Security+ Mod 3 Questions

From the list of ports, select two that are used for e-mail. (Select the two best answers.) a)110 b)3389 c)143 d)389

Answer: A and C. Explanation: POP3 uses port 110; IMAP uses port 143; 3389 is used by the Remote Desktop Protocol; and 389 is used by LDAP.

Which of the following requires a baseline? (Select the two best answers.) a)Behavior-based monitoring b)Performance Monitor c)Anomaly-based monitoring d)Signature-based monitoring

Answer: A and C. Explanation: Behavior-based monitoring and anomaly-based monitoring require creating a baseline. Many host-based IDS systems will monitor parts of the dynamic behavior and the state of the computer system. An anomaly-based IDS will classify activities as either normal or anomalous; this will be based on rules instead of signatures. Both behavior-based and anomaly-based monitoring require a baseline to make a comparative analysis. Signature-based monitoring systems do not require this baseline because they are looking for specific patterns or signatures and are comparing them to a database of signatures. Performance Monitor can be used to create a baseline on Windows computers, but it does not necessarily require a baseline.

What are some of the drawbacks to using a HIDS instead of a NIDS on a server? (Select the two best answers.) a)A HIDS may use a lot of resources, which can slow server performance. b)A HIDS cannot detect operating system attacks. c)A HIDS has a low level of detection of operating system attacks. d)A HIDS cannot detect network attacks.

Answer: A and D. Explanation: Host-based intrusion detection systems (HIDSs) run within the operating system of a computer. Because of this, they can slow a computer's performance. Most HIDS do not detect network attacks well (if at all). However, a HIDS can detect operating system attacks and will usually have a high level of detection for those attacks.

One of your co-workers complains to you that he cannot see any security events in the Event Viewer. What are three possible reasons for this? (Select the three best answers.) a)Auditing has not been turned on. b)The log file is only 10 MB. c)The co-worker is not an administrator. d)Auditing for an individual object has not been turned on.

Answer: A, C, and D. Explanation: To audit events on a computer, an administrator would need to enable auditing within the computer's policy, then turn on auditing for an individual object (folder, file, and so on), and then view the events within the Security log of the Event Viewer. The size of the log file won't matter in this case—aside from events being overwritten. However, the person should still be able to see some events if all the other criteria have been met because 10 MB is big enough for many events to be written to it.

Which of the following would you set up in a multifunction SOHO router? a)DMZ b)DOS c)OSI d)ARP

Answer: A. Explanation: A DMZ, or demilitarized zone, can be set up on a SOHO router (in the firewall portion) to create a sort of safe haven for servers. It is neither the LAN nor the Internet, but instead, a location in between the two.

Which of the following should be placed between the LAN and the Internet? a)DMZ b)HIDS c)Domain controller d)Extranet

Answer: A. Explanation: A demilitarized zone, or DMZ, can be placed between the LAN and the Internet; this is known as a back-to-back perimeter configuration. This allows external users on the Internet to access services but segments access to the internal network. In some cases, it will be part of a 3-leg firewall scheme. Host-based intrusion detection systems are placed on an individual computer, usually within the LAN. Domain controllers should be protected and are normally on the LAN as well. An extranet can include parts of the Internet and parts of one or more LANs; normally it connects two companies utilizing the power of the Internet.

What is a device doing when it actively monitors data streams for malicious code? a)Content inspection b)URL filtering c)Load balancing d)NAT

Answer: A. Explanation: A device that is actively monitoring data streams for malicious code is inspecting the content. URL filtering is the inspection of the URL only (for example, https://www.comptia.org). Load balancing is the act of dividing up workload between multiple computers; we'll discuss that more in Chapter 16, "Redundancy and Disaster Recovery." NAT is network address translation, which is often accomplished by a firewall or IP proxy.

Which device's log file will show access control lists and who was allowed access and who wasn't? a)Firewall b)Smartphone c)Performance Monitor d)IP proxy

Answer: A. Explanation: A firewall contains one or more access control lists (ACLs) defining who is enabled to access the network. The firewall can also show attempts at access and whether they succeeded or failed. A smartphone might list who called or e-mailed, but as of the writing of this book does not use ACLs. Performance Monitor analyzes the performance of a computer, and an IP proxy deals with network address translation, hiding many private IP addresses behind one public address. Although the function of an IP proxy is often built into a firewall, the best answer would be firewall.

You have implemented a technology that enables you to review logs from computers located on the Internet. The information gathered is used to find out about new malware attacks. What have you implemented? a)Honeynet b)Protocol analyzer c)Firewall d)proxy

Answer: A. Explanation: A honeynet has been employed. This is a group of computers on the Internet, or on a DMZ (and sometimes on the LAN), that is used to trap attackers and analyze their attack methods, whether they are network attacks or malware attempts. A protocol analyzer captures packets on a specific computer in order to analyze them but doesn't capture logs per se. A firewall is used to block network attacks but not malware. A proxy is used to cache websites and act as a filter for clients.

Jason is a security administrator for a company of 4000 users. He wants to store 6 months of security logs to a logging server for analysis. The reports are required by upper management due to legal obligations but are not time-critical. When planning for the requirements of the logging server, which of the following should not be implemented? a)Performance baseline and audit trails b)Time stamping and integrity of the logs c)Log details and level of verbose logging d)Log storage and backup requirements

Answer: A. Explanation: A performance baseline and audit trails are not necessarily needed. Security logs are usually not performance-oriented. For example, you might get this list from a Windows Server's Security log in the Event Viewer. Auditing this much information could be unfeasible for one person. However, it is important to implement time stamping of the logs and store log details. Before implementing the logging server, Jason should check whether he has enough storage and backup space to meet his requirements.

Which of the following can determine which flags are set in a TCP/IP handshake? a)Protocol analyzer b)Port scanner c)SYN/ACK d)Performance Monitor

Answer: A. Explanation: A protocol analyzer can look inside the packets that make up a TCP/IP handshake. Information that can be viewed includes SYN, which is synchronize sequence numbers, and ACK, which is acknowledgment field significant. Port scanners and Performance Monitor do not have the capability to view flags set in a TCP/IP handshake, nor can they look inside packets in general.

