Security Assessments and Audits

Question 1

As part of your security audit, you would like to see what type of network traffic is being transmitted on the network. Which type of tool should you use?

Protocol analyzer

Port scanner

Vulnerability scanner

Answer 1

Protocol analyzer

Protocol analyzers use a promiscuous mode network card driver that allows the capture of all network traffic. Each switch port is a collision domain that prevents capturing unicast traffic related to other hosts; however, some switches allow mirroring of all switch traffic to a specific port

Question 2

A network consists of 250 computers. You must determine which machines are secure and which are not. Which type of tool should you use?

Protocol analyzer

Port scanner

Vulnerability scanner

Answer 2

Vulnerability scanner

Vulnerability scanners scan computers for known security violations and weaknesses

Question 3

You would like to focus and track malicious activity to a particular host in your DMZ. What should you configure?

Honeynet

Honeypot

DMZ tracker

Answer 3

Honeypot

A honeypot is an intentionally vulnerable host used to attract and track malicious activity

Question 4

Which of the following would you employ to determine which TCP and UDP ports on a host are open?

Packet sniffer

Performance Monitor

Port scanner

Answer 4

Port scanner

Port scanners identify open ports on hosts. Personal firewall software may impede the success of port scanners. Note that port scanning can be detected

Question 5

Which procedure identifies assets, threats, and risks and also determines methods to minimize the impact of these threats?

Risk analysis

Vulnerability assessment

Port scanning

Answer 5

Risk analysis

Risk analysis identifies and prioritizes threats while determining how to minimize their effect on business operations

Question 6

A technician must identify deviations from normal network activity. Which task must she first perform?

Trend analysis

Baseline analysis

Performance monitoring

Answer 6

Baseline analysis

A baseline analysis establishes what is normal on a given network. Without this data, it is difficult to determine deviations from the norm

Question 7

A developer analyzes source code to ensure there are no errors or potential security risks. Which term best identifies this activity?

Patch management

Debugging

Code review

Answer 7

Code review

Code review is an examination of source code to uncover errors or security risks

Question 8

A Windows computer has not been patched and the unnecessary services have not been disabled. Which of the following statements is true regarding security?

The computer will perform faster.

The computer has a large attack surface.

The computer has a small attack surface.

Answer 8

The computer has a large attack surface.

Computers with many potential vulnerabilities (software, physical) are said to have a larger attack surface than patched machines that run only software that is required. A larger attack surface means a higher degree of possibility of a machine becoming compromised

Question 9

A network security auditor simulates various network attacks against a corporate network. Which term best defines this procedure?

Vulnerability analysis

Network mapping

Penetration testing

Answer 9

Penetration testing

Penetration testing (pen testing) is an active, or intrusive, type of test that involves simulating malicious activity against hosts or entire networks in order to assess how secure they are and to identify threats. Proper written consent must be obtained prior to performing this type of testing since testing could disrupt hosts and networks

Question 10

Your manager asks you to configure a collection of purposely vulnerable hosts in a DMZ for the purpose of tracking hacking attempts. What term best describes what you are configuring?

Honeynet

Honeypot

Firewall

Answer 10

Honeynet

A honeynet is composed of two or more honeypots. These are intentionally vulnerable hosts used to track malicious activity

Question 11

You run a vulnerability scan on subnet 192.168.1.0/24. The results state TCP ports 135 through 139 are open on most hosts. What does this refer to?

File and Print Sharing

Mail server

Remote Desktop Protocol

Answer 11

File and Print Sharing

Windows File and Print Sharing generally uses TCP ports 135 to 139

Question 12

You are a network consultant in charge of creating a wireless network infrastructure for a hotel. Toward the end of the implementation, your team evaluates the project to ensure that it meets the original stated requirements. What is this called?

Penetration testing

Risk assessment

Design review

Answer 12

Design review

Design review is a process whereby the original project objectives are compared against current progress to ensure that the objectives are being met

Question 13

After careful log examination, you realize somebody has hacked into your WEP-secured home wireless network. What can you do to further secure wireless traffic?

Use WPA2 Enterprise.

Use WPA2 PSK.

Disable SSID broadcasting.

Answer 13

Use WPA2 PSK.

Wi-Fi Protected Access (WPA2) pre-shared key (PSK) is considered more secure than Wired Equivalent Privacy (WEP)

Question 14

What should be done to ensure that your network security is effective?

Patch all operating systems.

Update the BIOS on all systems.

Periodically test network security controls.

Answer 14

Periodically test network security controls.

