4.0 Network Security Flashcards

Question

To improve your ability to monitor and manage your network devices, your network requirements call for purchasing devices that support out-of-band (OOB) management. Which of the following types of interfaces or devices is most likely to satisfy this requirement, as you select switches, routers, firewalls, and servers for purchase? A) Serial port B) Parallel port C) Separate network interface D) WAN port E) RJ-45 port

Answer 1

A serial port easily and regularly plays host to a modem, which provides a dial-up link that network admins can use to access the device to which it is attached. The whole idea of OOB is to use a separate communications link outside the scope and reach of the regular network. An out-of-band link provides a way to access a device even when the network is down or when the device needs to be powered up after a power fault or interruption. Console servers may also use special-purpose network console ports to obtain administrative access and control over such devices.

Answer 2

Fencing acts as the first line of defense against casual trespassers and potential intruders, but fencing should be complemented with other physical security controls, such as guards and dogs, to maintain the security of the facility. A fence height of 6 to 7 feet is considered ideal for preventing intruders from climbing over the fence. In addition to being a barrier to trespassers, the fence can also control crowds. A fence height of 3 to 4 feet acts as a protection against casual trespassers. For critical areas, the fence should be at least 8 feet high with three strands of barbed wire.

Answer 3

When comparing exploits vs. vulnerabilities, a vulnerability is a flaw or weakness, and an exploit takes advantage of that flaw. As examples, a vulnerability could be a section of code in an application that fails to validate user input against a range of acceptable values. The exploit would be the active use of that failure to validate to introduce malicious data, such as an SQL injection attack. A threat is the likelihood that an event is going to occur. The terms exploit and vulnerability are not interchangeable.

Answer 4

Remote Access Service (RAS) is a service provided by Windows that allows remote access to the network via a dial-up connection. In order to obtain a remote connection, two services need to be in place: RAS and dial-up networking (DUN). The server that will establish the remote connection needs to have RAS so that it can link to the remote computer. The remote computer needs to have DUN so that it can connect to the remote server.

Answer 5

You should deploy host-to-gateway IPSec mode. In this configuration, the VPN gateway requires the use of IPSec for all remote clients. The remote clients use IPSec to connect to the VPN gateway. Any communication between the VPN gateway and the internet hosts on behalf of the remote clients does not use IPSec. Only the traffic over the Internet uses IPSec. In host-to-host IPSec mode, each host must deploy IPSec. This mode would require that any internal hosts that communicate with the VPN clients would need to deploy IPSec. In gateway-to-gateway IPSec mode, the gateways at each end of the connection provide IPSec functionality. The individual hosts do not. For this reason, the VPN is transparent to the users. This deployment best works when a branch office or partner company needs access to your network.

Answer 6

In Public Key Infrastructure (PKI), an issuer is the entity that signs a certificate. Signing a certificate verifies that the name and key in the certificate are valid. PKI is a system designed to securely distribute public keys. A PKI typically consists of the following components: certificates, a key repository, a method for revoking certificates, and a method to evaluate a certificate chain, which security professionals can use to follow the possession of keys. Chain of custody might be used in proving legal cases against hackers. Most organizations implement PKI using a PKI Web service so that a third party is responsible for issuing and managing certificates.

Answer 7

A principal is any entity that possesses a public key. A verifier is an entity that verifies a public key chain. A subject is an entity that seeks to have a certificate validated. While a PKI can be a Web service, other Web services that organizations use include HTTP sites, FTP sites, and social networking sites. All organizations should consider the security and performance ramifications of the use of any of these Web services on the organization's network.

Answer 8

A certificate revocation list (CRL) contains a list of serial numbers for digital certificates that have not expired, but that a certification authority (CA) has specified to be invalid. Typically, the serial number of a digital certificate is placed in a CRL because the digital certificate has been compromised in some way. A CA, sometimes referred to as a certificate authority, is an entity that issues and validates digital certificates. To create a digital certificate, a user provides a CA with contact information and a public and private key pair. The CA verifies the provided information, and creates a digital document with the user's contact information and key pair. The CA then encrypts the digital document with its private key to create a digital certificate. Finally, users can use the CA's public key to determine whether a digital certificate is valid.

Answer 9

The private key of the root certification authority (CA) must be secured to ensure that the certificates that have been validated in a public key infrastructure (PKI) are protected. If the private key of the root CA has been compromised, then a new root certificate must be created and the PKI must be rebuilt. If the private key of a user's certificate has been compromised, then a new certificate should be created for that user and the user's compromised certificate should be revoked. The compromise of a user's certificate will not jeopardize other certificates in a PKI. A public key, as its name implies, is public, and does not need to be kept secret.

Answer 10

Cross certification is primarily used to establish trust between different PKIs and build an overall PKI hierarchy. Cross certification allows users to validate each other's certificate when they are certified under different certification hierarchies. The primary purpose of cross certification is to build a trust relationship between different certification hierarchies when users who belong to different hierarchies are required to communicate, and might require authentication for legitimate connections. The process implies the establishment of a trust relationship between two certification authorities (CAs) through the signing of another CA's public key in a certificate referred to as a cross certificate.

Answer 11

For the Network+ exam, you need to understand two other services: unified voice services and network controllers. Unified voice services are any services in which network (data) and voice services are implemented over the same media. The most popular example of this is Voice over IP (VoIP). Network controllers allow network administrators to manage multiple devices from a central device. For example, Cisco's Wireless LAN Controller (WLC) model 5760 allows centralized management and control of multiple wireless access points (WAPs).

Answer 12

DHCP snooping prevents an unauthorized DHCP server from issuing IP addresses to clients. The unauthorized or rogue DHCP server is often used in man-in-the-middle attacks. A trusted server is identified on a specific switch port by configuring the DHCP Snooping Trust State. This allows DHCP traffic to flow through the port. A DHCP server attached to a port that does not have a properly configured trust state will have its traffic blocked. Current Web communications can also be secured against eavesdropping, hijacking, and man-in-the-middle (MitM) attacks through mutual certificate authentication via Transport Layer Security (TLS). The encryption negotiated by TLS between a Web client and Web server provides protection against eavesdropping and hijacking, and the mutual authentication using certificates that provides protection against MitM attacks.

Answer 13

Bridge Protocol Data Unit (BPDU) guard works with Spanning Tree Protocol (STP) and PortFast. When a switch receives a BPDU, the BPDU guard disables the port on which PortFast has been configured. It prevents looping, not man-in-the-middle attacks.

Answer 14

Flood guard establishes the maximum number of MAC addresses that can be seen by an interface. The switch monitors the traffic on the interface. If the network gets flooded with MAC addresses, the flood monitor can intervene by disabling ports and filtering out traffic. Denial of Service (DoS) attacks may use traffic flooding to deny valid users the ability to interact with resources at an acceptable level, pace, or throughput. It prevents DoS flooding attacks, not man-in-the-middle attacks.

Answer 15

Disabling unused ports is an excellent way to secure a switch. You should only enable designated active ports needed for network connections. As an example, if you have a 24-port switch, but only 18 of those are needed for connected hosts, you should set the status of the other six ports to “disabled.”

Answer 16

Upgrading firmware is one way to ensure that the network component is performing properly, or to the current standard. Firmware differs from a driver. A driver allows the hardware communicate with an operating system, such as Windows 10, Linux, or OSX. Firmware is the software that allows the hardware device to operate. A simplified example of one aspect of firmware would be the line of instruction on the NIC that causes the green light to blink when network traffic is present. Installing patches and updates to the network hardware will ensure that the firmware is up to date and that any remedies to known security issues will be corrected.

Answer 17

Using secure protocols is paramount to network security. In SOHO networks, routers (as an example) are shipped with insecure protocols, such as WEP, enabled. While WEP is the easiest for consumer or novice to use while getting the network up and running, it is inherently insecure and should be disabled in favor of a more secure protocol such as WPA2.

Answer 18

A telephone can be used by a hacker to implement a social engineering attack in which the hacker attempts to gain critical network information through social interaction with company employees. For example, a hacker might call a user on a network and ask for a user name and password. If the user is not properly trained, then the user might provide his or her user name and password to the hacker. Dumpster diving is another social engineering method that is carried out by stealing information from a company's trash disposal. To prevent dumpster diving, destroy all paper and other media that are not required.

Answer 19

Captive portals are web pages, typically used in public networks, where users must complete some action before they are granted access to the network. Captive portals are commonly seen in coffee shops, hotels, and airports, and the user often has to accept an acceptable use policy (AUP) before they can connect to the internet. Port security allows a network administrator to only allow a specific MAC address (or group of MAC addresses) on a switch port. MAC filtering theoretically does the same thing as port filtering, but port filtering works on switches, whereas MAC filtering works on routers. MAC filtering is accomplished by granting (or denying) network access to a list of MAC addresses. The list of MAC addresses for which you are either granting or denying access to is stored in an access control list (ACL). ACLs compare the entity that is requesting access to a network resource against a list of valid entities. Access is granted or denied based on the access configured for that entity. Simply put, ACLs identify which users have access to a given object, such as a drive, a file, or a directory.

