Network+ Domain 3: Network Security

Which of the following attacks is a form of software exploitation that transmits or submits a longer stream of data than the input variable is designed to handle?
Buffer overflow

A buffer overflow occurs when software code receives more input than it was designed to handle and the programmer of that code failed to include input validation checks. When a buffer overflow occurs, the extra data is pushed into the execution stack and processed with the security context of the system itself. In other words, a buffer overflow attack often allows the attacker to perform any operation on a system.

You have worked as the network administrator for a company for seven months. One day all picture files on the server become corrupted. You discover that a user downloaded a virus from the Internet onto his workstation, and it propagated to the server. You successfully restore all files from backup, but your boss is adamant that this situation does not recur. What should you do?
Install a network virus detection software solution.
An attacker sets up 100 drone computers that flood a DNS server with invalid requests. This is an example of which kind of attack?
DDoS

A DDoS attack occurs when multiple PCs attack a victim simultaneously and generate excessive traffic, thereby overloading communication channels or exploiting software flaws.

Which is a form of attack that either exploits a software flaw or floods a system with traffic in order to prevent legitimate activities or transactions from occurring?
Denial of service attack
Which of the following is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network?
Smurf

Smurf is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network.

A Smurf attack requires all but which of the following elements to be implemented?
Padded cell

A padded cell is a type of intrusion enticement mechanism similar to a honey pot. A padded cell is a simulated network environment that is created when an intruder is detected. The intruder is transferred into the padded cell where all of its activities are monitored and logged while isolating the intruder from all sensitive information or controls.

What is the common name for a program that has no useful purpose, but attempts to spread itself to other systems and often damages resources on the systems where it is found?
Virus
Which of the following is not a primary characteristic of a worm?
It infects the MBR of a hard drive

A worm does not infect an MBR as a virus does; a worm does not require a host file or drive element.
A worm is a self-contained, executable software package. It is able to self-replicate and actively seeks to spread itself to other networked systems.

Which of the following is the best countermeasure against man-in-the middle attacks?
IPsec

Use IPsec to encrypt data in a VPN tunnel as it passes between two communication partners.

Which of the following describes a man-in-the-middle attack?
A false server intercepts communications from a client by impersonating the intended server.
What is the main difference between a worm and a virus?
A worm can replicate itself and does not need a host for distribution.

Both viruses and worms can cause damage to data and systems, and both spread from system to system, although a worm can spread itself while a virus attaches itself to a host for distribution.

Your company security policy states that wireless networks are not to be used because of the potential security risk they present to your network. One day you find that an employee has connected a wireless access point to the network in his office. What type of security risk is this?
Rogue access point
An attacker is trying to compromise a wireless network that has been secured using WPA2-PSK and AES. She first tried using AirSnort to capture packets, but found that she couldn’t break the encryption. As an alternative, she used software to configure her laptop to function as an access point. She configured the fake access point with the same SSID as the wireless network she is trying to break into. When wireless clients connect to her access point, she presents them with a web page asking them to enter the WPA2 passphrase. When they do, she then uses it to connect a wireless client to the real access point. What attack techniques did the attacker use in this scenario? (Select two.)
Pharming
Evil twin

• Evil twin: In this exploit, an attacker near a valid wireless access point installs an access point with the same (or similar) SSID.

• Pharming: In this exploit, the access point is configured to display a bogus web page that prompts for credentials, allowing the attacker to steal those credentials.

A senior executive reports that she received a suspicious email concerning a sensitive, internal project that is behind production. The email is sent from someone she doesn’t know, and he is asking for immediate clarification on several of the project’s details so the project can get back on schedule. Which type of attack best describes the scenario?
Whaling

Whaling is a form of social engineering attack that is targeted at senior executives and high-profile victims. Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity.

Which of the following is a common form of social engineering attack?
Hoax virus information e-mails.
A collection of zombie computers has been set up to collect personal information. What type of malware do the zombie computers represent?
Botnet

A botnet refers to a collection of zombie computers which are commanded from a central control infrastructure to propagate spam or to collect usernames and passwords to access secure information.

Which of the following is a characteristic of a virus?
Requires an activation mechanism to run
You have heard about a new malware program that presents itself to users as a virus scanner. When users run the software, it installs itself as a hidden program that has administrator access to various operating system components. The program then tracks system activity and allows an attacker to remotely gain administrator access to the computer. Which of the following terms best describes this software?
Rootkit

A rootkit is a set of programs that allows attackers to maintain permanent, administrator-level, hidden access to a computer. Rootkits require administrator access to install, and typically gain this access using a Trojan horse approach: masquerading as a legitimate program to entice users to install the software.

