Domain 1.0 Network Security Flashcards
An S/FTP server is deployed within your intranet but is accessible to external users. You are not allowed to change the configuration of the network by relocating existing services. Which is the most important solution to install?
A. Install strong password management policies
B. Install a host firewall
C. Install a VPN server
D. Install a Network IDS
D. Install a Network IDS
IDS - Intrusion Detection System
VPN - Virtual Private Network
How does a switch determine which port to use to transmit a packet once it is received?
A. IP routes
B. Security associations
C. ACLs
D. MAC tables
D. MAC tables
ACL - Access Control List
What hardware device can filter content and cache data?
A. Switch
B. Proxy
C. Router
D. VPN concentrator
B. Proxy
What tool can be used to distribute network data for the optimization of performance across multiple computers and networks?
A. Multiplexer
B. Switch trunking
C. Load balancer
D. NATing
C. Load balancer
A malware scanner is least effective against what type of attack?
A. Pharming
B. Logic bomb
C. Trojan horse
D. Backdoor
A. Pharming
A firewall is an example of what type of access control model?
A. Role Based Access Control
B. Mandatory Access Control
C. Rule Based Access Control
D. Discretionary Access Control
C. Rule Based Access Control
Most corporate security policies set the firewall to use what security stance?
A. Anti-spoofing
B. Reverse DNS lookup
C. Malware filtering
D. Implicit deny
D. Implicit deny
Which of the following performs loop protection?
A. 802.1x
B. Spanning tree
C. VPN
D. Caching
B. Spanning tree
STP - Spanning Tree Protocols (they build hierarchical maps from Bridge Protocol Data Units and provide loop protection)
To leverage existing authentication services, what must a networking device support?
A. X.509 v3
B. 802.3
C. X.500
D. 802.1x
C. X.500
What do ACLs most often contain in order for access control within and between VLANs to be managed? [select two]
A. IP addresses
B. FQDNs
C. MAC addresses
D. Protocol ports
A. IP addresses
C. MAC addresses
MAC - Machine Address Code (also Mandatory Access Control, Media Access Control, and Message Authentication Code)
Which of the following can be implemented in cloud services as Software as a Service (SaaS)?
A. Web based mail
B. On demand computing
C. Custom development based on programming language or database structures
D. Protocol ports
A. Web based mail
VLANs represent what?
A. Virtualized honey pots
B. IP subnetting
C. Hardware imposed network segmentations
D. Wireless accessible service network
C. Hardware imposed network segmentations
VLAN - Virtual Local Area Network
In order to provide the most complete protection against malware, which of the following is the best implementation choice?
A. Install anti-virus on the host computer and each virtual system
B. Install anti-virus only on the host computer
C. Install anti-virus only on the virtual systems
D. Install anti-virus on only one virtual system
A. Install anti-virus on the host computer and each virtual system
When network access control is used to maintain patch levels and configs, where is a system returning from weeks in the field often placed?
A. In a quarantine with a remediation server
B. In a VPN
C. In an extranet
D. In the internet
A. In a quarantine with a remediation server
What is the most effective method to reduce the risk of war dialing?
A. Blocking Caller ID
B. Installing video cameras in the parking area
C. Removing all modems
D. Disabling SSID broadcasting
C. Removing all modems
SSID - Service Set Identifier
On what layer of the TCP/IP (DARPA or DOD) model does IPSec operate?
A. Process (Application)
B. Link (Network Interface)
C. Internet (Internetworking)
D. Host-to-host
C. Internet (Internetworking)
TCP/IP - Transmission Control Protocol/Internet Protocol
DARPA - Defense Advanced Research Projects Agency
DOD - Department of Defense
What does the S/FTP replacement for traditional insecure FTP use for its security services?
A. SSL
B. SSH
C. SHA
D. SRPC
B. SSH
SSL - Secure Socket Layer
SSH - Secure Shell
SHA - Secure Hashing Algorithm
What ports does SNMP utilize?
A. UDP 161 and 162
B. TCP 20 and 21
C. TCP 53 and UDP 53
D. TCP 25 and 110
A. UDP 161 and 162
Which layer of the OSI model stack is secured by SSL or TLS?
A. Application
B. Presentation
C. Session
D. Transport
D. Transport
Which of the following is used to secure FTPS?
A. SSH
B. SSL
C. IPSec
D. L2TP
B. SSL
SSL - Secure Socket Layer
FTPS - File Transfer Protocol over SSL
SSH - Secure Shell
IPSec - Internet Protocol Security
L2TP - Layer 2 Tunneling Protocol
What is the default port for TFTP?
A. UDP 21
B. TCP 21
C. UDP 69
D. TCP 69
C. UDP 69
Which of the following operates over default port TCP 22?
A. SNMP
B. NetBIOS
C. HTTPS
D. SCP
D. SCP
SCP - Secure Copy (from SSH suite)
SNMP - Simple Network Management Protocol
HTTPS - Hypertext Transfer Protocol over SSL (Secure Socket Layer)
HTTPS operates over what default TCP port?