Answer 20

You should use Internet Protocol Security (IPSec) to secure Remote Desktop Protocol (RDP) over the Internet with connection security rules and associations because it uses only Microsoft-supplied protocols and services. This is the only option that provides an additional layer of encryption and security beyond what is included in RDP or Windows Remote Desktop Connections. The connection security rules and associations work with IPSec to establish how to broker a legitimate RDP connection and to manage proofs of identity and authentication between communicating parties. Purchasing WAN links between each pair of sites and running a commercial virtual private network (VPN) over IPSec offers strong security. However, doing so would require purchasing dedicated WAN links when Internet costs are lower or already covered through the company’s existing Internet access. This solution also incurs additional costs for a commercial VPN in which to run remote access. Creating a VPN, and running RDP over the VPN eliminates the cost of WAN links, but incurs the costs for a commercial VPN. Thus, it is not as cheap as the RDP option. Using a freeware virtual network computing (VNC) to run TeamViewer over the Internet is not a cheaper option because TeamViewer would incur costs to run. In addition, a VNC is not needed as Windows computers include RDP. VNC is an option to use if other operating systems are included. RDP does not offer complete security by itself. It also fails to provide authentication to verify the identity of RD session hosts. At a minimum, TLS should be employed to strengthen RDP.

Answer 21

DNS poisoning, also known as DNS cache poisoning, can direct user traffic to a malicious web site. The attack is accomplished by inserting a bogus record in the DNS server cache, redirecting traffic from the "good" web site to the malicious web site.

Answer 22

Address Resolution Protocol (ARP) poisoning, also known as ARP spoofing, occurs when an attacker sends counterfeit messages on the network, resulting in the replacement of a legitimate user's MAC address with the attacker's MAC address. Once that happens, the attacker will begin receiving traffic destined for the legitimate user.

Answer 23

An access control list (ACL) allows you to define which types of traffic are allowed into or out of the network on a protocol-by-protocol basis. ACLs can also be configured based on port number, MAC address, IP address, and other criteria. Distributed switching allows a host to select from a pool of switches.

Answer 24

It is critical that you know the difference between packet-switched and circuit-switched networks. Packet-switched networks break the traffic into small parcels. Depending on the layer at which they reside, those parcels are called packets. Each packet contains, among other things, the destination address. The receiving router uses that destination address to forward the packet to the next router. Circuit-switched networks require that a connection be established between the sender and the receiver. Once a connection is made (meaning that a circuit is formed), the data is routed from the sender to the receiver.

Answer 25

Software-defined networks (SDNs) allow a network administrator to direct and prioritize traffic, and connections, over virtual switches, from a centralized console. SDNs can control the access to switches and routers but do not have anything to do with allowing traffic to traverse a switch or router.

Answer 26

Extensible Authentication Protocol − Flexible Authentication via Secure Tunneling (EAP-FAST) was developed by Cisco to assist with enforcing strong password policies, and it does not require digital certificates. EAP-FAST is a faster version of Protected EAP (PEAP). EAP-FAST uses protected access credentials (PACs) stored on the supplicant device, somewhat like cookies. With the credentials already stored on the supplicant, authentication can occur more rapidly. Extensible Authentication Protocol (EAP) made the use of certificates, biometrics, and smart cards possible.

Answer 27

PEAP first creates a tunnel between the supplicant (client) and the server, and then proceeds with the rest of the steps in the EAP process. PEAP requires certificates.

Answer 28

Extensible Authentication Protocol − Transport Layer Security (EAP-TLS) uses public key infrastructure (PKI) certificates to authenticate the supplicant (client) and the server.

Answer 29

Geofencing allows an administrator to geographically define the boundaries of wireless access. It is particularly useful if the organization does not want individuals outside the building to have wireless access. Global Positioning System (GPS) or Radio Frequency Identification (RFID) data from the client device is used to request access to the authentication server. If the client device is within the defined boundaries, it will be granted access. Geofencing does not really provide a way to secure your network; it just limits the network's boundaries.

Answer 30

Device hardening is the application of defense in depth principles to help mitigate the attacks to which the device is susceptible. For a switch, device hardening could include shutting off unused ports. Another example could be blocking traffic on port 23 to prevent traffic on an unused port. Other enhanced security activities, such as password policies and establishing file permissions, are also examples of device hardening. Device hardening provides controls at all layers of the OSI model to provide the defense in depth. Defense in depth is a multi-layered approach to security that establishes a robust defensive strategy against attackers. This strategy prevents a single attack from being sufficient to breach an environment, forcing attackers to use complex, multi-pronged, daisy-chain attacks that are more likely to fail or be detected during the attempt.

Answer 31

Signature management is the monitoring of digital signatures to ensure that file tampering has not occurred. This would only protect against data integrity attacks, not against any other kinds of attacks

Answer 32

A quarantine network would be set up in an office for computer and mobile devices that do NOT comply with the network access control (NAC) policies. A NAC server would hold the policies that would control access to the network. If computers or mobile devices did not have the appropriate security controls configured, they would be placed on the quarantine network to isolate them. This would ensure that they would have limited access to the company network until the appropriate security measures were taken. A guest network would be set up in an office so that customers could access the Internet but not internal resources, such as printers and servers. A wireless network is configured so that users can wirelessly connect to the LAN. A virtual private network (VPN) is configured to allow personnel to securely access local resources via the Internet through a security VPN tunnel. A benefit from setting up a guest network is the ability to access isolated corporate resources.

Answer 33

For the Network+ exam, you need to understand the following NAC concepts: 802.1x − 802.1X is a protocol that authenticates a user before allowing any of the host's data traffic to be sent to the network. 802.1x authentication can work with the NAC server. While 802.1x is used for authentication, the NAC server will check to see if the appropriate security controls are in place on the authenticating devices based on the NAC policies that are configured. Posture assessment − This is the process whereby a client is checked against a set of requirements in a NAC policy. If a client meets the requirements, it is given full network access. If a client does not meet the requirements, it is placed on the quarantine network and given limited network access. Persistent vs non-persistent agents − An agent running on a client computer is a persistent agent if it runs all the time. It is a non-persistent agent if it is run only during an attempt by the client computer to connect to the network via the NAC server. Edge vs access control − Edge control verifies that users or devices have the appropriate permissions to access resources. NAC verifies that users or devices not only have the appropriate permissions to access resources but also that the users or devices have the appropriate security controls in place to ensure that the NAC client will not cause the network to be breached.

Answer 34

A privileged user account is an account that has less restrictive access to a system. Examples of privileged user accounts include domain administrators, local administrators, and application accounts. Users with privileged accounts can include systems admins, management personnel, network administrators, and database administrators, among others.

Answer 35

File integrity monitoring helps to identify unauthorized changes to files. The monitoring process looks at such events as if or when a file was changed, who made the change, the nature of the change, and what can be done to restore the file to the pre-change state. File integrity monitoring does not provide access to systems, only to files.

Answer 36

Role separation involves dividing server duties amongst two or more servers to reduce an attack profile. For example, if a server running the Active Directory, DNS, and DHCP roles went down, all those services would be unavailable. If, on the other hand, Server A hosted Active Directory, Server B hosted DNS, and Server C hosted DHCP, an attack that brought Server B down would not affect the other services. Role separation does not affect the levels of access granted to a system.

Answer 37

A demilitarized zone (DMZ) provides mitigation by placing two firewalls in the network. Critical servers such as email servers and web servers are placed between the two firewalls. A DMZ imposes more restrictions to access, not fewer restrictions. A demilitarized zone (DMZ) is an isolated subnet on a corporate network that contains resources that are commonly accessed by public users, such as Internet users. The DMZ is created to isolate those resources to ensure that other resources that should remain private are not compromised. A DMZ is usually implemented with the use of firewalls.

Answer 38

The most likely valid reason for moving servers that contain confidential information onto a demilitarized zone (DMZ) is compliance with federal and state regulations. Placing the servers that contain confidential information onto a DMZ will not isolate all confidential transactions because all users on the other subnets will still need to access the confidential information. Placing the servers that contain confidential information onto a DMZ will not encrypt all the confidential transactions. This would require that you employ data encryption while data is at rest and as it is transmitted. Placing servers that contain confidential information onto a DMZ will not improve bandwidth for all confidential information transactions. As a matter of fact, because the servers will be isolated on a separate network, transactions with those assets may actually cause performance to degrade. Any transactions would need to cross the firewall into the DMZ, thereby slowing does the transaction speed.

