Chapter 3: Responding to Network-Based Threats Flashcards

1
Q

Currently a company web server is outside the company’s internal network. The web server needs to be available for public access, but the external exposure poses a large, continuous risk. What is the most relevant recommendation for the company to mitigate risk to the web server?
A. Implement a triple-homed firewall.
B. Utilize IDS on the web server.
C. Segment the internal network.
D. Isolate the web server from the network.

A

A is correct. A triple-homed firewall is a firewall with three distinct networks attached—typically the external, the internal, and a DMZ. The DMZ is where the web server would be placed, accessible from the outside but more protected.

B, C, and D are incorrect. B is incorrect because an IDS would alert constantly to malicious attacks while doing little to stop them or mitigate the risk of compromise. C is incorrect because segmenting the internal network does not help with the externally facing web server. D is incorrect because isolating the web server makes it inaccessible.

2
Q

Which of the following are benefits of network segmentation? (Choose all that apply.)
A. Improving network traffic
B. Mitigating risk from attackers
C. Simpler network topology
D. Preventing spillover of sensitive data
E. Streamlining access to applications and services

A

A, B, and D are correct. Network segmentation benefits include improving traffic, mitigating network risks, and preventing spillover of sensitive traffic from one network segment to another.

C and E are incorrect. C is incorrect because network segmentation does not simplify the network. E is incorrect because network segmentation can inadvertently stop a user on one network segment from having access to services or applications on another segment.

3
Q

On occasion, the administrators for the company servers are offsite. However, when required, they need access to the servers on the internal network. What would be your recommendation?
A. Implement a firewall with a port of which only administrators are aware.
B. Allow administrators to bypass the firewall only if using their own mobile devices.
C. Configure the web server on the DMZ as a jump server.
D. Install and configure a stand-alone jump box just inside the firewall.

A

D is correct. A jump box would give administrators special access to the internal network. A jump box should be a stand-alone server, with no unnecessary services or ports open that an attacker could possibly exploit.

A, B, and C are incorrect. A is incorrect because having a particular “unknown” port open is not sound security. “Security through obscurity” is not good practice. B is incorrect because allowing any mobile device to bypass perimeter security is inviting a bad day if that mobile device falls into the wrong hands. C is incorrect because a jump server should not include any open ports that are unnecessary to its function as a jump box, thus ruling out the dual purpose as a web server.

4
Q
A “captive portal” is an example of which of the following?
A. DAC
B. In-band NAC
C. Out-of-band NAC
D. Role-based NAC
A

B is correct. A captive portal is a form of in-band network access control.

A, C, and D are incorrect. A is incorrect because a captive portal is not an example of discretionary access control. C is incorrect because a captive portal is not out-of-band NAC. D is incorrect because a captive portal is not based on roles.

5
Q
NAC solutions grant access based on which of the following? (Choose all that apply.)
A. Roles
B. Rules
C. Rates
D. Location
E. System patch level
F. Time of day
A

A, B, D, E, and F are correct. Network access control types include role-based, rule-based, location-based, the system’s health, and the time of day.

C is incorrect. “Rates” is not an option for setting ACLs.

6
Q
To learn more about today’s threats, a cybersecurity analyst could install a system that appears as a typical server but is available only as a lure for attackers. What is such a system called?
A. Jump server
B. Intrusion detection system
C. Honeypot
D. RBAC box
E. Micro-segmented server
A

C is correct. The administrator wants a honeypot to lure in attackers in order to learn from their activities.

A, B, D, and E are incorrect. A is incorrect because a jump server is for administrators to use remotely to access a protected network. B is incorrect because an IDS is for monitoring for and alerting on malicious traffic. D and E are incorrect because both RBAC box and micro-segmented server are nonsensical terms.

7
Q
Which of the following are direct impacts of employing ACLs? (Choose two.)
A. Controlling access
B. Restricting malware from spreading
C. Filtering specific traffic
D. Enabling direct network routes
A

A and C are correct. A is correct because an access control list is primarily for controlling access. C is correct because using ACLs is a primary means of filtering traffic.

B and D are incorrect. B is incorrect because, although an ACL does facilitate filtering malware, it is a specific task for which an ACL is just one option. The primary purposes of an ACL are to control access and filter traffic, generally by address, port, or protocol. D is incorrect because, although an ACL can enable a direct network route (via a “permit” ACL), that is not the sole or general purpose of an ACL.