Which of the following is undetectable software that allows administrator-level access?
Rootkit
What is the greatest threat to the confidentiality of data in most secure organizations?
USB devices
A relatively new employee in the data entry cubicle farm was assigned a user account similar to that of all of the other data entry employees. However, audit logs have shown that this user account has been used to change ACLs on several confidential files and has accessed data in restricted areas. This situation indicates which of the following has occurred?
Privilege escalation
Which of the following attacks tries to associate an incorrect MAC address with a known IP address?
ARP poisoning

ARP spoofing/poisoning associates the attacker’s MAC address with the IP address of victim devices. When computers send an ARP request to get the MAC address of a known IP address, the attacker’s system responds with its MAC address.

A router on the border of your network detects a packet with a source address that is from an internal client but the packet was received on the Internet-facing interface. This is an example of what form of attack?
Spoofing

Spoofing is the act of changing or falsifying information in order to mislead or redirect traffic. In this scenario, the Internet-facing interface should never receive a valid packet whose stated source address belongs to the internal network.

What is modified in the most common form of spoofing on a typical IP packet?
Source address
Which type of Denial of Service (DoS) attack occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses?
DNS poisoning
Which of the following is an example of an internal threat?
A user accidentally deletes the new product designs
An attacker sends an unwanted and unsolicited email message to multiple recipients with an attachment that contains malware. What kind of attack has occurred in this scenario?
Spam
An attacker uses an exploit to push a modified hosts file to client systems. This hosts file redirects traffic from legitimate tax preparation sites to malicious sites to gather personal and financial information. What kind of exploit has been used in this scenario? (Choose two. Both responses are different names for the same exploit.)
Pharming

DNS poisoning

Match the social engineering description on the left with the appropriate attack type on the right.
Phishing
An attacker sends an email pretending to be from a trusted organization, asking users to access a website to verify personal information.

Whaling
An attacker gathers personal information about the target individual, who is a CEO.

Spear phishing
An attacker gathers personal information about the target individual in an organization.

Dumpster diving
An attacker searches through an organization’s trash for sensitive information.

Piggybacking
An attacker enters a secured building by following an authorized employee through a secure door without providing identification.

Vishing
An attacker uses a telephone to convince target individuals to reveal their credit card information.

While developing a network application, a programmer adds functionality that allows her to access the running program, without authentication, to capture debugging data. The programmer forgets to remove this functionality prior to finalizing the code and shipping the application. What type of security weakness does this represent?
Backdoor
When you browse to a website, a pop-up window tells you that your computer has been infected with a virus. You click on the window to see what the problem is. Later, you find out that the window has installed spyware on your system. What type of attack has occurred?
Drive-by download

Drive-by downloads can occur in a few different ways:
• Through social engineering, the user is tricked into downloading the software.
• By exploiting a browser or operating system bug, a site is able to install software without the user’s knowledge or consent.

While using a web-based order form, an attacker enters an unusually large value in the Quantity field. The value entered is large enough to exceed the maximum value supported by the variable type used to store the quantity in the web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number. As a result, the web application processes the order as a return instead of a purchase, and the attacker’s account is refunded a large sum of money. What type of attack has occurred in this scenario?
Integer overflow
Purchasing insurance is what type of response to risk?
Transference

An organization can transfer risk through the purchase of insurance. When calculating the cost of insurance and the deductible, balance the cost against the expected loss from the incident.

Over the last month you have noticed a significant increase in the occurrence of inappropriate activities performed by employees. What is the best first response step to take in order to improve or maintain the security level of the environment?
Improve and hold new awareness sessions
Which of the following uses hacking techniques to proactively discover internal vulnerabilities?
Penetration testing
Which of the following activities are typically associated with a penetration test? (Select two.)
Attempting social engineering
Running a port scanner
What is the main difference between vulnerability scanning and penetration testing?
Vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter.
Which of the following types of penetration test teams will provide you information that is most revealing of a real-world hacker attack?
Zero knowledge team

A zero knowledge team is a penetration testing team that most closely simulates a real-world hacker attack, as its members must perform all of the initial blind reconnaissance.

A security administrator is conducting a penetration test on a network. She connects a notebook system running Linux to the wireless network and then uses NMAP to probe various network hosts to see which operating system they are running. Which process did the administrator use in the penetration test in this scenario?
Active fingerprinting

Active fingerprinting is a form of system enumeration that is designed to gain as much information about a specific computer as possible. It identifies operating systems based upon ICMP message quoting characteristics. Portions of an original ICMP request are repeated (or quoted) within the response, and each operating system quotes this information back in a slightly different manner. Active fingerprinting can determine the operating system and even the patch level.

A security administrator is conducting a penetration test on a network. She connects a notebook system to a mirror port on a network switch. She then uses a packet sniffer to monitor network traffic to try and determine which operating systems are running on network hosts. Which process did the administrator use in the penetration test in this scenario?
Passive fingerprinting

Passive fingerprinting is a form of system enumeration that is designed to gain as much information about network computers as possible. It passively listens to network traffic generated by network hosts and attempts to identify which operating systems are in use based upon the ICMP message quoting characteristics they use. Portions of original ICMP requests are repeated (or quoted) within each response. Each operating system quotes this information back in a slightly different manner.

