Security Assessments and Audits Flashcards

1
Q

As part of your security audit, you would like to see what type of network traffic is being transmitted on the network. Which type of tool should you use?

Protocol analyzer

Port scanner

Vulnerability scanner

A

Protocol analyzer

Protocol analyzers use a promiscuous mode network card driver that allows the capture of all network traffic. Each switch port is a collision domain that prevents capturing unicast traffic related to other hosts; however, some switches allow mirroring of all switch traffic to a specific port

2
Q

A network consists of 250 computers. You must determine which machines are secure and which are not. Which type of tool should you use?

Protocol analyzer

Port scanner

Vulnerability scanner

A

Vulnerability scanner

Vulnerability scanners scan computers for known security violations and weaknesses

3
Q

You would like to focus and track malicious activity to a particular host in your DMZ. What should you configure?

Honeynet

Honeypot

DMZ tracker

A

Honeypot

A honeypot is an intentionally vulnerable host used to attract and track malicious activity

4
Q

Which of the following would you employ to determine which TCP and UDP ports on a host are open?

Packet sniffer

Performance Monitor

Port scanner

A

Port scanner

Port scanners identify open ports on hosts. Personal firewall software may impede the success of port scanners. Note that port scanning can be detected

5
Q

Which procedure identifies assets, threats, and risks and also determines methods to minimize the impact of these threats?

Risk analysis

Vulnerability assessment

Port scanning

A

Risk analysis

Risk analysis identifies and prioritizes threats while determining how to minimize their effect on business operations

6
Q

A technician must identify deviations from normal network activity. Which task must she first perform?

Trend analysis

Baseline analysis

Performance monitoring

A

Baseline analysis

A baseline analysis establishes what is normal on a given network. Without this data, it is difficult to determine deviations from the norm

7
Q

A developer analyzes source code to ensure there are no errors or potential security risks. Which term best identifies this activity?

Patch management

Debugging

Code review

A

Code review

Code review is an examination of source code to uncover errors or security risks

8
Q

A Windows computer has not been patched and the unnecessary services have not been disabled. Which of the following statements is true regarding security?

The computer will perform faster.

The computer has a large attack surface.

The computer has a small attack surface.

A

The computer has a large attack surface.

Computers with many potential vulnerabilities (software, physical) are said to have a larger attack surface than patched machines that run only software that is required. A larger attack surface means a higher degree of possibility of a machine becoming compromised

9
Q

A network security auditor simulates various network attacks against a corporate network. Which term best defines this procedure?

Vulnerability analysis

Network mapping

Penetration testing

A

Penetration testing

Penetration testing (pen testing) is an active, or intrusive, type of test that involves simulating malicious activity against hosts or entire networks in order to assess how secure they are and to identify threats. Proper written consent must be obtained prior to performing this type of testing since testing could disrupt hosts and networks

10
Q

Your manager asks you to configure a collection of purposely vulnerable hosts in a DMZ for the purpose of tracking hacking attempts. What term best describes what you are configuring?

Honeynet

Honeypot

Firewall

A

Honeynet

A honeynet is composed of two or more honeypots. These are intentionally vulnerable hosts used to track malicious activity

11
Q

You run a vulnerability scan on subnet 192.168.1.0/24. The results state TCP ports 135 through 139 are open on most hosts. What does this refer to?

File and Print Sharing

Mail server

Remote Desktop Protocol

A

File and Print Sharing

Windows File and Print Sharing generally uses TCP ports 135 to 139

12
Q

You are a network consultant in charge of creating a wireless network infrastructure for a hotel. Toward the end of the implementation, your team evaluates the project to ensure that it meets the original stated requirements. What is this called?

Penetration testing

Risk assessment

Design review

A

Design review

Design review is a process whereby the original project objectives are compared against current progress to ensure that the objectives are being met

13
Q

After careful log examination, you realize somebody has hacked into your WEP-secured home wireless network. What can you do to further secure wireless traffic?

Use WPA2 Enterprise.

Use WPA2 PSK.

Disable SSID broadcasting.

A

Use WPA2 PSK.

Wi-Fi Protected Access 2 (WPA2) with a pre-shared key (PSK) is considered more secure than Wired Equivalent Privacy (WEP)

14
Q

What should be done to ensure that your network security is effective?

Patch all operating systems.

Update the BIOS on all systems.

Periodically test network security controls.

A

Periodically test network security controls.