Answer 39

Remote Authentication Dial-In User Service (RADIUS) provides centralized remote user authentication, authorization, and accounting. RADIUS is defined by RFC 2138 and 2139. A RADIUS server acts as either the authentication server or a proxy client that forwards client requests to other authentication servers. The initial network access server, which is usually a VPN server or dial-up server, acts as a RADIUS client by forwarding the VPN or dial-up client's request to the RADIUS server. RADIUS is the protocol that carries the information between the VPN or dial-up client, the RADIUS client, and the RADIUS server. The centralized authentication, authorization, and accounting features of RADIUS allow central administration of all aspects of remote login. The accounting features allow administrators to track usage and network statistics by maintaining a central database.

Answer 40

The advantage of using 802.1x security over 802.11 Wired Equivalent Privacy (WEP) in a wireless local area network (WLAN) is that 802.1x security generates dynamic encryption keys. Two types of security standards can be implemented in a WLAN: 802.11 WEP and 802.1x security standards. The 802.11 security standard uses WEP keys for securing the data transferred over WLANs. You can configure either 40-bit or 128-bit static WEP keys for security over WLANs. The 802.1x security standard uses various authentication types based on the Extensible Authentication Protocol (EAP). These include the following: EAP-LEAP: Uses username and static password for authentication. EAP-TLS: Uses digital certificates for authentication. EAP-PEAP: Uses digital certificate, username, and static password or one-time passwords for authentication. The 802.1x security standard supports RADIUS server-based authentication, which provides centralized authentication, authorization, and accounting (AAA) service. RADIUS and 802.1x can be used to authenticate remote workers who connect from offsite.802.1x security also supports Network Access Control (NAC), also called Network Admission Control. This feature, offered by some authentication servers, can check device characteristics prior to allowing access to the network. Characteristics that can be checked include operating system version, antivirus software version, and so on. An administrator configures that NAC server to deny or allow access based the configuration baseline. A posture assessment is performed on the client computer to ensure that it meets the configuration baseline. A posture assessment can examine Windows registry settings antivirus software, Active Directory membership, and other settings.

Answer 41

Physical security limits access to the physical components of a network. Of the choices listed, the use of security badges is a method of providing physical security for a corporate network because only individuals with valid badges are allowed on company premises or in particular company areas.

Answer 42

For the Network+ exam, you must understand the following physical security controls: Mantraps or access control vestibules − a set of double doors usually monitored by a security guard. Only one person is allowed to enter the second set of doors when buzzed in by the security guard or by scanning their identification card. Network closets − All networking devices, including routers and switches, should be protected from public access by placing them in locked closets or rooms. Video monitoring − Video monitoring, including IP cameras and closed-circuit television (CCTV), records all activities that occur in the monitored areas. If tapes or DVDs are used, you should have a regular replacement schedule. A system that uses some sort of hard drive is a better option because it will allow more storage. In most cases with video monitoring, once the recording medium fills, new recorded data will overwrite older recorded data. So consider carefully any repercussions of any system you may use. Door access controls − Door access controls include any mechanism that is used to ensure that only authorized personnel can enter through a specific door. The most popular door access control is a lock with a key. However, you can also use keypads or cipher locks, which allow you to periodically change the entry code and may even allow you to issue different codes to personnel to allow you to track entry and exit. Proximity readers/key fob − requires the use of some sort of proximity or smart card to enter the building or data center. Preventing access to a user with a valid card is as simple as disabling that user's card. Biometrics − uses some sort of physical or behavioral characteristic to allow access. Users may scan their iris, retina, fingerprint, or some other physical characteristic. Behavioral versions require the user to input a certain pattern, write a certain phrase, or even input a certain phrase.

Answer 43

You should prevent downloads on a honeypot. Allowing downloads on a honeypot is a possible example of entrapment if it is used to make formal trespassing charges. Entrapment occurs when a hacker is tricked into performing an illegal activity. Entrapment is illegal. Opening port and services and allowing Web browsing on a honeypot are not examples of entrapments. They are enticements. Enticement allows the administrator to monitor activity to increase security and perhaps trace the attack. Enticement is legal. A honeynet is a group of honeypots that work together.

Answer 44

Need to know and least privilege affect the design of access control lists (ACLs). The need to know principle ensures that subjects are only given access to objects they require to complete their duties. The least privilege principle ensures that subjects are given the minimum level of access permissions they require to complete their duties. The concept of least privilege is based on the idea of zero trust. Zero trust is a security best practice of always assuming that someone who is attempting to gain access to or is already within the network is going to engage in malicious activity of some kind. The main principles of the Zero Trust model are to always verify users and data explicitly, always assume a breach can occur within your network, and utilize least privilege to minimize malicious insiders or compromised accounts. ACLs for files usually allow or deny access to the file based on permission configured for user or group accounts. ACLs on devices, such as routers, firewalls, and so on, usually allow or deny access to the device based on MAC filtering, IP filtering, or port filtering. MAC filtering is based on the MAC address of the client's network interface card (NIC). IP filtering is based on the IP address of the client's NIC. Port filtering is based on the port being used. Restricting access via ACLs is one of the most common security controls used.

Answer 45

Kerberos and SESAME are two authentication protocols that affect the design of the authentication process. Both of these protocols allow single sign-on, which means that users only login once. When designing ACLs, you should keep in mind that the default level of security should be no access. In your security design, what is not explicitly allowed should be implicitly denied.

Answer 46

A significant increase in network traffic, often referred to as a traffic spike, might indicate that a network is undergoing a denial-of-service (DoS) attack, which occurs when a hacker floods a network with requests. Virtualization can help to prevent DoS attacks. Performance baselines can help to determine if you are undergoing a DoS attack. A DoS attack prevents authorized users from accessing resources they are authorized to use. An example of a DoS attack is one that brings down an e-commerce Web site to prevent or deny usage to legitimate customers. A significant decrease in traffic might indicate a problem with network connectivity or network hardware, or it might indicate a non-DoS hacker attack. Networks with slightly fluctuating traffic levels are probably operating normally.

Answer 47

This scenario is an example of war chalking. War chalking originally occurred when hackers wrote SSID and security information on the side of buildings. This attack has steadily evolved to the point where hackers are now publishing this information on Web sites. WEP cracking is the process of cracking WEP security. WPA cracking is the process of cracking WPA security. War driving is also a wireless attack. However, with war driving, attackers drive around and attempt to discover wireless networks that are transmitting. An evil twin attack occurs when a wireless access point that is not under your control is used to perform a hijacking attack. An evil twin is a type of rogue access points. You should periodically perform a site survey to discover rogue access points. Rogue access points can be connected to either the wired or wireless network.

Answer 48

Vulnerability scanning looks for areas that are candidates for exploitation (weak spots) in networks, operating systems, applications, and equipment. Vulnerability scans can also identify the effectiveness of in-place systems designed to prevent those exploits. Another useful tool that can be used during vulnerability scanning is a Common Vulnerabilities and Exposures (CVE) system. This system acts as a reference model for all publicly known information-security vulnerabilities and exposures. This system can identify the severity levels of vulnerabilities found in a network and provide remediation tactics to minimize their impacts.

Answer 49

Asset tags, also referred to as asset tracking tags, can be labels with barcodes or QR codes, or can include radio frequency identification (RFID) chips that provide electronic tracking. Asset tracking tags are used to assign a number to particular piece of equipment (an asset) and use that number to monitor where the asset is. They can be used in conjunction with geolocation and geofencing.

Answer 50

The company has suffered a social engineering attack, in which a hacker poses as a company employee or contractor to gain information about a network from legitimate company employees. A hacker typically uses social engineering to gain user names and passwords or sensitive documents by non-technical means, such as posing as an employee or dumpster diving. A company can help protect itself from a social engineering attack by requiring employees to attend security awareness training, which is one of the most neglected aspects of network security.

Answer 51

For the Network+ exam, you also need to understand the following attacks: Session hijacking − takes over a Web session by surreptitiously obtaining the session ID and masquerading as the authorized user. VLAN hopping − send packets to a switch port which is generally not accessible. The attacker then attempts to change the security settings that are in place. If an attacker connects to an unused Voice over IP (VoIP) phone port to gain unauthorized access to a network, VLAN hopping has occurred. Compromised system − a system that has been the victim of an attack. The types of compromised systems vary greatly based on the type of attack that has occurred. Compromised systems should be isolated until the security issues can be removed. An example of this is when packet analysis reveals that multiple GET and POST requests from an internal host to a URL without any response from the server. Insider threat/malicious employee − a common attack that is carried out by personnel that has legitimate network access. These are often the hardest to detect because valid credentials are used. Zero-day attacks − occurs when a security issue that is unknown to the device or application vendor is exploited prior to a security update being issued. ARP cache poisoning − occurs when an attacker sends Address Resolution Protocol (ARP) messages to a network to associate the attacker's MAC address with the IP address of another host, such as the default gateway. This will cause traffic meant for that IP address to be sent to the attacker instead Packet/protocol abuse − occurs when an attacker attempts to exploit the protocols or packets that are transmitted over a network.

