Test #1 Flashcards
You want to ensure that data can only be viewed by authorized users. What provides this assurance?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
A. Confidentiality prevents unauthorized disclosure and is enforced with access controls and encryption. Integrity provides assurances that data has not been modified and is enforced with hashing. Availability ensures systems are up and operational when needed and uses fault tolerance and redundancy methods. Authentication provides proof that users are who they claim to be.
A database administrator has just completed an update to a database using a script. Unfortunately, the script had an error and wrote incorrect data throughout the database. What has been lost?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
B. If an unauthorized or unintended change occurs to data, the data has lost integrity. Confidentiality prevents unauthorized disclosure and is enforced with access controls and encryption. Availability ensures systems are up and operational when needed and uses fault tolerance and redundancy methods. Authentication provides proof that users are who they claim to
What does RAID-1 support?
A. Authentication
B. Availability
C. Confidentiality
D. Integrity
B. Redundant Array of Inexpensive Disks 1 (RAID-1) uses two disks that mirror each other, and it provides availability through fault tolerance. If a single drive fails, the system can tolerate the fault and continue to operate. Authentication provides proof of a user’s identity. Confidentiality ensures that data is only viewable by authorized users. Integrity provides assurances that data has not been modified.
A user enters a username and a password and logs onto a system. What does this describe?
A. Identification
B. Authentication
C. Authorization
D. Availability
B. Authentication occurs when an identity is verified. An entity claims an identity by presenting something like a username and proves the identity with an authentication mechanism such as a password. Authorization provides access to resources and occurs after authentication. Availability indicates that the system is up and operational when needed.
Your organization has configured an account policy that locks out a user account for thirty minutes if the user enters the wrong password five times. What is this policy?
A. Account lockout policy
B. Account disablement policy
C. Account continuance policy
D. Password policy
A. An account lockout policy will force an account to be locked out after the wrong password is entered a set number of times (such as after five failed attempts). An account disablement policy specifies that accounts are disabled when no longer needed, such as after an employee leaves the company. There is no such thing as an account continuance policy. A password policy ensures strong passwords are used and users change their password regularly.
Which of the following supports the use of one-time passwords?
A. Proximity card
B. Tokens
C. CAC
D. PIV
B. A token (such as an RSA token) provides a rolling password for one-time use. A proximity card is something you have (or something a user has) as a factor of authentication, but it doesn’t use one-time passwords. A CAC and a PIV are both specialized types of smart cards that include photo identification.
A user must swipe his finger on a fingerprint scanner to gain access to his laptop. What is being used for authentication?
A. Something the user knows
B. Something the user has
C. Something the user wants
D. Biometrics
D. A fingerprint scanner uses biometrics (the “something the user is” factor of authentication). Biometrics are the most difficult for an attacker to falsify or forge, since they identify a user based on personal characteristics. A password or PIN is an example of something the user knows. A token or smart card is an example of something the user has. Something the user wants is not a valid factor of authentication.
Of the following choices, what qualifies as two-factor authentication?
A. Fingerprints from both of a user’s hands
B. Two passwords
C. A smart card and a PIN
D. A token and a smart card
C. Two-factor authentication includes authentication from two of three factors (something you know, something you have, and something you are) and only a smart card (something you have) and a PIN (something you know) meet this requirement. Fingerprints from two hands use only biometrics (something you are), two passwords are two instances of something you know, and a token and smart card represent two instances of something you have.
Which of the following choices is an example of authentication based on something you have and something you are?
A. A username, password, and PIN
B. A token and a fingerprint scan
C. A token and a password
D. A PIN and a fingerprint scan
B. Token-based authentication is based on something you have, and a fingerprint scan is based on something you are. A username, password, and PIN all fall under the something you know factor of authentication. A token and password are something you have and something you know. A PIN and a fingerprint scan are something you know and something you are.
Which of the following authentication protocols uses tickets?
