Security Infrastructure Flashcards

- Given a scenario, you must be able to apply security principles to secure enterprise architecture
- Given a scenario, you must be able to modify enterprise capabilities to enhance security

1
Q

Which of the following port ranges is used for temporary outbound connections?
A) 0-1023
B) 1024-49151
C) 49152-65535
D) 65536-70000

A

Answer: C) 49152-65535

Explanation:

A) 0-1023: Incorrect. This range is for Well-Known Ports assigned by IANA for common protocols (e.g., HTTP, FTP).

B) 1024-49151: Incorrect. This range is for Registered Ports, which are vendor-specific and registered with IANA.

C) 49152-65535: Correct. This range is for Dynamic/Private Ports, used for temporary outbound connections.

D) 65536-70000: Incorrect. This range is invalid, as the highest valid port number is 65,535.

2
Q

Which protocol is connectionless and does not guarantee data delivery?
A) TCP
B) UDP
C) Both TCP and UDP
D) Neither TCP nor UDP

A

Answer: B) UDP

Explanation:

A) TCP: Incorrect. TCP is connection-oriented and guarantees data delivery through error checking and retries.

B) UDP: Correct. UDP is connectionless and does not guarantee delivery, making it faster but less reliable.

C) Both TCP and UDP: Incorrect. Only UDP is connectionless.

D) Neither TCP nor UDP: Incorrect. UDP fits the description.

3
Q

In an SSH connection, which port is used on the server to listen for incoming connections?
A) Outbound port on the client
B) Inbound port 22 on the server
C) Dynamic port on the server
D) Registered port on the client

A

Answer: B) Inbound port 22 on the server

Explanation:

A) Outbound port on the client: Incorrect. The outbound port is used by the client to initiate the connection, not to listen.

B) Inbound port 22 on the server: Correct. The server listens for SSH connections on inbound port 22.

C) Dynamic port on the server: Incorrect. Dynamic ports are used for temporary outbound connections, not for listening.

D) Registered port on the client: Incorrect. Registered ports are vendor-specific and not directly related to SSH connections.

4
Q

Which protocol uses port 443 for secure web communication?
A) HTTP
B) FTP
C) HTTPS
D) SSH

A

Answer: C) HTTPS

Explanation:

A) HTTP: Incorrect. HTTP uses port 80 for unsecured web communication.

B) FTP: Incorrect. FTP uses port 21 for file transfers.

C) HTTPS: Correct. HTTPS uses port 443 for secure web communication.

D) SSH: Incorrect. SSH uses port 22 for secure remote access.

5
Q

What is the primary purpose of the TCP 3-way handshake?
A) To establish a secure connection
B) To ensure reliable and ordered data delivery
C) To encrypt data during transmission
D) To terminate a connection

A

Answer: B) To ensure reliable and ordered data delivery

Explanation:

A) To establish a secure connection: Incorrect. The 3-way handshake establishes a connection but does not inherently provide encryption (security is handled by protocols like TLS).

B) To ensure reliable and ordered data delivery: Correct. The 3-way handshake ensures that data is delivered reliably and in the correct order.

C) To encrypt data during transmission: Incorrect. Encryption is not part of the 3-way handshake.

D) To terminate a connection: Incorrect. The 3-way handshake is used to establish, not terminate, a connection.

6
Q

Which of the following port ranges is assigned by IANA for commonly-used protocols?
A) 0-1023
B) 1024-49151
C) 49152-65535
D) 65536-70000

A

Answer: A) 0-1023

Explanation:

A) 0-1023: Correct. This range is for Well-Known Ports assigned by IANA for common protocols (e.g., HTTP, FTP).

B) 1024-49151: Incorrect. This range is for Registered Ports, which are vendor-specific.

C) 49152-65535: Incorrect. This range is for Dynamic/Private Ports used for temporary connections.

D) 65536-70000: Incorrect. This range is invalid, as the highest valid port number is 65,535.

7
Q

You are designing a secure network architecture for an enterprise. Where should a Unified Threat Management (UTM) firewall be placed to ensure maximum security?
A) Between the LAN and the internet connection
B) Inside the LAN, close to the application server
C) On the endpoint devices
D) In the DMZ

A

Answer: A) Between the LAN and the internet connection

Explanation:

A) Correct: A UTM firewall should be placed between the LAN and the internet connection to act as the first line of defense against external threats.

B) Incorrect: This placement is more suitable for an Application-Level Proxy Firewall, which is positioned close to the application server.

C) Incorrect: Endpoint devices use host-based firewalls, not UTM firewalls.

D) Incorrect: The DMZ is used for publicly accessible servers, not for UTM placement.

8
Q

An organization wants to implement a firewall that can distinguish between different types of traffic and conduct deep packet inspection. Which type of firewall should they choose?
A) Packet Filtering Firewall
B) Stateful Firewall
C) Next-Generation Firewall (NGFW)
D) Circuit-Level Proxy Firewall

A

Answer: C) Next-Generation Firewall (NGFW)

Explanation:

A) Incorrect: Packet Filtering Firewalls only inspect packet headers and cannot distinguish between traffic types.

B) Incorrect: Stateful Firewalls track connections but lack deep packet inspection capabilities.

C) Correct: NGFWs are application-aware and can conduct deep packet inspection.

D) Incorrect: Circuit-Level Proxy Firewalls operate at the session layer and do not perform deep packet inspection.

9
Q

An attacker is sending fragmented packets to evade detection by a security system. Which type of attack is this?
A) IP Spoofing
B) SYN Flood Attack
C) Packet Fragmentation Attack
D) Cross-Site Scripting (XSS)

A

Answer: C) Packet Fragmentation Attack

Explanation:

A) Incorrect: IP Spoofing involves faking the source IP address, not fragmenting packets.

B) Incorrect: SYN Flood Attacks overwhelm a server with incomplete TCP handshakes.

C) Correct: Packet Fragmentation Attacks involve breaking packets into smaller fragments to evade detection.

D) Incorrect: XSS is a web application attack, not a firewall attack.

10
Q

You are securing a web application and want to actively block attacks in real-time. Which WAF placement should you use?
A) Out-of-Band
B) In-line
C) Mirrored Port
D) SPAN Port

A

Answer: B) In-line

Explanation:

A) Incorrect: Out-of-Band WAFs monitor traffic but do not actively block attacks.

B) Correct: In-line WAFs sit in the traffic path and actively block malicious requests.

C) Incorrect: Mirrored Ports are used for monitoring, not active blocking.

D) Incorrect: SPAN Ports are similar to Mirrored Ports and are used for traffic analysis, not active blocking.

11
Q

An organization wants to enhance its security by implementing a firewall that provides full-stack visibility and integrates with other security products. Which firewall should they choose?
A) Packet Filtering Firewall
B) Stateful Firewall
C) Next-Generation Firewall (NGFW)
D) Kernel Proxy Firewall

A

Answer: C) Next-Generation Firewall (NGFW)

Explanation:

A) Incorrect: Packet Filtering Firewalls lack full-stack visibility and integration capabilities.

B) Incorrect: Stateful Firewalls do not provide full-stack visibility.

C) Correct: NGFWs offer full-stack visibility and can integrate with other security products.

D) Incorrect: Kernel Proxy Firewalls inspect packets at every layer but do not provide full-stack visibility or integration.

What does integrating with other security products mean?

For example, a Next-Generation Firewall (NGFW) can communicate with an IPS system to block suspicious traffic or send security logs to a SIEM system for deeper analysis. This coordination reduces manual work and improves security efficiency.

12
Q

An organization wants to prevent common web application attacks like cross-site scripting (XSS) and SQL injections. Which security solution should they implement?
A) Packet Filtering Firewall
B) Web Application Firewall (WAF)
C) Stateful Firewall
D) Circuit-Level Proxy Firewall

A

Answer: B) Web Application Firewall (WAF)

Explanation:

A) Incorrect: Packet Filtering Firewalls cannot inspect HTTP traffic for web application attacks.

B) Correct: WAFs are designed to inspect HTTP traffic and prevent web application attacks like XSS and SQL injections.

C) Incorrect: Stateful Firewalls track connections but cannot inspect application-layer traffic.

D) Incorrect: Circuit-Level Proxy Firewalls operate at the session layer and do not inspect application-layer traffic.

13
Q

An organization is using a UTM firewall but wants to improve efficiency by using a single engine for all security functions. Which firewall should they migrate to?
A) Packet Filtering Firewall
B) Stateful Firewall
C) Next-Generation Firewall (NGFW)
D) Application-Level Proxy Firewall

A

Answer: C) Next-Generation Firewall (NGFW)

Explanation:

A) Incorrect: Packet Filtering Firewalls do not use a single engine for multiple functions.

B) Incorrect: Stateful Firewalls lack the advanced capabilities of NGFWs.

C) Correct: NGFWs use a single engine for all security functions, improving efficiency.

D) Incorrect: Application-Level Proxy Firewalls are limited to Layer 7 inspection and do not integrate multiple functions.

14
Q

An organization wants to ensure that its firewall can track connections and allow return traffic for outbound requests. Which type of firewall should they configure?
A) Packet Filtering Firewall
B) Stateful Firewall
C) Circuit-Level Proxy Firewall
D) Kernel Proxy Firewall

A

Answer: B) Stateful Firewall

Explanation:

A) Incorrect: Packet Filtering Firewalls do not track connections.

B) Correct: Stateful Firewalls track connections and allow return traffic for outbound requests.

C) Incorrect: Circuit-Level Proxy Firewalls operate at the session layer but do not track connections like Stateful Firewalls.

D) Incorrect: Kernel Proxy Firewalls inspect packets at every layer but do not specifically track connections.

A stateful firewall is designed to keep track of the state of active connections (e.g., TCP connections) and uses this information to determine whether incoming traffic is part of an existing, legitimate connection.

For example, when a user sends an outbound request, the firewall keeps track of that request, allowing the return traffic (response) to come back through the firewall. This is important because return traffic needs to be associated with the original request.