Periodic network testing, perhaps even penetration testing, is valuable to ensure that your network security controls remain valid over time

Question 15

Which of the following is considered passive security testing?

Capturing network traffic

Brute-force password attack

Dictionary-based disk decryption

Answer 15

Capturing network traffic

The passive testing of security controls does not interfere with the normal operation of a computer system or network. Capturing network traffic simply takes a copy of network packets already being transmitted

Question 16

From the following list, identify the security misconfiguration:

A domain administrative account is used as a service account.

An Active Directory account is used as a service account.

Windows stations receive updates from a WSUS server instead of the Internet.

Answer 16

A domain administrative account is used as a service account.

A Windows service (and UNIX and Linux daemons) must run under the context of a standard user account. Assigning a powerful domain administrative account presents a major threat in the event that the service is compromised; the hacker would then have escalated domain administrative privileges. Service accounts should have only the rights and permissions required to function—nothing more. Many administrators do not force periodic password changes for service accounts, which presents yet another security risk

Question 17

A security-auditing team has been hired to conduct network penetration tests against a network. The team has not been given any data related to the network or its layout. What type of testing will the team perform?

Black box

White box

Gray box

Answer 17

Black box

Black-box testing refers to the process by which computer software or networks are tested and the testers have no information about how the software or networks are designed

Question 18

You are having trouble pinging host 192.168.17.45; there are no replies. One of your users must use the Remote Desktop Protocol (RDP) against the host to run an application. You cannot test RDP for the user, because you are currently logged on locally to a Linux server with only a command line. What can you use to determine quickly whether RDP is running on 192.168.17.45?

Packet sniffer

Wireless scanner

Port scanner

Answer 18

Port scanner

A port scanner is a quick, simple way to determine which ports are open on a host. Even though ping packets may be blocked, RDP packets may not be. Tools such as Netcat can be used on Linux and Windows to test communication with TCP and UDP ports

Question 19

After conducting a security audit, you inform the network owner that you discovered two unencrypted wireless networks. Your client asks how best to secure wireless traffic. Which of the following is the most secure wireless network encryption?

WEP

WPA

WPA2

Answer 19

WPA2

WPA2 is the most secure option from the presented list. Unlike WPA, WPA2 must be tested and certified by the Wi-Fi Alliance. WPA2 also uses a stronger encryption implementation in the form of AES, the U.S. government–accepted encryption standard

Question 20

A security auditor must determine what types of servers are running on a network. Which type of tool should be used?

Network mapper

Protocol analyzer

Port scanner

Answer 20

Network mapper

Network mapping utilities such as the open source Cheops tool can map out a network’s layout and identify operating systems running on hosts

Question 21

A security auditor discovers open wireless networks. She must recommend a secure solution. Which of the following is the most secure wireless solution?

802.1x

WEP

WPA PSK

Answer 21

802. 1x
803. 1x requires that connecting hosts or users first authenticate with a central authentication server before even gaining access to the network. This is considered the most secure of the listed choices since WEP and WPA PSK do not require authentication to get on the network; only a passphrase is required. Neither of the two uses a centralized authentication server

Question 22

Which of the following would not be considered during a security audit?

Locked server rooms

Wireless encryption in use

Patch status of all hosts

Answer 22

Patch status of all hosts

The cost of licensing software is not considered during a security audit. Ensuring license compliance might be considered but not the cost of the licenses. Compliance scanner tools ensure that network devices comply with organization security policies, including adherence to software licensing rules

Question 23

While auditing a Windows Active Directory environment, you discover that administrative accounts do not have configured account lockout policies. Which of the following are security concerns? (Choose two.)

If account lockout is enabled, administrative accounts could be locked out as a result of repeated password attempts.

If account lockout is not enabled, administrative accounts could be subjected to password attacks.

If account lockout is enabled, administrative accounts could be subjected to password attacks.

If account lockout is not enabled, administrative accounts could be locked out as a result of repeated password attempts.

Answer 23

If account lockout is enabled, administrative accounts could be locked out as a result of repeated password attempts.

If account lockout is not enabled, administrative accounts could be subjected to password attacks.

These answers present a catch-22 scenario. The best solution is to authenticate admin accounts with a smartcard. This would eliminate remote attacks on admin accounts because of the requirement of possessing a physical smartcard

Question 24

Which type of security testing provides network configuration information to testers?

White box

Black box

Gray box

Answer 24

White box

A white-box test provides testers with detailed configuration information regarding the software or network they are testing

Question 25

Which type of tool scans for known security threats on a group of computers?

