Exam 2 Flashcards
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Why would you use a vulnerability scanner? Select the best answer.
A. To identify open ports on a computer
B. To identify remote access policies
C. To crack passwords
D. To see whether passwords are sent as clear text
Answer: A. To identify open ports on a computer
Explanation: Vulnerability scanners are primarily used to find open ports on a computer and define what threats are associated with those ports. Remote access policies should be identified within the server where the policy was created, for example, in Windows Server. Password recovery programs such as John the Ripper should be used to crack passwords. To see whether passwords are being sent as clear text, you should use a protocol analyzer. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
What is another name for a malicious attacker?
A. White hat
B. Penetration tester
C. Fuzzer
D. Black hat
Answer: D. Black hat
Explanation: A black hat is someone who attempts to break into computers and networks without authorization. They are considered to be malicious attackers. A white hat is a non-malicious hacker, often employed by an organization to test the security of a system before it goes online. An example of a white hat would be a penetration tester, who administers active tests against systems to determine whether specific threats can be exploited. A fuzzer is a colloquial name for a software tester. See the section titled “Think Like a Hacker” in Chapter 1, “Introduction to Security,” for more information.
Your organization is designing two new systems. They require emphasis on the following: System A requires high availability. System B requires high security. Which configuration should you select?
A. System A and System B both fail open.
B. System A fails closed. System B fails open.
C. System A fails open. System B fails closed.
D. System A and System B both fail closed.
Answer: C. System A fails open. System B fails closed.
Explanation: System A requires high availability so it should fail open. For example, if the system were a monitoring system, and a portion of it failed, the organization might want it to fail open so that other portions of the monitoring system will still be accessible. However, System B requires security, so it should fail closed. Let’s say that System B was a firewall. If it crashed, would we still want network connectivity to pass through it? Probably not; because there would be little or no protection to the network. In general, if you need high availability the system should fail open. If you need high security, it should fail closed. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
What would you use a TPM for?
A. Input validation
B. System hardening
C. Cloud computing
D. Full disk encryption
Answer: D. Full disk encryption
Explanation: A TPM (Trusted Platform Module) is a chip that resides on a motherboard (or similar location) that stores encrypted keys used to encrypt the entire hard disk on the system. Input validation is a technique used by programmers to secure their forms. System hardening is the process of securing a computer system through updates, closing ports, and so on. Cloud computing is the use of web-based applications (and other software, platforms, and infrastructures) that are provided by an external source on the Internet. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
What kind of attack would a flood guard protect from?
A. SYN attack
B. Xmas attack
C. MITM attack
D. Botnet
Answer: A. SYN attack
Explanation: A SYN attack is when a large amount of synchronization request packets are sent from a client to a server—it is also known as a SYN flood. To protect against this, SYN flood guards can be implemented within some firewalls or as separate devices altogether. If on a firewall, some configuration is usually necessary. An Xmas attack (Christmas tree packet attack) is set with every single option; they are used to analyze TCP/IP responses but do not have the SYN flag set. MITM stands for man-in-the-middle, an attack that intercepts and modifies data traversing between a client and a server. A botnet is a group of compromised computers that jointly (and unknowingly) attack single points of interest such as web servers. See the section titled “Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
Your CFO’s smartphone holding classified data has been stolen. What is the best way to reduce data leakage?
A. Inform law enforcement
B. Track the device with GPS
C. Remotely sanitize the device
D. Use strong encryption
Answer: C. Remotely sanitize the device
Explanation: If a device holding classified data is stolen, the best thing to do is to remotely sanitize the device (known as a remote wipe). It is too late to use strong encryption, but that should always be implemented on mobile devices (or any devices for that matter) with classified information. After remotely sanitizing the device, you might opt to inform law enforcement (or your organization’s security company or internal security investigators) and possibly track the device via GPS. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
Which of the following would you most likely find in a buffer overflow attack?