15
Q

Which security architecture uses a dual-homed host to separate internal and external networks?
A) Packet Filtering Firewall
B) Screened Subnet
C) Stateful Firewall
D) Web Application Firewall

A

Answer: B) Screened Subnet

16
Q

Note: How does packet inspection work at each layer?

A

Layer 2 (Data Link Layer) → Think of this as the “physical address” level. If a firewall operates here, it can filter traffic based on MAC addresses (like identifying devices in a local network) and control which devices can talk to each other.

Layer 3 (Network Layer) → This is where IP addresses come into play. A firewall at this layer checks source and destination IPs to decide whether to allow or block traffic. (Example: “Only let traffic from 192.168.1.1 through.”)

Layer 4 (Transport Layer) → This layer deals with ports and protocols (like TCP and UDP). A firewall here can filter traffic based on port numbers (e.g., blocking port 22 for SSH) and connection types (TCP vs. UDP). It might also detect packet types (like SYN packets used in TCP handshakes) to block suspicious activity.

Layer 5 (Session Layer) → This is about managing sessions between two systems. A firewall at this layer can verify if a session is properly established before allowing communication. (Example: A Circuit-Level Proxy Firewall ensures a valid handshake happens before forwarding data.)

17
Q

Which port configuration is used to monitor network traffic without disrupting the data path?
A) In-line Port
B) Mirrored Port
C) SPAN Port
D) Both B and C

A

Answer: D) Both B and C

18
Q

Which firewall operates at the application layer (Layer 7) and inspects traffic based on content?
A) Layer 4 Firewall
B) Layer 7 Firewall
C) Circuit-Level Proxy Firewall
D) Kernel Proxy Firewall

A

Answer: B) Layer 7 Firewall

19
Q

Which type of firewall is specifically designed to prevent cross-site scripting (XSS) attacks?
A) Packet Filtering Firewall
B) Web Application Firewall (WAF)
C) Stateful Firewall
D) Circuit-Level Proxy Firewall

A

Answer: B) Web Application Firewall (WAF)

20
Q

Which firewall feature provides visibility into all layers of network traffic, from Layer 1 to Layer 7?
A) Deep Packet Inspection
B) Full-Stack Visibility
C) Application Awareness
D) Signature-Based Intrusion Protection

A

Answer: B) Full-Stack Visibility

21
Q

You are configuring an Access Control List (ACL) on a firewall. Which of the following best practices should you follow to ensure proper traffic filtering?
A) Place generic rules at the top and specific rules at the bottom.
B) Place specific rules at the top and generic rules at the bottom.
C) Use only permit rules and avoid deny rules.
D) Use only deny rules and avoid permit rules.

A

Answer: B) Place specific rules at the top and generic rules at the bottom.

Explanation:

A) Incorrect: Generic rules at the top can lead to unintended traffic matches, bypassing specific rules.

B) Correct: Specific rules at the top ensure precise filtering, while generic rules at the bottom act as a catch-all.

C) Incorrect: Using only permit rules would allow all unmatched traffic, reducing security.

D) Incorrect: Using only deny rules would block all traffic, including legitimate traffic.

22
Q

What happens to traffic that does not match any rule in an ACL?
A) It is automatically permitted.
B) It is automatically denied.
C) It is logged and then permitted.
D) It is forwarded to another ACL for evaluation.

A

Answer: B) It is automatically denied.

Explanation:

A) Incorrect: Unmatched traffic is not permitted; this would create a security risk.

B) Correct: The implied deny rule ensures that unmatched traffic is automatically denied.

C) Incorrect: While logging is a good practice, unmatched traffic is still denied.

D) Incorrect: Traffic is not forwarded to another ACL; it is denied if no rule matches.

22
Q

An organization wants to block a large group of IP addresses associated with a known malicious network. Which firewall feature should they use?
A) Implied Deny
B) Bulk Blocking
C) Stateful Inspection
D) Deep Packet Inspection

A

Answer: B) Bulk Blocking

Explanation:

A) Incorrect: Implied deny blocks unmatched traffic but does not address bulk blocking.

B) Correct: Bulk blocking allows the organization to block a large group of IP addresses or domains at once.

C) Incorrect: Stateful inspection tracks connections but does not block multiple IPs simultaneously.

D) Incorrect: Deep packet inspection analyzes traffic content but does not block multiple IPs.

22
Q

An organization wants to protect its entire network with a dedicated security device. Which type of firewall should they implement?
A) Software-Based Firewall
B) Hardware-Based Firewall
C) Web Application Firewall (WAF)
D) Kernel Proxy Firewall

A

Answer: B) Hardware-Based Firewall

Explanation:

A) Incorrect: Software-based firewalls protect individual devices, not the entire network.

B) Correct: Hardware-based firewalls are dedicated devices that protect an entire network or subnet.

C) Incorrect: WAFs focus on web application traffic, not general network traffic.

D) Incorrect: Kernel proxy firewalls inspect packets at every layer but are not dedicated network devices. Note: it doesn’t inspect packets at every layer.

23
Q

You are modifying an ACL to enhance security. Which of the following actions should you take to ensure proper logging and auditing?
A) Disable logging to improve performance.
B) Log only permit actions.
C) Log all deny actions.
D) Use only generic rules to reduce log size.

A

Answer: C) Log all deny actions.

Explanation:

A) Incorrect: Disabling logging removes visibility into potential security incidents.

B) Incorrect: Logging only permit actions does not provide insight into blocked traffic.

C) Correct: Logging all deny actions helps identify and investigate potential threats.

D) Incorrect: Generic rules can lead to unintended matches and reduce security.

24
Q

Which of the following is a key component of an ACL rule?
A) Type of traffic (e.g., TCP, UDP)
B) Source of traffic (e.g., IP address)
C) Destination of traffic (e.g., IP address)
D) All of the above

A

Answer: D) All of the above

Explanation:

A) Correct: The type of traffic (protocol) is a key component.

B) Correct: The source of traffic (IP address or subnet) is a key component.

C) Correct: The destination of traffic (IP address or subnet) is a key component.

D) Correct: All of the above are key components of an ACL rule.

25
Q

Why is it important to log deny actions in a firewall?
A) To improve network performance.
B) To identify and investigate potential security threats.
C) To reduce the size of the ACL.
D) To automatically permit blocked traffic.

A

Answer: B) To identify and investigate potential security threats.

Explanation:

A) Incorrect: Logging does not directly improve performance.

B) Correct: Logging deny actions helps identify and investigate potential threats.

C) Incorrect: Logging does not reduce the size of the ACL.

D) Incorrect: Logging does not permit blocked traffic; it only records the action.

26
Q

An organization wants to secure individual workstations with a firewall. Which type of firewall should they use?
A) Hardware-Based Firewall
B) Software-Based Firewall
C) Web Application Firewall (WAF)
D) Kernel Proxy Firewall

A

Answer: B) Software-Based Firewall

Explanation:

A) Incorrect: Hardware-based firewalls protect entire networks, not individual devices.

B) Correct: Software-based firewalls run on individual devices and provide per-device security.

C) Incorrect: WAFs focus on web application traffic, not general workstation traffic.

D) Incorrect: Kernel proxy firewalls inspect packets at every layer but are not typically used for individual workstations.

27
Q

Which method is used to configure ACLs via a graphical interface?
A) Command Line Interface (CLI)
B) Web-Based Interface
C) Bulk Blocking
D) Implied Deny

A

Answer: B) Web-Based Interface

28
Q

Which ACL feature can define priority levels for network traffic?
A) Implied Deny
B) Quality of Service (QoS)
C) Bulk Blocking
D) Stateful Inspection

A

Answer: B) Quality of Service (QoS)

29
Q

What is the purpose of adding an explicit ‘deny all’ rule at the end of an ACL?
A) To permit all unmatched traffic.
B) To block all unmatched traffic.
C) To improve logging performance.
D) To reduce the size of the ACL.

A

Answer: B) To block all unmatched traffic.

30
Q

Which of the following best describes the key difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)?

A) IDS logs and alerts, while IPS logs, alerts, and takes action
B) IDS takes action against threats, while IPS only monitors and logs them
C) IPS operates only on host-based systems, while IDS is network-based
D) IDS and IPS are both preventive technologies that actively block attacks

A

Correct Answer: A
✅ A) IDS logs and alerts, while IPS logs, alerts, and takes action

An IDS (Intrusion Detection System) is passive, meaning it only logs or alerts about suspicious activity but does not take direct action.
An IPS (Intrusion Prevention System) is active, meaning it logs, alerts, and also takes action (e.g., blocking traffic) to stop threats.

Incorrect Answers:
❌ B) IDS takes action against threats, while IPS only monitors and logs them
Incorrect because IDS does not take action, while IPS does.

❌ C) IPS operates only on host-based systems, while IDS is network-based
Incorrect because both IDS and IPS can be implemented as network-based (NIDS) or host-based (HIDS).

❌ D) IDS and IPS are both preventive technologies that actively block attacks
Incorrect because IDS does not block attacks—it only alerts. Only IPS actively blocks threats.

31
Q

Where should a Network-based Intrusion Detection System (NIDS) be placed for maximum visibility into network traffic?

A) Inside the firewall, directly monitoring internal traffic
B) On a SPAN (mirror) port of the main switch
C) Installed on each endpoint device individually
D) On a separate network outside of the organization’s main network

A

Correct Answer: B
✅ B) On a SPAN (mirror) port of the main switch

A SPAN (Switched Port Analyzer) port, also called a mirror port, is commonly used to monitor all network traffic and send a copy to the NIDS for inspection.

Incorrect Answers:
❌ A) Inside the firewall, directly monitoring internal traffic
Incorrect because NIDS is typically deployed at the network perimeter to monitor incoming/outgoing traffic before reaching internal systems.

❌ C) Installed on each endpoint device individually
Incorrect because that describes Host-based IDS (HIDS), not Network-based IDS (NIDS).