Drag each penetration test characteristic on the left to the appropriate penetration test name on the right.
White box test
The tester has detailed information about the target system prior to starting the test.

Grey box test
The tester has the same amount of information that would be available to a typical insider in the organization.

Black box test
The tester has no prior knowledge of the target system.

Single blind test
Either the attacker has prior knowledge about the target system, or the administrator knows that the test is being performed.

Double blind test
The tester does not have prior information about the system and the administrator has no knowledge that the test is being performed.

When recovery is being performed due to a disaster, which services are to be stabilized first?
Mission critical

The services to be restored first are mission critical services. If mission critical services are not restored within their maximum tolerable downtime, the organization is no longer viable.

In business continuity planning, what is the primary focus of the scope?
Business processes

Company assets are the focus of risk assessment for security policy development, not BCP. Human life and safety are considerations for emergency response, but are not the focus of the BCP scope. Recovery time objective is a consideration in the development of emergency response, not an aspect of BCP scope.

What is the primary goal of business continuity planning?
Maintaining business operations with reduced or restricted infrastructure capabilities or resources
Which of the following network strategies connects multiple servers together such that if one server fails, the others immediately take over its tasks, preventing a disruption in service?
Clustering

Clustering connects multiple servers together using special software.

What is the primary security feature that can be designed into a network’s infrastructure to protect and support availability?
Redundancy
You manage a website for your company. The website uses three servers configured in a cluster. Incoming requests are distributed automatically between the three servers. All servers use a shared storage device that holds the website contents. Each server has a single network connection and a single power supply. Considering the availability of your website, which component represents a single point of failure?
Website storage

A single point of failure means that failure in one component will cause the entire website to be unavailable. If the storage unit fails, then the website content will be unavailable.

Besides protecting a computer from undervoltages, a typical UPS also performs which two actions?
Conditions the power signal
Protects from over voltages
You manage the website for your company. The website uses a cluster of two servers with a single shared storage device. The shared storage device uses a RAID 1 configuration. Each server has a single connection to the shared storage, and a single connection to your ISP. You want to provide redundancy such that a failure in a single component does not cause the website to be unavailable. What should you add to your configuration to accomplish this?
Connect one server through a different ISP to the Internet.

If the ISP connection goes down, then the website is unavailable. Connecting one server to a different ISP, or both servers to two ISPs, will provide redundancy for the connection.

Even if you perform regular backups, what must be done to ensure that you are protected against data loss?
Regularly test restoration procedures
Which encryption method is used by WPA for wireless networks?
TKIP

WPA uses TKIP for encryption. TKIP uses rotating encryption keys for added security over WEP.
AES encryption is used with WPA2. AES requires specialized hardware that might not be available on a device that only supports WPA. WEP is a security method for wireless networks that provides encryption through the use of a shared encryption key (the WEP key).

You want to implement 802.1x authentication on your wireless network. Which of the following will be required?
RADIUS
You want to implement 802.1x authentication on your wireless network. Where would you configure passwords that are used for authentication?
On a RADIUS server

802.1x authentication uses usernames and passwords, certificates, or devices such as smart cards to authenticate wireless clients. Authentication requests received by the wireless access point are passed to a RADIUS server which validates the logon credentials (such as the username and password).

Which of the following wireless security methods uses a common shared key configured on the wireless access point and all wireless clients?
WEP, WPA Personal, and WPA2 Personal
You want to connect your client computer to a wireless access point connected to your wired network at work. The network administrator tells you that the access point is configured to use WPA2 Personal with the strongest encryption method possible. SSID broadcast is turned off. Which of the following must you configure manually on the client? (Select three.)
Preshared key
AES
SSID

WPA2 Personal uses a shared key for authentication. Once authenticated, dynamic keys are generated to be used for encryption. WPA2 supports AES and TKIP encryption, with AES being the stronger encryption method. With the SSID broadcast turned off, you will need to manually configure the SSID on the client.

Which of the following authentication protocols uses a three-way handshake to authenticate users to the network? (Choose two.)
MS-CHAP
CHAP
Which type of device is required to implement port authentication through a switch?
RADIUS server

Port authentication is provided by the 802.1x protocol, and allows only authenticated devices to connect to the LAN through the switch. 802.1x requires a RADIUS server (also called an AAA server) to validate the authentication credentials.

You want to increase the security of your network by allowing only authenticated users to be able to access network devices through a switch. Which of the following should you implement?
802.1x

802.1x authentication is an authentication method used on a LAN to allow or deny access based on a port or connection to the network. 802.1x is used for port authentication on switches and authentication to wireless access points. 802.1x requires an authentication server for validating user credentials. This server is typically a RADIUS server. Authenticated users are allowed full access to the network; unauthenticated users only have access to the RADIUS server.