You suspect a broadcast storm on the LAN. Which tool is required to diagnose which network adapter is causing the storm? a)Protocol analyzer b)Firewall c)Port scanner d)Network intrusion detection system e)Port mirror

Answer: A. Explanation: A protocol analyzer should be used to diagnose which network adapter on the LAN is causing the broadcast storm. It is also useful for detecting flooding attacks and fragmented packets. A firewall cannot diagnose attacks perpetuated on a network. A port scanner is used to find open ports on one or more computers. A network intrusion detection system (NIDS) is implemented to locate and possibly quarantine some types of attacks but will not be effective when it comes to broadcast storms. A port mirror copies all packets from one or more ports to the monitoring port. It is preferred if you are doing a diagnosis of a broadcast storm, but it is not required, and may not even be possible in some cases.

You want to reduce network traffic on a particular network segment to limit the amount of user visibility. Which of the following is the best device to use in this scenario? a)Switch b)Hub c)Router d)Firewall

Answer: A. Explanation: A switch can reduce network traffic on a particular network segment. It does this by keeping a table of information about computers on that segment. Instead of broadcasting information to all ports of the switch, the switch selectively chooses where the information goes.

One of the programmers in your organization complains that he can no longer transfer files to the FTP server. You check the network firewall and see that the proper FTP ports are open. What should you check next? a)ACLs b)NIDS c)AV definitions d)FTP permissions

Answer: A. Explanation: Access control lists can stop specific network traffic (such as FTP transfers) even if the appropriate ports are open. A NIDS will detect traffic and report on it but not prevent it. Antivirus definitions have no bearing on this scenario. If the programmer was able to connect to the FTP server, the password should not be an issue. FTP permissions might be an issue, but since you are working in the firewall, you should check the ACL first; then later you can check on the FTP permissions, passwords, and so on.

You receive complaints about network connectivity being disrupted. You suspect that a user connected both ends of a network cable to two different ports on a switch. What can be done to prevent this? a)Loop protection b)DMZ c)VLAN segregation d)Port forwarding

Answer: A. Explanation: Loop protection should be enabled on the switch to prevent the looping that can occur when a person connects both ends of a network cable to the same switch. A DMZ is a demilitarized zone that is used to keep servers in a midway zone between the Internet and the LAN. VLAN segregation (or VLAN separation) is a way of preventing ARP poisoning. Port forwarding refers to logical ports associated with protocols.

You have established a baseline for your server. Which of the following is the best tool to use to monitor any changes to that baseline? a)Performance Monitor b)Anti-spyware c)Antivirus software d)Vulnerability assessments software

Answer: A. Explanation: Performance monitoring software can be used to create a baseline and monitor for any changes to that baseline. An example of this would be the Performance console window within Windows Server. (It is commonly referred to as Performance Monitor.) Antivirus and anti-spyware applications usually go hand-in-hand and are not used to monitor server baselines. Vulnerability assessing software such as Nessus or Nmap is used to see whether open ports and other vulnerabilities are on a server.

Which port number is ultimately used by SCP? a)22 b)23 c)25 d)443

Answer: A. Explanation: SCP (Secure Copy) uses SSH, which runs on port 22 by default. Port 23 is Telnet, port 25 is SMTP, and port 443 is HTTPS (SSL/TLS).

Which of the following is the best option if you are trying to monitor network devices? a)SNMP b)Telnet c)FTPS d)IPsec

Answer: A. Explanation: SNMP (Simple Network Management Protocol) is the best protocol to use to monitor network devices. Telnet is a deprecated protocol that is used to remotely administer network devices. FTPS provides for the secure transmission of files from one computer to another. IPsec is used to secure VPN connections and other IP connections.

The IT director has asked you to install agents on several client computers and monitor them from a program at a server. What is this known as? a)SNMP b)SMTP c)SMP d)Performance Monitor

Answer: A. Explanation: SNMP (Simple Network Management Protocol) is used when a person installs agents on client computers to monitor those systems from a single remote location. SMTP is used by e-mail clients and servers. SMP is symmetric multiprocessing, which is not covered in the Security+ exam objectives. Performance Monitor enables a person to monitor a computer and create performance baselines.

Which of the following statements best describes a static NAT? a)Static NAT uses a one-to-one mapping. b)Static NAT uses a many-to-many mapping. c)Static NAT uses a one-to-many mapping. d)Static NAT uses a many-to-one mapping.

Answer: A. Explanation: Static network address translation normally uses a one-to-one mapping when dealing with IP addresses.

Which port number does the Domain Name System use? a)53 b)80 c)110 d)88

Answer: A. Explanation: The Domain Name System (DNS) uses port 53. Port 80 is used by HTTP; port 110 is used by POP3; and port 88 is used by Kerberos.

Which TCP port does LDAP use? a)389 b)80 c)443 d)143

Answer: A. Explanation: The Lightweight Directory Access Protocol (LDAP) uses port TCP 389. Note: If you are working with secure LDAP, then you will be using port 636. Port 80 is used by HTTP. Port 443 is used by HTTPS. Port 143 is used by IMAP.

You have three e-mail servers. What is it called when one server forwards e-mail to another? a)SMTP relay b)Buffer overflows c)POP3 d)Cookies

Answer: A. Explanation: The SMTP relay is when one server forwards e-mail to other e-mail servers. Buffer overflows are attacks that can be perpetuated on web pages. POP3 is another type of e-mail protocol, and cookies are small text files stored on the client computer that remember information about that computer's session with a website.

You are implementing a testing environment for the development team. They use several virtual servers to test their applications. One of these applications requires that the servers communicate with each other. However, to keep this network safe and private, you do not want it to be routable to the firewall. What is the best method to accomplish this? a)Use a virtual switch. b)Remove the virtual network from the routing table. c)Use a standalone switch. d)Create a VLAN without any default gateway.

