Security+ Practice Test B
Which protocol is based on SSH? A. SFTP B. TFTP C. FTP D. FTPS
Answer A is correct. SFTP is the SSH File Transfer Protocol (also called Secure FTP). It is an extension of the SSH protocol, which uses port 22. Contrast SFTP with FTPS. FTPS is FTP Secure or FTP-SSL, which uses port 443. Plain FTP has no built-in security and is not based on SSH. TFTP is a simple version of FTP.
The IT director asks you to configure security for your network. The network is isolated from the Internet by a perimeter network. The perimeter network contains three web servers and a network intrusion detection system. You need to test the network's capability to detect and respond to a denial-of-service attack against the applications running on the web servers. What method should you use? A. network analysis B. penetration testing C. vulnerability scanning D. port scanning
Answer B is correct. Penetration testing will give you a detailed account of whether a network has the capability to detect and respond to a denial-of-service attack. Penetration testing is a type of active testing that should be performed during off-hours because it uses many resources on the network and on the computer running the test. The other three answers are types of passive analysis. They might tell you whether the network has the capability to detect an attack, but they cannot tell you whether the network has the capability to respond to an attack. The network intrusion detection system (NIDS) only detects attacks and warns an administrator if it finds one. So in actuality, chances are your penetration tests will inform you that the network cannot respond to a DoS attack.
Which of the following refers to the amount of time that users will not be allowed to attempt to log in to the network after they have reached the threshold of account login failures? A. account lockout threshold B. account lockout duration C. minimum password age D. password complexity requirements
Answer B is correct. The account lockout duration is the amount of time that users will not be allowed to attempt to log in to the network after they have reached the threshold of account login failures. By default, this setting is 30 minutes on many security policies. The account lockout threshold is the number of times that the user is allowed to attempt to log in. The default on many policies is five attempts, but often organizations change this to three (known as the three-strikes-and-you're-out rule). Password complexity requirements can be enabled within a policy; if so, the users need to incorporate three of four methods of password complexity, including uppercase characters, numeric characters, special characters, and so on. Minimum password age is the number of days that a password must exist before a user is allowed to change it.
When authenticating with PEAP, what is used to provide mutual authentication between peer computers? A. MSCHAPv1 B. EAP C. MSCHAPv2 D. MD5
Answer C is correct. PEAP uses MSCHAPv2 most commonly. This supports authentication via Microsoft Active Directory databases. MSCHAPv1 does not allow this and is not used in PEAP. MD5 is not an authentication method and is not used by PEAP. However, MD5 is used in EAP-MD5 (as a hashing algorithm), which is also challenge-based. PEAP is a derivative of EAP (Extensible Authentication Protocol).
Which of the following is a removable device that can be used to encrypt in a high-availability, clustered environment? A. biometrics B. cloud computer C. TPM D. HSM
Answer D is correct. An HSM (hardware security module) is a device used to manage digital keys and provide authentication. It can be connected to a computer, a server, or a particular server in a clustered environment. Biometrics is the science of authenticating individuals by their physical traits. A cloud computer is a computer that resides on the Internet and is run by a third-party service provider that offers various computing services to individual users and small to midsized companies. A TPM is a trusted platform module that is similar to an HSM but is internal to the computer, perhaps as a chip on the motherboard.
You have been tasked with providing a staff of 250 employees secure remote access to your corporate network. Which of the following is the best solution? A. Software-based firewall B. Web proxy C. Web security gateway D. VPN concentrator
Answer D is correct. The VPN concentrator is the best solution listed. A hardware device such as this can handle 250 concurrent, secure, remote connections to the network. Web security gateways are used to block access to specific websites. Web proxies cache website content for later use. Software-based firewalls can allow for remote secure access but not for the number of concurrent connections needed. A hardware-based firewall or VPN concentrator is the best solution.
Which of the following security technologies should you provide to allow users remote access to your network? A. subnetting B. NAT C. VPN D. NAC E. firewall
Answers C and E are correct. A firewall can be used in conjunction with a virtual private network (VPN) service to allow users remote access to your network. The firewall might incorporate the VPN, or the VPN might be controlled by a separate server or concentrator. Subnetting is not necessary for remote access, but it is a security method used to compartmentalize networks. Network address translation (NAT) is used to translate LAN addresses through to the Internet. Network access control (NAC) is used to authenticate computers and users in a secure fashion on the LAN.
Which of the following best describes a TPM? A. Hardware chip that stores keys B. High-speed secure removable storage device C. Third-party certificate authority D. USB encryption
Answer A is correct. A TPM (trusted platform module) is a chip that resides on a motherboard that stores encrypted keys used to encrypt the entire hard drive of a computer. A hardware security module (HSM) is an example of a high-speed secure removable storage device. An example of a third-party certificate authority (CA) is a company such as VeriSign that develops and distributes trusted certificates. USB encryption is a removable type of encryption; for example, a USB flash drive might be encrypted with AES-256 to keep data secure.
Which of the following are requirements for a cold site? A. power and connectivity B. patches and updated client computers C. close proximity to the data center D. redundant servers and networking devices
Answer A is correct. A cold site need only have power and data/telco connectivity ready to go in the case of an emergency. The organization is expected to provide and configure servers, other computers, and phones. Warm sites might have computers and servers available but not configured. Hot sites will have redundant servers and networking devices, and patched client computers. Everything will be configured and ready to go at short notice.
Your organization currently uses two-factor authentication but wants to install a third factor of authentication. The existing system uses passwords and software-based PKI tokens. Which of the following would provide the third factor of authentication? A. fingerprint scanner B. elliptic curve C. four-digit pin codes D. passphrases
Answer A is correct. A fingerprint scanner is the only option that can offer a third factor of authentication. An elliptic curve is a type of asymmetric encryption, not a type of authentication. Passphrases and PINs fall into the same category as passwords, so they are not considered a separate type of authentication.
Which of the following would you most likely find in a buffer overflow attack? A. NOP instructions B. sequence numbers C. IV length D. set flags
Answer A is correct. A large number of No Operation instructions (known as NOP or no-op instructions) can be used to overflow a buffer, which could allow unwanted code to be executed or result in a denial of service (DoS). Large numbers of NOP instructions can be used to perform a NOP slide (or NO-OP sled). Sequence numbers are how TCP packets are numbered. IV length has to do with the length of a string in a cipher. Flags are one or more bits that are set to a binary number to indicate whether something is on or off.
What kind of threat is a virus that is designed to format a computer's hard drive on a specific calendar day? A. logic bomb B. adware C. bot D. spyware
Answer A is correct. A logic bomb is code designed to be set off on a specific day. This may cause a virus to execute or other malicious activity to occur at that specific time. A bot, short for robot, is also known as a zombie, which is a compromised computer controlled by a central source. Spyware is unwanted software that tracks Internet access. Adware is what causes the pop-up ads you see when you go to various websites. It is also software similar to spyware that will track your Internet access to expose you to specific ads.
What needs to be configured to offer remote access to a network? A. ACLs B. Tokens C. Biometrics D. Supplicants
Answer A is correct. Access control lists (ACLs) need to be configured properly for users to gain remote access through a firewall/router and proceed to the main network. Tokens are used in authentication schemes (often local) but are usually generated with little configuration. Biometrics is the authentication of individuals through physical characteristics. Supplicants (authentication agents) are usually loaded on computers in an 802.1X NAC network, which is usually local and with little configuration.
Randy needs an external add-on solution that can provide encryption and integrate with his existing database server. Which of the following would meet his needs? A. HSM B. CAC C. FDE D. TPM
Answer A is correct. An HSM (hardware security module) provides encryption and can be an external device that can integrate with an existing server. A TPM (trusted platform module) is an encrypting chip that resides on a motherboard. FDE stands for full disk encryption, which can be implemented with a TPM. CAC stands for Common Access Card, a smart ID card used by the Department of Defense (DoD).
In biometrics, what aspect of human authentication does a thumbprint scanner test for? A. something a user is B. something a user knows C. something a user does D. something a user has
Answer A is correct. Biometrics is the science of authenticating individuals according to their physical characteristics, or something the person is. A thumbprint is an example of something a user is; other examples include retina scans and even brain scans. An example of something a user knows would be a password or PIN. An example of something a user has would be a smart card or other ID card. An example of something a user does would be a signature or voice recognition.
Your boss's smartphone is encrypted and has screen lock protection, yet data was still stolen from it. How is this possible? A. bluesnarfing B. SIM cloning C. GPS tracking D. botnet
Answer A is correct. Bluesnarfing is an attack that can steal data such as phonebook contacts, calendar information, and so on, regardless of the phone's encryption and screen lock. To protect against this, set the smartphone to undiscoverable and use a hard-to-guess Bluetooth pairing key. A botnet might try to target a smartphone, but more often will go for other targets; regardless, the phone might be rendered useless after a botnet attack, but the data would probably not be compromised. SIM cloning involves duplicating the SIM card on a GSM-enabled phone, which allows two phones to share an account. GPS tracking allows a smartphone to be located physically, but if the phone is still encrypted, GPS tracking will not help with the stealing of data.
Which of the following is most likely to result in data loss? A. developers copying data from production to test environments with USB sticks B. encrypted backup tapes left unattended at reception for offsite storage C. back office staff updating details on a mainframe with SSH D. accounting personnel transferring confidential staff information with SFTP
Answer A is correct. By default, if data is copied to a USB stick, it is not encrypted. There is virtually no security in this scenario, and the worst part is that the USB sticks are physically traveling from one department to another. To rectify the situation, the developers could consider using AES-256 to encrypt the data on the USB flash drives. The accounting personnel are using SFTP, the backup tapes are encrypted, and the back office staff is using SSH. All these other scenarios at least have some kind of security in mind.
Which of the following is the best fire suppression system to use if you do not want any equipment to be damaged? A. Carbon dioxide B. Wet chemical fire extinguisher C. Wet pipe sprinkler D. Deluge sprinkler
Answer A is correct. Carbon dioxide fire extinguishers are the best fire suppression system to use if you don't want your equipment to be damaged. All the other answers can seriously damage equipment such as networking devices and servers. A carbon dioxide fire extinguisher is gaseous. There is a slight chance of ESD damage, but that is rare.
You want to secure your data to retain it over the long term. What is the best way to do this? A. offsite backup B. RAID 5 onsite backup C. onsite clustering D. virtualization
Answer A is correct. For purposes of retention, offsite backup is the best option. By keeping your backups offsite, you mitigate the risk of losing data during a disaster to your main office. All of the other options imply onsite backup or virtualization onsite, all of which are at risk if a disaster occurs at the main office.
The IT director is worried about OS vulnerabilities. What suggestion should you give as the best way to mitigate this threat? A. patch management B. locking cabinet C. encryption D. anti-spam software
Answer A is correct. If the IT director is worried about operating system vulnerabilities, then a solid patch management strategy should be implemented. By keeping the OS up to date, there should be fewer OS vulnerabilities and therefore fewer threats to the OS. Locking cabinets should be used to store devices and data when not in use. Anti-spam software is used to prevent unwanted e-mails from reaching users. Encryption is used to keep data confidential.
To determine network access requirements, a person working in HR has been tasked with assigning users in Accounting the same job function. What is this an example of? A. RBAC B. ACL C. MAC D. DAC
Answer A is correct. Role-based access control (RBAC) is when individuals are assigned groups of permissions that constitute a role. While a person in HR might not assign job functions within the operating system directly, the person will commonly assign the job functions for each user in some type of paper or electronic document and deliver that document to a security administrator who then implements those job functions within the operating system. Mandatory access control (MAC) is a model that determines permissions by a computer system. Discretionary access control (DAC) is when permissions are determined by the owner. An ACL is an access control list, which defines what IP addresses (or users) can access particular networks or resources.
You investigate an executive's laptop and find a system-level kernel module that is modifying the operating system's functions. What is this an example of? A. rootkit B. virus C. logic bomb D. worm
Answer A is correct. Rootkits are designed to gain administrative control over an OS without being detected and perform malicious operations. Worms and viruses affect files but not the kernel of the OS. Logic bombs are ways of delivering malicious software at a specific date.
Tara has written an application and is ready to go through the hardening process. Which of the following could be considered a hardening process of the SDLC? A. secure coding concepts B. disabling unnecessary services C. application patching management schedule D. disabling unnecessary accounts
Answer A is correct. Secure coding concepts such as input validation will help to harden an application within the systems development life cycle (SDLC). Although disabling unnecessary services and accounts and patching the application are important, these could all be considered application or server hardening, not hardening within the SDLC.
Which of the following will stop network traffic when the traffic is not identified in the firewall ruleset? A. implicit deny B. explicit deny C. explicit allow D. access control lists
Answer A is correct. The principle of implicit deny is used to deny all traffic that isn't explicitly (or specifically) allowed or denied. In other words, if the type of traffic hasn't been associated with a rule, the implicit deny rule will kick in, thus protecting the device. Access control lists are used to filter packets and will include rules such as permit any or explicit denies to particular IP addresses.
Your boss needs you to implement a password policy that prevents a user from reusing the same password. To be effective, the policy must be implemented in conjunction with the password history policy. Which of the following is the best method? A. minimum age B. expiration time C. password length D. lockout time
Answer A is correct. This question refers to Windows Server products. The minimum age password policy setting must be set to enforce an effective password history policy. If this is not done (in conjunction with the password history policy), then the user will be able to reuse old passwords. For example, if the minimum age was set to the default of zero, then the user could simply change his password as many times as needed, without waiting, to get past the password history policy, and ultimately reuse an old password. The minimum age must always be less than the maximum age setting and must be more than zero to enforce a password history policy properly. Note: If you configure the maximum age in Windows Server, the minimum age will automatically be configured to a day less than the maximum age. While configuring maximum age might be another good solution for this scenario, the best and most direct solution would be to configure minimum age. Expiration of passwords, password length, and lockout time for accounts won't affect this scenario.
You get an automated call from what appears to be your bank. The recording asks you to state your name, state your birthday, and enter your bank account number to validate your identity. What type of attack has been perpetrated against you? A. vishing B. spoofing C. pharming D. phishing
Answer A is correct. Vishing is a type of phishing social engineering attack, but it is done over the phone, whereas regular phishing is usually done by e-mail. Pharming is an attack designed to redirect a website's traffic to another website. Spoofing is an attack where a person or a program masquerades as another one.
What is another name for a malicious attacker? A. fuzzer B. black hat C. white hat D. penetration tester
Answer B is correct. A black hat is someone who attempts to break into computers and networks without authorization. A black hat is considered to be a malicious attacker. A white hat is a nonmalicious hacker, often employed by an organization to test the security of a system before it goes online. An example of a white hat would be a penetration tester who administers active tests against systems to determine whether specific threats can be exploited. A fuzzer is a colloquial name for a software tester.
Hardware-based encryption devices such as hardware security modules (HSMs) are sometimes deployed by organizations more slowly than in other organizations. What is the best reason for this? A. multifactor authentication B. lack of management software C. USB removable encryption D. RBAC
Answer B is correct. A lack of management software can cause slower deployment of HSMs. Because an HSM is an external device, it requires management software to enable it to communicate with the computer it is connected to. The lack of decent management software could cause decision-makers at organizations to hesitate to adopt the solution. RBAC stands for role-based access control, which assigns roles to users based on sets of permissions. USB removable encryption is a decent solution for encrypting data, but unlike an HSM, it can't house extremely secure keys and doesn't have tamper protection, so USB removable encryption isn't really a substitute for an HSM. Multifactor authentication means that a user needs to have two forms of ID or needs to be authenticated in two or more ways to a system.
You have several unused USB flash drives, three laptops, and two HSMs that contain sensitive data. What is the best way to prevent the theft of these devices? A. Encryption B. Locking cabinet C. Hashing D. GPS tracking
Answer B is correct. A locking cabinet is the best way listed to prevent the theft of physical devices such as USB flash drives and laptops, but only if the locking cabinet is locked. GPS tracking can aid in finding devices after they were stolen. Encryption helps in keeping data secure even if the device is stolen (although it isn't a perfect solution). Hashing provides integrity of data. However, GPS tracking, encryption, and hashing won't stop the physical devices from being stolen. It's important to keep physical devices locked up when not in use and monitored by video surveillance or other means.
A customer has asked you to implement a solution to hide as much information about the internal structure of the network as possible. The customer also wants to minimize traffic with the Internet and does not want to increase security risks to the internal network. Which of the following solutions should you implement? A. NIDS B. proxy server C. protocol analyzer D. firewall
Answer B is correct. A proxy server, specifically a caching proxy, will minimize traffic with the Internet. Users who access the same websites will get their information from the proxy server instead of from the Internet. An IP proxy server will hide information about the internal structure of the network. Proxy servers are available that can handle both of these functions. A NIDS, network intrusion detection system, detects attacks on the network. A firewall closes off ports on the network, and although some firewalls also come with proxy functionality, it is not the best answer for this scenario. Protocol analyzers, also known as network sniffers, can analyze packets of information that have been captured.
Which of the following encryption protocols is the strongest and can encrypt data with the least amount of CPU usage? A. DES B. AES C. 3DES D. RC4
Answer B is correct. AES, the Advanced Encryption Standard, is currently considered to be the strongest symmetric encryption protocol. It can also encrypt data with the least amount of CPU usage compared to the rest of the listed answers. This makes it a great choice for wireless networks, whole disk encryption, and so on. DES and its successor 3DES were the predecessors to AES. Both of them are considered deprecated, weaker encryption protocols and require more CPU usage than AES. RC4 is a symmetric stream cipher used with SSL and WEP. It is known for its speed, but when used with WEP, it can be cracked easily.
A malicious computer is sending data frames with false hardware addresses to a switch. What is happening? A. MAC spoofing B. ARP poisoning C. DNS poisoning D. pWWN spoofing
Answer B is correct. ARP poisoning is an attack that exploits Ethernet networks—spoofed frames of data will contain false MAC addresses, ultimately sending false hardware address updates to a switch. DNS poisoning is the unauthorized modification of name resolution information. pWWN spoofing is a type of spoof attack carried out on SANs. MAC spoofing is a technique for changing the MAC address of a network adapter.
After auditing an FTP server, you note that the server has an average of 100 concurrent connections. Where should you look to determine whether this is normal or whether your FTP server is being attacked? A. secure code review B. baseline reporting C. security policy D. DRP
Answer B is correct. Baseline reporting will tell you what has happened in the past on your FTP server. By creating a baseline, you can compare current results with past results, helping you to determine whether the activity is normal. Secure code review is done to analyze whether the source code of a program has vulnerabilities. A security policy will dictate how an organization will approach risk and how it will deal with vulnerabilities. A DRP is a disaster recovery plan.
Of the following, what is the best option to implement if you want to be able to recover a lost laptop? A. HIDS B. GPS C. whole disk encryption D. remote wipe
Answer B is correct. GPS tracking is the best answer listed if you want to be able to recover a lost laptop. If installed properly (and if in GPS range), the GPS chip will enable the laptop to be tracked. Remote wipe (or remote sanitization) will wipe out all the data on the laptop (if it is accessible) but will, of itself, not inform you as to the location of the laptop. A HIDS (host-based intrusion detection system) is software that can be loaded on the laptop that will detect malicious activity. Whole disk encryption (such as BitLocker or TrueCrypt) will make the data hard to decrypt and read but won't aid in the tracking of the laptop.
You have received several reports from users of corrupted data. You patched the affected systems but are still getting reports of corrupted data. Which of the following methods should you use to help identify the problem? A. hardware baseline review B. vulnerability scan C. data integrity check D. penetration testing
Answer B is correct. If the data is becoming corrupted more than once even after an update to the affected systems, you should perform a vulnerability scan to find out what the possible threats and vulnerabilities are to those systems. A data integrity check would simply tell you that the data has been corrupted and, therefore, that integrity is not intact. Penetration testing determines whether a system can be compromised by exploiting a particular threat. A hardware baseline review will tell you how your hardware is performing and how secure it is compared to the last baseline. Baselines are examples of vulnerability assessments, but in this case you need a software-based vulnerability assessment.
You have been tasked with securing a switch from physical access. Which of the following should you implement first? A. check the baseline configuration B. disable unused ports C. disable unnecessary accounts D. set up access control lists
Answer B is correct. If you need to physically secure a switch, you should first disable unused ports so that a person who has gained unauthorized access to your server room or data center cannot plug a laptop into one of those ports and access the network. It would also be wise to check (or create) a security baseline at some point after this. Access control lists are generally set up on routers, not on switches. Regardless, they deal with the logical, not the physical. The same holds true for accounts; they are of a logical nature and are usually set up on servers and routers.
The university science lab is normally locked when no one is using it. The professor of the science department has a key to unlock the door. Other faculty members are given keys to lock the door only. What type of key structure is this? A. key escrow B. asymmetric C. secret keys D. symmetric
Answer B is correct. In an asymmetric key scenario, a pair of different keys is used to encrypt and decrypt data. The keys can be related, but they are not identical as in symmetric (or secret key) algorithms. The analogy here is that the professor and the other faculty have varying physical keys, one for unlocking and the others for locking. Key escrow is when keys are stored for third parties in the case of data loss.
Which of the following is the best description of a security advantage when using a standardized server image? A. all current updates for the OS will already have been applied B. all mandated security configurations will already have been applied to the OS C. OS licensing will be easier to track D. all antivirus software will be current
Answer B is correct. Organizations develop standardized images for their server operating systems. They are standardized according to organizational policy. So, any mandated security configurations should be applied to the OS before it is made into an image to be used on the network. Unfortunately, that only gets the OS image to a certain point in time. Any new AV definitions, security updates to the OS, and so on, will need to be applied afterward according to organizational policy. OS licensing trackability should not change. Whether you track your OS licenses on paper or with a scanning program, they should be tracked in the same manner as with physical operating systems.
You ran a penetration test against your two database servers and found out that each of them could be compromised with the default database user account and password. Which of the following did you forget to do to your database servers? A. virtualization B. application hardening C. OS hardening D. patch management
Answer B is correct. Part of application hardening includes renaming (or disabling) default accounts and setting complex passwords. If these steps are not taken, compromising the application becomes very easy for attackers. OS hardening is not correct in this instance because it is the database that can be compromised using the default database username/password. Databases are considered to be applications, not operating systems. Patch management won't affect the default user account. The account has to be secured manually. Virtualization of operating systems doesn't come into play here, although it could help to have backup virtual images made in the case that the database server is compromised.
You are the network security administrator. One of the system administrators reports to you that an unauthorized user has accessed the network. What should you do first? A. Contact the police. B. Contain the problem. C. Determine the monetary impact. D. Notify management.
Answer B is correct. The first thing you should do is contain the problem. That can mean attracting the unauthorized user to a honeypot or honeynet or shutting down the affected systems. Afterward, depending on policy, you might notify management and possibly contact the police. Finally, you would determine the monetary impact after assessing the damage to the affected systems, if there were any.
You need to regulate cooling in your data center. What is the best environmental control to use? A. EMI shielding B. hot and cold aisles C. fire suppression D. video surveillance
Answer B is correct. To regulate cooling in a data center or server room, hot and cold aisles should be used. The cold aisle is on one side of the server racks. Air is drawn into the servers and exhausted into the hot aisle and ventilated out of the server room.
Improper use of P2P and social networking software may result in which of the following? A. shoulder surfing B. information disclosure C. data loss prevention D. denial of service
Answer B is correct. Using P2P software and social networking software (and websites) can lead to information disclosure. This could be due to user error, not following guidelines, using a weak password, and so on. An example of user error would be if the user was to place personally identifiable information (PII) where it can be easily found on a social networking website. Data loss prevention is a technique used to stop data leakage; it often entails the use of a hardware-based device. A denial of service is when a server is attacked with a flood of packets and there is a stoppage of service. Shoulder surfing is when someone attempts to gain personal information about another person by looking about the person's desk or watching him while he is working on his computer.
Your boss has asked you to reduce an AP's power setting and place the AP in the center of your building. What reconnaissance method is your boss trying to prevent? A. evil twin B. war-driving C. RF interference D. rogue AP
Answer B is correct. Your boss is trying to prevent war-driving. By reducing the AP's power and placing it centrally, you reduce the chance of a war-driver being able to access (or even "see") your wireless network. An evil twin is an AP put in place maliciously that has the same SSID as an already existing AP on your network. Rogue APs are access points that are not part of your wireless network. The above techniques in the scenario might reduce RF interference; however, RF interference is not a reconnaissance method.
Some of the employees in your organization complain that they are receiving e-mail loaded with advertisements. What should you do? A. Install anti-spyware. B. Install anti-spam. C. Install antivirus. D. Install a HIDS.
Answer B is correct. Anti-spam software might be a standalone solution or part of an anti-malware suite of programs. This is the best option when attempting to lessen the number of spam e-mails that contain advertisements. Anti-malware suites usually also include anti-spyware tools and antivirus tools. A HIDS is a host-based intrusion detection system. This is used to detect whether malicious activity is occurring on an individual computer.
Which of the following will identify a Smurf attack? A. content filter B. load balancer C. NIDS D. firewall
Answer C is correct. A NIDS (network intrusion detection system) is designed to identify network attacks such as a Smurf attack (a type of DoS). Firewalls can block particular packets or IP addresses, but they don't identify actual attacks. Content filters are used to secure users' web browsing sessions, filtering out unwanted websites. Load balancers are used to distribute workload among multiple servers.
What should a disaster recovery plan (DRP) contain? A. Single points of failure B. Hierarchical list of hot sites C. Hierarchical list of critical systems D. Hierarchical access control lists
Answer C is correct. A disaster recovery plan should contain (among other things) a list of critical systems in order from the most critical to the least critical. Access control lists don't fail, but the router that they are contained within may fail; therefore, the routers should be listed as critical systems. Anything could be a single point of failure. If a single point of failure cannot be tolerated, it needs to be mitigated in the form of fault tolerance (UPS, RAID, clustering, and so on). Generally, an organization will have only one hot site because hot sites are expensive to maintain.
Users are required to log in to the network. They use a smart card to do so. Which type of key does the smart card use to log in to the network? A. cipher key B. shared key C. private key D. public key
Answer C is correct. A private key is used by smart cards during login to a network. Often the smart card will be used along with another form of authentication, creating a multifactor authentication scheme. Public keys are used in asymmetric encryption environments. A key is basically one component of a cipher or algorithm. A shared key is often used in public-key environments and asymmetric encryption environments, in which two users share the same key.
What would you implement to separate the two departments? A. MAC filtering B. cloud computing C. VLAN D. SaaS
Answer C is correct. A virtual LAN (VLAN) is used to logically separate groups of computers. It is often done to separate departments in a virtual manner without having to change the physical cabling design. MAC filtering is a method implemented on access points to allow only specific systems onto the wireless network. Cloud computing is a group of various services offered by third-party organizations; the services are hosted on the Internet. SaaS (Software as a Service) is an example of cloud computing.
Which of the following protocols or services uses port 19? A. telnet B. SMTP C. CHARGEN D. echo
Answer C is correct. CHARGEN, the character generator, uses port 19. It is commonly used by a Fraggle attack. Echo uses port 7. Telnet uses port 23. SMTP uses port 25.
You are in charge of installing patches to servers. Which of the following processes should you follow before installing a patch? A. Separation of duties B. Due process C. Change management D. Fault tolerance
Answer C is correct. Change management is a structured way of changing the state of a computer system or IT procedure. The idea behind this is that change is going to happen, so the organization should adapt to change and be knowledgeable of any proposed changes before they occur. Other people in your organization might require that patches not be installed to a particular server before they have given the green light to do so; you should get their permission first as part of the change management process before installing the patch. Due process is the principle that an organization must respect and safeguard a person's rights. Separation of duties is when more than one person is required to complete a particular task. Fault tolerance is the capability of your network to continue functioning after an error or attack occurs.
To prevent ad hoc configuration issues on your wireless network, what method should you implement? A. Incident management strategy B. Auditing strategy C. Change management strategy D. Patch management strategy
Answer C is correct. Change management is a structured way of making changes to networking equipment and other systems. It is done in such a way that everyone involved is notified of a change. If a person were to add networking devices to an ad hoc wireless network without consulting anyone else, it could cause many issues, including, but not limited to, loss of access to the network. Incident management (and incident response) is a set of procedures that a person goes through when examining a computer or network-related security incident. Patch management is the planning, testing, implementing, and auditing of patches that are installed on systems. Auditing strategies in patch management involve making sure the patch holds properly over time. In general, auditing strategies are implemented to properly record and review what happens to data within the various servers and other computers on the network.
You have been given ten hard drives that need to be decommissioned. What is the first thing you should do? A. burn the hard drives in an incinerator B. format the hard drive C. perform a bit-level erasure or overwrite the drive D. contact a waste disposal facility
Answer C is correct. Hard drives should be sanitized. This can be done with bit-level erasure software that completely obliterates any data that was previously on the drive. Formatting the drive is not sufficient because data can still be recovered from a formatted drive. Even if you plan to dispose of the drives with a third-party facility, the drive should still be sanitized beforehand. Most organizations will not burn hard drives. It might even be illegal in your municipality. Instead, after sanitization, hard drives are often pulverized.
You have implemented an X.509 PKI. One of the private keys has been compromised before the certificate's regular expiration date. What should you do? A. put the certificate in escrow B. validate the certificate C. revoke the certificate D. register the certificate
Answer C is correct. If a certificate is compromised before its regular expiration date, you should revoke the certificate. At this point it should be added to the certificate revocation list (CRL) and published. The certificate should not be used again. It should not be validated or registered. It should also not be put in escrow unless a third party specifically requests it.
Your CFO's smartphone holding classified data has been stolen. What is the best way to reduce data leakage? A. Inform law enforcement. B. Use strong encryption. C. Remotely sanitize the device. D. Track the device with GPS.
Answer C is correct. If a device holding classified data is stolen, the best thing to do is to remotely sanitize the device (known as a remote wipe). It is too late to use strong encryption, but that should always be implemented on mobile devices (or any devices, for that matter) with classified information. After remotely sanitizing the device, you might opt to inform law enforcement (or your organization's security company or internal security investigators) and possibly track the device via GPS.
A computer that is connected to a NAC-enabled network is not asked for the proper NAC credentials. What is a possible reason for this? A. the computer is not patched B. the computer doesn't have the latest antivirus definitions C. the computer is missing the authentication agent D. the computer does not have the latest SP
Answer C is correct. In a network access control (NAC) enabled network, computers must have the authentication agent installed; otherwise, the NAC system will not ask for the credentials (and the computer will not get access to the network). The authentication agent is also known as a supplicant (in 802.1X systems, for example). The patch level, antivirus definitions, and service packs (SPs) are separate from the NAC system.
The server room is on fire. What should the HVAC system do? A. Increase the humidity. B. Turn on the AC. C. Turn off. D. Increase the heat.
Answer C is correct. In the case of a fire, the HVAC system should be programmed to automatically shut off. The key here is that it is automated; that's why the question is asking what the HVAC system would do, not what you would do. In fact, any other associated electrical units in the server room should shut off in the case of a fire as well. If an HVAC unit is turned on in any way, shape, or form (AC, heat, or whatever), it would effectively be blowing more air (oxygen) on the fire. Because oxygen feeds the fire, you don't want this to occur. Increasing the humidity would move more humid air, once again adding oxygen to the fire, so again this is not recommended. The HVAC system will not help in the case of a fire. That is what your specialized gaseous fire suppression system (and wet pipe system) is for.
Rick is reviewing the logs of a host-based IDS. They show that the computer has been compromised by a botnet and is communicating with a master server. If Rick needs to power the computer off, which of the following types of data will be unavailable? A. Swap files, system processes, and the master boot record B. Memory, archival storage, and temporary files C. Memory, system processes, and network processes D. The system disk, e-mail, and log files
Answer C is correct. Memory is cleared when the computer is shut down (unless hibernation mode has been implemented). This removes system and network processes from memory. Archival storage, the master boot record, system disk, e-mail, and log files will still be available. Although two other answers had possibilities within them, they weren't altogether correct.
Which of the following requires a CA during the authentication process? A. FTPS implicit B. MD5 C. PEAP-TLS D. FTPS explicit
Answer C is correct. PEAP (Protected Extensible Authentication Protocol) creates a TLS (Transport Layer Security) tunnel by acquiring a PKI certificate from a CA. It is known simply as PEAP or as PEAP-TLS. It is similar to EAP-TTLS. FTPS is FTP over SSL. Explicit mode means that the FTPS client must explicitly request security from the FTPS server. Implicit FTPS connections do not allow negotiation—there is no request for security; it is expected from the server. MD5 is a cryptographic hash function.
Which of the following solutions should be used by heavily utilized networks? A. VPN concentrator B. telephony C. provider cloud D. remote access
Answer C is correct. Provider clouds can offer Infrastructure as a Service (IaaS), which can alleviate some of the stress an organization's network might suffer from. In addition, provider clouds can offer software (SaaS) and platforms (PaaS). VPN concentrators and remote access are not good choices for heavily utilized networks. They are meant for smaller groups of remote users. Telephony is not a solution for heavily utilized networks. It is quite the opposite; often networks are the solution for telephony usage.
In which of the following ways can risk not be managed? A. risk mitigation B. risk acceptance C. risk elimination D. risk transfer
Answer C is correct. Risk cannot simply be eliminated. It can be mitigated by way of securing systems and implementing security policies; it can be transferred by way of insurance policies; it can be accepted to a certain extent, but it cannot be eliminated.
Greg needs to centralize the authentication of multiple networking systems against a single user database. What is he trying to implement? A. Common Access Card B. Access control list C. Single sign-on D. Multifactor authentication
Answer C is correct. Single sign-on means the ability to log in to multiple systems using a single username/password combination (or other type of authentication method). This is what Greg needs in this scenario. Access control lists contain rules determining which IP addresses and users are allowed access to networks and data. Multifactor authentication is when two or more types of information (or physical security devices) are necessary to gain access to a system—for example, the combination of a username/password and a smart card. The Common Access Card is an authenticating smart card used by the Department of Defense (DoD) for personnel.
In a PKI, what is responsible for verifying certificate contents? A. Recovery agent B. Key escrow C. CA D. CRL
Answer C is correct. The CA (certificate authority) is responsible for verifying the authenticity of certificate contents. Key escrow is when a copy of the key is held, usually by third parties. The CRL is the certificate revocation list, where certificates are listed when their corresponding public key has been compromised. The recovery agent is used to recover keys, key components, and plaintext messages.
Specific secure data is only supposed to be viewed by certain authorized users. What concept ensures this? A. Availability B. Integrity C. Confidentiality D. Authenticity
Answer C is correct. The concept of confidentiality ensures that only authorized users can view secure data. Integrity ensures that data has not been tampered with. Availability ensures that data is accessible and ready. Authenticity ensures that data comes from who the data is supposed to come from and that it is a reputable source.
A visitor plugs her laptop into the network in the conference room and attempts to start a presentation that requires Internet access. The user gets a warning on the screen saying that her antivirus software is not up to date. As a result, the visitor is unable to access the Internet. What is the most likely cause of this? A. the IDS blocked access to the network B. the security posture on the network is disabled, and remediation must take place before the user can access the Internet C. the security posture on the network is enabled, and remediation must take place before the user can access the Internet D. the IPS prevented access to the network
Answer C is correct. The security posture can be defined as the risk level to which a system is exposed. If enabled, a system will need to meet particular security requirements. In this case, the user cannot access the Internet with her laptop until the antivirus software is updated (the remediation). If the security posture were disabled, the user would not need to update her system. An IDS will not block access to the network. Instead, an IDS will detect malicious activity on the network. An IPS is not designed to prevent internal users from accessing the network; it is designed to prevent malicious activity on the network.
Which of the following ports is required by an e-commerce web server running SSL? A. port 80 outbound B. port 80 inbound C. port 443 inbound D. port 443 outbound
Answer C is correct. The web server needs to have inbound port 443 open to accept secure requests for SSL sessions from clients. The outbound port doesn't actually matter; it's the inbound port that is important for the server. Inbound port 80 is used by default for regular HTTP connections.
Susan is in charge of installing a business-critical application on an Internet-facing server. She is going to update the application to the most current version. What other security control should she perform in conjunction with the update? A. configure the firewall to allow the application to auto-update B. run a port scan of the application server C. review and apply vendor-provided hardening documentation D. configure the firewall to prevent the application from auto-updating
Answer C is correct. Third-party applications will usually come with a slew of documentation, including a list of hardening methods. This vendor documentation should be applied while updating the application as part of the entire application security process. It is the best answer as far as what to do in conjunction with the update. Running a port scan is a good idea at some point, but it has less to do with the application and more to do with finding unnecessary ports and services. If the application is installed on an Internet-facing server, there probably won't be a firewall involved. If the application server is in a DMZ, it will probably be behind a firewall, but, by definition, even if the DMZ-based application serves users on the Internet, this isn't considered to be directly Internet-facing. Otherwise, the firewall should usually be set up to allow an application to auto-update, but you never know—some applications might need to be updated manually, depending on the security level of the application and organizational policy.
You suspect that an unauthorized person has accessed your server room. Which of the following would be the best proof of this? A. Security guard testimony B. Card key log C. Video surveillance D. Security log
Answer C is correct. Video surveillance would be the most undeniable source of proof listed. A card key log from a proximity reader system could have been tampered with or the unauthorized person might have obtained a legitimate card key. Security logs are not good sources of proof, and although a security guard's testimony could be compelling, it could still be deniable. Video surveillance (for example, CCTV systems) is the best form of proof because it is the hardest to tamper with or spoof.
Which of the following is a passive attempt at identifying weaknesses? A. Penetration testing B. DoS attack C. Vulnerability scanning D. Port scanning
Answer C is correct. Vulnerability scanning is considered to be an example of passive security testing. The acts of port scanning, penetration testing, and testing by way of attack (such as a DoS) are all considered to be active security testing.
What is the main difference between a worm and a virus? A. a virus is easily removed B. a virus is larger C. a worm is self-replicating D. a worm is undetectable
Answer C is correct. Worms are self-replicating once they are executed, whereas viruses are not. Viruses may spread out and infect one or more files, but the actual virus cannot replicate itself. Viruses and worms can be difficult to remove, depending on their severity and age. Both worms and viruses can be detected with antivirus software. Viruses can be larger or smaller than worms. The two are similar in general, aside from self-replication.
What kind of attack would a flood guard protect a network from? A. botnet B. MITM attack C. xmas attack D. SYN attack
Answer D is correct. A SYN attack (also known as a SYN flood) is when a large number of synchronization request packets are sent from a client to a server. To protect against this, SYN flood guards can be implemented within some firewalls or as separate devices altogether. If implemented on a firewall, some configuration is usually necessary. An Xmas attack (Christmas tree packet attack) is used to analyze TCP/IP responses. It might have many of the option bits in the header enabled, but it does not have the SYN flag set. MITM stands for man-in-the-middle, an attack that intercepts and modifies data traveling between a client and a server. A botnet is a group of compromised computers that jointly (and unknowingly) attacks single points of interest such as web servers.
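The condition a flood guard watches for is many handshakes that start with a SYN and never complete. The following is an added illustration, not part of the practice test, that counts half-open connections per source over constructed log lines; the line format is assumed for this example and does not come from any particular firewall.

```python
import re
from collections import defaultdict

# Constructed sample of client-to-server TCP segments, in an assumed format:
# "<time> <src_ip>:<src_port> > <dst_ip>:<dst_port> <flags>"
# The first two clients complete the handshake (SYN then ACK); the third
# opens six connections with SYN only and never follows up.
SAMPLE_LOG = """\
1.00 203.0.113.10:40001 > 198.51.100.5:443 S
1.01 203.0.113.10:40001 > 198.51.100.5:443 A
1.02 203.0.113.11:40002 > 198.51.100.5:443 S
1.03 203.0.113.11:40002 > 198.51.100.5:443 A
1.10 203.0.113.77:50001 > 198.51.100.5:443 S
1.11 203.0.113.77:50002 > 198.51.100.5:443 S
1.12 203.0.113.77:50003 > 198.51.100.5:443 S
1.13 203.0.113.77:50004 > 198.51.100.5:443 S
1.14 203.0.113.77:50005 > 198.51.100.5:443 S
1.15 203.0.113.77:50006 > 198.51.100.5:443 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+)$"
)


def parse_segments(log_text):
    """Yield (timestamp, src_ip, src_port, flags) for each well-formed line.

    Lines that do not match the assumed format are skipped rather than
    raising, so a few corrupted log lines do not stop the analysis.
    """
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield float(match["ts"]), match["src"], int(match["sport"]), match["flags"]


def half_open_by_source(log_text):
    """Count, per source IP, the connections that sent SYN but never ACKed.

    State per (src_ip, src_port): "SYN" once the handshake starts, "OPEN"
    once the client's ACK arrives. A RST from the client tears it down.
    """
    state = {}
    for _ts, src, sport, flags in parse_segments(log_text):
        key = (src, sport)
        if flags == "S":                  # SYN only: handshake started
            state.setdefault(key, "SYN")
        elif "R" in flags:                # reset: connection abandoned
            state.pop(key, None)
        elif "A" in flags and key in state:   # client ACK: handshake done
            state[key] = "OPEN"
    counts = defaultdict(int)
    for (src, _port), conn_state in state.items():
        if conn_state == "SYN":
            counts[src] += 1
    return dict(counts)


def flag_syn_flood_sources(log_text, threshold=5):
    """Return source IPs whose half-open connection count reaches threshold.

    A real flood guard applies this per time window (rate), not over the
    whole log; the constructed sample spans well under a second.
    """
    return sorted(
        src for src, count in half_open_by_source(log_text).items()
        if count >= threshold
    )


if __name__ == "__main__":
    print(half_open_by_source(SAMPLE_LOG))
    print(flag_syn_flood_sources(SAMPLE_LOG))
```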
What would you use a TPM for? A. Cloud computing B. System hardening C. Input validation D. Full disk encryption
Answer D is correct. A TPM (trusted platform module) is a chip that resides on a motherboard (or similar location) that stores encrypted keys used to encrypt the entire hard disk on the system. Input validation is a technique used by programmers to secure their forms. System hardening is the process of securing a computer system through updates, closing ports, and so on. Cloud computing is the use of web-based applications (and other software, platforms, and infrastructures) that are provided by an external source on the Internet.
You have been tasked to implement an encryption algorithm that has a key length of 128 bits. Which of the following is the only solution? A. SHA B. DES C. 3DES D. AES
Answer D is correct. AES-128 is a 128-bit cipher, meaning it has a key length of 128 bits. However, a more secure solution would be to use AES-256 (256-bit key length). SHA-1 is 160-bit, and SHA-2 is 256- or 512-bit in key length. DES is 56-bit, and its successor 3DES is 168-bit.
Which of the following will help to prevent data theft? A. password history B. GPS tracking C. video surveillance D. clean desk policy
Answer D is correct. An organization might institute a clean desk policy to ensure that USB flash drives, discs, and other items are not left lying around. Password history is a policy that can be implemented to disallow users from configuring a password that they have used previously. GPS tracking can be used to find portable devices but will usually be too late to prevent data theft. Video surveillance is great as a record of who entered a building but is not a proactive way to prevent data theft.
Which of the following web application security weaknesses can be mitigated by preventing the usage of HTML tags? A. LDAP injection B. rootkits C. SQL injection D. cross-site scripting
Answer D is correct. Cross-site scripting (XSS) is an attack on website applications that injects client-side script into web pages. SQL injection is a type of code injection that exploits vulnerabilities in databases. LDAP injection can be used to modify LDAP statements and modify the LDAP tree. Rootkits are software designed to gain administrator-level access over a computer system.
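How "preventing the usage of HTML tags" stops the script injection described above, as an added example that is not part of the practice test: the vulnerable rendering drops user input straight into the page, while the hardened version HTML-encodes it so the browser never sees a tag. The comment text and function names are constructed for this illustration.

```python
import html
import re

# Constructed untrusted input: text a visitor might submit in a comment box.
UNTRUSTED_COMMENT = 'Great article! <script>alert("xss")</script> <b>Thanks</b>'

TAG_RE = re.compile(r"<[^>]*>")


def render_comment_vulnerable(comment: str) -> str:
    """Vulnerable: user input is placed into the page as raw HTML, so any
    tag it contains (including <script>) is parsed by the browser as markup."""
    return f'<div class="comment">{comment}</div>'


def render_comment_hardened(comment: str) -> str:
    """Hardened: HTML-encode the input so <, >, &, and quotes become entities.
    The reader still sees the text verbatim, but no tag reaches the parser."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def strip_tags(comment: str) -> str:
    """Input-side control: remove anything that looks like a tag before storing.

    Weaker than output encoding, because tag grammar is easy to get wrong;
    use it in addition to encoding, not instead of it.
    """
    return TAG_RE.sub("", comment)


def contains_user_markup(rendered: str, user_text: str) -> bool:
    """Return True if any tag from the user's text survived into the page."""
    return any(tag in rendered for tag in TAG_RE.findall(user_text))


if __name__ == "__main__":
    print(render_comment_vulnerable(UNTRUSTED_COMMENT))
    print(render_comment_hardened(UNTRUSTED_COMMENT))
    print(strip_tags(UNTRUSTED_COMMENT))
```

Encoding is context-specific: the `html.escape` shown is right for text between tags, while values placed inside URLs, JavaScript, or CSS need the encoding for that context.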
Several users complain they are encountering intermittent loss of network connectivity. The computers are wired to the LAN, and no wireless devices are being used. What should you implement? A. HVAC B. faraday cage C. data emanation D. shielding
Answer D is correct. From the answers listed, shielding should be implemented. When multiple wired network connections are intermittently cutting out, chances are that EMI or some other type of interference is occurring and that something needs to be shielded better. One possibility is to replace standard unshielded twisted-pair (UTP) network cable with shielded twisted-pair (STP). Another possibility is to check network devices and make sure they are not near a power source or other device that radiates EMI. HVAC equipment (if near network cabling or devices) can be shielded as well. Data emanation is when there is data leakage from network cables, wireless network devices, and other network equipment. A Faraday cage is used to block wireless data emanation, especially in server rooms and data centers.
An attacker has identified and exploited several vulnerabilities in a closed-source application that your organization has developed. What did the attacker implement? A. compiling B. secure code review C. vulnerability testing D. fuzzing
Answer D is correct. Fuzzing (fuzz testing) is the automated insertion of random data into a computer program. It is used to find vulnerabilities by the people who developed the program and by attackers. Secure code review is the analysis of source code by authorized individuals in an attempt to find problems and security issues. Vulnerability testing is a scan done on computers and networks to find their vulnerability level. Compiling is the transformation of source code, generally done to create executable programs.
You have disabled all unnecessary services on a domain controller. What is this an example of? A. patch management strategy B. baselining C. secure code review D. OS hardening
Answer D is correct. Hardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize OS exposure to threats and to mitigate possible risk. Secure code review is the analysis of code to make sure it cannot be corrupted; this is done through input validation, checking for unmanaged code, checking for sensitive data, and so on. Baselining is the process of measuring changes in a system. Patch management strategy is the entire four-step process involved when adding patches to a system.
You are surprised to notice that a co-worker's computer is communicating with an unknown IRC server and is scanning other systems on the network. None of this was scheduled by anyone in your organization, and the user appears to be unaware of what is transpiring. What is the most likely cause? A. the computer is infected with a rootkit B. the computer is infected with spyware C. the computer is infected with a worm D. the computer is part of a botnet
Answer D is correct. If the computer in question is scanning the network and accessing an unknown IRC server without the user's knowledge, then the computer has probably been compromised as a zombie and is now part of a botnet. The IRC server probably acts as a central communication point for all zombies in the botnet. Though the computer had to be infected with some kind of payload originally, that malware is not responsible for the events that are transpiring currently.
NTLM is for the most part backward compatible and is an improved version of which of the following? A. AES B. MD5 C. passwd D. LANMAN
Answer D is correct. LANMAN is an outdated hash used in Windows; it is the original hash used to store passwords. The NTLM (and the newer NTLMv2) hash is used in newer versions of Windows to replace LANMAN. AES is the Advanced Encryption Standard, a popular encryption method. MD5 is a different hash function used in the downloading of files, among other things. Passwd is a text-based file used in Linux that stores user information and permissions.
You are the security administrator for the company ABC Accounting, Inc. The IT director has given you rights that allow you to review logs and update network devices only. Other rights are given out to network administrators for the areas that fall within their job description. What kind of access control is this? A. job rotation B. discretionary C. mandatory vacation D. least privilege
Answer D is correct. Least privilege is when users are given only those rights necessary to do their job. Because the IT director only gave you specific rights and no more, and because other very specific rights are given to other network administrators, the least privilege rule applies here. Job rotation is when multiple users are cycled through different related tasks. Discretionary access control (DAC) is an access control model that has rules set by the user. Because the IT director has already set rights and permissions, this scenario does not involve DAC. Mandatory vacation is when a user is forced to take consecutive days of vacation away from the office.
What is MAC filtering a form of? A. NAT B. VPN C. DMZ D. NAC
Answer D is correct. MAC filtering occurs when only a select list of MAC addresses is allowed to communicate with an AP or router. This is an example of network access control (NAC), a way of controlling how computers connect to the network in a secure fashion. VPN stands for virtual private network, which allows for the secure remote connection of computers to a network. NAT stands for network address translation, which takes care of the connection from LAN clients through a router and out to the Internet. A DMZ is a demilitarized zone, a place separate from the LAN where servers reside that can be reached by users on the Internet.
Mitigating risk based on cost could be described as which of the following? A. vulnerability assessment B. qualitative risk assessment C. business impact analysis D. quantitative risk assessment
Answer D is correct. Quantitative risk assessment measures risk using exact monetary values. Qualitative risk assessment assigns numeric values to the probability of risk. Business impact analysis is the differentiation of critical and non-urgent functions and is part of a DRP or a BCP. A vulnerability assessment is an analysis of security weakness in an organization.
Which of the following would a routine system audit most likely include? A. penetration testing B. port scanning C. security policy development D. user rights and permissions reviews
Answer D is correct. Routine system audits will check for user rights and permissions as well as analyze log files (for example, the Security log in Windows). The development and implementation of the security policy that enabled the security log should have been done long before actual auditing takes place. Penetration testing and port scanning are not included in routine system audits but might be part of more elaborate security audits. Routine system audits are noninvasive (passive), allowing the systems to be audited to continue functioning as normal.
Which of the following is a trusted OS implementation used to prevent malicious code from executing on Linux platforms? A. system file checker (SFC) B. vmlinuz C. tripwire D. SELinux
Answer D is correct. Security-Enhanced Linux (SELinux) is a feature that supports mandatory access control and includes modifications that add security to Linux distributions to help prevent malicious and suspicious code from executing. System File Checker (SFC) is a utility in Windows that checks the integrity of system files and replaces them if necessary. Tripwire is Linux-based open source software designed to check data integrity and alert users to changes. Vmlinuz is a compressed bootable version of the Linux kernel.
Your organization is designing two new systems. They require an emphasis on the following: System A requires high availability. System B requires high security. Which configuration should you select? A. System A and System B both fail closed B. System A and System B both fail open C. System A fails closed; System B fails open D. System A fails open; System B fails closed
Answer D is correct. System A requires high availability, so it should fail open. For example, if the system were a monitoring system, and a portion of it failed, the organization might want it to fail open so that other portions of the monitoring system will still be accessible. However, System B requires security, so it should fail closed. Let's say that System B was a firewall. If it crashed, would we still want network connectivity to pass through it? Probably not, because there would be little or no protection to the network. In general, if you need high availability, the system should fail open. If you need high security, it should fail closed.
You have been tasked to access an older network device. Your only option is to use Telnet. Which port would need to be open on the network device by default? A. 3389 B. 161 C. 135 D. 23
Answer D is correct. Telnet uses port 23 by default. Some older devices may not be accessible remotely without using the deprecated Telnet protocol. The best thing to do in this situation would be to update the network device, if possible, or replace it. Port 3389 is the default port for the Remote Desktop Protocol. Port 161 is the default port for SNMP. Port 135 is known as the DCE endpoint manager port or dcom-scm.
Which of the following equations represents the complexity of a password policy that enforces a lowercase password using the letters a through z, where "n" is the password length? A. n^26 B. 2n*26 C. n^2*26 D. 26^n
Answer D is correct. The 26 refers to the 26 characters a through z (lowercase). The superscript "n" is a variable that refers to the length of the password. When calculating the number of possible passwords, the size of the character set is raised to a power equal to the length of the password. So, if your policy in this example dictated a password that is eight characters long, then it would be 26 to the power of 8, or 208,827,064,576. In this case, n = 8, but it could be 10, 14, or whatever the security administrator sets the password length to in the password policy.
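The 26^n calculation above, carried through in code as an added example (not part of the practice test): it reproduces the 26^8 figure and generalizes the formula to larger character sets and to an equivalent strength in bits; the character-class sizes and the guess rate are constructed assumptions for illustration.

```python
import math

# Added example, not part of the practice test: the test's formula for a
# lowercase-only policy is 26**n, where n is the enforced password length.
# Character-class sizes below are constructed assumptions (SPECIAL = 32
# printable ASCII punctuation characters).
LOWERCASE, UPPERCASE, DIGITS, SPECIAL = 26, 26, 10, 32


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords a policy allows: charset size raised to the length."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same keyspace expressed in bits (log2), comparable to a key size."""
    return length * math.log2(charset_size)


def exhaust_days(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case days to try every candidate at a fixed offline guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / 86400


def policy_table(lengths=(8, 10, 14, 16), guesses_per_second: float = 1e10) -> dict:
    """Compare the lowercase-only policy with a mixed policy (all four classes)
    across several enforced lengths. The guess rate is a constructed assumption."""
    mixed = LOWERCASE + UPPERCASE + DIGITS + SPECIAL  # 94 characters
    rows = {}
    for n in lengths:
        rows[n] = {
            "lower_keyspace": keyspace(LOWERCASE, n),
            "lower_bits": round(entropy_bits(LOWERCASE, n), 1),
            "mixed_bits": round(entropy_bits(mixed, n), 1),
            "mixed_days": exhaust_days(mixed, n, guesses_per_second),
        }
    return rows


if __name__ == "__main__":
    # n = 8, lowercase only: 26**8 = 208,827,064,576, as in the explanation above
    print(f"{keyspace(LOWERCASE, 8):,}")
    for n, row in policy_table().items():
        print(n, row)
```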
Your organization has a policy that states that user passwords must be at least 16 characters. Your computers use NTLM2 authentication for clients. Which of the following hash algorithms will be used for password authentication? A. SHA B. LM hash C. AES D. MD5
Answer D is correct. The MD5 hashing algorithm is used by NTLM2 authentication. MD5 stands for Message-Digest algorithm 5. It uses a 128-bit key and is a widely used hashing algorithm. LM hash is used with passwords of 14 or fewer characters. If you use a password of 15 characters or more on newer versions of Windows, the OS will store a constant string as the LM hash, which is effectively a null password and therefore uncrackable. The real password will be stored as an NTLM2 hash (in this case calculated with MD5), and that hash alone will be used. AES is the Advanced Encryption Standard, used widely in wireless networks. SHA is the Secure Hash Algorithm; SHA-1 employs a 160-bit hash and is deprecated. Newer versions of SHA are more secure than MD5.
Which of the following is the best practice to secure log files? A. Log all failed and successful login attempts. B. Increase the size of the log files. C. Perform hashing of the log files. D. Copy the log files to a server in a remote location.
Answer D is correct. The best practice for securing log files is to make sure they are copied to a remote location—better yet to another server in a remote location—where they can be easily accessed if the original server fails. This remote location should be in another city, not across the street in another building. Logging all failed and successful login attempts can create gigantic log files, the kind that might be impossible to manage. Most organizations will not do this. Increasing the size of log files won't necessarily secure them, but it is a good idea when it comes to the management of log files. The default size of log files in most operating systems is not large enough for today's big organizations. Hashing log files is a good idea when securing them so that integrity can be maintained, but it is not necessarily the best practice. It should be used in conjunction with copying the files to a secure location.
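Hashing used together with the remote copy, as an added example (not part of the practice test): a SHA-256 manifest taken on the originating server is checked against the off-site copy, so any later edit or truncation of the copy is detected. The file names, directories and log lines are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

# Added example, not part of the practice test. Temporary directories stand in
# for the originating server and the remote log server; log lines are constructed.


def hash_file(path: str, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths) -> dict:
    """Map each file name to its hash; computed before the copy leaves the host."""
    return {os.path.basename(p): hash_file(p) for p in paths}


def verify_manifest(manifest: dict, directory: str) -> list:
    """Names whose copy in `directory` is missing or differs from the manifest."""
    bad = []
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or hash_file(path) != expected:
            bad.append(name)
    return sorted(bad)


def demo() -> list:
    """Copy a constructed auth log off-site, verify it, then append a line to the
    remote copy and show the change is flagged. Returns the flagged names."""
    lines = [
        "Jan 10 09:12:01 srv1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022\n",
        "Jan 10 09:13:40 srv1 sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40112\n",
    ]
    with tempfile.TemporaryDirectory() as local, tempfile.TemporaryDirectory() as remote:
        source = os.path.join(local, "auth.log")
        with open(source, "w") as fh:
            fh.writelines(lines)
        manifest = build_manifest([source])  # taken at the source, kept separately
        shutil.copy(source, remote)           # stands in for the off-site copy
        assert verify_manifest(manifest, remote) == []  # intact copy passes
        with open(os.path.join(remote, "auth.log"), "a") as fh:
            fh.write("Jan 10 09:15:00 srv1 sshd[1210]: session closed\n")  # later edit
        return verify_manifest(manifest, remote)


if __name__ == "__main__":
    print("flagged:", demo())  # -> ['auth.log']
```

The manifest itself must be stored somewhere the log host cannot rewrite it, otherwise an attacker who edits the logs can recompute the hashes as well.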
What is a default rule found in a firewall's ACL? A. permit all B. netsh advfirewall firewall C. add address=192.168.0.0/16 D. deny all
Answer D is correct. The deny all rule is a default rule found in a corporate firewall's access control lists (ACLs). It is an example of the implicit deny concept. Permit all is not a default rule, as that would be quite dangerous. Netsh advfirewall firewall is a command used in Windows to view personal firewall information. Add address=192.168.0.0/16 is a way to disable (or enable) private addressing space.
User awareness and training can help with which of the following? A. enforcement of physical security requirements B. compliance with legislative and vendor software best practices C. identifying DoS attacks D. minimizing organizational risk caused by users
Answer D is correct. Users are an aspect of risk to an organization (whether they mean to be or not). By committing to a training schedule and other user-awareness policies, an organization can reduce that risk.
Why would you use a vulnerability scanner? A. To identify remote access policies B. To crack passwords C. To see whether passwords are sent as clear text D. To identify open ports on a computer
Answer D is correct. Vulnerability scanners are primarily used to find open ports on a computer and define what threats are associated with those ports. Remote access policies should be identified within the server where the policy was created (for example, in Windows Server). Password recovery programs such as John the Ripper should be used to crack passwords. To see whether passwords are being sent as clear text, you should use a protocol analyzer.
Your boss asks you to install a wireless access point and set up a new wireless network. Which protocol offers the best wireless security? A. WEP B. SSH C. WPA D. WPA2
Answer D is correct. WPA2 (Wi-Fi Protected Access version 2) is the most secure of the protocols listed when it comes to wireless networking security. WPA (or WPA version 1) is still widely used, but if possible wireless networks should be upgraded to WPA2. SSH is Secure Shell, which allows data to be sent and received securely between two networked systems. WEP (Wired Equivalent Privacy) is deprecated and not recommended for use.
You are the systems administrator for your organization. Human resources notifies you that a particular user has been terminated. What should you do? A. Retain the user's data for a specific amount of time. B. Disable the user's account. C. Delete the user's data. D. Delete the user's account.
Answers A and B are correct. If a user is terminated, standard policy is to disable that user's account and to retain the user's data for a specific amount of time, which should be stated within the policy. It is not wise to delete a user's account because all audited information and encryption keys associated with the user account will be lost.
You have been instructed to install an intrusion detection system that can protect a database server and the rest of the network. You cannot afford to use any more resources on the database server. You decide to implement a network intrusion detection system. Why is this superior to a host-based intrusion detection system? Each correct answer represents a complete solution. Choose two. A. A HIDS can negatively impact system performance. B. A HIDS is not reliable when it comes to detecting attacks. C. Usually, a HIDS cannot detect network attacks. D. A HIDS cannot be updated.
Answers A and C are correct. A HIDS usually cannot detect network attacks, whereas a NIDS can. A HIDS will definitely have a negative impact on system performance because it uses resources in the form of CPU and RAM; however, a HIDS is reliable when it comes to detecting attacks on an individual computer. Also, a HIDS can be updated.
Which of the following would an antivirus program most likely not detect? A. Trojan B. Pharming C. Logic bomb D. Worm E. Virus
Answers B and C are correct. Antivirus programs are meant to scan for viruses, worms, and Trojans. They are least likely to discover logic bombs because logic bombs don't manifest themselves right away. Pharming is a type of social engineering attack that antivirus programs are not designed to detect.
Your Windows domain has additional servers configured as member servers. Your job is to minimize the risk of unauthorized persons logging on locally to the member servers. Your solution should have a minimal impact on local management and administration and should not limit administrator access. Which of the following are the best solutions? A. disable account lockout policies B. require strong passwords C. rename the local default accounts D. configure all services to run under the context of the Local System account E. disable the local default accounts F. provide backdoors into the member servers
Answers B and C are correct. By renaming the local default accounts (which includes the administrator account), users will have a difficult time attempting to select a username with administrative access. Most people know that the default administrative account in Windows is the administrator account; by renaming it you add a layer of security. Requiring strong passwords is always a good idea and can help prevent an unauthorized user from logging on to the member server. On some Windows systems, by default, the administrator account has a blank password. It is common procedure to rename the account and configure a complex password. Disabling account lockout policies makes the server less secure. By default, services do run under the local system account. Disabling the local default accounts would also disable the administrator account, and the question specifies that administrator access should not be limited. It is not a good idea to provide backdoors into any servers or devices; if backdoors are found, they should be eliminated or reported to the vendor of the software.
Which of the following encryption algorithms are supported by the IEEE 802.11i standard? A. RSA B. TKIP C. AES D. ECC
Answers B and C are correct. The IEEE 802.11i standard amends the original 802.11 standard and was later incorporated into the IEEE 802.11-2007 standard. It specifies security mechanisms for wireless networks, including TKIP and AES. It also deprecates WEP. TKIP, the Temporal Key Integrity Protocol, is used as a solution to replace WEP without requiring any replacement of older hardware. Although it is a better solution than WEP, TKIP was deprecated in 2009 by the IEEE—CCMP is recommended in its place. (CCMP stands for Counter Mode Cipher Block Chaining Message Authentication Code Protocol.) AES, the Advanced Encryption Standard, is the superior type of encryption to use in wireless networks. It works with WPA and WPA2 but might require hardware upgrades. RSA (Rivest, Shamir, Adleman) is a public-key cryptography algorithm commonly used on the Internet and considered to be unbreakable if used properly. ECC, which stands for elliptic curve cryptography, is another type of public-key cryptography, but this is based on the structure of an elliptic curve and mathematical problems.
Which wireless configurations can be easily circumvented using a network sniffer? A. WEP with 802.1X B. MAC filtering C. WPA2 D. EAP-TLS E. Disabled SSID
Answers B and E are correct. Utilizing a network sniffer (or packet analyzer) can aid an attacker in discerning the SSID of an AP as well as which MAC addresses are being allowed in. By drilling down through the frames of information that are captured, the attacker can easily find the SSID name and, with a little work, can deduce the MAC addresses that have access to the network. Then the person need only spoof the MAC address and connect to the AP's SSID manually to have access to the wireless network. The other answers concern authentication and encryption methods, which will be much more difficult to circumvent. 802.1X is network access control that uses various types of authentication methods including EAP-TLS. WEP and WPA2 are encryption methods, and although WEP is deprecated, it is difficult to get past when used in conjunction with 802.1X.
Mark works for a financial company. He has been tasked to protect customer data. He decides to install a mantrap and an HVAC system in the data center. Which of the following concepts has he addressed? A. accountability B. recovery C. confidentiality D. integrity E. availability
Answers C and E are correct. The HVAC system addresses the need for availability of data. Without a proper HVAC system, a data center's servers (and other equipment) would probably overheat, resulting in a loss of service. The mantrap addresses the need for confidentiality. Customer data in financial organizations, health insurance companies, and many other organizations requires privacy and confidentiality. By installing a mantrap, unauthorized persons will be detained and won't be able to access customer data.