Which of the following applications typically use 802.1x authentication? (Select two.)
Controlling access through a switch
Controlling access through a wireless access point
Which of the following attacks, if successful, causes a switch to function like a hub?
MAC flooding

MAC flooding overloads the switch’s MAC forwarding table to make the switch function like a hub. The attacker floods the switch with packets, each containing different source MAC addresses. The flood of packets fills up the forwarding table and consumes so much of the memory in the switch that it causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out all ports (as with a hub), instead of just to the correct ports as per normal operation.

You just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID card to gain access. You backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using a Telnet client with a username of admin and a password of admin. You used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device? (Select two.)
Use an SSH client to access the router configuration.

Change the default administrative username and password.

You’ve just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a cubicle near your office. You’ve backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using an SSH client with a username of admin01 and a password of [email protected]. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device?
Move the router to a secure server room.
You can use a variety of methods to manage the configuration of a network router. Match the management option on the right with its corresponding description on the left. (Each option can be used more than once.)
SSL ==> Uses public-key cryptography

HTTP ==> Transfers data in clear text

SSH ==> Uses public-key cryptography

Telnet ==> Transfers data in clear text

Console port ==> Cannot be sniffed

You run a small network for your business that has a single router connected to the Internet and a single switch. You keep sensitive documents on a computer that you would like to keep isolated from other computers on the network. Other hosts on the network should not be able to communicate with this computer through the switch, but you still need to access the network through the computer. What should you use for this situation?
VLAN

Define virtual LANs (VLANs) on the switch. With a VLAN, a port on the switch is associated with a VLAN. Only devices connected to ports that are members of the same VLAN can communicate with each other. Routers are used to allow communication between VLANs if necessary.

When using Kerberos authentication, which of the following terms is used to describe the token that verifies the identity of the user to the target system?
Ticket

The tokens used in Kerberos authentication are known as tickets. These tickets perform a number of functions including notifying the network service of the user who has been granted access, and authenticating the identity of the person when they attempt to use that network service.

You have been contracted by a firm to implement a new remote access solution based on a Windows Server 2003 system. The customer wants to purchase and install a smartcard system to provide a high level of security to the implementation. Which of the following authentication protocols are you most likely to recommend to the client?
EAP
Which of the following is a platform independent authentication system that maintains a database of user accounts and passwords that centralizes the maintenance of those accounts?
RADIUS

The Remote Authentication Dial-In User Service (RADIUS) is an authentication system that allows the centralization of remote user account management.

Which of the following is a mechanism for granting and validating certificates?
PKI

Certificates are obtained from a Public Key Infrastructure (PKI). A PKI is a system that provides for a trusted third party to vouch for user identities. A PKI is made up of Certification Authorities (CAs), also called certificate authorities. A CA is an entity trusted to issue, store, and revoke certificates.

Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.)
RADIUS

TACACS+

You want to implement an authentication method that uses public and private key pairs. Which authentication method should you use?
EAP

Public and private key pairs are used by certificates for authentication and encryption. Extensible Authentication Protocol (EAP) allows the client and server to negotiate the characteristics of authentication. EAP is used to allow authentication using smart cards, biometrics (user physical characteristics), and certificate-based authentication.

You have a web server that will be used for secure transactions for customers who access the website over the Internet. The web server requires a certificate to support SSL. Which method would you use to get a certificate for the server?
Obtain a certificate from a public PKI.
Which of the following authentication methods uses tickets to provide single sign-on?
Kerberos
Which of the following are used when implementing Kerberos for authentication and authorization? (Select two.)
Ticket granting server

Time server

You have decided to implement a remote access solution that uses multiple remote access servers. You want to implement RADIUS to centralize remote access authentication and authorization. Which of the following would be a required part of your configuration?
Configure the remote access servers as RADIUS clients.

When configuring a RADIUS solution, configure a single server as a RADIUS server. Then configure all remote access servers as RADIUS clients.

Which of the following are characteristics of TACACS+? (Select two.)
Uses TCP

Allows for the possibility of three different servers, one each for authentication, authorization, and accounting

Which of the following is a feature of MS-CHAP v2 that is not included in CHAP?
Mutual authentication
Which of the following specifications identify security that can be added to wireless networks? (Select two.)
802.11i
802.1x

Standards described in 802.11i have been implemented in Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2). 802.1x is an authentication protocol that can be used on wireless networks.

As you are helping a user with a computer problem you notice that she has written her password on a note stuck to her computer monitor. You check the password policy of your company and find that the following settings are currently required:
• Minimum password length = 10
• Minimum password age = 4
• Maximum password age = 30
• Password history = 6
• Require complex passwords that include numbers and symbols
• Account lockout clipping level = 3
Which of the following is the best action to take to make remembering passwords easier so that she no longer has to write the password down?
Implement end-user training.

Instruct users on the importance of security and teach them how to create and remember complex passwords. Making any other changes would violate the security policy and reduce the overall security of the passwords.