A. LDAP
B. MD5
C. SHA1
D. Kerberos
D. Kerberos is a network authentication protocol using tickets. The Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories and is used to manage objects (such as users and computers) in an Active Directory domain. MD5 and SHA1 are hashing algorithms, not authentication protocols.
Dawn logged on using her work account at 6:45 a.m. into a Kerberos realm. She was able to access network resources throughout the day with no problem. A crisis kept her at work late. However, she found that at about 7:30 p.m., she was no longer able to access a server she accessed earlier. Another worker working on the evening shift accessed the server without any problem. What is the likely problem?
A. The server is down
B. Her certificate has expired
C. Her ticket has expired
D. The server’s certificate has expired
C. Kerberos uses time-stamped tickets, and they often have a lifetime of ten or twelve hours. If the ticket is expired, the user won’t be able to use it anymore without logging off and back on. Since another user is accessing the server, it is not down. A Kerberos realm uses tickets, not certificates, and there is no indication that certificates are being used.
What is a primary difference between TACACS and TACACS+?
A. TACACS can use either TCP or UDP port 514 while TACACS+ uses only TCP port 514
B. TACACS can use either TCP or UDP port 49 while TACACS+ uses only TCP port 49
C. TACACS+ can use either TCP or UDP port 49 while TACACS uses only TCP port 49
D. TACACS+ can use either TCP or UDP port 514 while TACACS uses only TCP port 514
B. TACACS can use either TCP or UDP port 49, while TACACS+ uses only TCP port 49. Port 514 is used for the UNIX-based syslog.
Sally is required to review security logs and maintain three servers within a network. Instead of giving her full access to all network resources, she is granted access only to the security logs and the three servers. Which of the following choices best identifies what is being used?
A. MAC
B. DAC
C. RBAC
D. Least privilege
D. The principle of least privilege is a technical control and ensures that users have only the rights and permissions needed to perform the job, and no more. MAC, DAC, and RBAC are access control models that include much more than just a single access control such as least privilege.
An administrator wants to use user templates as a method of complying with the principle of least privilege. What access control model supports this process?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Rule-based access control (RBAC)
C. Role-based access control (RBAC) allows an administrator to create a user template, add the user template to one or more groups based on roles, and then assign rights and permissions to the groups. Any user accounts created with this template will automatically have these permissions. The DAC model specifies that every object has an owner, and Windows systems use the DAC model by default for NTFS files and folders. The MAC model uses sensitivity labels.
What is the difference between rule-based and role-based access control?
A. Rule-based access control is based on a set of approved instructions while role-based is based on job function
B. Rule-based access control is based on job function while role-based is based on a set of approved instructions
C. Rule-based access control uses labels to identify subjects and objects while role-based requires every object to have an owner
D. They are both the same, and known as RBAC
A. Rule-based access control (RBAC) is based on a set of approved instructions configured as rules, while role-based uses roles (or groups) based on job functions. MAC uses labels to identify subjects and objects and DAC requires every object to have an owner. While both rule-based and role-based access controls share the same acronym (RBAC), they are not the same.
You want to increase physical security for your server room. Which of the following provides the best protection?
A. Limit access to only a single well-protected entrance
B. Ensure that the server room has one door for entrance and one door for exit
C. Ensure that access to the server is limited to only management
D. Remove all physical access to the server room
A. One of the best examples of physical security for a server room is to ensure that access is limited to only a single well-protected entrance. Two doors (one for entrance and one for exit) require security at both doors, and it is difficult to ensure that each is only used for an entrance or an exit. More than one entrance and exit makes it harder to monitor access.
Users in an organization are issued proximity cards that they use to access secure areas. Lately, users have begun trading their proximity cards so co-workers can access resources with someone else’s card. What permits this misuse?
A. A lack of authorization controls
B. A lack of access controls
C. Authentication verification without authorization
D. Authorization verification without authentication
D. The proximity card is being used without any type of authentication other than holding the proximity badge, which grants authorization to resources without authenticating users. A solution would be to require authentication through a method other than the proximity badge prior to authorizing access, such as matching a PIN to the card. Authorization is being granted based on possession of the proximity cards, so there are authorization and access controls; however, there isn’t any authentication verification.