❌ D) On a separate network outside of the organization’s main network
Incorrect because an IDS needs direct access to the main network’s traffic to detect potential threats.

32
Q

Which of the following types of IDS detection methods is best suited for identifying zero-day attacks?

A) Signature-based IDS
B) Stateful-matching IDS
C) Anomaly-based IDS
D) Pattern-matching IDS

A

Correct Answer: C
✅ C) Anomaly-based IDS

Anomaly-based IDS works by establishing a baseline of normal behavior and detecting deviations, making it effective at identifying zero-day attacks (unknown threats).

Incorrect Answers:
❌ A) Signature-based IDS
Incorrect because it only detects known threats based on predefined signatures. Zero-day attacks don’t have signatures yet.

❌ B) Stateful-matching IDS
Incorrect because it detects threats by tracking the state of network traffic but still relies on predefined rules.

❌ D) Pattern-matching IDS
Incorrect because pattern-matching relies on predefined patterns and cannot detect unknown attacks.

33
Q

Which type of Intrusion Detection System (IDS) specifically monitors wireless networks for unauthorized access attempts?

A) Host-based IDS (HIDS)
B) Network-based IDS (NIDS)
C) Wireless IDS (WIDS)
D) Intrusion Prevention System (IPS)

A

Correct Answer: C
✅ C) Wireless IDS (WIDS)

WIDS (Wireless Intrusion Detection System) is designed to monitor Wi-Fi traffic, detect unauthorized devices, and identify potential threats to the wireless network.

Incorrect Answers:
❌ A) Host-based IDS (HIDS)
Incorrect because HIDS monitors specific devices, not wireless networks.

❌ B) Network-based IDS (NIDS)
Incorrect because NIDS monitors wired network traffic, not Wi-Fi traffic.

❌ D) Intrusion Prevention System (IPS)
Incorrect because IPS is a preventive system, whereas WIDS is specifically for monitoring wireless networks.

34
Q

Which of the following is an advantage of stateful-matching IDS over pattern-matching IDS?

A) It requires less processing power and memory
B) It can detect multi-step or complex attacks
C) It is more effective at detecting zero-day attacks
D) It only analyzes single packets for specific patterns

A

Correct Answer: B
✅ B) Correct. Stateful-matching IDS tracks the state of network connections (i.e., keeps track of the connection’s status over time) and analyzes patterns of traffic over multiple packets. This allows it to detect more complex, multi-step attacks, like those that involve a series of interactions, such as a buffer overflow attack or a TCP handshake attack. By tracking the entire session, it can identify malicious behavior that spans multiple packets.

Incorrect Answers:
❌ A) It requires less processing power and memory
Incorrect because stateful-matching requires more resources to track the state of network connections.

❌ C) It is more effective at detecting zero-day attacks
Incorrect because anomaly-based IDS is better suited for zero-day detection, not stateful-matching.

❌ D) It only analyzes single packets for specific patterns
Incorrect because pattern-matching IDS works this way, whereas stateful-matching looks at sequences of packets.

Buffer Overflow Attack
Imagine a buffer as a storage space in a computer’s memory where data is temporarily held while it’s being processed. Every buffer has a specific size—like a cup that can only hold a certain amount of water.

What happens in a buffer overflow attack?
An attacker sends more data into the buffer than it can handle. This is like trying to pour more water into a cup than it can hold, causing the water to spill over the sides.

Why is this a problem?
When the excess data “spills” over, it can overwrite important information in the computer’s memory. This could allow the attacker to:

- Crash the system by corrupting the program.
- Take control of the system by inserting malicious code into the memory, which then gets executed.

Example:
Imagine you’re entering a password into a website. If the website doesn’t properly check the length of the password, an attacker could send a longer password that overflows the memory and could make the system run malicious code.

TCP Handshake Attack
The TCP handshake is like a way for two devices (like your computer and a server) to introduce themselves and establish a connection before they start communicating.

What is the TCP handshake?

- Step 1: Your computer (client) says, “Hello, I want to connect to you” (this is the SYN request).
- Step 2: The server responds, “Sure, I’m ready to connect with you” (this is the SYN-ACK reply).
- Step 3: Your computer says, “Great, let’s start” (this is the ACK reply to finalize the handshake).

What happens in a TCP handshake attack?
An attacker can interrupt or fake this process, which causes problems:

- Denial of Service (DoS): The attacker sends many “SYN” requests but doesn’t complete the handshake. The server keeps waiting for the final ACK, wasting its resources and making it unavailable to legitimate users.
- SYN Flood Attack: The attacker floods the server with many incomplete handshake requests. The server’s resources get used up, and it can’t process real requests from legitimate users.

35
Q

Where should an Intrusion Prevention System (IPS) be placed in a network to provide the most effective security?

A) Directly behind the firewall, inspecting all incoming and outgoing traffic
B) On a separate VLAN, monitoring only internal traffic
C) At the user endpoint level, on each device
D) Outside the firewall, monitoring traffic before it reaches the network

A

Correct Answer: A
✅ A) Directly behind the firewall, inspecting all incoming and outgoing traffic

An IPS should be placed directly behind the firewall so that it can inspect traffic that has passed through initial filtering but still might contain threats.

Incorrect Answers:
❌ B) On a separate VLAN, monitoring only internal traffic
Incorrect because IPS needs to scan traffic entering and leaving the network, not just internal traffic.

❌ C) At the user endpoint level, on each device
Incorrect because IPS is typically deployed at the network level, not individual endpoints. HIDS would be used on endpoints.

❌ D) Outside the firewall, monitoring traffic before it reaches the network
Incorrect because an IPS outside the firewall would be overwhelmed with malicious traffic, making it inefficient.

36
Q

Scenario: Your company wants to secure access to a critical database server located in a high-security zone. The server contains sensitive customer information, and access needs to be tightly controlled while also ensuring that administrators can manage the system from a remote location.

Which of the following solutions would provide secure access to this server while minimizing security risks?

A) Proxy Server

B) Jump Server

C) Load Balancer

D) Network Sensor

A

Answer: B) Jump Server

Explanation:

A) Proxy Server: While proxy servers provide security features such as filtering and caching, they are not specifically designed for secure administrative access to servers in different security zones.
B) Jump Server: This is the correct option. Jump servers provide a secure gateway for system administrators to access devices in different security zones. It minimizes risk by isolating the sensitive systems and logging all access attempts.
C) Load Balancer: Load balancers distribute traffic across multiple servers for high availability but do not control administrative access or provide enhanced security for sensitive server access.
D) Network Sensor: Network sensors monitor traffic for suspicious activity, but they are not intended for securing administrative access to critical systems.

37
Q

Scenario: A large enterprise is experiencing high traffic loads, and the performance of its web servers is suffering. The company wants to improve the load distribution and reduce the chances of a single server becoming overloaded while ensuring that network security is not compromised.

Which of the following network appliances would best help improve the distribution of traffic while maintaining security?

A) Application Delivery Controller (ADC)

B) Proxy Server

C) Network Sensor

D) Jump Server

A

Answer: A) Application Delivery Controller (ADC)

Explanation:

A) Application Delivery Controller (ADC): ADCs are the best choice for distributing traffic across multiple servers while offering additional functionality such as SSL termination, HTTP compression, and content caching. This enhances both performance and security.
B) Proxy Server: While proxy servers provide traffic management and caching, they are not as optimized for load balancing and advanced traffic management as ADCs.
C) Network Sensor: Network sensors are used to monitor network traffic for suspicious activity, but they don’t manage traffic distribution or load balancing.
D) Jump Server: Jump servers secure administrative access to critical systems but do not provide traffic distribution capabilities.

SSL Termination:
What it is: SSL Termination is when the ADC (Application Delivery Controller) handles the secure SSL/TLS encryption and decryption for you.
How it works: Normally, when someone visits a website using HTTPS, the data is encrypted between the user’s browser and the server. With SSL termination, the ADC handles that encryption and decryption process. The ADC decrypts the secure data, passes it to the web server unencrypted, and then encrypts the response back to the user.
Why it’s used: It offloads the SSL decryption from the web server, freeing it up to focus on delivering content faster. It also centralizes SSL management (making it easier to renew and manage SSL certificates).

38
Q

Scenario: Your organization is facing multiple Distributed Denial of Service (DDoS) attacks targeting its public-facing website. The attackers are sending huge amounts of traffic to the website, overwhelming the server. You need to implement a solution that hides the real server’s IP address and filters out malicious traffic.

Which network appliance would best help mitigate this attack while ensuring legitimate traffic can still reach the server?

A) Application Delivery Controller (ADC)

B) Proxy Server

C) Jump Server

D) Network Sensor

A

Answer: B) Proxy Server

Explanation:

A) Application Delivery Controller (ADC): While ADCs manage traffic distribution and enhance performance, they are not designed specifically to hide the server’s IP address or filter malicious traffic in the context of DDoS attacks.
B) Proxy Server: This is the correct choice. A proxy server can hide the real server’s IP address and filter traffic, blocking suspicious or malicious requests, which is crucial during a DDoS attack.
C) Jump Server: Jump servers are used for secure administrative access, not for mitigating DDoS attacks or filtering malicious traffic.
D) Network Sensor: Network sensors monitor traffic for suspicious activity but do not perform the actual filtering or traffic management to mitigate a DDoS attack.

39
Q

Scenario: The enterprise wants to optimize its web servers by reducing the load from frequently requested content, such as images and videos, and improve response times for users, especially those with slower internet connections.

Which of the following network appliances would best help in achieving this goal while maintaining security?

A) Application Delivery Controller (ADC)

B) Network Sensor

C) Load Balancer

D) Proxy Server

A

Answer: A) Application Delivery Controller (ADC)

Explanation:

A) Application Delivery Controller (ADC): ADCs are designed to optimize web server performance by offloading tasks like SSL termination, content caching, and HTTP compression. This would reduce server load and improve response times.
B) Network Sensor: Network sensors are used for traffic monitoring and security but do not directly optimize web server performance or reduce load from frequently requested content.
C) Load Balancer: Load balancers distribute traffic across multiple servers, but they do not handle caching or content compression like ADCs.
D) Proxy Server: While proxy servers help with caching, they are not as specialized in web server optimization and performance as ADCs.