Answer 52

Of the choices presented, you should use Point-to-Point Protocol (PPP) to establish a connection between the Point-to-Point Tunneling Protocol (PPTP) server in Los Angeles and the PPTP server in Paris. You can use PPP to transmit TCP/IP network communications over point-to-point connections. PPP can also be used to transmit other network protocols, such as Network Basic Input/Output System Extended User Interface (NetBEUI) and Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX). PPP supports error checking and automatic configuration of network protocol parameters. Multilink PPP is a communications protocol that enables a computer to use two PPP ports to provide greater bandwidth. PPTP is an extension of PPP that was created by Microsoft to establish virtual private network (VPN) connections. To create a VPN connection between the two computers in this scenario, you should first establish a PPP connection between the PPTP server in Los Angeles and the PPTP server in Paris. Then, you should establish a PPTP connection through the PPP connection. Note that PPP is not used to establish a VPN connection. PPP acts as a carrier for PPTP, which is used to establish a VPN connection. Serial Line Internet Protocol (SLIP) is an older point-to-point protocol that enables the transmission of TCP/IP communications over a serial connection. SLIP only supports TCP/IP, and SLIP does not support error checking or automatic configuration of network protocol parameters. You cannot use SLIP to establish a VPN connection. Hypertext Transfer Protocol (HTTP) is used to transmit Web pages. Telnet is used to establish a console session with a remote host on a TCP/IP network. You cannot use HTTP or Telnet to establish a VPN connection.

Answer 53

Believable language is typically used to conceal the nature of a social engineering attack. An example of a social engineering attack is an e-mail hoax that is written in such a way that it causes non-technical users to panic because they think their computers have been compromised by a virus. E-mail hoaxes typically use company names and technical language that are designed to dupe non-technical users into believing the hoax. Phishing is a special type of social engineering attack that relies on deception and misinformation. A social engineering attack involves acquiring information by means of an e-mail, phone call, or some other method. Social engineering attacks are successful largely as a result of users' good intentions. Users want to warn others, so they forward the e-mail message that contains the fraudulent virus warnings to others. A social engineering attack can create heavy bandwidth loads on networks while users are replicating the message. Some social engineering attacks identify key system files as viruses and direct users to delete these files. Virus warnings contained in unsolicited e-mail messages should be verified with virus authorities, such as McAfee or Symantec, before those warnings are heeded. Encryption is not typically used to conceal the nature of a social engineering attack.

Answer 54

Geofencing allows an administrator to geographically define the boundaries of wireless access. It is particularly useful if the organization does not want individuals outside the building to have wireless access. Global Positioning System (GPS) or Radio Frequency Identification (RFID) data from the client device is used to request access to the authentication server. If the client device is within the defined boundaries, it will be granted access.

Answer 55

This is most likely the result of a ping of death attack. In a ping of death attack, a system or network is flooded with ICMP packets larger than 65,536 bytes. You can prevent this type of attack by not allowing ICMP messages from outside your network.

Answer 56

This scenario is not the result of backdoor access, also referred to as improper access. Backdoor access is usually obtained through using a backdoor utility or by using some built-in developer hook in an application that allows developers to circumvent normal authentication. It is often very hard to detect backdoor access. Companies should track the open-source projects that enter their network from external untrusted sources, such as open-source code repositories, and should rapidly respond to any backdoors discovered.

Answer 57

This scenario is not the result of ARP issues. This is often accomplished by poisoning the ARP cache of computers. ARP poisoning can also be referred to as man-in-the-middle (MITM) attacks. You can use dynamic ARP inspection at routers to help mitigate this issue. Dynamic ARP inspection is a security tool that can be utilized to reject malicious or invalid ARP packets from engaging with the network

Answer 58

Misconfigured firewall − allows vulnerabilities to be exposed, giving attackers the opportunity to exploit the firewall itself or the internal and DMZ devices the firewall was intended to protect. You should never allow all traffic into your internal network from the outside untrusted network. In addition, disable or remove any default accounts. If possible, configure the firewall to send alerts any time a configuration change has occurred. This would ensure that you would know that a configuration change has occurred and allow you to verify if the change was valid or carried out by an attacker.

Answer 59

Misconfigured ACLs/applications − allows vulnerabilities to be exposed, giving attackers the opportunity to exploit applications or entities protected by the access control list (ACL). Disable or remove any default accounts in applications. Make sure that ACLs are not configured to allow all. ACLs should default to deny for all accounts not given access.

Answer 60

Denial of service (DoS) − occurs when a server is flooded with traffic with the intent to shut down the server. In most cases, upgrading your devices and applications with the latest service packs or updates will prevent these attacks.

Answer 61

Open/closed ports − allows or denies network access to specific types of traffic based on the port used. You should disable all ports that you are not using. Remember any open ports are avenues of attack.

Answer 62

ICMP related issues − includes ping of death and unreachable default gateway. Most companies simply deny any ICMP from external networks.

Answer 63

Unpatched firmware/OSs − allows vulnerabilities to be exposed, giving attackers the opportunity to exploit the unpatched device or computer. Make sure that all patches, security updates, hotfixes, and service packs are deployed in a timely manner to all affected systems.

Answer 64

Malicious users − includes both trusted and untrusted users. Often malicious users will use packet sniffing utilities to obtain information about the network to enable attackers to carry out attack. Auditing can help mitigate this issue.

Answer 65

Authentication issues − includes TACACS/RADIUS misconfigurations and default passwords/settings. Terminal Access Controller Access-Control System (TACACS) is a TCP-based protocol used to communicate with an authentication, authorization, and accounting (AAA) server. Remote Authentication Dial-In User Service (RADIUS) is a UDP-based protocol used to communicate with a AAA server. Because TACACS and RADIUS only handle the authentication of remote users, the TACACS/RADIUS server isn't configured correctly only if valid users are not authenticated or if invalid users are authenticated. When it comes to default passwords, you should disable all default passwords on any authentication servers. Default settings should also be changed. Changing default passwords and settings will help to ensure that attackers cannot use these defaults to breach the network.

Answer 66

Banner grabbing/OUI − A banner is the text that is embedded with a message that is received from a host. Usually this text includes signatures of applications that issue the message. Banner grabbing is a fingerprinting technique that relies on morphed or empty TCP packets that are sent over to a target machine. Telnet, Netcat, Nmap and other tools can be used to carry out banner grabbing. First you need to thoroughly analyze what information is leaked. Set up your services properly. Default settings are always insecure. Turn off all the features and services that are unnecessary.

Answer 67

Domain/local group configurations − Groups are often used as part of any security configuration. Users are placed into group, and groups are given access to resources. You should periodically audit groups and ensure that their permissions are appropriately configured.

Answer 68

Jamming − Jamming compromises the wireless environment. It works by denying service to authorized users as legitimate traffic is jammed by the overwhelming frequencies of illegitimate traffic.

Answer 69

Legacy systems would be best isolated on a separate network segment. Network segmentation limits the exposure of these systems and reduces the attack surface by limiting it to only specific groups of users. In addition, you could configure the legacy systems so that they can only be accessed remotely using secure shell (SSH) or some other secure remote access technology. It is not necessary to isolate any of the other listed systems on a separate network. Kerberos, Remote Authentication Dial-In User Service (RADIUS), and Voice over Internet Protocol (VoIP) are designed to be implemented on corporate networks without segmenting them from regular network traffic.

Answer 70

The most common form of identification and authentication is user identification with reusable password. User identifications (IDs) and passwords are something a user knows. Biometrics, while not the most common form of identification and authentication, is more secure than using user identification and passwords. Biometrics is something you are. A fingerprint, for instance, would be more secure than a password, because your fingerprint will never change. Smart cards, which are something you have, are not commonly implemented because of expense. However, they are more secure than using user identification and passwords. Smart cards are a Type 2 authentication factor. Both smart cards and biometrics are forms of physical access control devices. These are designed to control who can gain physical access into a facility or to a specific area within a building. Two-factor authentication must include two of the following three categories: something you know (Type I), some you have (Type II), or something you are (Type III). Two-factor authentication is not as common as using user identification and passwords. An example of two-factor authentication would be using a password and a smart card. Multifactor authentication uses all three authentication mechanisms. An example of multifactor authentication would be using a password, a smart card, and a retina scan for authentication. Using a username and password is not two-factor authentication because they are both a Type I authentication mechanism. In some cases, companies also include a third factor, which can be somewhere you are or something you do. Somewhere you are verifies your location based on GPS coordinates or on the device from which you are using. Something you do asks you to complete a task, like performing verification on a different device or entering a PIN from an automated process. Passwords are considered the weakest authentication mechanism. Pass phrases are somewhat stronger because of their complexity. When assessing identification and authentication controls, it is good to maintain a list of authorized users and their approved access levels. A password policy should be implemented that forces users to change their passwords at predefined intervals. User accounts should be terminated when employment is terminated, or suspended while the user is on vacation or leave. Account lockout policies can ensure that unsuccessful login attempts will eventually result in an account being locked out.