Which of the following is the most common form of authentication?
Password

Most secure systems require only a username and password to provide users with access to the computing environment. Many forms of online intrusion attacks focus on stealing passwords. This makes using strong passwords very important. Without a strong password policy and properly trained users, the reliability of your security system is greatly diminished.

Which of the following is an example of two-factor authentication?
A token device and a PIN

Two-factor authentication uses two different types of authentication (i.e. a combination of Type I, Type II, and Type III authentication). Of the examples listed here, a token device (Type II) combined with a PIN (Type I) is the only example of two-factor authentication.

Which of the following is an example of three-factor authentication?
Token device, keystroke analysis, cognitive question

Three-factor authentication uses three items for authentication, one each from each of the authentication types:
• Type I (something you know, such as a password, PIN, pass phrase, or cognitive question)
• Type II (something you have, such as a smart card, token device, or photo ID)
• Type III (something you are, such as fingerprints, retina scans, voice recognition, or keyboard dynamics)

Which of the following best describes one-factor authentication?
Multiple authentication credentials may be required, but they are all of the same type

One-factor authentication uses credentials of only one type, but may require multiple methods within the same type. For example, you might log on with just a password, or with a password along with answering a cognitive question (such as your mother’s maiden name). One-factor authentication that uses multiple credentials of the same type is also sometimes called strong authentication.

Match the authentication factor types on the left with the appropriate authentication factor on the right. Each authentication factor type can be used more than once.
PIN ==> Something you know

Smart card ==> Something you have

Password ==> Something you know

Retina scan ==> Something you are

Fingerprint scan ==> Something you are

Hardware token ==> Something you have

User name ==> Something you know

Voice recognition ==> Something you are

Wi-Fi triangulation ==> Somewhere you are

Typing behaviors ==> Something you do

You want to prevent your browser from running JavaScript commands that are potentially harmful. Which of the following would you restrict to accomplish this?
Client-side scripts

JavaScript is an example of client-side scripting, where the client system runs the scripts that are embedded in Web pages. When pages download, the scripts are executed.
ActiveX runs executable code within a browser, but ActiveX controls are not written using the JavaScript language.
Server-side scripts execute on the server, and modify the Web pages served to clients based on the results of the scripts.
The Common Gateway Interface (CGI) is a scripting language that is often used to capture data from forms in a Web page and pass the data to an external program. CGI runs on the server to process Web form data.

Which of the following actions should you take to reduce the attack surface of a server?
Disable unused services.
You are concerned that wireless access points may have been deployed within your organization without authorization. What should you do? (Select two. Each response is a complete solution.)
Conduct a site survey.

Check the MAC addresses of devices connected to your wired switch.

If your anti-virus software does not detect and remove a virus, what should you try first?
Update your virus detection software.
Which remote access authentication protocol allows for the use of smart cards for authentication?
EAP

Extensible Authentication Protocol (EAP) is a set of interface standards that allows you to use various authentication methods including smartcards, biometrics, and digital certificates.

Which of the following do switches and wireless access points use to control access through the device?
MAC filtering

Both switches and wireless access points are layer 2 devices, meaning they use the MAC address for making forwarding decisions. Both devices typically include some form of security that restricts access based on the MAC address.

Telnet is inherently insecure because its communication is in plain text and is easily intercepted. Which of the following is an acceptable alternative to Telnet?
SSH

SSH (Secure Shell) allows for secure interactive control of remote systems. SSH uses RSA public key cryptography for both connection and authentication. SSH uses the IDEA algorithm for encryption by default, but is able to use Blowfish and DES.

Which security protocols use RSA encryption to secure communications over an untrusted network? (Select two.)
Transport Layer Security

Secure Sockets Layer

Which of the following networking devices or services prevents the use of IPsec in most cases?
NAT

IPsec cannot typically be used when static IP addresses are not used by both communication partners. NAT proxy performs network address translation on all communications. For this reason, the IP address seen for a system outside of the proxied network is not the real IP address of that system. This prevents the use of IPsec.

Which of the following protocols are often added to other protocols to provide secure transmission of data? (Select two.)
TLS
SSL

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols that are used with other protocols to add security. In addition, Secure Shell (SSH) can be used to add security when using unsecure protocols.

A network switch detects a DHCP frame on the LAN that appears to have come from a DHCP server that is not located on the local network. In fact, it appears to have originated from outside the organization’s firewall. As a result, the switch drops the DHCP message from that server. Which security feature was enabled on the switch to accomplish this?
DHCP snooping

DHCP snooping filters out untrusted DHCP messages. An untrusted DHCP message is received from outside the network or firewall. DHCP snooping acts like a firewall between DHCP clients and your DHCP servers.

A network switch is configured to perform the following validation checks on its ports:
• All ARP requests and responses are intercepted.
• Each intercepted request is verified to ensure that it has a valid IP-to-MAC address binding.
• If the packet has a valid binding, the switch forwards the packet to the appropriate destination.
• If the packet has an invalid binding, the switch drops the ARP packet.
What security feature was enabled on the switch to accomplish this?
Dynamic ARP Inspection
You have just downloaded a file. You create a hash of the file and compare it to the hash posted on the website. The two hashes match. What do you know about the file?
Your copy is the same as the copy posted on the website.