A. 443
B. 445
C. 23
D. 80
A. 443
TCP - Transmission Control Protocol
What is the default TCP port of FTPS?
A. 443
B. 21
C. 22
D. 990
D. 990
FTPS - File Transfer Protocol over SSL (Secure Socket Layer)
What is the encryption algorithm used by WEP?
A. DES
B. IDEA
C. RC4
D. CAST
C. RC4
WEP - Wired Equivalent Privacy (also a Weak Encryption, cracked with an IV attack)
DES - Digital Encryption Standard
IDEA - International Data Encryption Algorithm
What is the IEEE standard amendment that defines WPA as a standards based alternative to WEP?
A. 802.11f
B. 802.11g
C. 802.11n
D. 802.11i
D. 802.11i
WPA - Wi-Fi Protected Areas
WEP - Wired Equivalent Privacy (also a Weak Encryption vulnerable to IV Attacks)
The wireless PEAP is used for what purpose?
A. Authentication
B. Integrity checking
C. Detecting wireless networks
D. Exchanging session keys
A. Authentication
PEAP - Protected Extensible Authentication Protocol
What is CCMP related to?
A. Hashing
B. WPA2-PSK
C. Antenna power level
D. 802.11n
B. WPA2-PSK
CCMP - Counter-Mode/CBC-MAC Protocol
You want to ensure that data is only viewable by authorized users. What security principle are you trying to enforce?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
A. Confidentiality
Confidentiality ensures that data is only viewable by authorized users and can be ensured with access controls and encryption. Integrity ensures that data has not been modified and is ensured with hashing. Availability can be ensured with power, cooling systems, various fault tolerances, and redundancy. Authentication is the validation of a credential that is bound to an entity’s identification, should never be bypassed, and is a first step in access control, but by itself does not provide confidentiality.
Of the following choices, what is the best way to protect the confidentiality of data?
A. Authentication
B. Encryption
C. Hashing
D. PaaS
B. Encryption
Encryption protects the confidentiality of data. You can encrypt any kind of data. Authentication is the validation of a credential that is bound to an entity’s identification, should never be bypassed, and is the first step in access control but by itself does not provide confidentiality. Hashing ensures the integrity of the data. Platform as a Service (PaaS) provides an easy to configure operating system for on-demand cloud computing.
You want to ensure that data has not been changed between the time when it was sent and when it arrived at its destination. What provides this assurance?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
B. Integrity
Integrity ensures that data has not been modified and is ensured with hashing. Confidentiality ensures that data is only viewable by authorized users and can be ensured with access controls and encryption. Availability ensures systems are up and operational when needed and uses fault tolerance and redundancy methods. Authentication is the validation of a credential that is bound to an entity’s identification, should never be bypassed, and is the first step in access control but does not provide integrity.
A database administrator is tasked with increasing the retail prices of all products in a database by 10 percent. The administrator writes a script performing a bulk update of the database and executes it. However, all retail prices are doubled (increased by 100 percent instead of 10 percent). What has been lost?
A. Confidentiality
B. Integrity
C. Hashing
D. Authentication
B. Integrity
The database has lost integrity through an unintended change. Loss of confidentiality indicates that unauthorized users have accessed the database. Hashing can be used to verify integrity in some situations, but confidentiality would not be compromised. Authentication is the validation of a credential that is bound to an entity’s identification, should never be bypassed, and is the first step in access control but does not provide integrity.
Your organization is addressing single points of failure as potential risks to security. What are they addressing?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
C. Availability
By addressing a single point of failure (SPOF), you increase availability. An SPOF can be a drive, a server, power, cooling or any other item whose failure will cause the entire system to fail. Confidentiality ensures that data is only viewable by authorized users and can be ensured with access controls and encryption. Integrity ensures that data has not been modified and is ensured with hashing. Authentication provides proof of a user’s identity.
What are some common hashing algorithms and what do they provide?
MD5, SHA, and HMAC provide Integrity.
MD5 - Message Digest 5 (128 bits)
SHA - Secure Hashing Algorithm
SHA-0 is unused, SHA-1 is 160 bits, SHA-224, SHA-256, SHA-384, and SHA-512 (# represents the bits), SHA-3 is 1600 bits (Wikipedia)
HMAC - Hashed Message Authentication Code
Hashing algorithms always provide a fixed bit-string regardless of the size of the hashed data. By comparing the hash at two different times, you can verify the integrity of the data.
What is identification?
Identification is a claim (userid, username, subject, entity, etc.)
What is authentication?
Authentication is the validation of a credential that is bound to an entity’s identification and should never be bypassed.
What are the three types of authentication?
Something you KNOW (username, passwords, PINs, etc.)
Something you HAVE (token, certificate, smart card, Common Access Card, etc.)
Something you ARE (biometrics)
What are the 7 OSI levels?
Application (7)
Presentation (6)
Session (5)
Transport (4)
Network (3)
Data Link (2)
Physical (1)
"People Don't Need To See Pink Alligators"