Answer: A. Explanation: The virtual switch is the best option. This virtual device will connect the virtual servers together without being routable to the firewall (by default). Removing the virtual network from the routing table is another possibility; but if you have not created a virtual switch yet, it should not be necessary. A physical standalone switch won't be able to connect the virtual servers together; a virtual switch (or individual virtual connections) is required. Creating a VLAN would also require a physical switch. In that scenario, you can have multiple virtual LANs each containing physical computers (not virtual computers), and each working off of the same physical switch. That answer would keep the VLAN from being routable to the firewall, but not virtual servers.

Eric wants to install an isolated operating system. What is the best tool to use? a)Virtualization b)UAC c)HIDS d)NIDS

Answer: A. Explanation: Virtualization enables a person to install operating systems (or applications) in an isolated area of the computer's hard drive, separate from the computer's main operating system.

Which of the following is a security reason to implement virtualization in your network? a)To isolate network services and roles b)To analyze network traffic c)To add network services at lower costs d)To centralize patch management

Answer: A. Explanation: Virtualization of computer servers enables a network administrator to isolate the various network services and roles that a server may play. Analyzing network traffic would have to do more with assessing risk and vulnerability and monitoring and auditing. Adding network services at lower costs deals more with budgeting than with virtualization, although, virtualization can be less expensive. Centralizing patch management has to do with hardening the operating systems on the network scale.

You have been tasked with segmenting internal traffic between layer 2 devices on the LAN. Which of the following network design elements would most likely be used? a)VLAN b)DMZ c)NAT d)Routing

Answer: A. Explanation: You would most likely use a virtual LAN (VLAN). This allows you to segment internal traffic within layer 2 of the OSI model, by using either a protocol-based scheme or a port-based scheme. The DMZ is used to create a safe haven for servers that are accessed by outside traffic. NAT is network address translation, which is a layer 3 option used on routers. Because we are dealing with a layer 2 scenario, routing in general is not necessary.

What are the two ways in which you can stop employees from using USB flash drives? (Select the two best answers.) a)Utilize RBAC. b)Disable USB devices in the BIOS. c)Disable the USB root hub. d)Enable MAC filtering.

Answer: B and C. Explanation: By disabling all USB devices in the BIOS, a user cannot use his flash drive. Also, the user cannot use the device if you disable the USB root hub within the operating system. RBAC, which stands for role-based access control, defines access to networks by the person's role in the organization. MAC filtering is a method of filtering out computers when they attempt to access the network (using the MAC addresses of those computers).

Your boss wants you to properly log what happens on a database server. What are the most important concepts to think about while you do so? (Select the two best answers.) a)The amount of virtual memory that you will allocate for this task b)The amount of disk space you will require c)The information that will be needed to reconstruct events later d)Group Policy information

Answer: B and C. Explanation: It is important to calculate how much disk space you will require for the logs of your database server and verify that you have that much disk space available on the hard drive. It is also important to plan what information will be needed in the case that you need to reconstruct events later. Group Policy information and virtual memory are not important for this particular task.

Of the following, which two security measures should be implemented when logging a server? (Select the two best answers.) a)Cyclic redundancy checks b)The application of retention policies on log files c)Hashing of log files d)Storing of temporary files

Answer: B and C. Explanation: The log files should be retained in some manner either on this computer or on another computer. By hashing the log files, the integrity of the files can be checked even after they are moved. Cyclic redundancy checks, or CRCs, have to deal with the transmission of Ethernet frames over the network. Temporary files are normally not necessary when dealing with log files.

Which of the following protocols allow for the secure transfer of files? (Select the two best answers.) a)SNMP b)SFTP c)TFTP d)SCP e)ICMP

Answer: B and D. Explanation: The Secure FTP (SFTP) and Secure Copy (SCP) protocols provide for the secure transfer of files. The Simple Network Management Protocol (SNMP) is used to monitor various parts of the network. Trivial FTP (TFTP) is not secure by default. The Internet Control Message Protocol (ICMP) is the protocol initiated by ping to invoke responses from other computers.

You have been tasked with protecting an operating system from malicious software. What should you do? (Select the two best answers.) a)Disable the DLP b)Update the HIPS signatures c)Install a perimeter firewall d)Disable unused services e)Update the NIDS signatures

Answer: B and D. Explanation: Updating the host-based intrusion prevention system is important. Without the latest signatures, the HIPS will not be at its best when it comes to protecting against malware. Also, disabling unused services will reduce the attack surface of the OS, which in turn makes it more difficult for attacks to access the system and run malicious code. Disabling the data loss prevention (DLP) device would not aid the situation, and it would probably cause data leakage from the computer. Installing a perimeter firewall won't block malicious software from entering the individual computer. A personal firewall would better reduce the attack surface of the computer, but it is still not meant as an anti-malware tool. Updating the NIDS signatures will help the entire network, but might not help the individual computer. In this question, we want to focus in on the individual computer, not the network. In fact, given the scenario of the question, you do not even know if a network exists.

Which of the following should a security administrator implement to limit web based traffic that is based on the country of origin? (Select the three best answers.) a)AV software b)Proxy server c)Spam filter d)Load balancer e)Firewall f)URL filter g)NIDS

Answer: B, E, and F. Explanation: The security administrator should implement a proxy server, a firewall, and/or a URL filter. These can all act as tools to reduce or limit the amount of traffic based on a specific country. AV software checks for, and quarantines, malware. Spam filters will reduce the amount of spam that an e-mail address or entire e-mail server receives. A load balancer spreads out the network load to various switches, routers, and servers. A NIDS is used to detect anomalies in network traffic.

You are tasked with implementing a solution that encrypts the CEO's laptop. However, you are not allowed to purchase additional hardware or software. Which of the following solutions should you implement? a)HSM b)TPM c)HIDS d)USB encryption

Answer: B. Explanation: A TPM, or trusted platform module, is a chip that resides on the motherboard of the laptop. It generates cryptographic keys that allow the entire disk to be encrypted, as in full disk encryption (FDE). Hardware security modules (HSMs) and USB encryption require additional hardware. A host-based intrusion detection system requires either additional software or hardware.

