hot spot connected to his PC while his PC is on his organization's corporate network, what security issue might he cause?
Traffic may not be routed properly, exposing sensitive data.
His system may act as a bridge from the Internet to the local network.
His system may be a portal for a reflected DDoS attack.
Security administrators may not be able to determine his IP address if a security issue occurs.

His system may act as a bridge from the Internet to the local network. When a workstation or other device is connected simultaneously to both a secure and a nonsecure network like the Internet, it may act as a bridge, bypassing the security protections located at the edge of a corporate network. It is unlikely that traffic will be routed improperly leading to the exposure of sensitive data, as traffic headed to internal systems and networks is unlikely to be routed to the external network. Reflected DDoS attacks are used to hide identities rather than to connect through to an internal network, and security administrators of managed systems should be able to determine both the local and wireless IP addresses his system uses.

Lauren uses the ping utility to check whether a remote system is up as part of a penetration testing exercise. If she does not want to see her own ping packets, what protocol should she filter out from her packet sniffer's logs?
UDP
TCP
IP
ICMP

ICMP. Ping uses ICMP, the Internet Control Message Protocol, to determine whether a system responds and how many hops there are between the originating system and the remote system. Lauren simply needs to filter out ICMP to not see her pings.

Which one of the following security tools is not capable of generating an active response to a security event?
IPS
Firewall
IDS
Antivirus software

IDS. Intrusion detection systems (IDSs) provide only passive responses, such as alerting administrators to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.

Lauren's organization has used a popular messaging service for a number of years. Recently, concerns have been raised about the use of messaging. Using the following diagram, answer questions 29-31 about messaging. How could Lauren's company best address a desire for secure messaging for users of internal systems A and C?
Use a third-party messaging service.
Implement and use a locally hosted service.
Use HTTPS.
Discontinue use of messaging and instead use email, which is more secure.

Implement and use a locally hosted service. If a business need requires messaging, using a local messaging server is the best option. This prevents traffic from traveling to a third-party server and can offer additional benefits such as logging, archiving, and control of security options like the use of encryption.

Please refer to a stateful inspection firewall running the rulebase shown here. Which one of the following rules is not shown in the rulebase but will be enforced by the firewall?
Stealth
Implicit deny
Connection proxy
Egress filter

Implicit deny. All stateful inspection firewalls enforce an implicit deny rule as the final rule of the rulebase. It is designed to drop all inbound traffic that was not accepted by an earlier rule. Stealth rules hide the firewall from external networks, but they are not included by default. This firewall does not contain any egress filtering rules, and egress filtering is not enforced by default. Connection proxying is an optional feature of stateful inspection firewalls and would not be enforced without a rule explicitly implementing it.

Chris is building an Ethernet network and knows that he needs to span a distance of more than 150 meters with his 1000BaseT network. What network technology should he use to help with this?
Install a repeater or a concentrator before 100 meters.
Use Category 7 cable, which has better shielding for higher speeds.
Install a gateway to handle the distance.
Use STP cable to handle the longer distance at high speeds.

Install a repeater or a concentrator before 100 meters. A repeater or concentrator will amplify the signal, ensuring that the 100-meter distance limitation of 1000BaseT is not an issue. A gateway would be useful if network protocols were changing, while Cat7 cable is appropriate for a 10Gbps network at much shorter distances. STP cable is limited to 155 Mbps and 100 meters, which would leave Chris with network problems.

Lauren's organization has used a popular messaging service for a number of years. Recently, concerns have been raised about the use of messaging. Using the following diagram, answer questions 29-31 about messaging. What security concern does sending internal communications from A to B raise?
The firewall does not protect system B.
System C can see the broadcast traffic from system A to B.
It is traveling via an unencrypted protocol.
Messaging does not provide nonrepudiation.

It is traveling via an unencrypted protocol. HTTP traffic is typically sent via TCP 80. Unencrypted HTTP traffic can be easily captured at any point between A and B, meaning that the messaging solution chosen does not provide confidentiality for the organization's corporate communications.

Which of the following options includes standards or protocols that exist in layer 6 of the OSI model?
NFS, SQL, and RPC
TCP, UDP, and TLS
JPEG, ASCII, and MIDI
HTTP, FTP, and SMTP

JPEG, ASCII, and MIDI. Layer 6, the Presentation layer, transforms data from the Application layer into formats that other systems can understand by formatting and standardizing the data. That means that standards like JPEG, ASCII, and MIDI are used at the Presentation layer for data. TCP, UDP, and TLS are used at the Transport layer; NFS, SQL, and RPC operate at the Session layer; and HTTP, FTP, and SMTP are Application layer protocols.

The Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) operate at what layer of the OSI model? Layer 1 Layer 2 Layer 3 Layer 4

Layer 2. ARP and RARP operate at the Data Link layer, the second layer of the OSI model. Both protocols deal with physical (MAC) hardware addresses, which are used above the Physical layer (layer 1) and below the Network layer (layer 3), thus falling at the Data Link layer.

SMTP, HTTP, and SNMP all occur at what layer of the OSI model? Layer 4 Layer 5 Layer 6 Layer 7

Layer 7. Application-specific protocols are handled at layer 7, the Application layer of the OSI model.

In what type of attack do attackers manage to insert themselves into a connection between a user and a legitimate website? Man-in-the-middle Fraggle Wardriving Meet-in-the-middle

Man-in-the-middle. In a man-in-the-middle attack, attackers manage to insert themselves into a connection between a user and a legitimate website, relaying traffic between the two parties while eavesdropping on the connection. Although similarly named, the meet-in-the-middle attack is a cryptographic attack that does not necessarily involve connection tampering. Fraggle is a network-based denial-of-service attack using UDP packets. Wardriving is a reconnaissance technique for discovering open or weakly secured wireless networks.

John deploys his website to multiple regions using load balancers around the world through his cloud infrastructure as a service provider. What availability concept is he using? Multiple processing sites Warm sites Cold sites A honeynet

Multiple processing sites. John's design provides multiple processing sites, distributing load to multiple regions. Not only does this provide business continuity and disaster recovery functionality, but it also means that his design will be more resilient to denial-of-service attacks.

During a review of her organization's network, Angela discovered that it was suffering from broadcast storms and that contractors, guests, and organizational administrative staff were on the same network segment. What design change should Angela recommend? Require encryption for all users. Install a firewall at the network border. Enable spanning tree loop detection. Segment the network based on functional requirements.

Network segmentation can reduce issues with performance as well as diminish the chance of broadcast storms by limiting the number of systems in a segment. This decreases broadcast traffic visible to each system and can reduce congestion. Segmentation can also help provide security by separating functional groups who don't need to be able to access each other's systems. Installing a firewall at the border would only help with inbound and outbound traffic, not cross-network traffic. Spanning tree loop prevention helps prevent loops in Ethernet networks (for example, when you plug a switch into a switch via two ports on each), but it won't solve broadcast storms that aren't caused by a loop or security issues. Encryption might help prevent some problems between functional groups, but it won't stop them from scanning other systems, and it definitely won't stop a broadcast storm!

There are four common VPN protocols. Which group listed contains all of the common VPN protocols? PPTP, LTP, L2TP, IPsec PPP, L2TP, IPsec, VNC PPTP, L2F, L2TP, IPsec PPTP, L2TP, IPsec, SPAP

PPTP, L2F, L2TP, IPsec. PPTP, L2F, L2TP, and IPsec are the most common VPN protocols. TLS is also used for an increasingly large percentage of VPN connections and may appear at some point in the CISSP® exam. PPP is a dial-up protocol, LTP is not a protocol, and SPAP is the Shiva Password Authentication Protocol sometimes used with PPTP.

Which one of the following protocols is commonly used to provide backend authentication services for a VPN? HTTPS RADIUS ESP AH

RADIUS. The Remote Authentication Dial-in User Service (RADIUS) protocol was originally designed to support dial-up modem connections but is still commonly used for VPN-based authentication. HTTPS is not an authentication protocol. ESP and AH are IPsec protocols but do not provide authentication services for other systems.

Sarah is manually reviewing a packet capture of TCP traffic and finds that a system is setting the RST flag in the TCP packets it sends repeatedly during a short period of time. What does this flag mean in the TCP packet header? RST flags mean "Rest." The server needs traffic to briefly pause. RST flags mean "Relay-set." The packets will be forwarded to the address set in the packet. RST flags mean "Resume Standard." Communications will resume in their normal format. RST means "Reset." The TCP session will be disconnected.

RST means "Reset." The TCP session will be disconnected. The RST flag is used to reset or disconnect a session. It can be resumed by restarting the connection via a new three-way handshake.