A. NOOP instructions
B. Sequence numbers
C. IV length
D. Set flags
Answer: A. NOOP instructions
Explanation: A large number of NOOP (or no-op) instructions can be used to overflow a buffer, which could allow unwanted code to be executed or result in a DoS. Large numbers of NOOP instructions can be used to perform a NOP slide (or NOOP sled). Sequence numbers refer to how TCP packets are numbered. IV length has to do with the length of a string in a cipher. Flags are one or more bits that are set to a binary number to indicate whether something is on or off. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
You have been tasked to access an older network device. Your only option is to use TELNET. Which port would need to be open on the network device by default?
A. 3389
B. 161
C. 135
D. 23
Answer: D. 23
Explanation: TELNET uses port 23 by default. Some older devices may not be accessible remotely without using the deprecated TELNET protocol. The best thing to do in this situation would be to update the network device if possible or replace it. Port 135 is known as the DCE endpoint manager port or dcom-scm. Port 161 is the default port for SNMP. Port 3389 is the default port for the Remote Desktop Protocol. See the section titled “Ports and Protocols” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
Some of the employees in your organization complain about how they are receiving e-mail loaded with advertisements. What should you do?
A. Install antispyware.
B. Install antispam.
C. Install antivirus.
D. Install HIDS.
Answer: B. Install antispam.
Explanation: Antispam software might be a standalone solution or part of an antimalware suite of programs. This is the best option when attempting to lessen the amount of spam e-mails that contain advertisements. Antimalware suites usually also include antispyware tools and antivirus tools. A HIDS is a host-based detection system. This is used to detect whether malicious activity is occurring on an individual computer. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
Which of the following encryption protocols is the strongest and can encrypt data with the least amount of CPU usage?
A. DES
B. AES
C. 3DES
D. RC4
Answer: B. AES
Explanation: AES, the Advanced Encryption Standard, is currently considered to be the strongest symmetric encryption protocol. It can also encrypt data with the least amount of CPU usage compared to the rest of the listed answers. This makes it a great choice for wireless networks, whole disk encryption, and so on. DES and its successor 3DES were the predecessors to AES. Both of them are considered deprecated, weaker encryption protocols and require more CPU usage than AES. RC4 is a symmetric stream cipher used with SSL and WEP. It is known for its speed but when used with WEP can be cracked easily. See the section titled “Encryption Algorithms” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
Which of the following encryption algorithms are supported by the IEEE 802.11i standard? (Select the two best answers.)
A. TKIP
B. RSA
C. ECC
D. AES
Answers: A and D. TKIP and AES
Explanation: The IEEE 802.11i standard amends the original 802.11 standard and was later incorporated into the IEEE 802.11-2007 standard. It specifies security mechanisms for wireless networks including TKIP and AES. It also deprecates WEP. TKIP is the Temporal Key Integrity Protocol used as a solution to replace WEP without requiring any replacement of older hardware. Although it is a better solution than WEP, TKIP was deprecated in 2009 by the IEEE—CCMP is recommended in its place. AES, the Advanced Encryption Standard, is the superior type of encryption to use in wireless networks. It works with WPA and WPA2 but might require hardware upgrades. RSA (Rivest, Shamir, Adleman) is a public key cryptography algorithm commonly used on the Internet and considered to be unbreakable if used properly. ECC, which stands for elliptic curve cryptography, is another type of public key cryptography, but this is based on the structure of an elliptic curve and mathematical problems. See the section titled “Encryption Algorithms” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
Which of the following web application security weaknesses can be mitigated by preventing the usage of HTML tags?
A. SQL injection
B. Cross-site scripting
C. LDAP injection
D. Rootkits
Answer: B. Cross-site scripting
Explanation: Cross-site scripting (XSS) is an attack on website applications that injects client-side script into web pages. SQL injection is a type of code injection that exploits vulnerabilities in databases. LDAP injection can be used to modify LDAP statements and modify the LDAP tree. Rootkits are software designed to gain administrator-level access over a computer system. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
You want to secure your data to retain it over the long term. What is the best way to do this?