Which of the following best describes an IPS? a)A system that identifies attacks b)A system that stops attacks in progress c)A system that is designed to attract and trap attackers d)A system that logs attacks for later analysis

Answer: B. Explanation: An IPS (intrusion prevention system) is a system that prevents or stops attacks in progress. A system that only identifies attacks would be an IDS. A system designed to attract and trap attackers would be a honeypot. A system that logs attacks would also be an IDS or one of several other devices or servers.

Which of the following is a record of the tracked actions of users? a)Performance Monitor b)Audit trails c)Permissions d)System and event logs

Answer: B. Explanation: Audit trails are records showing the tracked actions of users. Performance Monitor is a tool in Windows that enables you to track the performance of objects such as CPU, RAM, network adapter, physical disk, and so on. Permissions grant or deny access to resources. To see whether permissions were granted, auditing must be enabled. The System log and other logs record events that happened in other areas of the system—for example, events concerning the operating system, drivers, applications, and so on.

A person attempts to access a server during a zone transfer to get access to a zone file. What type of server is that person trying to manipulate? a)Proxy server b)DNS server c)File server d)Web server

Answer: B. Explanation: DNS servers are the only types of servers listed that do zone transfers. The purpose of accessing the zone file is to find out what hosts are on the network.

Which of the following devices should you employ to protect your network? (Select the best answer.) a)Protocol analyzer b)Firewall c)DMZ d)Proxy server

Answer: B. Explanation: Install a firewall to protect the network. Protocol analyzers do not help to protect a network but are valuable as vulnerability assessment and monitoring tools. Although a DMZ and a proxy server could possibly help to protect a portion of the network to a certain extent, the best answer is firewall.

Which of these hides an entire network of IP addresses? a)SPI b)NAT c)SSH d)FTP

Answer: B. Explanation: NAT (network address translation) hides an entire network of IP addresses. SPI, or Stateful Packet Inspection, is the other type of firewall that today's SOHO routers incorporate. Secure Shell (SSH) is a protocol used to log in to remote systems securely over the network. The File Transfer Protocol (FTP) is used to copy files from one system to a remote system.

Don must configure his firewall to support TACACS+. Which port(s) should he open on the firewall? a)Port 53 b)Port 49 c)Port 161 d)Port 22

Answer: B. Explanation: Port 49 is used by TACACS+. Port 53 is used by DNS, port 161 is used by SNMP, and port 22 is used by SSH.

Where is the optimal place to have a proxy server? a)In between two private networks b)In between a private network and a public network c)In between two public networks d)On all of the servers

Answer: B. Explanation: Proxy servers should normally be between the private network and the public network. This way they can act as a go-between for all the computers located on the private network. This applies especially to IP proxy servers but might also include HTTP proxy servers.

Your organization uses VoIP. Which of the following should be performed to increase the availability of IP telephony by prioritizing traffic? a)NAT b)QoS c)NAC d)Subnetting

Answer: B. Explanation: Quality of Service (QoS) should be configured on the router to prioritize traffic, promoting IP telephony traffic to be more available. You'll get some detractors of QoS, especially for the SOHO side of networks, but if used on the right device and configured properly, it can make a difference. This might sound like more of a networking question, but it ties in directly to the CIA triad of security. Data confidentiality and integrity are important, but just as important is availability—the ability for users to access data when required. NAT is network address translation, which interprets internal and external IP networks to each other. NAC is network access control—for example, 802.1X. Subnetting is when a network is divided into multiple logical areas through IP addressing/planning and subnet mask configuring.

In what way can you gather information from a remote printer? a)HTTP b)SNMP c)CA d)SMTP

Answer: B. Explanation: SNMP (Simple Network Management Protocol) enables you to gather information from a remote printer. HTTP is the Hypertext Transfer Protocol that deals with the transfer of web pages. A CA is a certificate authority, and SMTP is the Simple Mail Transfer Protocol.

What is a secure way to remotely administer Linux systems? a)SCP b)SSH c)SNMP d)SFTP

Answer: B. Explanation: SSH (Secure Shell) is used to remotely administer Unix/Linux systems and network devices. SCP (Secure Copy) is a way of transferring files securely between two hosts—it utilizes SSH. SNMP is used to remotely monitor network equipment. SFTP is used to securely transfer files from host to host—it also uses SSH.

What is the main reason to frequently view the logs of a DNS server? a)To create aliases b)To watch for unauthorized zone transfers c)To defend against denial-of-service attacks d)To prevent domain name kiting

Answer: B. Explanation: Security administrators should frequently view the logs of a DNS server to monitor any unauthorized zone transfers. Aliases are DNS names that redirect to a hostname or FQDN. Simply viewing the logs of a DNS server will not defend against denial-of-service attacks. Domain name kiting is the process of floating a domain name for up to five days without paying for the domain name.

Your boss (the IT director) wants to move several internally developed software applications to an alternate environment, supported by a third party, in an effort to reduce the footprint of the server room. Which of the following is the IT director proposing? a)PaaS b)IaaS c)SaaS d)Community cloud

Answer: B. Explanation: The IT director is most likely proposing that you use infrastructure as a service (IaaS). A cloud-based service, IaaS is often used to house servers (within virtual machines) that store developed applications. It differs from PaaS in that it is the servers, and already developed applications, that are being moved from the server room to the cloud. However, PaaS might also be required if the applications require further development. The most basic cloud-based service, software as a service (SaaS), is when users work with applications (often web-based) that are provided from the cloud. A community cloud is when multiple organizations share certain aspects of a public cloud.

To find out when a computer was shut down, which log file would an administrator use? a)Security b)System c)Application d)DNS

Answer: B. Explanation: The System log will show when a computer was shut down (and turned on, for that matter, or restarted). The Security log shows any audited information on a computer system. The Application log deals with OS apps and third-party apps. The DNS log shows events that have transpired on a DNS server.