40
Q

Scenario: A company wants to restrict access to its internal network resources based on geographical location. The goal is to block any requests coming from unauthorized countries and reduce the risk of cyberattacks.

Which network appliance would help enforce this geographical access control policy?

A) Proxy Server

B) Jump Server

C) Application Delivery Controller (ADC)

D) Network Sensor

A

Answer: A) Proxy Server

Explanation:

A) Proxy Server: Proxy servers can be configured to route traffic in a way that restricts or controls traffic from specific geographical regions, making it the ideal choice for enforcing this policy.
B) Jump Server: Jump servers are used for secure administrative access but do not provide geographical filtering for network traffic.
C) Application Delivery Controller (ADC): While ADCs provide traffic management and performance optimization, they do not specifically handle geographical access control.
D) Network Sensor: Network sensors monitor traffic for suspicious activity but do not control or filter access based on geographical location.

41
Q

A company wants to prevent unauthorized devices from connecting to its network. It has implemented port security on its switches but is concerned about MAC spoofing attacks. What additional measure can it implement to mitigate MAC spoofing?

A. Disable port security entirely.

B. Use 802.1X authentication in conjunction with port security.

C. Increase the number of allowed MAC addresses per port.

D. Disable the CAM table.

A

Correct Answer: B. Use 802.1X authentication in conjunction with port security.
Explanation:

A: Disabling port security would leave the network vulnerable to unauthorized access.

B: 802.1X authentication adds an extra layer of security by requiring devices to authenticate before accessing the network, reducing the risk of MAC spoofing.

C: Increasing the number of allowed MAC addresses per port would weaken port security.

D: Disabling the CAM table would prevent the switch from functioning properly.

42
Q

What is the purpose of sticky MACs in port security?

A. To allow unlimited MAC addresses on a port.

B. To dynamically authorize the first connected device’s MAC address.

C. To disable port security after a certain number of devices connect.

D. To flood traffic to all ports.

A

Correct Answer: B. To dynamically authorize the first connected device’s MAC address.
Explanation:

A: Sticky MACs do not allow unlimited MAC addresses; they restrict access to authorized devices.

B: Sticky MACs automatically authorize the first connected device’s MAC address, simplifying setup.

C: Sticky MACs do not disable port security; they enhance it.

D: Flooding traffic is unrelated to sticky MACs.

43
Q

How do switches improve network efficiency compared to hubs?

A. By operating at Layer 3 and using IP addresses.

B. By preventing collisions and operating in full-duplex mode.

C. By broadcasting all traffic to every port.

D. By using static routing tables.

A

Correct Answer: B. By preventing collisions and operating in full-duplex mode.
Explanation:

A: Switches operate at Layer 2, not Layer 3.

B: Switches prevent collisions and use full-duplex mode, allowing simultaneous data transmission and reception.

C: Broadcasting all traffic is a characteristic of hubs, not switches.

D: Switches do not use static routing tables; they use MAC address tables.

44
Q

What happens when a switch does not know the destination MAC address of a frame?

A. It drops the frame.

B. It forwards the frame to all ports except the source port.

C. It sends the frame to the default gateway.

D. It blocks the frame.

A

Correct Answer: B. It forwards the frame to all ports except the source port.
Explanation:

A: The switch does not drop the frame; it floods it.

B: This is called flooding, and it ensures the frame reaches its destination.

C: Switches do not use default gateways for unknown MAC addresses.

D: Blocking the frame would prevent communication.

45
Q

What is the primary vulnerability of the CAM table?

A. It can be overwhelmed by MAC flooding attacks.

B. It can only store 10 MAC addresses.

C. It is encrypted and cannot be accessed.

D. It does not support VLANs.

A

Correct Answer: A. It can be overwhelmed by MAC flooding attacks.
Explanation:

A: MAC flooding attacks overwhelm the CAM table, causing the switch to fail open and flood traffic.

B: The CAM table can store thousands of MAC addresses, not just 10.

C: The CAM table is not encrypted; it is a memory table.

D: The CAM table supports VLANs.

47
Q

How can a network administrator protect the CAM table from MAC flooding attacks?

A. Disable the CAM table.

B. Implement port security to limit the number of MAC addresses per port.

C. Use static routing tables.

D. Encrypt the CAM table.

A

Correct Answer: B. Implement port security to limit the number of MAC addresses per port.
Explanation:

A: Disabling the CAM table would prevent the switch from functioning.

B: Port security limits the number of MAC addresses per port, preventing MAC flooding.

C: Static routing tables are unrelated to CAM table protection.

D: The CAM table cannot be encrypted.

48
Q

Which role in 802.1X authentication forwards credentials to the authentication server?

A. Supplicant

B. Authenticator

C. Authentication Server

D. RADIUS

A

Correct Answer: B. Authenticator
Explanation:

A: The supplicant is the device trying to connect.

B: The authenticator (switch or AP) forwards credentials to the authentication server.

C: The authentication server validates the credentials.

D: RADIUS is a type of authentication server.

49
Q

What is a key difference between RADIUS and TACACS+?

A. RADIUS is Cisco proprietary, while TACACS+ is cross-platform.

B. RADIUS uses TCP, while TACACS+ uses UDP.

C. RADIUS combines authentication and authorization, while TACACS+ separates them.

D. RADIUS is slower than TACACS+.

A

Correct Answer: C. RADIUS combines authentication and authorization, while TACACS+ separates them.
Explanation:

A: TACACS+ is Cisco proprietary, not RADIUS.

B: RADIUS uses UDP, while TACACS+ uses TCP.

C: TACACS+ separates authentication, authorization, and accounting (AAA), while RADIUS combines them.

D: TACACS+ is slower due to TCP overhead.

50
Q

Which EAP variant requires digital certificates on both the client and server?

A. EAP-MD5

B. EAP-TLS

C. EAP-TTLS

D. EAP-FAST

A

Correct Answer: B. EAP-TLS
Explanation:

A: EAP-MD5 uses passwords, not certificates.

B: EAP-TLS requires certificates on both the client and server for mutual authentication.

C: EAP-TTLS requires a certificate only on the server.

D: EAP-FAST uses protected access credentials (PAC), not certificates.

802.1X is like a gatekeeper that controls access to the network. It says, “Only authenticated devices can pass through.”

EAP is the method used by 802.1X to authenticate those devices. For example, 802.1X might use EAP to check if the device has the correct password, certificate, or other credentials before letting it onto the network.

51
Q

Why might an organization choose EAP-FAST over EAP-TLS?

A. EAP-FAST is faster and does not require certificates.

B. EAP-FAST provides stronger encryption than EAP-TLS.

C. EAP-FAST is Cisco proprietary.

D. EAP-FAST uses digital certificates on both the client and server.

A

Correct Answer: A. EAP-FAST is faster and does not require certificates.
Explanation:

A: EAP-FAST uses pre-shared keys (PSK) instead of certificates, making it simpler and faster to deploy.

B: EAP-TLS provides stronger encryption due to its use of certificates.

C: EAP-LEAP is Cisco proprietary, not EAP-FAST.

D: EAP-FAST does not use certificates on both the client and server.

EAP-FAST is faster mainly because it uses symmetric key cryptography instead of relying on public key infrastructure (PKI) like EAP-TLS.

52
Q

Which EAP variant requires a server certificate but allows clients to authenticate using passwords?

A. EAP-TLS

B. EAP-TTLS

C. EAP-FAST

D. EAP-MD5

A

Correct Answer: B. EAP-TTLS
Explanation:

EAP-TTLS requires a server certificate but allows clients to use passwords for authentication, making it more flexible than EAP-TLS.

53
Q

Why is EAP-LEAP considered less secure than other EAP variants?

A. It uses one-way authentication.

B. It is vulnerable to dictionary attacks.

C. It does not support mutual authentication.

D. It is limited to Cisco devices.

A

Correct Answer: B. It is vulnerable to dictionary attacks.
Explanation:

EAP-LEAP uses weak encryption for passwords, making it susceptible to dictionary attacks.

EAP-LEAP (Lightweight Extensible Authentication Protocol) is a wireless authentication method created by Cisco. It was designed to improve security over basic WEP encryption, but it has serious weaknesses.

54
Q

Which protocol uses TCP for transport and provides granular control over AAA functions?

A. RADIUS

B. TACACS+

C. EAP

D. PEAP

A

Correct Answer: B. TACACS+
Explanation:

TACACS+ uses TCP and separates authentication, authorization, and accounting, providing more granular control.

55
Q

What is the best way to prevent MAC spoofing attacks in a network using port security?

A. Disable port security.

B. Use static MAC address assignments.

C. Implement 802.1X authentication.

D. Increase the number of allowed MAC addresses per port.

A

Correct Answer: C. Implement 802.1X authentication.
Explanation:

802.1X authentication ensures that only authorized devices can connect, reducing the risk of MAC spoofing.

Where 802.1X is Used:

Switches → Used for wired network access control.
Wireless Access Points (WAPs) → Used for Wi-Fi authentication (e.g., WPA2-Enterprise).

How It Works on a Switch:

A device (supplicant) connects to a switch port.
The switch (authenticator) blocks access until authentication is complete.
The switch forwards authentication requests to a RADIUS server.
If credentials are valid, network access is granted. Otherwise, the device is denied or placed in a guest VLAN.

56
Q

How does a switch handle traffic for devices in different VLANs?

A. It floods the traffic to all ports.

B. It forwards the traffic based on MAC addresses.

C. It uses Layer 3 routing to forward the traffic.

D. It blocks the traffic between VLANs.

A

Correct Answer: C. It uses Layer 3 routing to forward the traffic.
Explanation:

A switch operates primarily at Layer 2 (Data Link Layer), but when devices are in different VLANs, Layer 3 (Network Layer) routing is required to route traffic between them. This routing is done by either a Layer 3 switch or an external router.