Answer 71

You should deploy a VLAN. This type of network can be used to ensure that internal access to other parts of the network is controlled and restricted. A VLAN is usually created using a switch. VLANs provide a layer of protection against sniffers and can also decrease broadcast traffic. Creating a VLAN is much simpler than using firewalls or implementing a virtual private network (VPN). Whenever implementing a VLAN, organizations should consider making it private. A private VLAN is a type of VLAN where a VLAN is created with ports that are restricted so they can only communicate with given uplinks.

Answer 72

Diameter was created to deal with Voice over IP (VoIP) and wireless services. It was created to address new technologies that RADIUS was not designed to handle. Although Diameter was designed to be backward compatible with RADIUS, some RADIUS servers have trouble working with Diameter servers. A RADIUS server provides authentication, authorization, and accounting (AAA). The server may also be referred to as a AAA server. Terminal Access Controller Access Control System (TACACS) is the CISCO implementation of RADIUS. TACACS is the first generation and combines the authentication and auditing process. XTACACS is the second generation and separates the authentication, authorization, and auditing processes. TACACS+ is the third generation and provide all the features of XTACACS along with extended two-factor user authentication. TACACS+ adheres to AAA via a centralized database and can service multiple routers and switches. TACACS+ also allows challenge/response and password encryption.

Answer 73

You should check for driver updates. Periodically, vendors may release new features for their products. For network cards, these new features are part of the driver software. You should not check for operating system updates. Operating system updates may include new operating system features, but the user is requesting new network card features. These are usually offered as part of a new device driver. You should not check for firmware updates. Firmware is used for routers, switches, mobile phones, and computers. They are not used for network cards. You should not upgrade the operating system. The new network card features are part of the device driver software, not the operating system.

Answer 74

You should deploy a test lab to prevent issues with any future updates. All service packs and other updates will be deployed in the test lab first. If they do not cause any issues, you can then deploy the service packs or updates in the live environment. You should not deploy a guest network. This type of network is used by guests when they visit your company and allows you to isolate guest access from the internal network. You should not deploy system restore on all computers. While deploying system restore on all computers is a good measure, this does not prevent issues with any future updates. It will just provide a recovery mechanism that can roll back any computers on which it is installed to a previous state. You should not deploy updates from a central server. This is often deployed on large networks to make security packs and updates easier to deploy. However, it doesn't prevent issues with any future updates.

Answer 75

Training employees about proper licensing and use of an organization’s software and hardware includes the following: To prevent unauthorized or improper consumption of licenses To avoid liability from violating license rules or restrictions To comply with license restrictions or limitations To practice good organizational ethics and governance While promoting minimal consumption of licenses can be good for the bottom line, it has nothing to do with honoring or disregarding licensing restrictions. Minimal licensing consumption is usually an IT department issue, not an issue for other employees. Making effective use of automated license management can check to ensure that licensing restrictions are observed and complied with, but has nothing to do with honoring or disregarding them. Automated licensing is usually an IT department issue.

Answer 76

Media Access Control (MAC) filtering allows the administrator to restrict device access to the network based on the MAC address associated with the Network Interface Card (NIC) on that device. The administrator can set up a permission list (filter) on the router where only devices with specific MAC addresses are allowed on the network. A MAC address is uniquely associated with a NIC, and is analogous to a Vehicle Identification Number (VIN) on an automobile. In essence, the MAC address is the serial number of the NIC.

Answer 77

Temporal Key Integrity Protocol-Rivest Cipher 4 (TKIP-RC4) is an encryption method that was designed to provide security enhancements to wireless networks using WEP. WEP was an extremely weak encryption standard. TKIP added a key distribution method whereby each transmission had its own encryption key, an authentication method to verify message integrity, and an encryption method called RC4 (Rivest Cipher 4). WEP is based on RC4, but was poorly designed and used a too-short IV of only 24 bits instead of the standard 64 bits used by RC4.

Answer 78

A virus is malicious software (malware) that relies upon other application programs to execute and infect a system. The main criterion for classifying a piece of executable code as a virus is whether it spreads itself by means of hosts. The host could be any application or file on the system. A virus infects a system by replicating itself through application hosts. Viruses usually include a replication mechanism and an activation mechanism designed with a particular objective in mind. Some of the different types of viruses are: Compression virus: It decompresses itself on execution but otherwise resides normally in a system. Viruses usually spread via infected disks (such as floppy disks, CDs, and removable disks), through e-mail, or via infected programs. Executable files should be filtered from e-mail to prevent virus propagation. If you receive an e-mail regarding the transmission of a virus, you should contact your system administrator to see if the e-mail is valid and find out any steps you should take. The systems administrator should investigate the validity of the e-mail. Virus hoaxes can create as much damage as real viruses because the hoaxes result in forwarded e-mails that clog systems, and can result in confidential information being disclosed. The standard security best practices for mitigating risks from malicious programs, such as viruses, worms and Trojans, include implementing antivirus software, using host-based intrusion detection system, and setting limits on application sharing and execution. A worm does not require the support of application programs to be executed and is a self-contained program capable of executing and replicating on its own. Typically, a worm is spread by e-mails, transmission control protocols (TCP's), and disk drives. Worms replicate on their own. A worm can distribute itself without having to attach to a host file. A logic bomb implies a dormant program that is triggered following a specific action by the user or after a certain interval of time. The primary difference between logic bombs, viruses, and worms is that a logic bomb is triggered when specific conditions are met. An example of a logic bomb is a program that starts deleting files when a certain user ID is deleted. A Trojan horse is malware that is disguised as a useful utility, but has malicious code embedded. When the disguised utility is run, the Trojan horse performs malicious activities in the background and provides a useful utility at the front end. Trojan horses use covert channels to perform malicious activities, such as deleting system files and planting a back door into a system.

Answer 79

Stealth virus: It hides the changes it makes as it replicates. Stealth viruses often intercept disk access requests.

Answer 80

Self-garbling virus: It formats its own code to prevent antivirus software from detecting it.

Answer 81

Polymorphic virus: It can produce multiple operational copies of itself.

Answer 82

Multipart virus: It can infect system files and boot sectors of a computer system.

Answer 83

Macro virus: It generally infects the system by attaching itself to MS-Office applications.

Answer 84

Boot sector virus: It infects the master boot record of the system and is spread via infected floppy disks

Answer 85

Compression virus: It decompresses itself on execution but otherwise resides normally in a system.

Answer 86

Counter Mode with Cypher Block Chaining (CBC) Media Access Control Protocol − Advanced Encryption Standard (AES-CCMP) provides greater security over wireless networks through CBC MAC, ensuring that incoming packets are indeed coming from the stated source. It also provides fast encryption using AES, which encrypts blocks of data instead of individual bits. In a wireless network, a preshared key (PSK) is an encryption method used with WPA Personal or WPA2 personal. PSK is appropriate for small office-home office (SOHO) networks. A user will request access to the wireless network, supply a passphrase, which is then used with the Service Set Identifier (SSID) to generate a unique encryption key. PSK is not as secure as AES-CCMP.

Answer 87

Username and password is not an example of multifactor authentication. Because both of these factors are something you know, a single factor of authentication is used here. All of the other options are considered multifactor authentication because they include authentication factors of two different types. Multifactor authentication combines two or more of the following: Something you know is the most common type of authentication. Passwords, personal identification numbers (PINs), mother’s maiden name, color of your first car, the name of your first boss, and the name of your favorite teacher are all examples of something you know. Authentication by something you have would be implemented using an item that you have in your possession, such as a smart card, key fob, or USB dongle. Something you are would be biometric authentication. Fingerprints, iris and retina scans, and even voice-prints can be used to authenticate your identity. Somewhere you are provides location-based authentication. There are several ways to do this, including getting the GPS coordinates of a cell phone, the location of a cell tower, or an IP address. For example, a company can examine an incoming IP address. If it is identified as originating in a foreign country, authentication fails. Something you do is based on the way you perform a particular action. One example is keyboard cadence or the way you type a word or phrase. Signature dynamics is another example of something you do. Even if an attacker guesses your password, he or she will not be able to type or write it in the exact same manner that you do.