A security professional observes employees regularly tailgating others into a secure datacenter. What can prevent this?
A. CCTV
B. Mantrap
C. Proximity card
D. Cipher lock
B. A mantrap is highly effective at preventing unauthorized entry and can also be used to prevent tailgating. CCTV provides video surveillance and it can record unauthorized entry, but it can’t prevent it. A proximity card is useful as an access control mechanism, but it won’t prevent tailgating, so it isn’t as useful as a mantrap. A cipher lock is a door access control, but it can’t prevent tailgating.
An employee found a USB flash drive in the parking lot. What should the employee do with this?
A. Look at the contents to determine the owner
B. Destroy it
C. Turn it into a security professional
D. Take it home and insert it into a home computer
C. The USB flash drive should be turned in to a security professional. It’s risky to plug it in to look at the contents or take it home, since it could have malware. While it may be safe to destroy it, a security professional can plug it into an isolated system to determine its contents and the owner.
An employee has left the company to go back to school. Which of the following is considered a security best practice in this situation?
A. Disable the account
B. Set the account to expire in sixty days
C. Set the password to expire
D. Since the employee left on good terms, nothing needs to be done
A. An account disablement policy would ensure that a terminated employee’s account is disabled to revoke the employee’s access. Setting an account to expire is useful for a temporary account, but in this situation, it would leave the account available for anyone to use for the next sixty days instead of immediately disabling it. Expiring the password forces the user to change the password at the next logon. It doesn’t matter why employees leave a company; if they are no longer employed, the account should be disabled.
You want to ensure that data remains in an encrypted format while it is transmitted over the Internet. Of the following choices, what can you use? (Choose all that apply.)
A. SFTP, FTPS, TFTP, HTTPS, SSL, TLS
B. SSH, SFTP, SSL, HTTP
C. TLS, SSL, SSH, FTPS, SFTP
D. HTTPS, FTP, SSH, SSL
C. Transport Layer Security (TLS), Secure Sockets Layer (SSL), Secure Shell (SSH), File Transfer Protocol Secure (FTPS), and Secure File Transfer Protocol (SFTP) can all encrypt data transmitted over the Internet. (Notice they all have an “S” in them.) TFTP, HTTP, and FTP are all unencrypted.
You want to configure traps on devices in your network. What would you use?
A. A load balancer
B. SNMP
C. Default gateways
D. SCP
B. The Simple Network Management Protocol (SNMP) uses device traps to send notifications, and it can monitor and manage network devices, such as routers or switches. A load balancer can optimize and distribute data workloads across multiple computers. A default gateway is an IP address on a router, and it provides a path to another network. SCP is based on SSH and copies files over a network in an encrypted format.
What port does SCP use?
A. 22
B. 23
C. 25
D. 80
A. Secure Copy (SCP) uses port 22, as do other protocols encrypted with Secure Shell (SSH), such as Secure File Transfer Protocol (SFTP). Telnet uses port 23. SMTP uses port 25. HTTP uses port 80.
Of the following choices, what is the best choice to indicate the protocol(s) that use(s) port 22?
A. SCP
B. SCP and SSH
C. SCP, TFTP, SQL, and SSH
D. SCP, SFTP, and SSH
D. Secure Copy (SCP), Secure File Transfer Protocol (SFTP), and Secure Shell (SSH) all use port 22. While SCP alone, and SCP and SSH, both use port 22, answer D is the best choice since it shows more of the protocols using this port. TFTP uses port 69 and Microsoft’s SQL server uses port 1433.
An administrator wants to determine what services and protocols are running on a remote system. Of the following choices, what is the best choice to achieve this goal?