Here’s how it works:
Devices in different VLANs are separated at Layer 2, meaning they cannot communicate directly with each other.
A Layer 3 switch or router is used to perform inter-VLAN routing (also called routing between VLANs) by forwarding traffic based on IP addresses.

57
Q

A company wants to implement a layered security approach using port security, 802.1X, and EAP. What is the correct order of implementation?

A. Port security → EAP → 802.1X

B. 802.1X → EAP → Port security

C. EAP → 802.1X → Port security

D. Port security → 802.1X → EAP

A

Correct Answer: D. Port security → 802.1X → EAP
Explanation:

Port security restricts access at the port level, 802.1X enforces authentication, and EAP provides the authentication framework.

Port security is a feature on network switches that controls how many devices (based on MAC addresses) are allowed to connect to a particular port.

58
Q

A company wants to connect its New York and London offices securely over the internet. Which VPN type should they use?

A. Client-to-Site VPN

B. Site-to-Site VPN

C. Clientless VPN

D. Split Tunnel VPN

A

Correct Answer: B. Site-to-Site VPN
Explanation:

A: Client-to-Site VPN is for individual users, not entire networks.

B: Site-to-Site VPN connects two or more networks securely over the internet.

C: Clientless VPN is for accessing resources via a web browser, not connecting networks.

D: Split Tunnel VPN is a configuration, not a VPN type.

59
Q

A remote employee needs to securely access company files from home. Which VPN type is most appropriate?

A. Site-to-Site VPN

B. Client-to-Site VPN

C. Clientless VPN

D. Full Tunnel VPN

A

Correct Answer: B. Client-to-Site VPN
Explanation:

A: Site-to-Site VPN connects networks, not individual users.

B: Client-to-Site VPN is designed for individual users to securely access a private network.

C: Clientless VPN is for web-based access, not full network access.

D: Full Tunnel VPN is a configuration, not a VPN type.

60
Q

A company wants to allow employees to securely access a private web portal without installing VPN software. Which VPN type should they use?

A. Site-to-Site VPN

B. Client-to-Site VPN

C. Clientless VPN

D. Split Tunnel VPN

A

Correct Answer: C. Clientless VPN
Explanation:

A: Site-to-Site VPN connects networks, not individual users.

B: Client-to-Site VPN requires software installation.

C: Clientless VPN allows secure access via a web browser without additional software.

D: Split Tunnel VPN is a configuration, not a VPN type.

61
Q

A remote employee is working from a coffee shop and needs to access company resources securely. Which VPN configuration should they use?

A. Full Tunnel VPN

B. Split Tunnel VPN

C. Clientless VPN

D. Site-to-Site VPN

A

Correct Answer: A. Full Tunnel VPN
Explanation:

A: Full Tunnel VPN routes all traffic through the VPN, providing higher security on untrusted networks.

B: Split Tunnel VPN is less secure as it routes only some traffic through the VPN.

C: Clientless VPN is for web-based access, not full network access.

D: Site-to-Site VPN connects networks, not individual users.

62
Q

What is the purpose of the TLS handshake in a VPN connection?

A. To establish a basic connection between the client and server.

B. To encrypt data and establish secure communication.

C. To authenticate the client using a username and password.

D. To fragment data packets for faster transmission.

A

Correct Answer: B. To encrypt data and establish secure communication.
Explanation:

A: The TCP 3-way handshake establishes the basic connection.

B: The TLS handshake secures the connection by agreeing on encryption keys and methods.

C: Authentication is part of the process but not the primary purpose.

D: Fragmentation is unrelated to the TLS handshake.

63
Q

Which protocol is a UDP-based alternative to TLS and is used for secure communication in video conferencing?

A. IPSec

B. DTLS

C. AH

D. ESP

A

Correct Answer: B. DTLS
Explanation:

A: IPSec is used for VPNs, not specifically for video conferencing.

B: DTLS is a UDP-based version of TLS, ideal for real-time applications like video conferencing.

C: AH provides integrity and authentication but does not encrypt data.

D: ESP provides encryption but is not UDP-based.

64
Q

A company wants to encrypt only the data payload for a client-to-site VPN. Which IPSec mode should they use?

A. Transport Mode

B. Tunnel Mode

C. Full Tunnel Mode

D. Split Tunnel Mode

A

Correct Answer: A. Transport Mode
Explanation:

A: Transport Mode encrypts only the payload, leaving the original IP header (which contains the source and destination IP addresses) visible.

B: Tunnel Mode encrypts the entire packet, including the header.

C: Full Tunnel Mode is a VPN configuration, not an IPSec mode.

D: Split Tunnel Mode is a VPN configuration, not an IPSec mode.

65
Q

A company is experiencing fragmentation issues with their site-to-site VPN. What should they consider to resolve this?

A. Use Transport Mode instead of Tunnel Mode.

B. Increase the MTU size using jumbo frames.

C. Switch to a Clientless VPN.

D. Use a Split Tunnel VPN.

A

Correct Answer: B. Increase the MTU size using jumbo frames.
Explanation:

A: Transport Mode is not suitable for site-to-site VPNs.

B: Jumbo frames (up to 9000 bytes) can reduce fragmentation in site-to-site VPNs.

C: Clientless VPN is not relevant to fragmentation issues.

D: Split Tunnel VPN does not address fragmentation.

66
Q

Which IPSec component ensures data integrity and authentication but does not encrypt data?

A. ESP

B. AH

C. IKE

D. DTLS

A

Correct Answer: B. AH
Explanation:

A: ESP provides encryption, integrity, and authentication.

B: AH ensures data integrity and authentication but does not encrypt data.

C: IKE is used for key exchange, not data integrity.

D: DTLS is a UDP-based encryption protocol.

Packet Structure (ESP in Tunnel Mode):

| New IP Header | ESP Header | Encrypted (Original IP Header + Data) | ESP Trailer | ESP Auth (Optional) |

Packet Structure (AH in Tunnel Mode):

| New IP Header | AH | Original IP Header | Data |

How AH Works:
Data Integrity: It uses cryptographic hash functions (e.g., SHA-1, SHA-2) to ensure that the data has not been altered in transit.
Authentication: It verifies the sender’s identity using a shared secret or public-key cryptography.
No Encryption: It does not modify or hide the content of the data, unlike other IPSec components that provide encryption.

67
Q

What is the purpose of a Security Association (SA) in IPSec?

A. To establish a secure channel for data transfer.

B. To fragment data packets for faster transmission.

C. To authenticate users using a username and password.

D. To encrypt only the payload of the data packet.

A

Correct Answer: A. To establish a secure channel for data transfer.
Explanation:

A: SAs define the encryption algorithms, authentication methods, and keys for secure communication.

B: Fragmentation is unrelated to SAs.

C: Authentication is part of the SA but not its primary purpose.

D: Encrypting the payload is a function of ESP, not SAs.

68
Q

What is the purpose of IKE Phase 1 in IPSec?

A. To encrypt the data payload.

B. To establish a secure channel for further negotiations.

C. To fragment data packets for faster transmission.

D. To authenticate users using a username and password.

A

Correct Answer: B. To establish a secure channel for further negotiations.
Explanation:

IKE Phase 1 authenticates devices and sets up a secure channel for IKE Phase 2 negotiations.

69
Q

Which step in the TCP 3-way handshake confirms the connection is ready for data transfer?

A. SYN

B. SYN-ACK

C. ACK

D. FIN

A

Correct Answer: C. ACK
Explanation:

The ACK (Acknowledgment) step confirms the connection is ready for data transfer.

70
Q

How does IPSec prevent replay attacks?

A. By encrypting the entire packet.

B. By using sequence numbers to check packet order.

C. By fragmenting data packets.

D. By using jumbo frames.

A

Correct Answer: B. By using sequence numbers to check packet order.
Explanation:

IPSec uses sequence numbers to ensure packets are not replayed by attackers.

71
Q

In IPSec Tunnel Mode, what is added to the original packet?

A. A new IP header.

B. A TLS handshake.

C. A UDP header.

D. A jumbo frame.

A

Correct Answer: A. A new IP header.
Explanation:

Tunnel Mode encapsulates the entire original packet (header + payload) and adds a new IP header.

72
Q

In which scenario are jumbo frames most beneficial?

A. Site-to-Site VPNs over the internet.

B. Client-to-Site VPNs for remote workers.

C. Local Area Networks (LANs).

D. Clientless VPNs for web access.

A

Correct Answer: C. Local Area Networks (LANs).
Explanation:

Jumbo frames are used in LANs to improve performance but are not suitable for WANs or VPNs over the internet.

73
Q

Which of the following is a limitation of clientless VPNs?

A. They require dedicated VPN software.

B. They cannot be used for non-web-based applications.

C. They provide full network access.

D. They use IPSec for encryption.

A

Correct Answer: B. They cannot be used for non-web-based applications.
Explanation:

Clientless VPNs are limited to web-based access and cannot be used for non-web-based applications.

74
Q

Which protocol operates at the network layer and secures all types of traffic?

A. TLS

B. DTLS

C. IPSec

D. AH

A

Correct Answer: C. IPSec
Explanation:

IPSec operates at the network layer and secures all types of traffic, while TLS operates at the application layer.

75
Q

What is the benefit of using both ESP and AH in IPSec?

A. Faster data transmission.

B. Comprehensive security (encryption, integrity, and authentication).

C. Reduced packet size.

D. Simplified configuration.

A

Correct Answer: B. Comprehensive security (encryption, integrity, and authentication).
Explanation:

ESP provides encryption, while AH provides integrity and authentication. Using both ensures comprehensive security.

76
Q

What is the primary purpose of SD-WAN?