Answer 88

With the greatest powers to create, configure and manage systems and security, privileged users make the rules and set the conditions that all other users must follow on systems and networks. This calls for extreme care, constant vigilance, and respect for ethics, confidentiality, and the responsibilities of the role. Not even privileged users should be able to obtain account and password information from another user at will. Personnel must be trained to never give their credentials to anyone. All of the other options are appropriate regarding privileged accounts. The basic rule of privileged access is that only those who take responsibility for their actions and agree to the privileged user agreement, referred to as a Privileged User Agreement (PUA), will be granted such access. Privileged access may only be used to perform assigned job duties. This statement enunciates the principal that privileged access is a duty to be carried out in strict accordance with the requirements of the job at hand, as well as in compliance with best security practice, ethics, and good governance. By documenting all actions that privileged users undertake, they may be held to account for their privileged actions at any time. Transparency is the key to proper security. Use of privilege to establish, alter, or deny access, privileges, or resources for others should occur in keeping with the dictates of the job and one's employer's instructions, in keeping with best security practice, ethics, and good governance. Privileged users should understand and accept the consequences of their uses of privilege and fully understand the potential for loss, damage, or harm that can follow in the wake of errors or mistakes.

Answer 89

Video surveillance can serve as a deterrent, an authentication method, or documentation. It is important to choose the right type of equipment for the business environment. For example, do you need infra-red cameras for low-light situations? Do you need motion detection that would only activate recording when there is movement? How many cameras do you need? How would you place them to provide sufficient coverage and eliminate blind spots? Video surveillance is usually considered a detective physical security control. By saving and storing the information recorded, it acts as documentation.

Answer 90

A firewall is used to create a demilitarized zone (DMZ). A DMZ is a zone located between a company's internal network and the Internet that usually contains servers that the public will be accessing. The DMZ implementation provides an extra security precaution to protect the resources on the company's internal network. Usually two firewalls are used to create a DMZ. One firewall resides between the public network and DMZ, and another firewall resides between the DMZ and private network. All publicly accessible servers should be placed on the DMZ, including servers that personnel must remotely access.

Answer 91

A firewall is used to create a demilitarized zone (DMZ). A DMZ is a zone located between a company's internal network and the Internet that usually contains servers that the public will be accessing. The DMZ implementation provides an extra security precaution to protect the resources on the company's internal network. Usually two firewalls are used to create a DMZ. One firewall resides between the public network and DMZ, and another firewall resides between the DMZ and private network. All publicly accessible servers should be placed on the DMZ, including servers that personnel must remotely access. A router is used to create individual subnetworks on an Ethernet network. Routers operate at the Network layer of the OSI model. While a firewall can also be a router, it is referred to as a firewall when it functions to create a DMZ. An active hub is used to connect devices in a star topology. An active hub has circuitry that allows signal regeneration. A passive hub connects devices in a star topology, but it does not provide any signal regeneration.

Answer 92

A patch should be installed on a server after it has been tested locally on a non-production server and by the computing community. A security patch is a major, crucial update for the OS or product for which it is intended, and consists of a collection of patches released to date since the OS or product was shipped. A security patch is mandatory for all users, addresses a new vulnerability, and should be deployed as soon as possible. Security patches are usually small. Patch management is a critical part of ensuring that your network is secure. If you do not install the latest patches, security updates, and service packs, your network can be compromised. You should make sure to test all service packs, security updates, and hotfixes in a test lab before deploying them in the live environment. This will ensure that any issues with the updates are detected BEFORE live deployment and can prevent possible downtime. This is also important when a vendor releases an updates or new version of a Web-based application. Always test the software in a test lab first.

Answer 93

OS updates − Operating system (OS) updates come in many forms. Service packs are usually fully tested by the vendor and contain all updates and hotfixes since the last service pack. Hotfixes are released to fix an urgent issue and are not tested as stringently as service packs. Other updates can be released periodically to fix minor issues and are usually tested a bit more than hotfixes, but not as much as service packs. However, you should still test any OS updates in a lab environment BEFORE you deploy them in the live server and client computers.

Answer 94

Driver updates − Driver updates are released by device or component vendors, including video cards and network cards. Make sure to install the driver that is appropriate for your OS version.

Answer 95

Feature changes/updates − Feature changes or updates are released by OS and application vendors to provide users with additional functionality. Only deploy those features that your users need, because the features will require storage space.

Answer 96

Major vs minor updates − While both major and minor updates should be deployed, you should read the documentation that comes with the update to see if your organization considers it to be major or minor. What the vendor may consider major, the vendor may only consider minor. Deploy any major updates as quickly as possible.

Answer 97

Vulnerability patches − A vulnerability patch is usually a security patch. These patches are usually very important to prevent security breaches or exploitation of the vulnerability.

Answer 98

Upgrading vs downgrading − Upgrading is the process is installing the next version of an OS or application. Downgrading is the process of reverting to a previous version of an OS or application. If available with your operating system, you should some sort of system restore program to create a savepoint before you install a new OS or application version. This will allow you to easily revert back to the previous version using the savepoint you created.

Answer 99

Configuration backup − A full backup is suggested before you install any patches, hotfixes, service packs, new OS versions, or any other update. However, many OSs now offer a system restore program that will create savepoints. This process is usually much faster than a full backup. Also, restoring a savepoint is much quicker when compared to the restore time of a backup.

Answer 100

Motion detection sensors could be used to trigger an alarm in the event of unauthorized entry into a room or building. Motion detection is the process of installing security devices that would detect movement and set off an alarm, create an alert, or even trigger video recording. For example, if a business is closed over the weekend, the business can set up a motion detection system to detect unauthorized activity in the premises during the closed period. Motion detection, video surveillance, asset tracking tags, and tamper detection are all considered to be physical security detection devices. They detect when a security event has occurred.

Answer 101

Tamper detection involves implementing a method to determine if something has been altered without authorization. The method could be something as simple as a seal over a door. If the seal is broken, the door has been opened. Tamper detection can also be used in surveillance cameras. If a camera is struck (changing its field of view) or no longer transmitting, an alert can be sent to the monitoring console indicating that the camera has been tampered with. Tamper detection is commonly used on computer cases so that technicians can detect if the case has been opened. Most tamper detection is manual and does not provide any mechanism where an alarm is triggered.

Answer 102

Asset tracking tags are used to assign a number to particular piece of equipment (an asset) and monitor where the asset is. Asset tags can be labels with barcodes or QR codes, or be equipped with radio frequency identification (RFID) chips that provide electronic tracking. Asset tags can be used with geofencing to prevent devices from leaving a certain area, or with geolocation to ensure that the asset can be located within a certain area. However, an asset tracking tag would not detect motion within a facility.

Answer 103

The best solution is to deploy a Multiprotocol Label Switching Layer 3 (MPLS L3) virtual private network (VPN). This will allow all offices to connect to the same single-routed network and connect directly to the cloud.

Answer 104

For the Network+ exam, you will also need to understand the difference between a split tunnel and a full tunnel. A spilt tunnel divides internet traffic and sends some it through an encrypted VPN tunnel and routes the other data through a different tunnel separately on an open network. The purpose of a split tunnel is to allow a user to chose which applications will be secured and which can connect normally. A full tunnel differs in that all information is sent through an encrypted tunnel while utilizing the VPN. While this is a less risky option, it is also more costly.

Answer 105

Changing default credentials is important for router and switch security, particularly with SOHO routers. Default credentials are published by the router manufacturers, and an easy search using the router model number will provide you (and an attacker) with the information needed to reconfigure the router. Changing the default credentials is an essential step in securing your network. While the other options can harden the router, the first and most crucial step is to change the default credentials because they are widely known and can be used by attackers.

Answer 106

Distributed denial-of-service (DDoS) attacks are an extension of the denial-of-service (DoS) attack. In DDoS, the attacker uses multiple computers to target a critical server and deny access to the legitimate users. The primary components of a DDoS attack are the client, the masters or handlers, the slaves (or bots), and the target system. The initial phase of the DDoS attack involves using numerous slaves and planting backdoors in the slaves that are controlled by master controllers. Handlers are the systems that instruct the slaves to launch an attack against a target host. Slaves are typically systems that have been compromised through backdoors, such as Trojans, and are not aware of their participation in the attack. Masters or handlers are systems on which the attacker has been able to gain administrative access. The primary problem with DDoS is that it addresses the issues related to the availability of critical resources instead of confidentiality and integrity issues. Therefore, it is difficult to detect DDoS attacks by using security technologies such as SSL and PKI. To detect the use of zombies in a DDoS attack, you should examine the firewall logs. A botnet is a form of command and control network. Command and control refers to the process in which an attacker establishes a connection to a compromised asset and begins using that asset to start taking control over a network.A command-and-control server will control a botnet, which consists of multiple bots, or compromised devices. Both zombies and botnets can be used in a DDoS attack. A traditional DoS attack might not disrupt a critical server operation, but a DDoS attack can overwhelm the server with multiple requests until it ceases to be functional. Trinoo and tribal flow network (TFN) are examples of DDoS tools.