Periodic network testing, perhaps even penetration testing, is valuable to ensure that your network security controls remain valid over time

15
Q

Which of the following is considered passive security testing?

Capturing network traffic

Brute-force password attack

Dictionary-based disk decryption

A

Capturing network traffic

The passive testing of security controls does not interfere with the normal operation of a computer system or network. Capturing network traffic simply takes a copy of network packets already being transmitted

16
Q

From the following list, identify the security misconfiguration:

A domain administrative account is used as a service account.

An Active Directory account is used as a service account.

Windows stations receive updates from a WSUS server instead of the Internet.

A

A domain administrative account is used as a service account.

A Windows service (and UNIX and Linux daemons) must run under the context of a standard user account. Assigning a powerful domain administrative account presents a major threat in the event that the service is compromised; the hacker would then have escalated domain administrative privileges. Service accounts should have only the rights and permissions required to function—nothing more. Many administrators do not force periodic password changes for service accounts, which presents yet another security risk

17
Q

A security-auditing team has been hired to conduct network penetration tests against a network. The team has not been given any data related to the network or its layout. What type of testing will the team perform?

Black box

White box

Gray box

A

Black box

Black-box testing refers to the process by which computer software or networks are tested and the testers have no information about how the software or networks are designed

18
Q

You are having trouble pinging host 192.168.17.45; there are no replies. One of your users must use the Remote Desktop Protocol (RDP) against the host to run an application. You cannot test RDP for the user, because you are currently logged on locally to a Linux server with only a command line. What can you use to determine quickly whether RDP is running on 192.168.17.45?

Packet sniffer

Wireless scanner

Port scanner

A

Port scanner

A port scanner is a quick, simple way to determine which ports are open on a host. Even though ping packets may be blocked, RDP packets may not be. Tools such as Netcat can be used on Linux and Windows to test communication with TCP and UDP ports

19
Q

After conducting a security audit, you inform the network owner that you discovered two unencrypted wireless networks. Your client asks how best to secure wireless traffic. Which of the following is the most secure wireless network encryption?

WEP

WPA

WPA2

A

WPA2

WPA2 is the most secure option from the presented list. Unlike WPA, WPA2 must be tested and certified by the Wi-Fi Alliance. WPA2 also uses a stronger encryption implementation in the form of AES, the U.S. government–accepted encryption standard

20
Q

A security auditor must determine what types of servers are running on a network. Which type of tool should be used?

Network mapper

Protocol analyzer

Port scanner

A

Network mapper

Network mapping utilities such as the open source Cheops tool can map out a network’s layout and identify operating systems running on hosts

21
Q

A security auditor discovers open wireless networks. She must recommend a secure solution. Which of the following is the most secure wireless solution?

802.1x

WEP

WPA PSK

A

802.1x

802.1x requires that connecting hosts or users first authenticate with a central authentication server before even gaining access to the network. This is considered the most secure of the listed choices since WEP and WPA PSK do not require authentication to get on the network; only a passphrase is required. Neither of the two uses a centralized authentication server

22
Q

Which of the following would not be considered during a security audit?

Locked server rooms

Wireless encryption in use

Patch status of all hosts

A

Patch status of all hosts

The cost of licensing software is not considered during a security audit. Ensuring license compliance might be considered but not the cost of the licenses. Compliance scanner tools ensure that network devices comply with organization security policies, including adherence to software licensing rules

23
Q

While auditing a Windows Active Directory environment, you discover that administrative accounts do not have configured account lockout policies. Which of the following are security concerns? (Choose two.)

If account lockout is enabled, administrative accounts could be locked out as a result of repeated password attempts.

If account lockout is not enabled, administrative accounts could be subjected to password attacks.

If account lockout is enabled, administrative accounts could be subjected to password attacks.

If account lockout is not enabled, administrative accounts could be locked out as a result of repeated password attempts.

A

If account lockout is enabled, administrative accounts could be locked out as a result of repeated password attempts.

If account lockout is not enabled, administrative accounts could be subjected to password attacks.

These answers present a catch-22 scenario. The best solution is to authenticate admin accounts with a smartcard. This would eliminate remote attacks on admin accounts because of the requirement of possessing a physical smartcard

24
Q

Which type of security testing provides network configuration information to testers?

White box

Black box

Gray box

A

White box

A white-box test provides testers with detailed configuration information regarding the software or network they are testing

25
Q

Which type of tool scans for known security threats on a group of computers?