A hash is a function that takes a variable-length string (message) and compresses and transforms it into a fixed-length value. Hashes ensure the data integrity of files and messages in transit. The sender and the receiver use the same hashing algorithm on the original data. If the hashes match, then the data can be assumed to be unmodified. Hashes do not ensure confidentiality (in other words, hashes are not used to encrypt data).

You are an IT consultant and are visiting a new client’s site to become familiar with their network. As you walk around their facility, you note the following:
• When you enter the facility, a receptionist greets you and directs you down the hallway to the office manager’s cubicle. The receptionist uses a notebook system that is secured to her desk with a cable lock.
• The office manager informs you that the organization’s servers are kept in a locked closet. Only she has the key to the closet. When you arrive on site, you will be required to get the key from her to access the closet.
• She informs you that server backups are configured to run each night. A rotation of external USB hard disks is used as the backup media.
• You notice the organization’s network switch is kept in an empty cubicle adjacent to the office manager’s workspace.
• You notice that a router/firewall/content filter all-in-one device has been implemented in the server closet to protect the internal network from external attacks.
Which security-related recommendations should you make to this client? (Select two.)
Relocate the switch to the locked server closet.

Control access to the work area with locking doors and card readers.

What is a secure doorway that can be used in coordination with a mantrap to allow easy egress from a secured environment but which actively prevents re-entrance through the exit portal?
Turnstiles

Turnstiles allow easy egress from a secured environment but actively prevent re-entrance through the exit portal. Turnstiles are a common exit portal used in conjunction with entrance portal mantraps. A turnstile cannot be used to enter into a secured facility as it only functions in one direction.

You want to use CCTV to increase your physical security. You want to be able to remotely control the camera position. Which camera type should you choose?
PTZ

A Pan Tilt Zoom (PTZ) camera lets you dynamically move the camera and zoom in on specific areas to monitor (cameras without PTZ capabilities are manually set to look in a specific direction). Automatic PTZ mode automatically moves the camera between several preset locations; manual PTZ lets an operator remotely control the position of the camera.

Which of the following allows for easy exit of an area in the event of an emergency, but prevents entry? (Select two.)
Turnstile
Double-entry door

A double entry door has two doors that are locked from the outside but with crash bars on the inside that allow easy exit. Double entry doors are typically used only for emergency exits, and alarms sound when the doors are opened. A turnstile is a barrier that permits entry in only one direction. Turnstiles are often used to permit easy exit from a secure area.

Match each physical security control on the left with an appropriate example of that control on the right. Each security control may be used once, more than once, or not at all.
Hardened carrier >> Protected cable distribution

Biometric authentication >> Door locks

Barricades >> Perimeter barrier

Emergency escape plans >> Safety

Alarmed carrier >> Protected cable distribution

Anti-passback system >> Physical access control

Emergency lighting >> Safety

Exterior floodlights >> Perimeter barrier

You are an IT consultant and are visiting a new client’s site to become familiar with their network. As you walk around their facility, you note the following:
• When you enter the facility, a receptionist greets you and directs you down the hallway to the office manager’s cubicle. The receptionist uses a notebook system that is secured to her desk with a cable lock.
• The office manager informs you that the organization’s servers are kept in a locked closet. Only she has the key to the closet. When you arrive on site, you will be required to get the key from her to access the closet.
• She informs you that server backups are configured to run each night. A rotation of external USB hard disks is used as the backup media.
• You notice the organization’s network switch is kept in an empty cubicle adjacent to the office manager’s workspace.
• You notice that a router/firewall/content filter UTM device has been implemented in the server closet to protect the internal network from external attacks.
Which security-related recommendations should you make to this client? (Select two.)
Relocate the switch to the locked server closet.

Control access to the work area with locking doors and proximity readers.

Which of the following is the most important thing to do to prevent console access to a network switch?
Keep the switch in a room that uses a cipher lock.
Which of the following does a router acting as a firewall use to control which packets are forwarded or dropped?
ACL

When you configure a router as a firewall, you configure the access control list (ACL) with statements that identify traffic characteristics, such as the direction of traffic (inbound or outbound), the source or destination IP address, and the port number. ACL statements include an action to either allow or deny the traffic specified by the ACL statement.

You have a router that is configured as a firewall. The router is a layer 3 device only. Which of the following does the router use for identifying allowed or denied packets?
IP address

A router acting as a firewall at layer 3 is capable of making forwarding decisions based on the IP address.