During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to fail in her password-cracking efforts? Use of WPA2 encryption Running WPA2 in Enterprise mode Use of WEP encryption Running WPA2 in PSK mode

Running WPA2 in Enterprise mode. WPA2 Enterprise uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail, as password attempts for a given user may result in account lockout. WPA2 encryption will not stop a password attack, and WPA2's preshared key mode is specifically targeted by password attacks that attempt to find the key. Not only is WEP encryption outdated, but it can also frequently be cracked quickly by tools like aircrack-ng.

Which of the following sequences properly describes the TCP three-way handshake? SYN, ACK, SYN/ACK PSH, RST, ACK SYN, SYN/ACK, ACK SYN, RST, FIN

SYN, SYN/ACK, ACK. The TCP three-way handshake consists of initial contact via a SYN, or synchronize-flagged packet, which receives a response with a SYN/ACK, or synchronize-and-acknowledge-flagged packet, which is in turn acknowledged by the original sender with an ACK, or acknowledge packet. RST is used in TCP to reset a connection, PSH is used to send data immediately, and FIN is used to end a connection.

A remote access tool that copies what is displayed on a desktop PC to a remote computer is an example of what type of technology? Remote node operation Screen scraping Remote control RDP

Screen scraping. Screen scrapers copy the actual screen displayed and display it at a remote location. RDP provides terminal sessions without doing screen scraping, remote node operation is the same as dial-up access, and remote control is a means of controlling a remote system (screen scraping is a specialized subset of remote control).

What type of firewall design is shown in the following image? Single-tier Two-tier Three-tier Next generation

Single-tier. A single-tier firewall deployment is simple and does not offer useful design options like a DMZ or separate transaction subnets.

Susan sets up a firewall that keeps track of the status of the communication between two systems and allows a remote system to respond to a local system after the local system starts communication. What type of firewall is Susan using? A static packet filtering firewall An application-level gateway firewall A stateful packet inspection firewall A circuit-level gateway firewall

Stateful packet inspection firewalls, also known as dynamic packet filtering firewalls, track the state of a conversation and can allow a response from a remote system based on an internal system being allowed to start the communication. Static packet filtering and circuit-level gateways only filter based on source, destination, and ports, whereas application-level gateway firewalls proxy traffic for specific applications.

What type of networking device is most commonly used to assign endpoint systems to VLANs? Firewall Router Switch Hub

Switch. The assignment of endpoint systems to VLANs is normally performed by a network switch.

Chris is configuring an IDS to monitor for unencrypted FTP traffic. What ports should Chris use in his configuration? TCP 20 and 21 TCP 21 only UDP port 69 TCP port 21 and UDP port 21

TCP 20 and 21. The File Transfer Protocol (FTP) operates on TCP ports 20 and 21. UDP port 69 is used for the Trivial File Transfer Protocol, or TFTP, while UDP port 21 is not used for any common file transfer protocol.

A denial-of-service (DoS) attack that sends fragmented TCP packets is known as what kind of attack? Christmas tree Teardrop Stack killer Frag grenade

Teardrop. A teardrop attack uses fragmented packets to target a flaw in how the TCP stack on a system handles fragment reassembly. If the attack is successful, the TCP stack fails, resulting in a denial of service. Christmas tree attacks set all of the possible TCP flags on a packet, thus "lighting it up like a Christmas tree." Stack killer and frag grenade attacks are made-up answers.

During a forensic investigation, Charles is able to determine the Media Access Control address of a system that was connected to a compromised network. Charles knows that MAC addresses are tied back to a manufacturer or vendor and are part of the fingerprint of the system. To which OSI layer does a MAC address belong? The Application layer The Session layer The Physical layer The Data Link layer

The Data Link layer. MAC addresses and their organizationally unique identifiers are used at the Data Link layer to identify systems on a network. The Application and Session layers don't care about physical addresses, while the Physical layer involves electrical connectivity and handling physical interfaces rather than addressing.

Please refer to a stateful inspection firewall running the rulebase shown here. The system at 15.246.10.1 attempts HTTP and HTTPS connections to the web server running at 10.1.0.50. Which one of the following statements is true about that connection? Both connections will be allowed. Both connections will be blocked. The HTTP connection will be allowed, and the HTTPS connection will be blocked. The HTTP connection will be blocked, and the HTTPS connection will be allowed.

