Securing Your Network Flashcards

1
Q
What can an administrator use to detect malicious activity after it occurred?      
A. Firewall      
B. Sniffer      
C. Port scanner      
D. IDS
A

D. An intrusion detection system (IDS) detects malicious activity after it has occurred. A firewall attempts to prevent attacks. A sniffer can capture and analyze packets to read data or inspect IP headers. A port scanner looks for open ports on a system to determine running services and protocols.

2
Q
Of the following choices, what would detect compromises on a local server?     
A. HIDS      
B. NIPS      
C. Firewall      
D. Protocol analyzer
A

A. A host-based intrusion detection system (HIDS) can detect attacks (including successful attacks resulting in compromises) on local systems such as workstations and servers. A NIPS detects and mitigates attacks on a network, not on local systems. A firewall attempts to prevent attacks, not detect them. A protocol analyzer can capture and analyze packets, but it will not detect attacks.

3
Q
Of the following choices, what represents the best choice for a system to detect attacks on a network, but not block them?     
A. NIDS      
B. NIPS      
C. HIDS      
D. HIPS
A

A. A network-based intrusion detection system (NIDS) will detect attacks, but will not necessarily block them (unless it is an active NIDS). In contrast, a network-based intrusion prevention system will detect and block attacks. Host-based systems (HIDS and HIPS) provide protection for hosts, not networks.

4
Q
Your organization is using a NIDS. The NIDS vendor regularly provides updates for the NIDS to detect known attacks. What type of NIDS is this?
A. Anomaly-based
B. Signature-based
C. Prevention-based
D. Honey-based
A

B. Signature-based network-based intrusion detection systems (NIDS) use signatures similar to antivirus software, which are downloaded regularly as updates. An anomaly-based (also called heuristic or behavior-based) detection system compares current activity with a previously created baseline to detect any anomalies or changes. An IPS is prevention-based, but an IDS is detection-based. There is no such thing as honey-based.

5
Q
You are preparing to deploy an anomaly-based detection system to monitor network activity. What would you create first?     
A. Flood guards      
B. Signatures      
C. Baseline      
D. Honeypot
A

C. An anomaly-based (also called heuristic or behavior-based) detection system compares current activity with a previously created baseline to detect any anomalies or changes. Flood guards help protect against SYN flood attacks. Signature-based systems use signatures similar to antivirus software. A honeypot is a server designed to look valuable to an attacker and can divert attacks.

6
Q
Of the following choices, what can you use to divert malicious attacks on your network away from valuable resources to relatively worthless resources?      
A. IDS      
B. Proxy server      
C. Web application firewall      
D. Honeypot
A

D. A honeypot can divert malicious attacks to a harmless area of your network, away from production servers. An IDS can detect attacks, but only an active IDS (or an IPS) will take action, and it usually blocks the attack instead of diverting it. A proxy server can filter and cache content from web pages, but doesn’t divert attacks. A web application firewall (WAF) is an additional firewall designed to protect a web application.

7
Q

Of the following choices, what best describes the function of an IPS?
A. Detect attacks
B. Stop attacks in progress
C. Prevent attackers from attacking
D. Notify appropriate personnel of attacks

A

B. The primary purpose of an intrusion prevention system (IPS) is to stop attacks in progress. While an IPS detects attacks just as an IDS does, a distinguishing factor between an IDS and an IPS is that an IPS can also stop attacks in progress. It’s not possible to prevent attackers from attacking, but an IPS can reduce the impact they have on a system. Both IDSs and IPSs provide notifications.

8
Q
Of the following choices, what provides active protection for an operating system?      
A. NIDS      
B. NIPS      
C. HIDS      
D. HIPS
A

D. A host-based intrusion prevention system (HIPS) provides active protection for an individual host, including its operating system. In contrast, a HIDS is passive by default. Network-based IDSs and IPSs monitor and protect network traffic.

9
Q

Of the following choices, what most accurately describes a NIPS?
A. Detects and takes action against threats
B. Provides notification of threats
C. Detects and eliminates threats
D. Identifies zero-day vulnerabilities

A

A. A network-based intrusion prevention system (NIPS) attempts to detect and mitigate threats by taking action to block them. While a NIPS does provide notification, a distinguishing difference between a NIDS and a NIPS is that a NIPS takes action to stop the attack. Threats can’t be eliminated. An anomaly-based IDS or IPS may be able to identify zero-day vulnerabilities, though honeypots are used more often to detect zero-day vulnerabilities.