A. Onsite clustering
B. Virtualization
C. Offsite backup
D. RAID 5 onsite backup
Answer: C. Offsite backup
Explanation: For purposes of retention, offsite backup is the best option. By keeping your backups offsite, you mitigate the risk of losing data during a disaster to your main office. All of the other options imply onsite backup or virtualization onsite; all of which are at risk if a disaster occurs at the main office. See the section titled “Disaster Recovery Planning and Procedures” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
Your boss’s smartphone is encrypted and has screen lock protection, yet data was still stolen from it. How is this possible?
A. Botnet
B. Bluesnarfing
C. SIM cloning
D. GPS tracking
Answer: B. Bluesnarfing
Explanation: Bluesnarfing is an attack that can steal data such as phonebook contacts, calendar information, and so on, regardless of the phone’s encryption and screen lock. To protect against this, set the smartphone to undiscoverable and use a hard-to-guess Bluetooth pairing key. A botnet might try to target a smartphone, but more often they will go for other targets; regardless, the phone might be rendered useless after a botnet attack, but the data would probably not be compromised. SIM cloning involves duplicating the SIM card on a GSM-enabled phone, which allows two phones to share an account. GPS tracking allows a smartphone to be located physically, but if the phone is still encrypted, GPS tracking will not help with the stealing of data. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
A malicious computer is sending data frames with false hardware addresses to a switch. What is happening?
A. DNS poisoning
B. pWWN spoofing
C. MAC spoofing
D. ARP poisoning
Answer: D. ARP poisoning
Explanation: ARP poisoning is an attack that exploits Ethernet networks—spoofed frames of data will contain false MAC addresses, ultimately sending false hardware address updates to a switch. DNS poisoning is the unauthorized modification of name resolution information. pWWN spoofing is a type of spoof attack carried out on SANs. MAC spoofing is a technique for changing the MAC address of a network adapter. See the section titled “Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
You are surprised to notice that a co-worker’s computer is communicating with an unknown IRC server and is scanning other systems on the network. None of this was scheduled by anyone in your organization, and the user appears to be unknowing of what is transpiring. What is the most likely cause?
A. The computer is part of a botnet.
B. The computer is infected with a worm.
C. The computer is infected with spyware.
D. The computer is infected with a rootkit.
Answer: A. The computer is part of a botnet.
Explanation: If the computer in question is scanning the network and accessing an unknown IRC server without the user’s knowledge, then the computer has probably been compromised as a zombie and is now part of a botnet. The IRC server probably acts as a central communication point for all zombies in the botnet. Though the computer had to be infected with some kind of payload originally, that malware is not responsible for the events that are transpiring currently. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
In a PKI, what is responsible for verifying certificate contents?
A. Key escrow
B. CA
C. CRL
D. Recovery agent
Answer: B. CA
Explanation: The CA (certificate authority) is responsible for verifying the authenticity of certificate contents. Key escrow is when a copy of the key is held, usually by third parties. The CRL is the certificate revocation list, where certificates are listed when their corresponding public key has been compromised. The recovery agent is used to recover keys, key components, and plaintext messages. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
The university science lab is normally locked when no one is using it. The professor of the science department has a key to unlock the door. Other faculty members are given keys to lock the door only. What type of key structure is this?
A. Symmetric
B. Key escrow
C. Asymmetric
D. Secret keys
Answer: C. Asymmetric
Explanation: In an asymmetric key scenario, a pair of different keys is used to encrypt and decrypt data. The keys can be related, but they are not identical as in symmetric (or secret key) algorithms. The analogy here is that the professor and the other faculty have different physical keys: one for unlocking, the others for locking. Key escrow is when keys are stored for third parties in the case of data loss. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
Mark works for a financial company. He has been tasked to protect customer data. He decides to install a mantrap and an HVAC system in the data center. Which of the following concepts has he addressed?