Answer 107

A land attack involves sending a spoofed TCP SYN packet with the target host's IP address and an open port as both the source and the destination to the target host on an open port. The land attack causes the system to either freeze or crash because the computer continuously replies to itself

Answer 108

Reflective/amplified − uses potentially legitimate third-party component to send the attack traffic to a victim, hiding the attackers' identity. The attackers send packets to the reflector servers with a source IP address set to their victim's IP, indirectly overwhelming the victim with the response packets. Domain Name System (DNS) and Network Time Protocol (NTP) servers are particularly susceptible to this attack.

Answer 109

Smurfing − a DDoS attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address. The target of the attack is flooded with packets, causing performance to decline.

Answer 110

Physical attack − an attack where an attacker attacks a device in such a way as to permanently put it out of commission. Also referred to as permanent DoS, this attack may involve affecting the firmware or infecting the device with malware.

Answer 111

In the case of local authentication, the credentials are stored on the device being used (a local device), not on a remote server. Local authentication is accomplished by the user providing credentials (typically a user name and password) and verifying those credentials against a local database.

Answer 112

Kerberos is an authentication protocol that uses a third-party server (a key distribution center or KDC) to provide authentication between a client and a server. A client sends an authentication request to the KDC. The KDC contacts the Active Directory server, which authenticates the user and the user’s authorized groups. The KDC replies to the client with a ticket granting ticket (TGT) containing a session key and the groups authorized for the user. The TGT basically is a “proof of identity”. The client caches that TGT. If the client wants access to a server, the client sends the name of the server, the TGT, and an authentication key to the Active Directory server. The Active Directory server checks with the KDC to ensure the key’s validity and sends the client a service ticket to share with the server. The server validates the service ticket and grants access to the client. Again, this scenario first requires full network authentication.

Answer 113

A honeypot system is installed to entice potential attackers. A honeypot system is generally installed together with popular services and enabled ports behind a firewall in a demilitarized zone (DMZ). This system should be isolated to prevent it from hampering the operations of a protected network. The implementation of this system underlines the difference between the concepts of entrapment and enticement. Entrapment refers to inducing an intruder to commit an unintended crime. Enticement refers to the process of rendering a computer vulnerable to attacks by making popular ports and services available on the computer. A honeynet is an entire system or network of honeypots that are set up to entice attackers.

Answer 114

Penetration testing is used to assess a system's capability to resist an attack and to reveal any system or network vulnerability. Penetration testing, which is also called ethical hacking, is the vulnerability assessment procedure performed by security professionals after receiving the management's approval. Vulnerability assessments are designed to identify, quantify, and prioritize the various vulnerabilities that can be found within a network. These assessments are designed to make IT teams aware of the holes within their defenses so they can mitigate them. Ethical hackers use tools that have the potential to assess security flaws without exploiting the vulnerabilities in an organization's network infrastructure. The primary objective of penetration testing or ethical hacking is to assess the capability of the system to resist attacks and to reveal system and network vulnerabilities. Examples of penetration testing include war dialing, sniffing, and scanning.

Answer 115

A screened subnet is another term for a demilitarized zone (DMZ). Two firewalls are used in this configuration: one firewall resides between the public network and DMZ, and the other resides between the DMZ and private network. A DMZ is a separate network segment that contains Internet-accessible servers, which is separated from the Internet and the rest of the private network by a firewall. A system administrator would deploy a Web server on a DMZ if the Web server needed to be separated from other networked servers. The general standpoint behind a DMZ is that all the systems on the DMZ can be compromised because the DMZ can be accessed from the Internet. An e-mail server and FTP server could also be located on a DMZ. If you locate the e-mail server on the private network, you could place an e-mail proxy on the DMZ. An extranet is similar to a DMZ, but is only accessible to partners or clients. Firewall architectures include bastion hosts, dual-homed firewalls, screened hosts, and screened subnets.

Answer 116

The main purpose of a VPN concentrator is to terminate the VPN tunnels. The main purpose of a DNS server is to resolve host names and IP addresses. The main purpose of a DHCP server is to provide dynamic IP addresses. The main purpose of a proxy server is to manage Internet requests and cache Web content.

Answer 117

Remote Authentication Dial-In User Service (RADIUS) servers handle both authentication and authorization over UDP. RADIUS was originally designed for dial-up networking and validates the credentials of a remote user against a stored database. If the validation is successful, the user is granted access (authorization) to network resources. Terminal Access Controller Access Control System Plus (TACACS+) authenticates the credentials of a remoter user, typically an administrator. Unlike RADIUS, TACACS+ only provides authentication, not authorization. Lightweight Directory Access Protocol (LDAP) validates user credentials (typically a username and password) against a database stored in a Microsoft Active Directory server, OpenLDAP, or OpenDJ. LDAP runs over TCP. Single sign-on (SSO) allows a client to access multiple applications with a single set of credentials. As an example, once you log on to the network, those same credentials grant you access to email, a shared drive or other network resources and applications. SSO is a technology that may rely on several underlying authentication technologies. SSO on its own does not use UDP or TCP.

Answer 118

Security guard personnel are the most expensive countermeasure used to reduce physical security risks. The cost of hiring, training, and maintaining them can easily outweigh the benefits. Security guard personnel, in combination with other physical security controls and technical controls such as fences, gates, lighting, dogs, CCTVs, alarms, and intrusion detection systems, act as the first line of defense in maintaining the security of a facility infrastructure. Security guards are the best protection against piggybacking. Piggybacking is a physical cyber-attack where an unauthorized party gains access to the premises by following an authorized employee in the door as they open it. A similar social engineering attack to piggybacking is tailgating. Tailgating is when a malicious actor gains access to a restricted premises of an area by following after someone who has just opened a door to a restricted area.The main difference is that piggybacking occurs with the authorized user’s knowledge, while tailgating does not. Mantraps (also known as access control vestibules) also provide protection against piggybacking. The last line of defense is the remaining workforce of the company, excluding the security guards, in a layered security architecture. Personnel are an example of physical security controls and not administrative controls.

Answer 119

You should complete a vendor assessment. A vendor assessment is designed to evaluate and approve potential third-party vendors to ensure that the products that they are selling or providing are safe and secured to use. When contracting with another business, it is critical to understand who you may be working with, how secure they are, and what vulnerabilities may exist with their products, as those factors can have a significant impact on your own network security. A vendor assessment is a type of business risk assessment. A process assessment is considered to be a business risk assessment. During a process assessment, an organization will analyze the various process and policies that are in place and assess how secure these routines are. The goal of this assessment is to identify any protocols or policies that create unnecessary risk, such as weak off-boarding polices or weak device management policies. Routinely auditing your own organizations polices ensures that risks are being minimized and that polices remain up to date.

Answer 120

A threat assessment, a posture assessment, and a vulnerability assessment are all forms of a security risk assessment. In a threat assessment, an organization will determine the credibility and seriousness of a potential threat, as well as the threat’s likelihood of occurrence. Threats can be manmade, such as a malicious insider, or environmental, such as a flood or earthquake. Posture assessments are used to provide a detailed analysis of an organization’s current cybersecurity strength. Understanding how strong an organization’s defenses are critical to adequately estimating how exposed an organization may be to a cyber-attack. Vulnerability assessments are used to identify, quantity, and prioritize the various vulnerabilities within a network. All networks have vulnerabilities, and these assessments help determine where they are and what steps need/can be taken to minimize or remove them.

Answer 121

After a client is authenticated on a network that uses Kerberos 5, the client is granted a ticket-granting ticket (TGT). To ensure that tickets expire correctly, clock synchronization used in Kerberos authentication. In Kerberos, a client is granted a TGT from an Authentication Server (AS), which is sometimes referred to as a ticket granting Server (TGS). The client then sends its TGT to a Key Distribution Center (KDC), and the KDC sends a session key to the client. The client then uses the session key to gain access to resources on a Kerberos network. Because the KDC relies on a timestamp to determine the age of a request, a timestamp is included during key exchanges. If the timestamp is older than the allowed grace period for requests, then it is possible that a hacker intercepted the request. Therefore, a network that relies on Kerberos for authentication requires some type of time synchronization service for hosts on a network.

Answer 122

Implementing a separate guest network will provide improved security through isolation. Because the guest network is isolated, you can set up security controls to ensure that guests cannot communicate with the private corporate network. None of the other solutions are provided by the network segmentation. Link aggregation occurs when two links work together to provide better throughput. High availability through redundancy is ensured when redundant systems are implemented, such as redundant WAN links or redundant RAID arrays. Improved network performance for internal personnel cannot be ensured based on the implementation you have described. The only way to ensure improved network performance for internal personnel is to implement Quality of Service (QoS) or some other technology that allows you to regulate traffic.