Which of the following firewall rules only denies DNS zone transfers? a)Deny IP any any b)Deny TCP any any port 53 c)Deny UDP any any port 53 d)Deny all dns packets

Answer: B. Explanation: The firewall rule listed that only denies DNS zone transfers is deny TCP any any port 53. As mentioned in Chapter 7, "Networking Protocols and Threats," DNS uses port 53, and DNS zone transfers specifically use TCP. This rule will apply to any computer's IP address initiating zone transfers on the inbound and outbound sides. If you configured the rule for UDP, other desired DNS functionality would be lost. Denying IP in general would have additional unwanted results. When creating a firewall rule (or ACL), you need to be very specific so that you do not filter out desired traffic.

One of the developers in your organization installs a new application in a test system to test its functionality before implementing into production. Which of the following is most likely affected? a)Application security b)Initial baseline configuration c)Application design d)Baseline comparison

Answer: B. Explanation: The initial baseline configuration is most likely affected. Because the application has just been installed, there is only an initial baseline, but no other baselines to yet compare with. Since it is a testing environment, and the developer has just installed the application, security is not a priority. The developer probably wants to see what makes the application tick, and possibly reverse engineer it, but is not yet at the stage of application design, and probably won't be until a new application or modification of the current application is designed.

Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this? a)Anomaly-based IDS b)Signature-based IDS c)Behavior-based IDS d)Heuristic-based IDS

Answer: B. Explanation: When using an IDS, particular types of traffic patterns refer to signature-based IDS.

Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this? a)Anomaly-based IDS b)Signature-based IDS c)Behavior-based IDS d)Inline-IDS

Answer: B. Explanation: When using an IDS, particular types of traffic patterns refer to signature-based IDS. Anomaly-based and behavior-based systems use different methodologies. Inline IDS means that the device exists on the network (often between a firewall and the Internet) and directly receives packets and forwards those packets to the intended destination.

As you review your firewall log, you see the following information. What type of attack is this? S=207.50.135.54:53 - D=10.1.1.80:0 S=207.50.135.54:53 - D=10.1.1.80:1 S=207.50.135.54:53 - D=10.1.1.80:2 S=207.50.135.54:53 - D=10.1.1.80:3 S=207.50.135.54:53 - D=10.1.1.80:4 S=207.50.135.54:53 - D=10.1.1.80:5 a)Denial-of-service b)Port scanning c)Ping scanning d)DNS spoofing

Answer: B. Explanation: The information listed is an example of a port scan. The source IP address perpetuating the port scan should be banned or blocked on the firewall. The fact that the source computer is using port 53 is of no consequence during the port scan and does not imply DNS spoofing. It is not a denial-of-service attack; note that the destination IP address ends in 80, but the number 80 is part of the IP address and is not the port.

Your boss has asked you to implement a solution that will monitor users and limit their access to external websites. Which of the following is the best solution? a)NIDS b)Proxy server c)Block all traffic on port 80 d)honeypot

Answer: B. Explanation: You should implement a proxy server. This can limit access to specific websites, and monitor who goes to which websites. Also, it can often filter various HTML and website content. A NIDS is used to report potentially unwanted data traffic that is found on the network. Blocking all traffic on port 80 is something you would accomplish at a firewall, but that would stop all users from accessing any websites that use inbound port 80 (the great majority of them!). A honeypot is a group of computers used to lure attackers in and trap them for later analysis.

Which of the following is a private IPv4 address? a)11.16.0.1 b)127.0.0.1 c)172.16.0.1 d)208.0.0.1

Answer: C. Explanation: 172.16.0.1 is the only address listed that is private. The private assigned ranges can be seen in Table 6-2 earlier in the chapter. 11.16.0.1 is a public IPv4 address, as is 208.0.0.1. 127.0.0.1 is the IPv4 loopback address.

Which of the following devices would detect but not react to suspicious behavior on the network? (Select the most accurate answer.) a)NIPS b)Firewall c)NIDS d)HIDS e)UTM

Answer: C. Explanation: A NIDS, or network intrusion detection system, will detect suspicious behavior but most likely will not react to it. To prevent it and react to it, you would want a NIPS. Firewalls block certain types of traffic but by default do not check for suspicious behavior. HIDS is the host-based version of an IDS; it checks only the local computer, not the network. A UTM is an all-inclusive security product that will probably include an IDS or IPS—but you don't know which, so you can't assume that a UTM will function in the same manner as a NIDS.

Which of the following will detect malicious packets and discard them? a)Proxy server b)NIDS c)NIPS d)PAT

Answer: C. Explanation: A NIPS, or network intrusion prevention system, detects and discards malicious packets. A NIDS only detects them and alerts the administrator. A proxy server acts as a go-between for clients sending data to systems on the Internet. PAT is port-based address translation.

Which of the following is a layer 7 device used to prevent specific types of HTML tags from passing through to the client computer? a)Router b)Firewall c)Content filter d)NIDS

Answer: C. Explanation: A content filter is an application layer (layer 7) device that is used to prevent undesired HTML tags, URLs, certificates, and so on, from passing through to the client computers. A router is used to connect IP networks. A firewall blocks network attacks. A NIDS is used to detect anomalous traffic.

Of the following, which is a collection of servers that was set up to attract attackers? a)DMZ b)Honeypot c)Honeynet d)VLAN

Answer: C. Explanation: A honeynet is a collection of servers set up to attract attackers. A honeypot is usually one computer or one server that has the same purpose. A DMZ is the demilitarized zone that is in between the LAN and the Internet. A VLAN is a virtual LAN.

Which of the following should you implement to fix a single security issue on the computer? a)Service pack b)Support website c)Patch d)Baseline

Answer: C. Explanation: A patch can fix a single security issue on a computer. A service pack addresses many issues and rewrites many files on a computer; it may be overkill to use a service pack when only a patch is necessary. Also, only older Windows operating systems (for example, Windows 7 and Windows Server 2008 R2 and previous) use service packs. You might obtain the patch from a support website. A baseline can measure a server or a network and obtain averages of usage.