8
Q

The following text is an example of a what?
deny icmp 172.16.0.0 0.15.255.255 192.168.50.0 0.0.0.255
A. Spam filter
B. Access control list
C. VPN tunnel setup
D. IGMP setup

A

B is correct. The string “deny icmp 192.168.50.0 0.0.0.255 172.16.0.0 0.15.255.255” is an access control list that denies ICMP traffic originating from the 192.168.50.0 subnet targeting any addresses between 172.16.0.0 and 172.31.255.255.

A, C, and D are incorrect. A is incorrect because the ACL is not filtering spam but rather Internet Control Message Protocol (ICMP) traffic. C is incorrect because the ACL is not setting up a VPN. D is incorrect because the ACL is not configuring the Internet Group Management Protocol (IGMP).

9
Q

In the following ACL, what does “10.235.235.235” represent?
permit tcp 10.15.0.0 0.255.255.255 10.235.235.235 0.255.255.255
A. Subnet mask
B. Source address
C. Destination address
D. The filtered port

A

C is correct. The 10.235.235.235 in the ACL is the destination address.

A, B, and D are incorrect. A is incorrect because the subnet masks are 0.255.255.255. B is incorrect because the source address provided is 10.15.0.0 (a subnet). D is incorrect because no port is provided in the ACL.

10
Q

When needing a new server, a company administrator starts with installing a pre-built server image. The image has most services running and applications already installed to make the task as easy as possible. As the cybersecurity analyst, what would be your best recommendation for the administrator?
A. Rebuild the server image with as few services and applications as possible.
B. Rebuild the server image with all services and applications installed but not running.
C. Create several server images depending on the subnet.
D. Run a vulnerability scanner on the already-deployed servers.

A

A is correct. Certainly the best recommendation is to rebuild the image so that only the minimum number of services and applications are enabled and running. Then the administrator would enable or install only what is needed for the particular target system.

B, C, and D are incorrect. B is incorrect because having all services and applications installed still provides several more attack vectors compared to not having them installed, even if those added are not running. C is incorrect because creating several images might be more work than it is worth. Having them specific to the subnet makes little practical sense. D is incorrect because a vulnerability scan is a good idea, but it does not address the ongoing practice of installing an image with several services running.

11
Q

Which of the following are the method and purpose of a DNS sinkhole? (Choose two.)
A. Redirecting DNS queries away from a known-malicious server
B. Providing no DNS resolution responses
C. Logging DNS resolution requests to determine infected hosts
D. Logging DNS redirects to determine the infected domain

A

A and C are correct. The method of a DNS sinkhole is to redirect DNS queries by infected machines away from a known malware server. The purpose of a DNS sinkhole is to log DNS resolution requests to help identify what other machines are likely infected.

B and D are incorrect. B is incorrect because the DNS sinkhole does return DNS responses, but just to an internal server, one on which those queries are logged. D is incorrect because the malicious domain is already known.

12
Q
A company has a significant investment in network intrusion detection systems, which are able to inspect traffic with significant speed and reasonable effectiveness. However, a recent incident reveals that employees could use point-to-point encryption to mask data exfiltration. What would be the best recommendation for the company?
A. Upgrade the IDS to an IPS.
B. Employ endpoint security controls.
C. Prohibit all uses of encryption.
D. Replace the suspected employees.
A

B is correct. Endpoint security is a necessary complement to network security.
In this case, endpoint security controls would allow inspection of network traffic before it is encrypted.

A, C, and D are incorrect. A is incorrect because an IPS will also not be able to view and inspect encrypted traffic. C is incorrect because banning widespread use of encryption might cause more harm than good, without knowing the full impact of such a ban. D is incorrect because employees cannot be terminated without just cause.

13
Q

What type of network access control is being demonstrated in Figure 3-1?
A. Role-based
B. Rule-based
C. Time of day
D. Location

A

C is correct. The device restrictions are shown to be based on the allowed days and times.

A, B, and D are incorrect. A is incorrect because there are no roles shown as conditions for access restriction. B is incorrect because there is no access restriction specific to a rule. D is incorrect because the location is unknown and not restricting access.

14
Q

A cybersecurity analyst is told to enforce access control to files based on roles. Looking at the following two illustrations, select the appropriate answer when identifying an example of role-based network access control.