Packet sniffer

Vulnerability scanner

Risk scanner

A

Vulnerability scanner

Vulnerability scanners such as nmap normally use an updated database of known security vulnerabilities and misconfigurations for various operating systems and network devices. This database is compared against a single host or a network scan to determine whether any hosts or devices are vulnerable. Reports can then be generated from the scan. Network scans can also reveal the presence of rogue systems, including rogue DHCP servers that dole out incorrect IP configurations to disrupt network communications or to re-route traffic through attacker systems for unauthorized detailed traffic examination

26
Q

You would like an unused host to log zero-day exploit activity. What should you configure?

Patch server

Honeynet

Honeypot

A

Honeypot

Honeypots are intentionally exposed systems used to attract the attention of hackers or malicious code for further study

27
Q

A large wireless network currently uses WPA PSK. As part of your network audit findings, you recommend a centralized wireless authentication option. What should you recommend?

RADIUS

WEP

WPA2 PSK

A

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a central server that authenticates users connecting to a network. Failure to authenticate to the RADIUS server means access to the network is denied

28
Q

Your company hired a consultant to implement a secure VPN solution using PKI certificates and smartcard authentication. Mark, your boss, has asked you to evaluate the implementation to ensure that the solution addresses the original need. Which term best describes what you will be doing?

Design review

Application security architecture review

VPN review

A

Design review

A design review ensures that a solution meets stated security requirements

29
Q

A user complains that legitimate e-mail messages from some customers are incorrectly flagged as spam by the corporate mail server. How might you explain what is happening to your user?

The e-mail messages in question are generating false positives.

The false positives are generating e-mail messages.

The e-mail messages in question are generating false negatives.

A

The e-mail messages in question are generating false positives.

A false positive occurs when a harmless item or event occurs but is flagged as problematic

30
Q

You are the newly hired security officer for Jokers Inc. An existing network diagram for the Halifax location has been provided, as shown in Figure 18-5. Which recommendations should you make to secure the network infrastructure? (Choose two.)

Do not allow all outbound traffic through the firewalls.

Allow DNS replication traffic only between specific DNS hosts.

Do not place DNS servers in a DMZ.

Do not allow outbound TCP 443 traffic.

A

Do not allow all outbound traffic through the firewalls.

Allow DNS replication traffic only between specific DNS hosts.

Firewalls should scrutinize not only incoming network traffic but also traffic leaving a network. This can prevent SMTP relaying, spam, DDoS attacks, and many more attacks initiated from your network to a victim host or network. DNS servers must replicate only with other known DNS servers to prevent replicating DNS records to rogue DNS hosts

31
Q

Acme Inc. uses the 199.126.129.0/24 network address range in its DMZ. You are configuring the firewall separating the DMZ from the private network so that traffic from DMZ hosts is allowed into the private network. You issue the command router(config)#access-list 45 permit 192.168.1.0 0.0.0.255. What is the problem with this configuration?

Access-list 55 must be used.

192.168.1.0 is a reserved private network address.

The subnet mask in the router command is incorrect.

A

192.168.1.0 is a reserved private network address.

Reserved private network addresses such as 192.168.1.0 are not routed by Internet routers and therefore should be used only on internal networks, not on a DMZ

32
Q

Employee laptops must be secured when employees travel for business purposes. What can you do to harden user laptops?

Set a CMOS password.

Configure disk mirroring.

Generate file hashes for all hard disk files.

A

Set a CMOS password.

CMOS passwords prevent unauthorized persons from booting from USB or CD to bypass operating system security

33
Q

When is baseline reporting useful?

When conducting a penetration test

When hardening HTTPS servers

When comparing normal activity with current activity

A

When comparing normal activity with current activity

A baseline establishes what system performance looks like under normal conditions. This can be compared to current conditions to determine whether anything is out of the norm

34
Q

Why are penetration tests sometimes not recommended?

They can identify security threats.

They could degrade network performance.

They could generate too much logging data.

A

They could degrade network performance.

Penetration testing can be risky. Many techniques are involved, but degrading network performance or crashing hosts is a distinct possibility

35
Q

You need to verify whether DNS servers allow DNS zone transfers to all hosts. Which built-in operating system command should you use?

arp

ping

nslookup

A

nslookup

The name server lookup (nslookup) command is built into both Windows and Linux operating systems, whereas the dig command is specific to Linux