10
Q

You’ve recently completed a wireless audit and realize that the wireless signal from your company’s WAP reaches the parking lot. What can you do to ensure that the signal doesn’t reach outside your building?
A. Increase the WAP’s power level
B. Decrease the WAP’s power level
C. Enable SSID broadcasting
D. Disable SSID broadcasting

A

B. You can decrease the wireless access point’s (WAP’s) power level to reduce the footprint and ensure the WAP’s signal doesn’t reach the parking lot outside the building (or reposition the WAP’s antenna). Increasing the WAP’s power level increases the footprint. SSID broadcasting won’t have an impact on the footprint.

11
Q
Which one of the following secure protocols did WEP implement incorrectly, allowing attackers to crack it?      
A. SSL      
B. RC4      
C. CCMP      
D. AES
A

B. Wired Equivalent Privacy (WEP) implemented RC4 with small initialization vectors (IVs), allowing an IV attack to discover the key. SSL uses RC4 successfully to encrypt and decrypt traffic, but WEP does not use SSL. CCMP is a strong encryption protocol based on AES that overcomes problems with TKIP, and WEP did not use CCMP. AES is a strong encryption standard. WEP did not use AES.

12
Q
Which of the following authentication mechanisms can provide centralized authentication for a wireless network?      
A. WPA2      
B. RADIUS      
C. Multifactor authentication      
D. Kerberos
A

D. Wi-Fi Protected Access version 2 (WPA2) provides the strongest security for an 802.11n (wireless) network of the given choices. FTPS secures FTP traffic with SSL. SSL encrypts other types of traffic, but not wireless network traffic. WEP is weak and should not be used.

13
Q
Which of the following authentication mechanisms can provide centralized authentication for a wireless network?      
A. WPA2      
B. RADIUS      
C. Multifactor authentication      
D. Kerberos
A

B. Remote Authentication Dial-In User Service (RADIUS) can provide centralized authentication for wireless networks as an 802.1X server in Enterprise mode. WPA2 provides security for a wireless network. Multifactor authentication uses two or more factors of authentication but does not provide centralized authentication. Kerberos provides authentication in Microsoft networks.

14
Q

You want to ensure that only specific wireless clients can access your wireless networks. Of the following choices, what provides the best solution?
A. MAC filtering
B. Content filtering
C. NAT
D. NIPS

A

A. MAC filtering allows you to restrict access to the wireless networks to devices with specified MAC addresses (though an attacker can circumvent this method). Content filtering can filter traffic for malware and more, but it doesn’t restrict clients. NAT translates IP addresses and can hide internal private IP addresses, but it doesn’t restrict access. NIPS can detect and block attacks but not filter wireless clients.

15
Q

You recently completed a wireless audit of your company’s wireless network. You’ve identified several unknown devices connected to the network and realize they are devices owned by company employees. What can you use to prevent these devices from connecting?
A. MAC filtering
B. Enable SSID broadcast
C. Enable isolation mode on the WAP
D. Reduce the power levels on the WAP

A

A. MAC filtering can restrict the devices’ connectivity based on their MAC addresses and prevent the employees’ devices from connecting. Enabling SSID broadcast won’t prevent the devices from connecting. Isolation mode prevents wireless users from connecting to each other, not to the WAP. Reducing the power levels reduces access for all devices, not just the employee-owned devices.

16
Q
What can you do to prevent the easy discovery of a WAP?      
A. Enable MAC filtering      
B. Disable SSID broadcast      
C. Enable SSID broadcast      
D. Enable 802.1X authentication
A

B. You can disable SSID broadcasts to prevent the easy discovery of a WAP, but attackers can still locate the wireless network with a sniffer. MAC filtering can restrict what devices can connect, but attackers can circumvent this method, too. Enabling the SSID broadcast makes the WAP easier to discover. 802.1X authentication uses a RADIUS server to add security but doesn’t prevent the easy discovery of a WAP.

17
Q
While troubleshooting a problem with a WAP in your organization, you discover a rogue access point with the same SSID as the organization’s WAP. What is this second access point?      
A. IDS      
B. War chalking     
C. Evil twin      
D. Packet sniffer
A

C. An evil twin is a rogue (or counterfeit) access point with the same SSID as an authorized wireless access point (WAP). An IDS detects malicious activity after it has occurred, but is unrelated to WAPs. War chalking is the practice of drawing symbols in public places to identify wireless networks. While the evil twin is very likely capturing traffic with packet sniffing, an evil twin is not a packet sniffer.