A. Availability
B. Integrity
C. Confidentiality
D. Recovery
E. Accountability
Answers: A. Availability and C. Confidentiality
Explanation: The HVAC system addresses the need for availability of data. Without a proper HVAC system, a data center’s servers (and other equipment) would probably overheat resulting in a loss of service. The mantrap addresses the need for confidentiality. Customer data in financial organizations, health insurance companies, and many other organizations requires privacy and confidentiality. By installing a mantrap, unauthorized persons will be detained and won’t be able to access customer data. See the section titled “Environmental Controls” in Chapter 15, “Policies, Procedures, and People,” for more information.
Several users complain they are encountering intermittent loss of network connectivity. The computers are wired to the LAN, and no wireless devices are being used. What should you implement?
A. Data emanation
B. Shielding
C. HVAC
D. Faraday cage
Answer: B. Shielding
Explanation: From the answers listed, shielding should be implemented. When multiple wired network connections are intermittently cutting out, chances are that EMI or some other type of interference is occurring and that something needs to be shielded better. One possibility is to replace standard UTP network cable with shielded twisted pair (STP). Another possibility is to check network devices and make sure they are not near a power source or other device that radiates EMI. HVAC equipment (if near network cabling or devices) can be shielded as well. Data emanation is when there is data leakage from network cables, wireless network devices, and other network equipment. A Faraday cage is used to block wireless data emanation, especially in server rooms and data centers. See the section titled “Environmental Controls” in Chapter 15, “Policies, Procedures, and People,” for more information.
Which protocol is based on SSH?
A. SFTP
B. TFTP
C. FTP
D. FTPS
Answer: A. SFTP
Explanation: SFTP is the SSH File Transfer Protocol (also called Secure FTP). It is an extension of the SSH protocol, which uses port 22. Contrast this with FTPS, which is FTP Secure or FTP-SSL, which uses port 443. Plain FTP has no built-in security and is not based on SSH. TFTP is a simple version of FTP. See the section titled “Ports and Protocols” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
The server room is on fire. What should the HVAC system do?
A. Increase the humidity
B. Increase the heat
C. Turn off
D. Turn on the AC
Answer: C. Turn off
Explanation: In the case of a fire, the HVAC system should be programmed to automatically shut off. The key here is that it is automated; that’s why the question is asking what the HVAC system would do, not what you would do. In fact, any other associated electrical units in the server room should shut off in the case of a fire as well. If an HVAC unit is turned on in any way, shape, or form (AC, heat, or whatever), it would effectively be blowing more air (oxygen) on the fire. Since oxygen feeds the fire, we don’t want to do this. To turn up the humidity you would have to move more humid air, once again adding oxygen to the fire, so again this is not recommended. The HVAC system will not help in the case of a fire. That is what your specialized gaseous fire suppression system (and wet pipe system) is for. See the section titled “Environmental Controls” in Chapter 15, “Policies, Procedures, and People,” for more information.
Which of the following is a removable device that can be used to encrypt in a high availability clustered environment?
A. Biometrics
B. Cloud computer
C. TPM
D. HSM
Answer: D. HSM
Explanation: An HSM (hardware security module) is a device used to manage digital keys and provide authentication. It can be connected to a computer, a server, or a particular server in a clustered environment. Biometrics is the science of authenticating individuals by their physical traits. A cloud computer is a computer that resides on the Internet and is run by a third-party service provider that offers various computing services to individual users and small to midsized companies. A TPM is a trusted platform module, which is similar to an HSM but is internal to the computer, perhaps as a chip on the motherboard. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
Of the following, what is the best option to implement if you wanted to recover a lost laptop?
A. Remote wipe
B. HIDS
C. GPS
D. WDE
Answer: C. GPS
Explanation: GPS tracking is the best answer listed if you want to recover a lost laptop. If installed properly (and if in GPS range) the GPS chip will enable the laptop to be tracked. Remote wipe (or remote sanitization) will wipe out all the data on the laptop (if it is accessible) but will, of itself, not inform you as to the location of the laptop. HIDS (host-based intrusion detection system) is software that can be loaded on the laptop that will detect malicious activity. WDE is whole disk encryption, which will make the data hard to decrypt and read but won’t aid in the tracking of the laptop. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
Which of the following is the best description of a security advantage when using a standardized server image?