A. To replace traditional firewalls with cloud-based security.

B. To efficiently route traffic between remote sites, data centers, and cloud environments.

C. To provide wireless internet access using cellular networks.

D. To encrypt all traffic using VPNs.

A

Correct Answer: B. To efficiently route traffic between remote sites, data centers, and cloud environments.
Explanation:

A: SD-WAN does not replace firewalls; it focuses on traffic routing.

B: SD-WAN optimizes traffic routing for distributed networks.

C: Cellular networks are one of the transport services SD-WAN can use, but not its primary purpose.

D: Encryption is a feature of VPNs, not the primary purpose of SD-WAN.

77
Q

Which of the following is a key benefit of SD-WAN?

A. Increased hardware dependency.

B. Reduced agility and flexibility.

C. Centralized control and cost-effectiveness.

D. Limited integration with cloud services.

A

Correct Answer: C. Centralized control and cost-effectiveness.
Explanation:

A: SD-WAN reduces hardware dependency by using software-based control.

B: SD-WAN increases agility and flexibility, not reduces it.

C: SD-WAN provides centralized control and can use cost-effective internet connections.

D: SD-WAN integrates well with cloud services.

78
Q

What does SASE stand for, and what is its primary purpose?

A. Secure Access Service Edge; to replace traditional VPNs with SD-WAN.

B. Software-Defined Wide Area Network; to optimize traffic routing.

C. Secure Access Service Edge; to combine networking and security in a cloud-based service.

D. Software-Defined Networking; to manage local area networks.

A

Correct Answer: C. Secure Access Service Edge; to combine networking and security in a cloud-based service.
Explanation:

A: SASE combines networking and security, not just replacing VPNs.

B: SD-WAN focuses on traffic routing, not SASE.

C: SASE integrates networking (e.g., SD-WAN) and security (e.g., firewalls, Zero Trust) in a cloud-based service.

D: SDN manages local networks, not SASE.

79
Q

Which of the following is NOT a component of SASE?

A. Firewalls.

B. VPNs.

C. Cloud Access Security Brokers (CASBs).

D. Multiprotocol Label Switching (MPLS).

A

Correct Answer: D. Multiprotocol Label Switching (MPLS).
Explanation:

A: Firewalls are a key component of SASE.

B: VPNs are included in SASE for secure connections.

C: CASBs are used for cloud security in SASE.

D: MPLS is a transport service used by SD-WAN, not a component of SASE.

Imagine an employee tries to upload confidential company files to their personal Google Drive. A CASB can detect this and block the action or encrypt the data before it leaves.

80
Q

Which type of internet connection is best suited for enterprises requiring high-performance, secure connections?

A. Broadband (Fiber, DSL, Cable).

B. LTE (Cellular Network).

C. MPLS (Multiprotocol Label Switching).

D. Public Wi-Fi.

A

Correct Answer: C. MPLS (Multiprotocol Label Switching).
Explanation:

A: Broadband is cost-effective but less secure and predictable than MPLS.

B: LTE is great for backup but not ideal as the primary connection.

C: MPLS provides fast, predictable, and secure connections, ideal for enterprises.

D: Public Wi-Fi is insecure and unsuitable for enterprise use.

81
Q

What is the primary advantage of SD-WAN’s centralized control?

A. It requires more hardware at each branch office.

B. It allows for real-time monitoring and policy enforcement across the entire network.

C. It limits the use of cloud services.

D. It increases the cost of network management.

A

Correct Answer: B. It allows for real-time monitoring and policy enforcement across the entire network.
Explanation:

A: SD-WAN reduces hardware dependency, not increases it.

B: Centralized control provides real-time monitoring and policy enforcement.

C: SD-WAN integrates well with cloud services.

D: SD-WAN reduces costs, not increases them.

82
Q

How does SD-WAN differ from traditional WANs in terms of cloud integration?

A. SD-WAN cannot integrate with cloud services.

B. SD-WAN enables dynamic and efficient routing for cloud services.

C. Traditional WANs are better suited for cloud-based applications.

D. SD-WAN and traditional WANs are identical in cloud integration.

A

Correct Answer: B. SD-WAN enables dynamic and efficient routing for cloud services.
Explanation:

A: SD-WAN integrates well with cloud services.

B: SD-WAN optimizes traffic routing for cloud-based applications.

C: Traditional WANs struggle with cloud integration.

D: SD-WAN is superior to traditional WANs for cloud integration.

83
Q

A remote employee needs secure access to company resources from home. Which solution is best suited for this scenario?

A. MPLS.

B. SD-WAN.

C. SASE.

D. Broadband.

A

Correct Answer: C. SASE.
Explanation:

A: MPLS is for connecting networks, not individual users.

B: SD-WAN optimizes traffic but does not provide comprehensive security for remote access.

C: SASE combines networking and security, ideal for secure remote access.

D: Broadband is a type of connection, not a solution for secure access.

84
Q

How does a firewall function in a SASE architecture?

A. It encrypts all traffic using VPNs.

B. It inspects traffic for security threats before allowing access to company resources.

C. It prioritizes traffic for critical applications.

D. It provides wireless internet access using cellular networks.

A

Correct Answer: B. It inspects traffic for security threats before allowing access to company resources.
Explanation:

A: Encryption is handled by VPNs, not firewalls.

B: Firewalls in SASE inspect traffic for threats before granting access.

C: Traffic prioritization is a function of SD-WAN, not firewalls.

D: Cellular networks are a transport service, not a function of firewalls.

85
Q

How does SD-WAN improve performance compared to traditional VPNs for cloud access?

A. By encrypting all traffic using MPLS.

B. By reducing latency and simplifying network management.

C. By limiting access to cloud services.

D. By increasing hardware dependency.

A

Correct Answer: B. By reducing latency and simplifying network management.
Explanation:

A: MPLS is a transport service, not related to encryption.

B: SD-WAN optimizes traffic routing, reducing latency and simplifying management.

C: SD-WAN enhances access to cloud services, not limits it.

D: SD-WAN reduces hardware dependency, not increases it.

86
Q

Which transport service is best suited for enterprises requiring high-performance, secure connections?

A. Broadband.

B. LTE.

C. MPLS.

D. Public Wi-Fi.

A

Correct Answer: C. MPLS.
Explanation:

MPLS provides fast, predictable, and secure connections, ideal for enterprises.

87
Q

What can you do with an SD-WAN centralized dashboard?

A. Monitor performance and set policies.

B. Encrypt all traffic using VPNs.

C. Replace traditional firewalls.

D. Limit access to cloud services.

A

Correct Answer: A. Monitor performance and set policies.
Explanation:

The centralized dashboard allows real-time monitoring, policy setting, and troubleshooting.

88
Q

What is the primary difference between SD-WAN and SDN?

A. SD-WAN focuses on WAN optimization, while SDN focuses on LAN/data center management.

B. SD-WAN replaces traditional firewalls, while SDN replaces VPNs.

C. SD-WAN is used for wireless networks, while SDN is used for wired networks.

D. SD-WAN and SDN are identical in functionality.

A

Correct Answer: A. SD-WAN focuses on WAN optimization, while SDN focuses on LAN/data center management.
Explanation:

SD-WAN optimizes wide area networks, while SDN manages local area networks or data centers.

89
Q

How are policies delivered in a SASE architecture?

A. Through individual hardware devices at each branch office.

B. Through a common set of policy and management platforms.

C. Through manual configuration by network administrators.

D. Through traditional VPNs.

A

Correct Answer: B. Through a common set of policy and management platforms.
Explanation:

SASE delivers policies through centralized, cloud-based management platforms.

90
Q

Which of the following cloud services aligns with SASE principles?

A. AWS VPC.

B. Azure Virtual WAN.

C. Google Cloud Interconnect.

D. All of the above.

A

Correct Answer: D. All of the above.
Explanation:

AWS VPC, Azure Virtual WAN, and Google Cloud Interconnect all align with SASE principles.

91
Q

What is the role of Zero Trust in SASE?

A. To prioritize traffic for critical applications.

B. To ensure users are authenticated before granting access.

C. To replace traditional firewalls.

D. To provide wireless internet access.

A

Correct Answer: B. To ensure users are authenticated before granting access.
Explanation:

Zero Trust ensures that users are authenticated and authorized before accessing resources.

92
Q

What is the primary function of a Cloud Access Security Broker (CASB) in SASE?

A. To optimize traffic routing.

B. To secure cloud applications and enforce security policies.

C. To replace traditional VPNs.

D. To provide wireless internet access.

A

Correct Answer: B. To secure cloud applications and enforce security policies.
Explanation:

CASBs secure cloud applications and enforce security policies in SASE.

93
Q

How does traffic flow through a SASE firewall?

A. Traffic is encrypted using VPNs before reaching the firewall.

B. Traffic is inspected for security threats before accessing company resources.

C. Traffic is prioritized for critical applications.

D. Traffic is routed through MPLS connections.

A

Correct Answer: B. Traffic is inspected for security threats before accessing company resources.
Explanation:

The firewall inspects traffic for threats before granting access to company resources.

94
Q

Why is SD-WAN essential for organizations migrating to cloud-based services?

A. It limits access to cloud services.

B. It increases hardware dependency.

C. It optimizes traffic routing for IaaS, PaaS, and SaaS.

D. It replaces traditional firewalls.

A

Correct Answer: C. It optimizes traffic routing for IaaS, PaaS, and SaaS.
Explanation:

SD-WAN optimizes traffic routing, making it essential for cloud migration.

95
Q

When might an organization choose SASE over SD-WAN?

A. When they need to replace traditional firewalls.

B. When they want to combine networking and security in a cloud-based service.

C. When they want to increase hardware dependency.

D. When they want to limit access to cloud services.

A

Correct Answer: B. When they want to combine networking and security in a cloud-based service.
Explanation:

SASE combines networking and security, making it a suitable replacement for SD-WAN in some scenarios.

96
Q

Why is it important to place routers at the network’s edge?