You want to allow traveling users to connect to your private network through the Internet. Users will connect from various locations including airports, hotels, and public access points such as coffee shops and libraries. As such, you won’t be able to configure the firewalls that might be controlling access to the Internet in these locations. Which of the following protocols would be most likely to be allowed through the widest number of firewalls?
SSL

Ports must be opened in firewalls to allow VPN protocols. For this reason, using SSL for the VPN often works through firewalls when other solutions do not, because SSL uses port 443, a port that is often already open to allow HTTPS traffic. In addition, some NAT solutions do not work well with VPN connections.

Which protocol does HTTPS use to offer greater security in Web transactions?
SSL

HTTPS uses Secure Sockets Layer (SSL) to offer greater security in Web transactions.

You are the administrator of your company’s network. You want to prevent unauthorized access to your intranet from the Internet. Which of the following should you implement?
Firewall
You have been given a laptop to use for work. You connect the laptop to your company network, use it from home, and use it while traveling. You want to protect the laptop from Internet-based attacks. Which solution should you use?
Host-based firewall
You manage a small network at work. Users use workstations connected to your network. No portable computers are allowed. As part of your security plan, you would like to implement scanning of e-mails for all users. You want to scan the e-mails and prevent any e-mails with malicious attachments from being received by users. Your solution should minimize administration, allowing you to centrally manage the scan settings. Which solution should you use?
Network based firewall

A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the Internet and scans all incoming e-mail. Scanning e-mail as it arrives at your e-mail server allows you to centralize management and stop malicious e-mails before they arrive at client computers.

Your company has a connection to the Internet that allows users to access the Internet. You also have a Web server and an e-mail server that you want to make available to Internet users. You want to create a DMZ for these two servers. Which type of device should you use to create the DMZ?
Network based firewall
You have just installed a packet-filtering firewall on your network. Which options will you be able to set on your firewall? (Select all that apply.)
Source address of a packet
Port number
Destination address of a packet
You want to install a firewall that can reject packets that are not part of an active session. Which type of firewall should you use?
Circuit-level
Which of the following are characteristics of a circuit-level gateway? (Select two.)
Filters based on sessions

Stateful

Which of the following are characteristics of a packet filtering firewall? (Select two.)
Filters IP address and port
Stateless
You provide Internet access for a local school. You want to control Internet access based on user, and prevent access to specific URLs. Which type of firewall should you install?
Application-level
You have a company network that is connected to the Internet. You want all users to have Internet access, but need to protect your private network and users. You also need to make a Web server publicly available to Internet users. Which solution should you use?
Use firewalls to create a DMZ. Place the Web server inside the DMZ, and the private network behind the DMZ.
You have used firewalls to create a demilitarized zone. You have a Web server that needs to be accessible to Internet users. The Web server must communicate with a database server for retrieving product, customer, and order information. How should you place devices on the network to best protect the servers? (Select two.)
Put the database server on the private network.

Put the Web server inside the DMZ.

You provide Internet access for a local school. You want to control Internet access based on user, and prevent access to specific URLs.
Which type of firewall should you install?
Application level
You have just installed a packet-filtering firewall on your network. What options will you be able to set on your firewall? Select all that apply.
Destination address of a packet
Port number
Source address of a packet
Which of the following describes how access lists can be used to improve network security?
An access list filters traffic based on the IP header information such as source or destination IP address, protocol, or socket numbers.
Of the following security zones, which one can serve as a buffer network between a private secured network and the untrusted Internet?
DMZ

A DMZ or demilitarized zone is a network placed between a private secured network and the untrusted Internet to grant external users access to internally controlled services. The DMZ serves as a buffer network.

Which of the following is likely to be located in a DMZ?
FTP server
When designing a firewall, what is the recommended approach for opening and closing ports?
Close all ports; open only ports required by applications inside the DMZ.
In which of the following situations would you most likely implement a demilitarized zone (DMZ)?
You want to protect a public Web server from attack.
A small startup company has hired you to harden their new network. Because funds are limited, you have decided to implement a unified threat management (UTM) device that provides multiple security features in a single network appliance:
• Firewall
• VPN
• Anti-spam
• Antivirus
You join the UTM device to the company’s Active Directory domain. The company’s traveling sales force will use the VPN functionality provided by the UTM device to connect to the internal company network from hotel and airport public WiFi networks. What weaknesses exist in this implementation?
The UTM represents a single point of failure.
Match the firewall type on the left with its associated characteristics on the right. Each firewall type may be used once, more than once, or not at all.
Operates at Layer 2 >> Virtual firewall

Operates at Layer 3 >> Routed firewall

Counts as a hop in the path between hosts >> Routed firewall

Does not count as a hop in the path between hosts >> Virtual firewall

Each interface connects to a different network >> Routed firewall

Each interface connects to the same network segment >> Virtual firewall

An all-in-one security appliance is best suited for which type of implementation?
A remote office with no on-site technician.
Which of the following features are common functions of an all-in-one security appliance? (Select two.)
Spam filtering
Bandwidth shaping
You recently installed a new all-in-one security appliance in a remote office. You are in the process of configuring the device. You need to:
• Increase the security of the device.
• Enable remote management from the main office.
• Allow users to be managed through Active Directory.
You want to configure the device so you can access it from the main office. You also want to make sure the device is as secure as possible. Which of the following tasks should you carry out? (Select two.)
Change the default username and password.