A. All antivirus software will be current.
B. All current updates for the OS will already have been applied.
C. All mandated security configurations will already have been applied to the OS.
D. OS licensing will be easier to track.
Answer: C. All mandated security configurations will already have been applied to the OS.
Explanation: Organizations develop standardized images for their server operating systems. They are standardized according to organizational policy. So, any mandated security configurations should be applied to the OS before it is made into an image to be used on the network. Unfortunately, that only gets the OS image to a certain point in time. Any new AV definitions, security updates to the OS, and so on, will need to be applied afterward according to organizational policy. OS licensing trackability should not change. Whether you track your OS licenses on paper or with a scanning program, they should be tracked in the same manner as with physical operating systems. See the section titled “Virtualization Technology” in Chapter 3, “OS Hardening and Virtualization,” for more information.
You are the security administrator for the company ABC Accounting Inc. The IT director has given rights to you allowing you to review logs and update network devices only. Other rights are given out to network administrators for the areas that fall within their job description. What kind of access control is this?
A. Job rotation
B. Discretionary
C. Mandatory vacation
D. Least privilege
Answer: D. Least privilege
Explanation: Least privilege is when users are given only the amount of rights necessary to do their job. Since the IT director only gave you specific rights and no more, and because other very specific rights are given to other network administrators, the least privilege rule applies here. Job rotation is when multiple users are cycled through different related tasks. Discretionary access control (DAC) is an access control model that has rules set by the user. Because the IT director has already set rights and permissions, this scenario does not involve DAC. Mandatory vacation is when a user is forced to take consecutive days of vacation away from the office. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
Which wireless configurations can be easily circumvented using a network sniffer?
A. Disabled SSID
B. EAP-TLS
C. WPA2
D. MAC filtering
E. WEP with 802.1X
Answers: A. Disabled SSID and D. MAC filtering
Explanation: Utilizing a network sniffer (or packet analyzer) can aid an attacker in discerning the SSID of an AP as well as which MAC addresses are being allowed in. By drilling down through the frames of information that are captured, the attacker can easily find the SSID name, and with a little work can deduce the MAC addresses that have access to the network. Then, the person need only spoof the MAC address and connect to the AP’s SSID manually and have access to the wireless network. The other answers concern authentication and encryption methods, which will be much more difficult to circumvent. 802.1X is network access control that uses various types of authentication methods including EAP-TLS. WEP and WPA2 are encryption methods, and while WEP is deprecated, it is difficult to get past when used in conjunction with 802.1X. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
You have been tasked with providing a staff of 250 employees secure remote access to your corporate network. Which of the following is the best solution?
A. VPN concentrator
B. Web security gateway
C. Web proxy
D. Software-based firewall
Answer: A. VPN concentrator
Explanation: The VPN concentrator is the best solution listed. A hardware device such as this can handle 250 concurrent, secure, remote connections to the network. Web security gateways are used to block access to specific websites. Web proxies cache website content for later use. Software-based firewalls can allow for remote secure access but not for the amount of concurrent connections needed. A hardware-based firewall or VPN concentrator is the best solution. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
Susan is in charge of installing a business-critical application on an Internet-facing server. She is going to update the application to the most current version. What other security control should she perform in conjunction with the update? Select the best answer.
A. Run a port scan of the application server.
B. Review and apply vendor-provided hardening documentation.
C. Configure the firewall to prevent the application from auto-updating.
D. Configure the firewall to allow the application to auto-update.
Answer: B. Review and apply vendor-provided hardening documentation
Explanation: Third-party applications will usually come with a slew of documentation, including a list of hardening methods. This vendor documentation should be applied while updating the application as part of the entire application security process. It is the best answer as far as what to do in conjunction with the update. Running a port scan is a good idea at some point, but it has less to do with the application, and more to do with finding unnecessary ports and services. If the application is installed on an Internet-facing server, there probably won’t be a firewall involved. If the application server is in a DMZ, it will probably be behind a firewall, but by definition, even if the DMZ-based application serves users on the Internet, this isn’t considered to be directly Internet-facing. Otherwise, the firewall should usually be set up to allow an application to auto-update, but you never know; some applications might need to be updated manually, depending on the security level of the application and organizational policy. See the section titled “Firewalls and Network Security” in Chapter 6, “Network Perimeter Security,” for more information.