The HTTP connection will be allowed, and the HTTPS connection will be blocked. The HTTP connection will be allowed, despite the presence of rule 2, because it matches rule 1. The HTTPS connection will be blocked because there is no rule allowing HTTPS connections to this server.

The Windows ipconfig command displays the following information: BC-5F-F4-7B-4B-7D What term describes this, and what information can usually be gathered from it? The IP address, the network location of the system The MAC address, the network interface card's manufacturer The MAC address, the media type in use The IPv6 client ID, the network interface card's manufacturer

The MAC address, the network interface card's manufacturer. Media Access Control (MAC) addresses are the hardware address the machine uses for layer 2 communications. The MAC addresses include an organizationally unique identifier (OUI), which identifies the manufacturer. MAC addresses can be changed, so this is not a guarantee of accuracy, but under normal circumstances you can tell what manufacturer made the device by using the MAC address.

Match the following numbered wireless attack terms with their appropriate descriptions:

Wireless attack terms: Rogue access point; Replay; Evil twin; War driving

Descriptions:
A. An attack that relies on an access point to spoof a legitimate access point's SSID and Mandatory Access Control (MAC) address
B. An access point intended to attract new connections by using an apparently legitimate SSID
C. An attack that retransmits captured communication to attempt to gain access to a targeted system
D. The process of using detection tools to find wireless networks

The wireless attack terms match with their descriptions as follows:
Rogue access point: B. An access point intended to attract new connections by using an apparently legitimate SSID
Replay: C. An attack that retransmits captured communication to attempt to gain access to a targeted system
Evil twin: A. An attack that relies on an access point to spoof a legitimate access point's SSID and MAC address
War driving: D. The process of using detection tools to find wireless networks

One of the findings that Jim made when performing a security audit was the use of non-IP protocols in a private network. What issue should Jim point out that may result from the use of these non-IP protocols? They are outdated and cannot be used on modern PCs. They may not be able to be filtered by firewall devices. They may allow Christmas tree attacks. IPX extends on the IP protocol and may not be supported by all TCP stacks.

They may not be able to be filtered by firewall devices. While non-IP protocols like IPX/SPX, NetBEUI, and AppleTalk are rare in modern networks, they can present a challenge because many firewalls are not capable of filtering them. This can create risks when they are necessary for an application or system's function because they may have to be passed without any inspection. Christmas tree attacks set all of the possible flags on a TCP packet (and are thus related to an IP protocol), IPX is not an IP-based protocol, and while these protocols are outdated, there are ways to make even modern PCs understand them.

Which one of the following traffic types should not be blocked by an organization's egress filtering policy? Traffic destined to a private IP address Traffic with a broadcast destination Traffic with a source address from an external network Traffic with a destination address on an external network

Traffic with a destination address on an external network. Egress filtering scans outbound traffic for potential security policy violations. This includes traffic with a private IP address as the destination, traffic with a broadcast address as the destination, and traffic that has a falsified source address not belonging to the organization.

Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor, and what traffic will she be able to read? UDP, none. All RADIUS traffic is encrypted. TCP, all traffic but the passwords, which are encrypted UDP, all traffic but the passwords, which are encrypted TCP, none. All RADIUS traffic is encrypted.

UDP, all traffic but the passwords, which are encrypted. By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.

Susan is writing a best practices statement for her organizational users who need to use Bluetooth. She knows that there are many potential security issues with Bluetooth and wants to provide the best advice she can. Which of the following sets of guidance should Susan include? Use Bluetooth's built-in strong encryption, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it's not in active use. Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it's not in active use. Use Bluetooth's built-in strong encryption, use extended (eight digits or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it's not in active use. Use Bluetooth only for those activities that are not confidential, use extended (eight digits or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it's not in active use.

Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it's not in active use. Since Bluetooth doesn't provide strong encryption, it should only be used for activities that are not confidential. Bluetooth PINs are four-digit codes that often default to 0000. Turning it off and ensuring that your devices are not in discovery mode can help prevent Bluetooth attacks.

Sue's organization recently failed a security assessment because their network was a single flat broadcast domain, and sniffing traffic was possible between different functional groups. What solution should she recommend to help prevent the issues that were identified? Use VLANs. Change the subnet mask for all systems. Deploy gateways. Turn on port security.