A. Go to the datacenter, log on, and inspect the system
B. Perform a vulnerability assessment
C. Perform an ICMP sweep
D. Identify open ports on the system
D. Since many services and protocols use open ports, an administrator can identify running services on a system by determining what ports are open. Since the system is remote, it could be in another building or even another city, so going to the datacenter is not the best choice. While a vulnerability assessment will often include a port scan, it will do much more. An ICMP sweep (also called a host enumeration sweep) will identify servers on a network, but not individual services, protocols,
You are examining open ports on a firewall and you see that port 500 is open. What is the likely reason?
A. To support an L2TP VPN connection
B. To support a PPTP VPN connection
C. To support a TACACS+ VPN connection
D. To support an IPsec VPN connection
D. Internet Protocol security (IPsec) virtual private network (VPN) connections use port 500 (often combined with protocol IDs 50 and/or 51 to identify IPsec) with the Internet Key Exchange (IKE) protocol. L2TP uses port 1701. PPTP uses port 1723. TACACS+ uses port 49.
Your organization has configured switches so that only devices with specific MAC addresses can connect to specific ports on the switches. The switch prevents any other devices from connecting. What is this?
A. Content filtering
B. Port security
C. Load balancing
D. Proxy caching
B. A version of port security maps specific end-device MAC addresses to specific ports on the switch and prevents any other devices from connecting. Web security gateways and all-in-one security appliances provide content filtering. A load balancer optimizes and distributes data loads across multiple computers or multiple networks. A proxy server provides content filtering and caching.
You are reviewing a firewall’s ACL and see the following statement: drop all. What security principle does this enforce?
A. Least privilege
B. Integrity
C. Availability
D. Implicit deny
D. A drop all or deny any any statement is placed at the end of an access control list (ACL) and enforces an implicit deny strategy. Least privilege ensures users have only the access they need to perform their jobs and no more. Integrity provides assurances that data has not been modified, and availability ensures systems and data are up and operational when needed, but the drop all statement doesn’t address either of these as directly as implicit deny.
Firewalls include rules in an ACL. Which of the following would block network traffic that isn’t in any of the previously defined rules?
A. Explicit allow
B. Implicit allow
C. Explicit deny
D. Implicit deny
D. Most firewalls have an implicit deny statement (such as drop all or deny any any) at the end of an access control list (ACL) to block all traffic not previously allowed. An allow rule would not block traffic. An explicit deny rule explicitly blocks traffic defined in the rule only, not all other traffic.
An organization wants to hide addresses it uses on its internal network. What can assist with this goal?
A. MAC filtering
B. NAC
C. NAT
D. DMZ
C. Network Address Translation (NAT) translates public IP addresses to private, private IP addresses back to public, and hides addresses on the internal network. Port security and network access control use MAC filtering to limit access. Network access control can inspect clients for health prior to allowing network access. A DMZ provides access to services (hosted on servers) from the Internet while providing a layer of protection for the internal network.
Your network includes a device that examines network traffic and determines when the traffic is outside expected boundaries. What is this device?
A. Anomaly-based HIDS
B. Signature-based HIDS
C. Anomaly-based NIDS
D. Signature-based NIDS
C. An anomaly-based, network-based intrusion detection system (NIDS) compares current activity with a previously created baseline to detect abnormal activity. HIDS systems only monitor individual systems, not the network. Signature-based IDSs use signatures similar to antivirus software.
Attackers frequently attack your organization, and administrators want to learn more about zero day attacks on the network. What can they use?
A. Anomaly-based HIDS
B. Signature-based HIDS
C. Honeypot
D. Signature-based NIDS
C. A honeypot is a server designed to look valuable to an attacker and can help administrators learn about zero day exploits, or previously unknown attacks. A HIDS protects against host-based attacks and wouldn’t help with network-based attacks. Signature-based tools would not have a signature for a zero day attack, since the attack method is unknown by definition.
Users in your network are complaining that they are unable to download content from a specific website. Additionally, your IDS is recording multiple events on the network. What is a likely reason why users are unable to download this content?