A. To reduce the cost of network hardware.

B. To filter traffic efficiently and enhance security.

C. To increase the speed of wireless connections.

D. To provide flexibility for mobile devices.

A

Correct Answer: B. To filter traffic efficiently and enhance security.
Explanation:

A: Cost reduction is not the primary reason for placing routers at the edge.

B: Routers placed at the network’s edge (also called edge routers or border routers) serve as the first line of defense between an internal network and external networks (such as the internet).

C: Routers do not directly increase wireless speed.

D: Flexibility for mobile devices is more related to access points, not routers.

In a typical enterprise network, traffic flow is usually:

  1. Internet → Router → Firewall → Internal Network

97
Q

What is the primary purpose of security zones in a network?

A. To increase the speed of data flow.

B. To isolate devices with similar security requirements.

C. To replace traditional firewalls.

D. To provide wireless internet access.

A

Correct Answer: B. To isolate devices with similar security requirements.
Explanation:

A: Security zones do not directly increase data flow speed.

B: Security zones isolate devices based on security needs, reducing risk.

C: Security zones complement firewalls but do not replace them.

D: Wireless access is unrelated to security zones.

98
Q

What is the modern term for a DMZ in network configurations?

A. Security Zone.

B. Screened Subnet.

C. Firewall.

D. Access Point.

A

Correct Answer: B. Screened Subnet.
Explanation:

A: Security zones isolate devices but are not the modern term for DMZ.

B: “Screened Subnet” is the modern term for DMZ.

C: Firewalls are security devices, not a term for DMZ.

D: Access points provide wireless connectivity, unrelated to DMZ.

99
Q

What is the primary goal of reducing the attack surface in a network?

A. To increase the speed of data flow.

B. To minimize points where unauthorized access can occur.

C. To replace traditional firewalls.

D. To provide wireless internet access.

A

Correct Answer: B. To minimize points where unauthorized access can occur.
Explanation:

A: Reducing the attack surface does not directly increase data flow speed.

B: Minimizing the attack surface reduces vulnerabilities and unauthorized access points.

C: Reducing the attack surface complements firewalls but does not replace them.

D: Wireless access is unrelated to the attack surface.

100
Q

Which connectivity method is best suited for a stable and fast connection but restricts mobility?

A. Wi-Fi.

B. Ethernet.

C. LTE.

D. Microwave Links.

A

Correct Answer: B. Ethernet.
Explanation:

A: Wi-Fi provides flexibility but may suffer from interference.

B: Ethernet offers stability and speed but restricts mobility.

C: LTE is wireless and flexible but not as stable as Ethernet.

D: Microwave links are wireless and used for long-distance communication.

101
Q

Which device is an example of an active inline device?

A. Intrusion Detection System (IDS).

B. Network TAP.

C. Intrusion Prevention System (IPS).

D. SPAN Port.

A

Correct Answer: C. Intrusion Prevention System (IPS).
Explanation:

A: IDS is a passive device.

B: Network TAP is a passive monitoring device.

C: IPS is an active inline device that can block or modify traffic.

D: SPAN port is used for passive monitoring.

102
Q

What is the primary advantage of a fail-closed failure mode?

A. Maintains connectivity during a failure.

B. Prioritizes security over connectivity.

C. Increases network speed.

D. Reduces hardware costs.

A

Correct Answer: B. Prioritizes security over connectivity.
Explanation:

A: Fail-open maintains connectivity, not fail-closed.

B: Fail-closed blocks all traffic during a failure, prioritizing security.

C: Failure modes do not affect network speed.

D: Failure modes are unrelated to hardware costs.

103
Q

What is a network bottleneck?

A. A device that increases network speed.

B. A point in the network where data flow is slowed due to overload.

C. A type of wireless connection.

D. A security feature that blocks unauthorized access.

A

Correct Answer: B. A point in the network where data flow is slowed due to overload.
Explanation:

A: Bottlenecks slow down the network, not increase speed.

B: A bottleneck occurs when a device or link cannot handle the data flow.

C: Bottlenecks are not a type of wireless connection.

D: Bottlenecks are unrelated to security features.

104
Q

What is a key limitation of microwave links?

A. They require a clear line of sight.

B. They are more expensive than fiber-optic lines.

C. They cannot transmit large amounts of data.

D. They are slower than Ethernet connections.

A

Correct Answer: A. They require a clear line of sight.
Explanation:

A: Microwave links require a clear line of sight, which can be challenging.

B: Microwave links are cost-effective compared to fiber-optic lines.

C: Microwave links can transmit large amounts of data.

D: Microwave links are not necessarily slower than Ethernet.

105
Q

Which mode allows a device to block or modify traffic in real-time?

A. TAP Mode.

B. Monitor Mode.

C. In-Line Mode.

D. SPAN Port.

A

Correct Answer: C. In-Line Mode.
Explanation:

A: TAP Mode is passive and cannot block or modify traffic.

B: Monitor Mode is passive and relies on the switch.

C: In-Line Mode allows active inspection and control of traffic.

D: SPAN Port is used for passive monitoring.

106
Q

In a large office building, where should access points be placed to ensure optimal coverage?

A. In the basement.

B. Near the network server room.

C. Strategically throughout the building to reduce interference.

D. Only in the executive offices.

A

Correct Answer: C. Strategically throughout the building to reduce interference.
Explanation:

Access points should be placed to ensure coverage and reduce interference, not just in specific areas.

107
Q

What is the primary purpose of a screened subnet in a modern network?

A. To increase the speed of data flow.

B. To host public-facing services and protect internal networks.

C. To replace traditional firewalls.

D. To provide wireless internet access.

A

Correct Answer: B. To host public-facing services and protect internal networks.
Explanation:

Screened subnets act as buffer zones for public-facing services, protecting internal networks.

108
Q

Which of the following is a method to reduce the attack surface in a network?

A. Regularly assess and patch vulnerabilities.

B. Increase the number of access points.

C. Use only wireless connections.

D. Replace all routers with switches.

A

Correct Answer: A. Regularly assess and patch vulnerabilities.
Explanation:

Regularly assessing and patching vulnerabilities reduces the attack surface.

109
Q

Which connectivity method is best suited for a remote area without fiber-optic infrastructure?

A. Ethernet.

B. Wi-Fi.

C. LTE.

D. Microwave Links.

A

Correct Answer: D. Microwave Links.
Explanation:

Microwave links are ideal for remote areas where fiber-optic infrastructure is unavailable.

110
Q

Which device should be chosen if the goal is to monitor traffic without disrupting it?

A. Intrusion Prevention System (IPS).

B. Network TAP.

C. Firewall.

D. Load Balancer.

A

Correct Answer: B. Network TAP.
Explanation:

Network TAPs passively monitor traffic without disrupting it.

111
Q

When should an organization choose a fail-closed failure mode?

A. When maintaining connectivity is more important than security.

B. When security is more important than maintaining connectivity.

C. When the network segment is non-critical.

D. When the network uses only wireless connections.

A

Correct Answer: B. When security is more important than maintaining connectivity.
Explanation:

Fail-closed prioritizes security over connectivity, making it suitable for critical network segments.

112
Q

What is a common strategy to resolve network bottlenecks?

A. Increase the number of access points.

B. Upgrade network hardware (e.g., switches, routers).

C. Use only wireless connections.

D. Replace all firewalls with IDS.

A

Correct Answer: B. Upgrade network hardware (e.g., switches, routers).
Explanation:

A: Helps with Wi-Fi coverage but does not directly resolve bottlenecks in the wired network.

B: A network bottleneck occurs when network hardware (such as routers, switches, or cables) cannot handle the amount of traffic passing through it. Upgrading to higher-capacity hardware (e.g., gigabit/10G switches, enterprise-grade routers) can increase bandwidth, reduce latency, and improve overall network performance.

Common Hardware Upgrades to Fix Bottlenecks:
Upgrading to higher-capacity switches (e.g., from 100 Mbps to 1 Gbps or 10 Gbps).
Replacing outdated routers with models that support higher throughput and better traffic management.
Using high-performance network interface cards (NICs) on servers and workstations.
Upgrading network cabling (e.g., from Cat5e to Cat6 or fiber optic cables).

113
Q

In which scenario are microwave links most beneficial?

A. In a densely populated urban area with fiber-optic infrastructure.

B. In a remote area with no fiber-optic infrastructure.

C. In a small office with Ethernet connections.

D. In a data center with high-speed switches.

A

Correct Answer: B. In a remote area with no fiber-optic infrastructure.
Explanation:

Microwave links are ideal for remote areas where fiber-optic infrastructure is unavailable.

114
Q

What happens if an inline device fails in fail-open mode?

A. Traffic is blocked, and the network becomes unavailable.

B. Traffic continues to flow, but without security inspection.

C. The device switches to passive monitoring mode.

D. The network speed increases.

A

Correct Answer: B. Traffic continues to flow, but without security inspection.
Explanation:

Fail-open mode allows traffic to pass during a failure, maintaining connectivity but reducing security.

115
Q

What is the primary purpose of implementing controls in an organization?

A. To increase the speed of data flow.

B. To reduce potential risks and safeguard assets.

C. To replace traditional firewalls.

D. To provide wireless internet access.

A

Correct Answer: B. To reduce potential risks and safeguard assets.
Explanation:

A: Controls are not primarily about increasing data flow speed.

B: Controls are protective measures to reduce risks and safeguard assets.

C: Controls complement firewalls but do not replace them.

D: Wireless access is unrelated to the primary purpose of controls.

116
Q

Which principle ensures that users and systems have only necessary access rights?

A. Defense in Depth.

B. Least Privilege.

C. Risk-based Approach.

D. Open Design Principle.

A

Correct Answer: B. Least Privilege.
Explanation:

A: Defense in Depth involves multiple layers of security.

B: Least Privilege ensures users and systems have only necessary access rights.

C: Risk-based Approach prioritizes controls based on potential risks.

D: Open Design Principle ensures transparency and accountability.

117
Q

What is the primary benefit of using a Defense in Depth strategy?