You have received several reports from users of corrupted data. You patched the affected systems but are still getting reports of corrupted data. Which of the following methods should you perform to help identify the problem?
A. Data integrity check
B. Penetration testing
C. Hardware baseline review
D. Vulnerability scan
Answer: D. Vulnerability scan
Explanation: If the data is becoming corrupted more than once even after an update to the affected systems, you should perform a vulnerability scan to find out what the possible threats and vulnerabilities are to those systems. A data integrity check would simply tell you that the data has been corrupted and therefore integrity is not intact. Penetration testing determines whether a system can be compromised by exploiting a particular threat. A hardware baseline review will tell you how your hardware is performing and how secure it is compared to the last baseline. Baselines are examples of vulnerability assessments, but in this case we need a software-based vulnerability assessment. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
Which of the following will stop network traffic when the traffic is not identified in the firewall rule set?
A. Explicit allow
B. Explicit deny
C. Implicit deny
D. Access control lists
Answer: C. Implicit deny
Explanation: The principle of implicit deny is used to deny all traffic that isn’t explicitly (or specifically) allowed or denied. In other words, if the type of traffic hasn’t been associated with a rule, the implicit deny rule will kick in, thus protecting the device. Access control lists are used to filter packets and will include rules such as permit any, or explicit denies to particular IP addresses. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” and the section titled “Firewalls and Network Security” in Chapter 6, “Network Perimeter Security,” for more information.
Which of the following equations represents the complexity of a password policy that enforces a lowercase password using the letters “a” through “z” where “n” is the password length?
A. n^2 * 26
B. 26^n
C. n^26
D. 2^n * 26
Answer: B. 26^n
Explanation: The 26 refers to “a” through “z” (lowercase), which comes to 26 characters in total. The n is a variable that refers to the length of the password. When calculating the number of possible passwords, the size of the character set is raised to a power equal to the length of the password. So, if our policy in the above example dictated a password that was 8 characters long, then it would be 26 to the power of 8, or 26^8. In this case n = 8, but it doesn’t have to be; it could be 10, 14, or whatever the security administrator sets the password length to in the password policy. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
Improper use of P2P and social networking software may result in which of the following?
A. Data loss prevention
B. Denial of service
C. Shoulder surfing
D. Information disclosure
Answer: D. Information disclosure
Explanation: Using P2P software and social networking software (and websites) can lead to information disclosure. This could be due to user error, not following guidelines, using a weak password, and so on. One direct reason for this is when users place personal information where it can be easily found. Data loss prevention is a technique used to stop data leakage—it often entails the use of a hardware-based device. A denial of service is when a server is attacked with a flood of packets and there is a stoppage of service. Shoulder surfing is when someone attempts to gain personal information about another person by looking about the person’s desk or watching him while he is working on his computer. See the section titled “Social Engineering” in Chapter 15, “Policies, Procedures, and People,” for more information.
Greg needs to centralize the authentication of multiple networking systems against a single user database. What is he trying to implement?
A. Access control list
B. Single sign-on
C. Multifactor authentication
D. Common Access Card
Answer: B. Single sign-on
Explanation: Single sign-on means the ability to log in to multiple systems using a single username/password combination (or other type of authentication method). This is what Greg needs in this scenario. Access control lists contain rules determining which IP addresses and users are allowed access to networks and data. Multifactor authentication is when two or more types of information (or physical security devices) are necessary to gain access to a system—for example, the combination of a username/password and a smart card. The Common Access Card is an authenticating smart card used by the DoD for personnel. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
Your organization has a policy that states that user passwords must be at least 16 characters. Your computers use NTLM2 authentication for clients. Which of the following hash algorithms will be used for password authentication?