A. A load balancer is blocking content from the website
B. The firewall is in failopen mode
C. An evil twin is on the network
D. NIPS is blocking content from the website
D. A network-based intrusion prevention system (NIPS) can detect and block malicious content, and both a NIPS and an intrusion detection system (IDS) can record the events. A load balancer can optimize and distribute data loads across multiple computers. Firewalls would normally fail in failsafe/failsecure (or closed) mode, blocking all traffic, but if it failed in failopen mode, it would allow all traffic. An evil twin is a rogue wireless access point with the same SSID as a live wireless access point.
Attackers have launched multiple attacks against your network in recent weeks. While administrators have taken action to reduce the impact of the attacks, management wants to prevent these attacks. What can prevent ongoing network-based attacks?
A. NIDS
B. NIPS
C. HIDS
D. HIPS
B. A network-based intrusion prevention system (NIPS) can detect and prevent ongoing network-based attacks. In contrast, a NIDS would only detect the activity, and this is likely what is alerting administrators to the attacks now. Host-based IDSs and IPSs detect malicious activity only on a host, not a network.
Users that are further away from the WAP installed in your company’s network are having trouble connecting. What can you check to increase the coverage of the WAP?
A. SSID broadcasting
B. Encryption method
C. Verify Enterprise mode is used
D. Power levels
D. You can increase coverage of a wireless access point (WAP) by increasing the power level and by adjusting the antenna placement. SSID broadcasting and the encryption method do not affect the wireless coverage. Enterprise mode uses an 802.1X server for authentication and stronger security but does not affect the coverage of the WAP.
You are configuring a secure wireless network that will use WPA2. Management wants to use a more secure method than PSKs. Of the following choices, what will you need?
A. 802.11n
B. CCMP
C. AES
D. RADIUS
D. WPA2 needs RADIUS to support WPA2 Enterprise mode. WPA2 personal mode uses a preshared key (PSK), and since management does not want to use PSKs, the solution requires Enterprise mode. 802.11n is a wireless standard. CCMP and AES provide strong encryption. However, using 802.11n, CCMP, or AES does not prevent the use of PSKs.
You have discovered a counterfeit wireless station using the same SSID as your wireless network. What best describes this?
A. Evil twin
B. IV attack
C. War driving
D. Rogue access point
A. An evil twin is a rogue (or counterfeit) access point with the same SSID as an authorized access point. An IV attack attempts to discover encryption keys to crack WEP. War driving is the practice of driving around looking for access points. A rogue access point is an unauthorized wireless station, but if it has the same SSID, it’s best described as an evil twin.
You are planning to complete a wireless audit. What should you check? (Choose all that apply.)
A. Antenna placement
B. Power levels
C. Footprint
D. Encryption
E. Flood guards
A, B, C, D. A wireless audit can check antenna placement, WAP power levels, WAP footprint, and encryption techniques. It also looks for rogue access points and unauthorized users, which are not listed in the answers. Flood guards can help prevent SYN flood attacks.
Your organization wants to provide secure remote access to the internal network to over two hundred employees that are regularly on the road. What would they use?
A. VPN concentrator
B. Health agents
C. Web application firewall
D. Honeypot
A. VPN concentrators provide strong security and support large numbers of VPN clients. Health agents are required for network access control (NAC) solutions, but not required for all remote access solutions. A web application firewall (WAF) is a firewall specifically designed to protect a web application, such as a web server, and not required for remote access. A honeypot is a server designed to look valuable to an attacker, can divert attacks, and can help organizations identify the latest unknown attacks.
What type of control is MAC filtering?
A. Network access control
B. Physical control
C. Detective control
D. Management control
A. MAC filtering is a form of network access control (NAC). A physical control restricts physical access to buildings and hardware devices. A detective control such as a security audit detects when a vulnerability has been exploited. Management controls are primarily administrative in function, such as risk assessments or vulnerability assessments.