A. It reduces the cost of security controls.

B. It ensures robust protection even if one control fails.

C. It increases the speed of data flow.

D. It replaces traditional firewalls.

A

Correct Answer: B. It ensures robust protection even if one control fails.
Explanation:

A: Defense in Depth may increase costs due to multiple layers of security.

B: Defense in Depth provides robust protection by using multiple layers of security.

C: Defense in Depth is not about increasing data flow speed.

D: Defense in Depth complements firewalls but does not replace them.

118
Q

What is the primary focus of a risk-based approach to selecting controls?

A. Applying updates randomly or equally.

B. Focusing on the biggest risks first.

C. Increasing the number of access points.

D. Replacing all firewalls with IDS.

A

Correct Answer: B. Focusing on the biggest risks first.
Explanation:

A: Applying updates randomly is not a risk-based approach.

B: A risk-based approach prioritizes controls based on the biggest risks.

C: Increasing access points is unrelated to a risk-based approach.

D: Replacing firewalls with IDS is not a risk-based approach.

119
Q

Why is lifecycle management important for security controls?

A. To increase the speed of data flow.

B. To adapt to the evolving threat landscape.

C. To replace traditional firewalls.

D. To provide wireless internet access.

A

Correct Answer: B. To adapt to the evolving threat landscape.
Explanation:

A: Lifecycle management is not about increasing data flow speed.

B: Lifecycle management ensures controls are regularly reviewed, updated, and retired to adapt to evolving threats.

C: Lifecycle management complements firewalls but does not replace them.

D: Wireless access is unrelated to lifecycle management.

120
Q

What is the primary goal of the Open Design Principle?

A. To increase the speed of data flow.

B. To ensure transparency and accountability through rigorous testing.

C. To replace traditional firewalls.

D. To provide wireless internet access.

A

Correct Answer: B. To ensure transparency and accountability through rigorous testing.
Explanation:

A: Open Design Principle is not about increasing data flow speed.

B: The Open Design Principle ensures transparency and accountability through rigorous testing and scrutiny of controls.

C: Open Design Principle complements firewalls but does not replace them.

D: Wireless access is unrelated to the Open Design Principle.

The Open Design Principle states that the security of a system should not rely on secrecy of its design or implementation but instead on strong, well-tested mechanisms.

🔹 Key Goals:

Encourages transparency, allowing security experts to analyze and improve the system.
Ensures accountability through peer review and rigorous testing.
Reduces reliance on security through obscurity, making the system more resilient to attacks.
🔹 Example:

Open-source encryption protocols (e.g., AES, TLS) are publicly reviewed for vulnerabilities rather than relying on secrecy.

121
Q

What is the first step in the methodology for selecting controls?

A. Set Clear Objectives.

B. Assess Current State.

C. Conduct Gap Analysis.

D. Benchmarking.

A

Correct Answer: B. Assess Current State.
Explanation:

A: Setting clear objectives comes after assessing the current state.

B: The first step is to assess the current state of the infrastructure, vulnerabilities, and controls.

C: Gap analysis is conducted after assessing the current state.

D: Benchmarking is done after setting clear objectives.

122
Q

What is the primary purpose of benchmarking in selecting controls?

A. To increase the speed of data flow.

B. To compare processes and security metrics with industry best practices.

C. To replace traditional firewalls.

D. To provide wireless internet access.

A

Correct Answer: B. To compare processes and security metrics with industry best practices.
Explanation:

A: Benchmarking is not about increasing data flow speed.

B: Benchmarking compares your organization’s processes and security metrics with industry best practices.

C: Benchmarking complements firewalls but does not replace them.

D: Wireless access is unrelated to benchmarking.

123
Q

Which group is responsible for ensuring security measures follow regulations?

A. Executives & Business Leaders.

B. IT & Security Teams.

C. Compliance & Legal Teams.

D. Employees & End Users.

A

Correct Answer: C. Compliance & Legal Teams.
Explanation:

A: Executives approve budgets and align security with business goals.

B: IT & Security Teams implement and maintain controls.

C: Compliance & Legal Teams ensure security measures follow regulations (e.g., GDPR, HIPAA).

D: Employees & End Users follow security policies.

124
Q

What is a key best practice for selecting controls?

A. Apply updates randomly or equally.

B. Conduct regular risk assessments.

C. Increase the number of access points.

D. Replace all firewalls with IDS.

A

Correct Answer: B. Conduct regular risk assessments.
Explanation:

A: Applying updates randomly is not a best practice.

B: Selecting the right security controls requires understanding risks to the organization. Regular risk assessments help identify vulnerabilities, threats, and the impact of security breaches, allowing for effective control selection.

C: Increasing access points is unrelated to best practices for selecting controls.

D: Replacing firewalls with IDS is not a best practice.

125
Q

Which of the following is an example of a control that monitors and acts on network traffic?

A. Intrusion Detection System (IDS).

B. Intrusion Prevention System (IPS).

C. Network TAP.

D. SPAN Port.

A

Correct Answer: B. Intrusion Prevention System (IPS).
Explanation:

A: IDS monitors traffic but does not act on it.

B: IPS monitors and acts on network traffic (e.g., blocking malicious traffic).

C: Network TAP passively monitors traffic.

D: SPAN Port passively mirrors traffic.

126
Q

A company identifies a critical vulnerability in its web server. What should they do first?

A. Apply updates to all systems equally.

B. Patch the critical vulnerability immediately.

C. Increase the number of access points.

D. Replace all firewalls with IDS.

A

Correct Answer: B. Patch the critical vulnerability immediately.
Explanation:

A: Applying updates equally is not a risk-based approach.

B: Patching the critical vulnerability first is a risk-based approach.

C: Increasing access points is unrelated to vulnerability patching.

D: Replacing firewalls with IDS is not a risk-based approach.

127
Q

Which metric is commonly used in benchmarking to measure the efficiency of patch management?

A. Number of access points.

B. Time to patch critical vulnerabilities.

C. Number of firewalls.

D. Speed of data flow.

A

Correct Answer: B. Time to patch critical vulnerabilities.
Explanation:

A: Number of access points is unrelated to patch management.

B: Time to patch critical vulnerabilities is a key metric for patch management efficiency.

C: Number of firewalls is unrelated to patch management.

D: Speed of data flow is unrelated to patch management.

Time to patch critical vulnerabilities (also called Mean Time to Patch - MTTP) is a key metric in patch management benchmarking. It measures how quickly an organization applies patches to fix critical security flaws after they are released.

🔹 Why It Matters:

Minimizes exposure to exploits.
Reduces attack surfaces by closing security gaps.
Ensures compliance with industry standards (e.g., NIST, CIS).
Improves incident response by quickly addressing vulnerabilities.
🔹 Example:
If a critical vulnerability is disclosed in Windows Server, an organization with strong patch management would test and deploy the patch within hours or days, rather than weeks.

128
Q

Which stakeholder group is responsible for implementing and maintaining security controls?

A. Executives & Business Leaders.

B. IT & Security Teams.

C. Compliance & Legal Teams.

D. Employees & End Users.

A

Correct Answer: B. IT & Security Teams.
Explanation:

A: Executives approve budgets and align security with business goals.

B: IT & Security Teams implement and maintain security controls.

C: Compliance & Legal Teams ensure security measures follow regulations.

D: Employees & End Users follow security policies.

129
Q

What is the final step in the lifecycle management of controls?

A. Review.

B. Update.

C. Retire.

D. Implement.

A

Correct Answer: C. Retire.
Explanation:

A: Review is an ongoing step but not the final one.

B: Update is part of the process but not the final step.

C: Retire is the final step when controls are no longer needed or effective.

D: Implement is an early step in the lifecycle.

130
Q

How does the Open Design Principle ensure transparency and accountability?

A. By increasing the speed of data flow.

B. Through rigorous testing and scrutiny of controls.

C. By replacing traditional firewalls.

D. By providing wireless internet access.

A

Correct Answer: B. Through rigorous testing and scrutiny of controls.
Explanation:

A: Open Design Principle is not about increasing data flow speed.

B: Rigorous testing and scrutiny ensure transparency and accountability.

C: Open Design Principle complements firewalls but does not replace them.

D: Wireless access is unrelated to the Open Design Principle.

131
Q

What is the primary goal of conducting a gap analysis in selecting controls?

A. To increase the speed of data flow.

B. To identify discrepancies between current and desired security postures.

C. To replace traditional firewalls.

D. To provide wireless internet access.

A

Correct Answer: B. To identify discrepancies between current and desired security postures.
Explanation:

A: Gap analysis is not about increasing data flow speed.

B: Gap analysis identifies discrepancies between current and desired security postures.

C: Gap analysis complements firewalls but does not replace them.

D: Wireless access is unrelated to gap analysis.

132
Q

What is the primary purpose of conducting a cost-benefit analysis when selecting controls?

A. To increase the speed of data flow.

B. To evaluate the balance between desired security level and required resources.

C. To replace traditional firewalls.

D. To provide wireless internet access.

A

Correct Answer: B. To evaluate the balance between desired security level and required resources.
Explanation:

A: Cost-benefit analysis is not about increasing data flow speed.

B: Cost-benefit analysis evaluates the balance between security and resources.

C: Cost-benefit analysis complements firewalls but does not replace them.

D: Wireless access is unrelated to cost-benefit analysis.

A cost-benefit analysis helps organizations evaluate security controls by balancing the cost of implementing the control with its benefit in reducing risk. The goal is to ensure that the security control provides value without being overly expensive or resource-intensive.

🔹 Key Purpose:

Assess costs (e.g., time, money, resources) of a security control.
Evaluate benefits (e.g., risk reduction, compliance, and operational efficiency).
Ensure cost-effective solutions that meet security requirements.
🔹 Example:
Implementing multi-factor authentication (MFA) may have an upfront cost (e.g., software, training), but the benefits in terms of preventing unauthorized access could far outweigh the cost, especially for high-risk assets.