Use VLANs. A well-designed set of VLANs based on functional groupings will logically separate segments of the network, making it difficult to have data exposure issues between VLANs. Changing the subnet mask will only modify the broadcast domain and will not fix issues with packet sniffing. Gateways would be appropriate if network protocols were different on different segments. Port security is designed to limit which systems can connect to a given port.

Staff from Susan's company often travel internationally. Susan believes that they may be targeted for corporate espionage activities because of the technologies that her company is developing. What practice should Susan recommend that they adopt for connecting to networks while they travel? Only connect to public Wi-Fi. Use a VPN for all connections. Only use websites that support TLS. Do not connect to networks while traveling.

Use a VPN for all connections. While it may be tempting to tell her staff to simply not connect to any network, Susan knows that they will need connectivity to do their work. Using a VPN to connect their laptops and mobile devices to a trusted network and ensuring that all traffic is tunneled through the VPN is her best bet to secure their Internet usage. Susan may also want to ensure that they take "clean" laptops and devices that do not contain sensitive information or documents and that those systems are fully wiped and reviewed when they return.

During a security assessment of a wireless network, Jim discovers that LEAP is in use on a network using WPA. What recommendation should Jim make? Continue to use LEAP. It provides better security than TKIP for WPA networks. Use an alternate protocol like PEAP or EAP-TLS and implement WPA2 if supported. Continue to use LEAP to avoid authentication issues, but move to WPA2. Use an alternate protocol like PEAP or EAP-TLS, and implement Wired Equivalent Privacy to avoid wireless security issues.

Use an alternate protocol like PEAP or EAP-TLS and implement WPA2 if supported. LEAP, the Lightweight Extensible Authentication Protocol, is a Cisco proprietary protocol designed to handle problems with TKIP. Unfortunately, LEAP has significant security issues as well and should not be used. Any modern hardware should support WPA2 and technologies like PEAP or EAP-TLS. Using WEP, the predecessor to WPA and WPA2, would be a major step back in security for any network.

Lauren's organization has deployed VoIP phones on the same switches that the desktop PCs are on. What security issue could this create, and what solution would help? VLAN hopping; use physically separate switches. VLAN hopping; use encryption. Caller ID spoofing; MAC filtering Denial-of-service attacks; use a firewall between networks.

VLAN hopping; use physically separate switches. VLAN hopping between the voice and computer VLANs can be accomplished when devices share the same switch infrastructure. Using physically separate switches can prevent this attack. Encryption won't help with VLAN hopping because it relies on header data that the switch needs to read (and this is unencrypted), while Caller ID spoofing is an inherent problem with VoIP systems. A denial of service is always a possibility, but it isn't specifically a VoIP issue, and a firewall may not stop the problem if it's on a port that must be allowed through.

Chris is setting up a hotel network and needs to ensure that systems in each room or suite can connect to each other, but systems in other suites or rooms cannot. At the same time, he needs to ensure that all systems in the hotel can reach the Internet. What solution should he recommend as the most effective business solution? Per-room VPNs VLANs Port security Firewalls

VLANs. VLANs can be used to logically separate groups of network ports while still providing access to an uplink. Per-room VPNs would create significant overhead for support as well as create additional expenses. Port security is used to limit what systems can connect to ports, but it doesn't provide network security between systems. Finally, while firewalls might work, they would add additional expense and complexity without adding any benefits over a VLAN solution.

Chris is designing layered network security for his organization. If the VPN grants remote users the same access to network and system resources as local workstations have, what security issue should Chris raise? VPN users will not be able to access the web server. There is no additional security issue; the VPN concentrator's logical network location matches the logical network location of the workstations. Web server traffic is not subjected to stateful inspection. VPN users should only connect from managed PCs.

VPN users should only connect from managed PCs. Remote PCs that connect to a protected network need to comply with security settings and standards that match those required for the internal network. The VPN concentrator logically places remote users in the protected zone behind the firewall, but that means user workstations (and users) must be trusted in the same way that local workstations are.

Ben is designing a Wi-Fi network and has been asked to choose the most secure option for the network. Which wireless security standard should he choose? WPA2 WPA WEP AES

WPA2, the replacement for WPA, does not suffer from the security issues that WEP, the original wireless security protocol, and WPA, its successor, both suffer from. AES is used in WPA2 but is not specifically a wireless security standard.