You are setting up auditing on a Windows computer. If set up properly, which log should have entries? a)Application log b)System log c)Security log d)Maintenance log

Answer: C. Explanation: After auditing is turned on and specific resources are configured for auditing, you need to check the Event Viewer's Security log for the entries. These could be successful logons or misfired attempts at deleting files; there are literally hundreds of options. The Application log contains errors, warnings, and informational entries about applications. The System log deals with drivers, system files, and so on. A System Maintenance log can be used to record routine maintenance procedures.

Which of the following displays a single public IP address to the Internet while hiding a group of internal private IP addresses? a)HTTP proxy b)Protocol analyzer c)IP proxy d)SMTP proxy e)PAC

Answer: C. Explanation: An IP proxy displays a single public IP address to the Internet while hiding a group of internal private IP addresses. It sends data back and forth between the IP addresses by using network address translation (NAT). This functionality is usually built into SOHO routers and is one of the main functions of those routers. HTTP proxies store commonly accessed Internet information. Protocol analyzers enable the capture and viewing of network data. SMTP proxies act as a go-between for e-mail. PAC stands for proxy auto-config, a file built into web browsers that allows the browser to automatically connect to a proxy server.

If your ISP blocks objectionable material, what device would you guess has been implemented? a)Proxy server b)Firewall c)Internet content filter d)NIDS

Answer: C. Explanation: An Internet content filter, usually implemented as content-control software, can block objectionable material before it ever gets to the user. This is common in schools, government agencies, and many companies.

Virtualization technology is often implemented as operating systems and applications that run in software. Often, it is implemented as a virtual machine. Of the following, which can be a security benefit when using virtualization? a)Patching a computer will patch all virtual machines running on the computer. b)If one virtual machine is compromised, none of the other virtual machines can be compromised. c)If a virtual machine is compromised, the adverse effects can be compartmentalized. d)Virtual machines cannot be affected by hacking techniques.

Answer: C. Explanation: By using a virtual machine (which is one example of a virtual instance), any ill effects can be compartmentalized to that particular virtual machine, usually without any ill effects to the main operating system on the computer. Patching a computer does not automatically patch virtual machines existing on the computer. Other virtual machines can be compromised, especially if nothing is done about the problem. Finally, virtual machines can definitely be affected by hacking techniques. Be sure to secure them!

Which of the following techniques enables an already secure organization to assess security vulnerabilities in real time? a)Baselining b)ACLs c)Continuous monitoring d)Video surveillance

Answer: C. Explanation: Continuous monitoring will help an already secure organization to assess security vulnerabilities and weaknesses in real time. Baselining and ACLs are things that have happened, or were configured in the past. Video surveillance is surely in real time, but it is doubtful as to whether it can assess security vulnerabilities in real time, even if someone is watching the video stream as it happens.

Which of the following is the most secure protocol for transferring files? a)FTP b)SSH c)FTPS d)Telnet

Answer: C. Explanation: FTPS (FTP Secure) is the most secure protocol (listed) for transferring files. It uses SSL or TLS to secure FTP transmissions utilizing ports 989 and 990. FTP by itself is inherently insecure and uses port 21 by default. The truly distracting answer here, SSH, allows a person to remotely access another computer securely, but it's the Secure FTP (SFTP) protocol that works on top of SSH that is considered a secure way of transferring files. Telnet is outdated and insecure. Because of this it is not found on most of today's operating systems, but if it is, it should be removed, or at least stopped and disabled.

Allowing or denying traffic based on ports, protocols, addresses, or direction of data is an example of what? a)Port security b)Content inspection c)Firewall rules d)honeynet

Answer: C. Explanation: Firewall rules (ACLs) are generated to allow or deny traffic. They can be based on ports, protocols, IP addresses, or which way the data is headed. Port security deals more with switches and the restriction of MAC addresses that are allowed to access particular physical ports. Content inspection is the filtering of web content, checking for inappropriate or malicious material. A honeynet is a group of computers or other systems designed to attract and trap an attacker.

John needs to install a web server that can offer SSL-based encryption. Which of the following ports is required for SSL transactions? a)Port 80 inbound b)Port 80 outbound c)Port 443 inbound d)Port 443 outbound

Answer: C. Explanation: For clients to connect to the server via SSL, the server must have inbound port 443 open. The outbound ports on the server are of little consequence for this concept, and inbound port 80 is used by HTTP.

Which of the following should be done if an audit recording fails? a)Stop generating audit records. b)Overwrite the oldest audit records. c)Send an alert to the administrator. d)Shut down the server.

Answer: C. Explanation: If an audit recording fails, there should be sufficient safeguards employed that can automatically send an alert to the administrator, among other things. Audit records should not be overwritten and in general should not be stopped.

Which of the following is the best practice to implement when securing logs files? a)Log all failed and successful login attempts. b)Deny administrators access to log files. c)Copy the logs to a remote log server. d)Increase security settings for administrators.

Answer: C. Explanation: It is important to copy the logs to a secondary server in case something happens to the primary log server; this way you have another copy of any possible security breaches. Logging all failed and successful login attempts might not be wise, because it will create many entries. The rest of the answers are not necessarily good ideas when working with log files.

An administrator wants to reduce the size of the attack surface of a Windows Server. Which of the following is the best answer to accomplish this? a)Update antivirus software. b)Install updates. c)Disable unnecessary services. d)Install network intrusion detection systems.

Answer: C. Explanation: Often, operating system manufacturers such as Microsoft refer to the attack surface as all the services that run on the operating system. By conducting an analysis of which services are necessary and which are unnecessary, an administrator can find out which ones need to be disabled, thereby reducing the attack surface. Updates, service packs, antivirus software, and network intrusion detection systems (NIDSs) are good tools to use to secure an individual computer and the network but do not help to reduce the size of the attack surface of the operating system.

Which of the following is one example of verifying new software changes on a test system? a)Application hardening b)Virtualization c)Patch management d)HIDS

Answer: C. Explanation: Patch management is an example of verifying any new changes in software on a test system (or live systems for that matter). Verifying the changes (testing) is the second step of the standard patch management strategy. Application hardening might include updating systems, patching them, and so on, but to be accurate, this question is looking for that particular second step of patch management. Virtualization is the creating of logical OS images within a working operating system. HIDS stands for host-based intrusion detection system, which attempts to detect malicious activity on a computer.