A. Illustration A
B. Illustration B
C. Both illustrations
D. Neither illustration

A

A is correct. Illustration A shows roles such as author, editor, and manager.

B, C, and D are incorrect. B is incorrect because Illustration B shows names, not roles. C is incorrect because Illustration B is not correct. D is incorrect because Illustration A is an example of role-based access control.

15
Q

Ensuring patches are properly tested and deployed can be a challenging but necessary task. Which of the following statements are true regarding patching? (Choose all that apply.)
A. Patch testing should be done very soon after vendor release.
B. Before patches are deployed, patches should be carefully tested, staged, and finally rolled out to production.
C. If done carefully, patches can be tested, staged, and sent to production at the same time.
D. If time is critical, patches can be tested and staged at the same time.

A

A, B, and D are correct. A is correct because patches should be tested within a short time after their release. B is correct because patches should be tested before being installed on production systems. D is correct because, if time is critical, testing and staging could be done in parallel, but before a patch goes on live production systems.

C is incorrect. Patches should not be put into production without at least testing first.

16
Q
A cybersecurity analyst has identified a significant vulnerability in the company’s payroll server application. The analyst’s recommendation is to immediately patch the vulnerability. Unfortunately, because the application was developed internally and its developer has since left, the application cannot be patched. Without a patch, the analyst has to use other options to lessen the risk. Such options include using a host-based IDS on the application server and additional logging on upstream network devices. What is the term to describe the analyst’s options?
A. Network isolation
B. Location-based access control
C. Mandatory access control
D. Compensating controls
A

D is correct. The options cited are compensating controls, meaning controls put in place because the primary recommendation (patching) was not available or feasible.

A, B, and C are incorrect. A is incorrect because the application server wasn’t isolated from the network. B is incorrect because the options mentioned do not include any location-based access control. C is incorrect because no options include mandatory access control.

17
Q
What hardening technique can be described as “minimizing the attack surface”?
A. Blocking unused ports and services
B. Endpoint security
C. Compensating controls
D. Role-based access control
A

A is correct. Having fewer running services and open ports means fewer possible vectors for attack. Blocking unused or unnecessary ports and services minimizes the area for potential attack and exploitation.

B, C, and D are incorrect. B is incorrect because although endpoint security means hardening the host, it’s not always synonymous with minimizing the attack surface. C is incorrect because compensating controls can include several ways of minimizing risk besides blocking unused ports or services. D is incorrect because RBAC is a specialized access control, not a means of minimizing the attack surface.

18
Q
What access control model involves granting explicit authorization for a given object, per a given user?
A. Group policies
B. RBAC
C. MAC
D. Role-based
A

C is correct. Mandatory access control requires giving explicit authorization to a given user for a given object. Used rarely outside of military and highly sensitive organizations, the MAC model includes labels for creating levels of access, using the terms Unclassified, Confidential, Secret, and Top Secret.

A, B, and D are incorrect. A is incorrect because group policies are far less explicit than MAC, allowing for access to be passed down or inherited at an admin’s discretion. B is incorrect because role-based access control is not explicit per user, but instead per role. D is incorrect because role-based is a form of network access control, controlling access by a role; it is not explicit to the user.

19
Q
What is a technique that allows system administrators to apply configuration changes to several systems at once?
A. NAC
B. GPO
C. ACL
D. IDS
A

B is correct. Group Policy Objects allow Windows system admins to push system changes to several machines at once.

A, C, and D are incorrect. A is incorrect because network access control is more about facilitating access, not pushing system changes. C is incorrect because access control lists also manage access, not system changes. D is incorrect because an intrusion detection system does not make system changes.

20
Q
A company would like for access only to be granted if the employee’s laptop meets a number of criteria. Specific conditions that each laptop must meet include only the approved version of Windows, mail application v2.5 or higher, web browser v8.0, and database application v1.18. Also, each laptop must have no unauthorized storage attached. What access control model would you recommend the company use?
A. Location-based
B. Rule-based
C. Role-based
D. Mandatory access control
A

B is correct. Rule-based access control allows for granting access based on all those criteria. Rules are created to identify and determine all the system health and configuration criteria mentioned.

A, C, and D are incorrect. A is incorrect because location is unimportant. C is incorrect because no user roles were mentioned. D is incorrect because mandatory access control involves granting explicit access to specific users, not access based on system configuration.