Packet sniffer

Vulnerability scanner

Risk scanner

Answer 25

Vulnerability scanner

Vulnerability scanners such as nmap normally use an updated database of known security vulnerabilities and misconfigurations for various operating systems and network devices. This database is compared against a single host or a network scan to determine whether any hosts or devices are vulnerable. Reports can then be generated from the scan. Network scans can also reveal the presence of rogue systems, including rogue DHCP servers that dole out incorrect IP configurations to disrupt network communications or to re-route traffic through attacker systems for unauthorized detailed traffic examination

Question 26

You would like an unused host to log zero-day exploit activity. What should you configure?

Patch server

Honeynet

Honeypot

Answer 26

Honeypot

Honeypots are intentionally exposed systems used to attract the attention of hackers or malicious code for further study

Question 27

A large wireless network currently uses WPA PSK. As part of your network audit findings, you recommend a centralized wireless authentication option. What should you recommend?

RADIUS

WEP

WPA2 PSK

Answer 27

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a central server that authenticates users connecting to a network. Failure to authenticate to the RADIUS server means access to the network is denied

Question 28

Your company hired a consultant to implement a secure VPN solution using PKI certificates and smartcard authentication. Mark, your boss, has asked you to evaluate the implementation to ensure that the solution addresses the original need. Which term best describes what you will be doing?

Design review

Application security architecture review

VPN review

Answer 28

Design review

A design review ensures that a solution meets stated security requirements

Question 29

A user complains that legitimate e-mail messages from some customers are incorrectly flagged as spam by the corporate mail server. How might you explain what is happening to your user?

The e-mail messages in question are generating false positives.

The false positives are generating e-mail messages.

The e-mail message in question are generating false negatives.

Answer 29

The e-mail messages in question are generating false positives.

A false positive occurs when a harmless item or event occurs but is flagged as problematic

Question 30

You are the newly hired security officer for Jokers Inc. An existing network diagram for the Halifax location has been provided, as shown in Figure 18-5. Which recommendations should you make to secure the network infrastructure? (Choose two.)

Do not allow all outbound traffic through the firewalls.

Allow DNS replication traffic only between specific DNS hosts.

Do not place DNS servers in a DMZ.

Do not allow outbound TCP 443 traffic.

Answer 30

Do not allow all outbound traffic through the firewalls.

Allow DNS replication traffic only between specific DNS hosts.

Firewalls should scrutinize not only incoming network traffic but also traffic leaving a network. This can prevent SMTP relaying, spam, DDoS attacks, and many more attacks initiated from your network to a victim host or network. DNS servers must replicate only with other known DNS servers to prevent replicating DNS records to rogue DNS hosts

Question 31

Acme Inc. uses the 199.126.129.0/24 network address range in its DMZ. You are configuring the firewall separating the DMZ from the private network so that traffic from DMZ hosts is allowed into the private network. You issue the command router(config)#access-list 45 permit 192.168.1.0 0.0.0.255. What is the problem with this configuration?

Access-list 55 must be used.

192.168.1.0 is a reserved private network address.

The subnet mask in the router command is incorrect.

Answer 31

192.168.1.0 is a reserved private network address.

Reserved private network addresses such as 192.168.1.0 are not routed by Internet routers and therefore should be used only on internal networks, not on a DMZ

Question 32

Employee laptops must be secured when employees travel for business purposes. What can you do to harden user laptops?

Set a CMOS password.

Configure disk mirroring.

Generate file hashes for all hard disk files.

Answer 32

Set a CMOS password.

CMOS passwords prevent unauthorized persons from booting from USB or CD to bypass operating system security

Question 33

When is baseline reporting useful?

When conducting a penetration test

When hardening HTTPS servers

When comparing normal activity with current activity

Answer 33

When comparing normal activity with current activity

A baseline establishes what system performance looks like under normal conditions. This can be compared to current conditions to determine whether anything is out of the norm

Question 34

Why are penetration tests sometimes not recommended?

They can identify security threats.

They could degrade network performance.

They could generate too much logging data.

Answer 34

They could degrade network performance.

Penetration testing can be risky. Many techniques are involved, but degrading network performance or crashing hosts is a distinct possibility

Question 35

You need to verify whether DNS servers allow DNS zone transfers to all hosts. Which built-in operating system command should you use?

arp

ping

nslookup

Answer 35

nslookup

The name server lookup (nslookup) command is built into both Windows and Linux operating system, whereas the dig command is specific to Linux