Which of the following cloud computing services offers easy-to-configure operating systems? a)SaaS b)IaaS c)PaaS d)VM

Answer: C. Explanation: Platform as a service (PaaS) is a cloud computing service that offers many software solutions, including easy-to-configure operating systems and on-demand computing. SaaS is software as a service, used to offer solutions such as webmail. IaaS is infrastructure as a service, used for networking and storage. VM stands for virtual machine, which is something that PaaS also offers.

For a remote tech to log in to a user's computer in another state, what inbound port must be open on the user's computer? a)21 b)389 c)3389 d)8080

Answer: C. Explanation: Port 3389 must be open on the inbound side of the user's computer to enable a remote tech to log in remotely and take control of that computer. Port 21 is the port used by FTP, and 389 is used by LDAP. 8080 is another port used by web browsers that takes the place of port 80.

Which of the following ports is used by Kerberos by default? a)21 b)80 c)88 d)443

Answer: C. Explanation: Port 88 is used by Kerberos by default. Port 21 is used by FTP, port 80 is used by HTTP, and port 443 is used by HTTPS (TLS/SSL).

You have been tasked with providing daily network usage reports of layer 3 devices without compromising any data during the information gathering process. Which of the following protocols should you select to provide for secure reporting in this scenario? a)ICMP b)SNMP c)SNMPv3 d)SSH

Answer: C. Explanation: SNMPv3 should be used because it provides a higher level of security (encryption of packets, message integrity, and authentication), allowing you to gather information without fear of the data being compromised. SNMPv1 and v2 do not have the elaborate security of SNMPv3. ICMP is the Internet Control Message Protocol used with the ping utility, among other things. It has little to do with monitoring. SSH is Secure Shell, which is a more secure way of remotely controlling systems; it acts as a secure alternative to Telnet.

Which of following is the most basic form of IDS? a)Anomaly-based b)Behavior-based c)Signature-based d)Statistical-based

Answer: C. Explanation: Signature-based IDS is the most basic form of intrusion detection system, or IDS. This monitors packets on the network and compares them against a database of signatures. Anomaly-based, behavioral-based, and statistical-based are all more complex forms of IDS. Anomaly-based and statistical-based are often considered to be the same type of monitoring methodology.

Where are software firewalls usually located? a)On routers b)On servers c)On clients d)On every computer

Answer: C. Explanation: Software-based firewalls, such as Windows Firewall, are normally running on the client computers. Although a software-based firewall could also be run on a server, it is not as common. Also, a SOHO router might have a built-in firewall, but not all routers have firewalls.

What is the best definition for ARP? a)Resolves IP addresses to DNS names b)Resolves IP addresses to hostnames c)Resolves IP addresses to MAC addresses d)Resolves IP addresses to DNS addresses

Answer: C. Explanation: The Address Resolution Protocol, or ARP, resolves IP addresses to MAC addresses. DNS resolves from IP addresses to hostnames, and vice versa. RARP is Reverse ARP; it resolves MAC addresses to IP addresses.

You ping a hostname on the network and receive a response including the address 2001:4560:0:2001::6A. What type of address is listed within the response? a)MAC address b)Loopback address c)IPv6 address d)IPv4 address

Answer: C. Explanation: The address in the response is a truncated IPv6 address. You can tell it is an IPv6 address because of the hexadecimal numbering, the separation with colons, and the groups of four digits. You can tell it is truncated because of the single zero and the double colon. A MAC address is also hexadecimal and can use colons to separate the groups of numbers (though hyphens often are used), but the numbers are grouped in twos. An example is 00-1C-C0-A1-54-15. The loopback address is a testing address for the local computer. In IPv6 it is simply ::1, whereas in IPv4 it is 127.0.0.1. Finally, IPv4 addresses in general are 32-bit dotted-decimal numbers such as 192.168.1.100.

You oversee compliance with financial regulations for credit card transactions. You need to block out certain ports on the individual computers that do these transactions. What should you implement to best achieve your goal? a)HIPS b)Antivirus updates c)Host-based firewall d)NIDS

Answer: C. Explanation: To meet regulations, a properly configured host-based firewall will be required on the computers that will be transacting business by credit card over the Internet. All of the other answers—antivirus updates, NIDS, and HIPS—are good ideas to secure the system (and/or network), but they do not address the core issue of filtering ports, which is the primary purpose of the firewall. Also, a network-based firewall will often not be secure enough to meet regulations, thus the need for the extra layer of protection on the individual computers.

Which of the following protocols are you observing in the packet capture below? 16:42:01 - SRC 192.168.1.5:3389 - DST 10.254.254.57:8080 - SYN/ACK a)HTTP b)HTTPS c)RDP d)SFTP

Answer: C. Explanation: You are observing a Remote Desktop Protocol (RDP) acknowledgement packet. You can tell because the source IP address (192.168.1.5) is using port 3389, the default port for RDP, and is sending the ACK to 10.254.254.57 (which was connecting on the secondary HTTP port 8080). So the client is using an HTTP port, but that is inconsequential because the packet is being generated by the source (SRC) IP. HTTPS (port 443) is not involved in this packet capture. Neither is SFTP, as it rides on SSH using port 22.

Your organization wants to implement a secure e-mail system using the POP3 and SMTP mail protocols. All mail connections need to be secured with SSL. Which of the following ports should you be using? (Select the two best answers.) a)25 b)110 c)143 d)465 e)993 f)995

Answer: D and F. Explanation: To implement SSL encrypted e-mail communications you would use port 465 for SMTP (or perhaps 587) and port 995 for POP3. Other ports can be assigned by the admin, but they would have to be configured properly at the server side and the client side, and must not conflict with any other well-known ports or other ports currently in use within the organization's network. Port 25 is the default port for regular SMTP. Port 110 is the default for POP3. Port 143 is the default for IMAP. Port 993 is used by IMAP encrypted with SSL/TLS.