18
Q
You want to identify the physical location of a rogue access point you discovered in the footprint of your company. What would you use?     
A. Bluesnarfing      
B. Bluejacking      
C. War chalking      
D. War driving
A

D. War driving is the practice of looking for a wireless network, and administrators sometimes use war driving as part of a wireless audit to locate rogue access points. Bluesnarfing involves accessing data on a phone. Bluejacking involves sending unsolicited messages to a phone. War chalking identifies publicly accessible wireless networks with symbols written in chalk or painted on a wall as graffiti.

19
Q
You are hosting a wireless hotspot, and you want to segment wireless users from each other. What should you use?      
A. Personal mode      
B. Enterprise mode      
C. Isolation mode      
D. WEP
A

C. Isolation mode on a WAP segments wireless users from each other and is commonly used in hotspots. Personal mode uses a PSK and Enterprise mode uses an 802.1X authentication server to increase security. WEP is a weak encryption algorithm and not recommended for use.

20
Q

Which of the following best describes bluejacking?

A. Bluejacking involves accessing data on a phone.
B. Bluejacking involves checking a WAP’s antenna placement, power levels, and encryption techniques.
C. Bluejacking involves sending unsolicited messages to a phone.
D. Bluejacking involves a rogue access point with the same SSID as your production WAP.
A

C. Bluejacking involves sending unsolicited messages to a phone. Bluesnarfing involves accessing data on a phone. A wireless audit involves checking a WAP’s antenna placement, power levels, and encryption techniques. An evil twin is a rogue access point with the same SSID as an authorized WAP.

21
Q

Someone stole an executive’s smartphone, and the phone includes sensitive data. What should you do to prevent the thief from reading the data?
A. Password protect the phone
B. Encrypt the data on the phone
C. Use remote wipe
D. Track the location of the phone

A

C. Remote wipe capabilities can send a remote wipe signal to the phone to delete all the data on the phone, including any cached data. The phone is lost, so it’s too late to password protect or encrypt the data now if these steps weren’t completed previously. While tracking the phone may be useful, it doesn’t prevent the thief from reading the data.

22
Q
You are deploying a remote access server for your organization. Employees will use this to access the network while on the road. Of the following choices, what must you configure?     
A. NAC      
B. ACLs      
C. MACs      
D. NAT-T
A

B. Access control lists (ACLs) within a firewall must include rules to open the appropriate ports. NAC increases security, and MAC filtering can filter traffic based on MAC addresses, but neither is required for remote access. NAT-T can circumvent problems related to IPsec usage, but it is not a requirement for all remote access.

23
Q

Your organization is creating a site-to-site VPN tunnel between the main business location and a remote office. What can it use to create the tunnel?
A. WPA2-Enterprise
B. RADIUS
C. NAC
D. IPsec

A

D. IPsec is one of many tunneling protocols the organization can use to create a VPN tunnel. WPA2-Enterprise is a secure wireless protocol that includes authentication using an 802.1X server (often implemented as RADIUS). RADIUS provides authentication but doesn’t create a tunnel. NAC provides security for clients, such as inspecting them for health, but doesn’t create the tunnel.

24
Q
You are planning to deploy a VPN with IPsec. Users will use the VPN to access corporate resources while they are on the road. How should you use IPsec?     
A. With AH in tunnel mode      
B. With AH in transport mode      
C. With ESP in tunnel mode      
D. With ESP in transport mode
A

C. Encapsulating Security Payload (ESP) in tunnel mode encapsulates the entire IP packet and provides confidentiality, integrity, and authentication. AH only provides integrity and authentication. Transport mode doesn’t encrypt the entire IP packet and is used internally within a private network, not with a VPN.

25
Q

An employee connects to the corporate network using a VPN. However, the client is not able to access internal resources, but instead receives a warning indicating their system is not up to date with current patches. What is causing this behavior?
A. The VPN is using IPsec
B. The VPN is not using IPsec
C. NAC is disabled on the network and remediation must take place before the client can access internal resources
D. NAC is enabled on the network and remediation must take place before the client can access internal resources

A

D. Network access control (NAC) inspects clients for specific health conditions and can redirect access to a remediation network for unhealthy clients. NAC is not dependent on the tunneling protocol (such as IPsec). The warning would not appear if NAC was disabled.