A. MD5
B. AES
C. LM hash
D. SHA
Answer: A. MD5
Explanation: The MD5 hashing algorithm is used by NTLM2 authentication. MD5 stands for Message-Digest algorithm 5. It uses a 128-bit key and is a widely used hashing algorithm. LM hash is used with passwords of 14 or fewer characters. If you use a password of 15 characters or more on newer versions of Windows, the OS will store a constant string as the LM hash, which is effectively a null password, and thereby uncrackable. The real password will be stored as an NTLM2 hash (in this case calculated with MD5), and that hash will be used solely. AES is the Advanced Encryption Standard, used widely in wireless networks. SHA is the Secure Hash Algorithm, which employs a 160-bit hash. Newer versions of SHA are more secure than MD5. See the section titled “Hashing Basics” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
Tara has written an application and is ready to go through the hardening process. Which of the following could be considered a hardening process of the SDLC?
A. Disabling unnecessary services
B. Application patching management schedule
C. Disabling unnecessary accounts
D. Secure coding concepts
Answer: D. Secure coding concepts
Explanation: Secure coding concepts such as input validation will help to harden an application within the systems development life cycle (SDLC). While disabling unnecessary services and accounts, and patching the application are all important, these could all be considered application or server hardening, not hardening within the SDLC. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
Hardware-based encryption devices such as hardware security modules (HSM) can sometimes see slower deployment in some organizations. What is the best reason for this?
A. RBAC
B. USB removable encryption
C. Lack of management software
D. Multifactor authentication
Answer: C. Lack of management software
Explanation: A lack of management software can cause slower deployment of HSMs. Because the HSM is an external device, it requires software to manage it, allowing the HSM to communicate with the computer it is connected to. The lack of decent management software could cause some decision makers at organizations to be slow to adopt the solution. RBAC stands for role-based access control, which assigns roles to users based on sets of permissions. USB removable encryption is a decent solution for encrypting data, but an HSM can house extremely secure keys in comparison and have tamper protection as well—so USB removable encryption isn’t really a substitute for an HSM. Multifactor authentication means that a user needs to have two forms of ID, or needs to be authenticated in two or more ways to a system. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
What is the main difference between a worm and a virus?
A. A virus is easily removed.
B. A worm is undetectable.
C. A worm is self-replicating.
D. A virus is larger.
Answer: C. A worm is self-replicating.
Explanation: Worms are self-replicating once they are executed, whereas viruses are not. Viruses may spread out and infect one or more files, but the actual virus cannot replicate itself. Viruses and worms can both be difficult to remove—it depends on their severity and age. Worms and viruses can both be detected with antivirus software. Viruses can be larger or smaller than worms. The two are similar in general aside from self-replication. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
Which of the following will identify a Smurf attack?
A. NIDS
B. Firewall
C. Content filter
D. Load balancer
Answer: A. NIDS
Explanation: A NIDS (network intrusion detection system) is designed to identify network attacks such as a Smurf attack (a type of DoS). Firewalls can block particular packets or IP addresses but don’t identify actual attacks. Content filters are used to secure users’ web browsing sessions, filtering out unwanted websites. Load balancers are used to distribute workload among multiple servers. See the section titled “NIDS Versus NIPS” in Chapter 6, “Network Perimeter Security,” for more information.
Which of the following ports is required by an e-commerce web server running SSL?
A. Port 443 inbound
B. Port 80 inbound
C. Port 80 outbound
D. Port 443 outbound
Answer: A. Port 443 inbound
Explanation: The web server needs to have inbound port 443 open to accept secure requests for SSL sessions from clients. The outbound port doesn’t actually matter; it’s the inbound port that is important for the server. Inbound port 80 is used by default for regular HTTP connections. See the section titled “Security Protocols” in Chapter 13, “PKI and Encryption Protocols,” for more information.