Which of the following deals with the standard load for a server? a)Patch management b)Group Policy c)Port scanning d)Configuration baseline

Answer: D. Explanation: A configuration baseline deals with the standard load of a server. By measuring the traffic that passes through the server's network adapter, you can create a configuration baseline over time.

Which tool can be instrumental in capturing FTP GET requests? a)Vulnerability scanner b)Port scanner c)Performance Monitor d)Protocol analyzer

Answer: D. Explanation: A protocol analyzer captures data including things such as GET requests that were initiated from an FTP client. Vulnerability scanners and port scanners look for open ports and other vulnerabilities of a host. Performance Monitor is a Windows program that reports on the performance of the computer system and any of its parts.

Which one of the following can monitor and protect a DNS server? a)Ping the DNS server. b)Block port 53 on the firewall. c)Purge PTR records daily. d)Check DNS records regularly.

Answer: D. Explanation: By checking a DNS server's records regularly, a security admin can monitor and protect it. Blocking port 53 on a firewall might protect it (it also might make it inaccessible depending on the network configuration) but won't enable you to monitor it. Pinging the server can simply tell you whether the server is alive. Purging pointer records (PTR) cannot help to secure or monitor the server.

You see a network address in the command-line that is composed of a long string of letters and numbers. What protocol is being used? a)IPv4 b)ICMP c)IPv3 d)IPv6

Answer: D. Explanation: IPv6 uses a long string of numbers and letters in the IP address. These addresses are 128-bit in length. IPv4 addresses are shorter (32-bit) and are numeric only. ICMP is the Internet Control Message Protocol, which is used by ping and other commands. IPv3 was a test version prior to IPv4 and was similar in IP addressing structure.

Which of the following is likely to be the last rule contained within the ACLs of a firewall? a)Time of day restrictions b)Explicit allow c)IP allow any d)Implicit deny

Answer: D. Explanation: Implicit deny (block all) is often the last rule in a firewall; it is added automatically by the firewall, not by the user. Any rules that allow traffic will be before the implicit deny/block all on the list. Time of day restrictions will probably be stored elsewhere but otherwise would be before the implicit deny as well.

What tool can alert you if a server's processor trips a certain threshold? a)TDR b)Password cracker c)Event Viewer d)Performance Monitor

Answer: D. Explanation: Performance Monitor can be configured in such a way that alerts can be set for any of the objects (processor, RAM, paging file) in a computer. For example, if the processor were to go beyond 90% usage for more than 1 minute, an alert would be created and could be sent automatically to an administrator. A TDR is a time-domain reflectometer, an electronic instrument used to test cables for faults. A password cracker is a software program used to recover or crack passwords; an example would be Cain & Abel. The Event Viewer is a built-in application in Windows that enables a user to view events on the computer such as warnings, errors, and other information events. It does not measure the objects in a server in the way that Performance Monitor does.

Which of the following log files should show attempts at unauthorized access? a)DNS b)System c)Application d)Security

Answer: D. Explanation: The Security log file should show attempts at unauthorized access to a Windows computer. The Application log file deals with events concerning applications within the operating system and some third-party applications. The System log file deals with drivers, system files, and so on. A DNS log will log information concerning the domain name system.

Which of the following needs to be backed up on a domain controller to recover Active Directory? a)User data b)System files c)Operating system d)System State

Answer: D. Explanation: The System State needs to be backed up on a domain controller to recover the Active Directory database in the future. The System State includes user data and system files but does not include the entire operating system. If a server fails, the operating system would have to be reinstalled, and then the System State would need to be restored.

Virtualized browsers can protect the OS that they are installed within from which of the following? a)DDoS attacks against the underlying OS b)Phishing and spam attacks c)Man-in-the-middle attacks d)Malware installation from Internet websites

Answer: D. Explanation: The beauty of a virtualized browser is that regardless of whether a virus or other malware damages it, the underlying operating system will remain unharmed. The virtual browser can be deleted and a new one can be created; or if the old virtual browser was backed up before the malware attack, it can be restored. This concept applies to entire virtual operating systems as well, if configured properly.

In your organization's network you have VoIP phones and PCs connected to the same switch. Which of the following is the best way to logically separate these device types while still allowing traffic between them via an ACL? a)Install a firewall and connect it to the switch. b)Create and define two subnets, configure each device to use a dedicated IP address, and then connect the whole network to a router. c)Install a firewall and connect it to a dedicated switch for each type of device. d)Create two VLANs on the switch connected to a router.

Answer: D. Explanation: The best option is to create two VLANs on the switch (one for the VoIP phones, and one for the PCs) and make sure that the switch is connected to the router. Configure access control lists (ACLs) as necessary on the router to allow or disallow connectivity and traffic between the two VLANs. Installing a firewall and configuring ACLs on that firewall is a possibility, but you would also have to use two separate dedicated switches if VLANs are not employed. This is a valid option, but requires additional equipment, whereas creating the two VLANs requires no additional equipment (as long as the switch has VLAN functionality). While subnetting is a possible option, it is more elaborate than required. The VLAN (in this case port-based) works very well in this scenario and is the best option.

What is the deadliest risk of a virtual computer? a)If a virtual computer fails, all other virtual computers immediately go offline. b)If a virtual computer fails, the physical server goes offline. c)If the physical server fails, all other physical servers immediately go offline. d)If the physical server fails, all the virtual computers immediately go offline.

Answer: D. Explanation: The biggest risk of running a virtual computer is that it will go offline immediately if the server that it is housed on fails. All other virtual computers on that particular server will also go offline immediately.

Which of the following devices would most likely have a DMZ interface? a)Switch b)VoIP phone c)Proxy server d)Firewall

Answer: D. Explanation: The firewall is the device most likely to have a separate DMZ interface. Switches connect computers on the LAN. VoIP phones are used by individuals to make and answer phone calls on a Voice over IP connection. A proxy server acts as a go-between for the clients on the LAN and the web servers that they connect to, and caches web content for faster access.