Configure the device’s authentication type to use Active Directory.

Members of the Sales team use laptops to connect to the company network. While traveling, they connect their laptops to the Internet through airport and hotel networks. You are concerned that these computers will pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless anti-virus software and the latest operating system patches have been installed. Which solution should you use?
NAC

Network Access Control (NAC) controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements.

You have a company network with a single switch. All devices connect to the network through the switch. You want to control which devices will be able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access to all network devices except for a special server that holds the patches that the computers need to download. Which of the following components will be part of your solution? (Select two.)
802.1x authentication

Remediation servers

A network utilizes a Network Access Control (NAC) solution to protect against malware. When a wired or wireless host tries to connect to the network, a NAC agent on the host checks it to make sure it has all of the latest operating system updates installed and that the latest antivirus definitions have been applied. What is this process called?
Posture assessment

When a wired or wireless host tries to connect to the network, a NAC agent on the host checks it to make sure it has all of the latest operating system updates installed and that the latest antivirus definitions have been applied. This is called a posture assessment. The agent then submits the results of the assessment as a Statement of Health (SoH) to the System Health Validator (SHV).

The outside sales reps from your company use notebook computers, tablets, and phones to connect to the internal company network. While traveling, they connect their devices to the Internet using airport and hotel networks. You are concerned that these devices will pick up viruses that could spread to your private network. You would like to implement a solution that prevents devices from connecting to your network unless antivirus software and the latest operating system patches have been installed. When a host tries to connect to the network, the host should be scanned to verify its health. If the host is not healthy, then it should be placed on a quarantine network where it can be remediated. Once healthy, the host can then connect to the production network. Which solution should you use?
NAC

Network Access Control (NAC) prevents devices from accessing network resources unless they meet certain predefined security requirements.

The owner of a hotel has contracted with you to implement a wireless network to provide Internet access for patrons. The owner has asked that you implement security controls such that only paying patrons are allowed to use the wireless network. She wants them to be presented with a login page when they initially connect to the wireless network. After entering a code provided by the concierge at check-in, they should then be allowed full access to the Internet. If a patron does not provide the correct code, they should not be allowed to access the Internet. Under no circumstances should patrons be able to access the internal hotel network where sensitive data is stored. What should you do?
Implement a guest network
What is the most important element related to evidence in addition to the evidence itself?
Chain of custody document
The chain of custody is used for what purposes?
Listing people coming into contact with evidence
You have been asked to draft a document related to evidence gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. What type of document is this?
Chain of custody
What does hashing of log files provide?
Proof that the files have not been altered
You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident. Which method can you use to ensure that the logs you put in storage have not been altered when you go to use them in the future?
Create a hash of each log.
Which method can be used to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence?
Hashing

Hashing is the method used to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence.

The immediate preservation of evidence is paramount when conducting a forensic analysis. Which of the following actions is most likely to destroy critical evidence?
Rebooting the system
When duplicating a drive for forensic investigative purposes, which of the following copying methods is most appropriate?
Bit-level cloning
How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence?
Create a checksum using a hashing algorithm
You manage the network for your company. You have recently discovered information on a computer hard drive that might indicate evidence of illegal activity. You want to perform forensic activities on the disk to see what kind of information it contains. What should you do first?
Make a bit-level copy of the disk

Before conducting an investigation of data on a disk, you should create a hash of the disk, create a bit-level copy of the disk, then create a hash of your copy of the disk. Perform any investigative activities on your copy of the disk, not on the original disk.

Arrange the computer components listed on the left in order of decreasing volatility on the right.
CPU registers and caches
System RAM
Paging file
Hard disk
File system backup on an external USB drive
After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best next step or action to take?
Back up all logs and audits regarding the incident
If maintaining confidentiality is of the utmost importance to your organization, what is the best response when an intruder is detected on your network?
Disconnect the intruder.
Which of the following is an important aspect of evidence gathering?
Backing up all log files and audit trails
When conducting a forensic investigation, and assuming that the attack has been stopped, which of the following actions should you perform first?
Document what’s on the screen
During a recent site survey, you find a rogue wireless access point on your network. Which of the following actions should you take first to protect your network, while still preserving evidence?
Disconnect the access point from the network
You have discovered a computer that is connected to your network that was used for an attack. You have disconnected the computer from the network to isolate it from the network and stop the attack. Which should you do next?
Perform a memory dump
You have recently discovered that a network attack has compromised your database server. In the process, customer credit card numbers might have been taken by an attacker. You have stopped the attack and put measures in place to prevent the same incident from occurring in the future. What else might you be legally required to do?
Contact your customers to let them know of the security breach
In which stage of the evidence lifecycle is the forensic report created?
Preservation and analysis