Answer 123

Without a secure method of authenticating employees who do not have security key cards, the loss of a key card becomes a potential security risk. Placing photographs in employee records is a secure method of determining whether an employee who lost their key card should be allowed to enter the company office building. A security guard can access a digitized photograph and determine whether to allow an employee to enter the office building. A security guard is a physical security measure. The requirement than an employee sign a log book if they do not have a key card does not identify the employee as someone allowed to enter an office building. Allowing employees who have lost their key cards to enter a building where key cards are required for entry defeats the purpose of using key cards. Requiring a second key card to gain access to the data center offers additional limitations on access to company information stores, but does not address the immediate concern of authenticating the employee for entry into the office building.

Answer 124

You should be concerned with generating new keys. If a breach has occurred, and the attacker has managed to obtain the keys, generating new keys will keep the attacker from using the stolen keys again. Avoiding common passwords is critical to establishing basic security. Refrain from using dictionary words, names, numbers-only passwords, and keyboard patterns, like qwerty. In a recent NIST study, the most secure passwords are comprised of three to four random 10+ character words, such as “ElephantConstitutionInternationalConvention.” Disabling IP ports helps limit the type of traffic on your network, and also provides fewer dormant ports for hackers to exploit. As an example, if you do not want a PPTP VPN on your network, you should disable port 1723. File hashing is an excellent security measure to detect whether or not a file has been intercepted and altered. An algorithm is used to create a unique value (hash) based on the file’s contents. The recipient of the file uses the same algorithm to generate a hash. If the two hash values match, the file has not been altered. Examples of hash algorithms include MD5, SHA1, and CRC32.

Answer 125

The primary aim of security awareness training is to ensure that all employees understand their security responsibilities, the ethical conduct expected from them, and the acceptable use of an effective security program. It is important to understand the corporate culture and its effect on the security of the organization. User responsibilities for protection of information assets are defined in the organization's information security policies, procedures, standards, and best practices developed for information protection. Security awareness training may be customized for different groups of employees, such as senior management, technical staff, and users. Each group has different responsibilities and they need to understand security from a perspective pertaining to their domain. For example, the security awareness training for the management group should focus on a clear understanding of the potential risks, exposure, and legal obligations resulting from loss of information. Technical staff should be well versed regarding the procedures, standards, and guidelines to be followed. User training should include examples of acceptable and unacceptable activities and the implication of noncompliance. User training might be focused on threats, such as social engineering, which can lead to the divulgence of confidential information that may hamper business operations by compromising the confidentiality and the integrity of information assets. Staff members should particularly be made aware of such attacks to avoid unauthorized access attempts. End user awareness and training is the responsibility of management and should include training, policies, and procedures to ensure that organizational security is understood by all personnel. Before developing security awareness training, it is important that the corporate environment is fully understood. Let's look at an example. Suppose an organization notices that a large amount of malware and virus infections have occurred at one satellite office while there are hardly any at another almost identical office. If both sites are running the same company image and receive the same company group policies, then it is most likely that the office with the most incidents should have their end-user awareness training examined. End-user awareness training must be provided to all employees at all levels to provide the protection for the company.

Answer 126

You should deploy a centralized Windows Software Update Services (WSUS) server that will download and deploy the updates and deploy a group policy that ensures that all servers and clients obtain their updates from the centralized server. The WSUS server will download all the updates needed for clients and servers. This means that an update will only need to be downloaded once from the Internet. By using a group policy, you can configure the server and client computers to obtain the updates from the centralized server. This will allow you to configure the day and time that servers and clients will check for updates. Therefore, you can deploy the updates during off-peak times and minimize network performance issues due to updates.

Answer 127

An e-mail hoax is also referred to as a social engineering attack. An e-mail hoax is an e-mail message that contains a false warning about a potential virus infection. As well-meaning users forward an e-mail hoax to other users, resulting in increased e-mail traffic that can seriously deplete the amount of bandwidth available on a network. Most network-bound viruses are spread by e-mail. Social engineering attacks are those attacks that rely on personnel to reveal information that will allow an attack to be carried out. The best defense against social engineering attacks is security training. A logic bomb is a program that is designed to destroy network resources when a specified event occurs. A backdoor is an unguarded pathway into a network. A Trojan horse is a program that seems innocuous but contains malicious code that can damage network resources or provide hackers with a pathway into a network.

Answer 128

Kerberos uses ASs and TGSs to provide network authentication. The Kerberos authentication protocol has been implemented in the Windows 2000 operating system and on several versions of the UNIX operating system, including FreeBSD. Kerberos is an authentication protocol based on Data Encryption Standard (DES) that was developed at MIT to securely authenticate network users. DES was developed by the U.S. government in the early 1970s to encrypt government documents. DES uses a 56-bit encryption key. A stronger version of DES, known as Triple DES, uses a 168-bit encryption key. When a user logs on to a network that uses Kerberos, the user's client computer sends a request for a ticket-granting ticket (TGT) to a Kerberos server, which usually acts as an AS and a TGS. The server, in its role as an AS, sends the client a TGT. When the user wants to gain access to a network resource, the user's client computer sends the TGT to the TGS, and the TGS uses the information in the TGT to construct a service ticket. The client computer then sends the service ticket to the network service, and the network resource analyzes the service ticket to determine whether the user is allowed to gain access to the resource.

Answer 129

Disabling unnecessary services helps reduce the number of potential exploits available to an attacker. By default, Windows starts what are typically unnecessary services during bootup. As an example, you should disable FTP publishing if you do not need FTP service, and disable removable storage if you feel it is not needed. You can see which services are running by going to Start -> Run -> Services.msc. Device ports (physical and virtual) should be turned off or disabled when not in use. Disabling physical ports on a computer, switch, or router prevents an intruder from connecting an unauthorized machine to an empty port. In addition, you can disable TCP or UDP ports. As an example, disabling unused logical ports, such as port 23, prevent the use of the unsecure Telnet protocol. Changing the default credentials is important for router and switch security, particularly with SOHO routers. Default credentials are published by the router manufacturers, and an easy search using the router model number will provide you (and an attacker) with the information needed to reconfigure the router. Changing the default credentials is an essential step in securing your network. However, this will not prevent users from spreading malware through USB flash drives or disable unnecessary services. Using secure protocols is paramount to network security. In SOHO networks, routers (as an example) are shipped with insecure protocols, such as WEP, enabled. While WEP is the easiest for consumer or novice to use while getting the network up and running, it is inherently insecure and should be disabled in favor of a more secure protocol, such as WPA2. However, secure protocols will not prevent users from spreading malware through USB flash drives or disable unnecessary services.

Answer 130

Physical penetration is a social engineering attack that is typically considered the most dangerous attack that a targeted hacker can use. A targeted hacker chooses a specific organization or target to attack. In a physical penetration attack, a targeted hacker enters the premises of an organization and gains access to computer systems or plugs a laptop computer into an organization's internal network. A physical penetration attack is considered the most dangerous type of targeted hacker attack because computer network equipment is typically not well protected inside an organization's physical location. In a dumpster diving attack, a hacker searches through an organization's trash for sensitive information, such as user names, passwords, and documents that were intended to be kept secret.

Answer 131

Role separation involves dividing server duties amongst two or more servers to reduce an attack profile. For example, if a server running the Active Directory, DNS, and DHCP roles went down, all those services would be unavailable. If, on the other hand, Server A hosted Active Directory, Server B hosted DNS, and Server C hosted DHCP, an attack that brought Server B down would not affect the other services. Because fewer services are hosted on a single device or network, there are fewer services to attack. Attack profiles are also referred to as attack surfaces. Other ways to reduce the attack surface include disabling scripting types, closing unneeded ports, and turning off unneeded virtual servers.

Answer 132

Phishing is the action of sending out an email that is designed to trick the user into giving up personal information. That information is then exploited by criminal. Phishing emails appear to come from legitimate companies, and when the user clicks on a link in the email, the user is directed to a website that appears authentic. The user then fills in account information, which is captured by the criminal. All of the other attacks can take place without the user's knowledge, and therefore do not rely on tricking the user into taking an action that reveals personal information. Deauthentication attacks disassociate a user with a wireless access point, forcing them to retransmit their login credentials. A brute force attack attempts to guess the user's password. This attack differs from a dictionary attack by using additional (random) character combinations, often numbering in the millions. This attack takes significantly more time than a dictionary attack. Ransomware holds a computer hostage until the user pays a fee. The attacks often begin as an urgent email, where the user is directed to click a link or open a document to resolve the issue. Once the user completes the action, malicious software is installed on the user's computer, often locking the user out of the system until a fee is paid.