Exam 2 Flashcards
(100 cards)
1
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Why would you use a vulnerability scanner? Select the best answer.
A. To identify open ports on a computer
B. To identify remote access policies
C. To crack passwords
D. To see whether passwords are sent as clear text
A
Answer: A. To identify open ports on a computer
Explanation: Vulnerability scanners are primarily used to find open ports on a computer and define what threats are associated with those ports. Remote access policies should be identified within the server where the policy was created, for example, in Windows Server. Password recovery programs such as John the Ripper should be used to crack passwords. To see whether passwords are being sent as clear text, you should use a protocol analyzer. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
2
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
What is another name for a malicious attacker? A. White hat B. Penetration tester C. Fuzzer D. Black hat
A
Answer: D. Black hat
Explanation: A black hat is someone who attempts to break into computers and networks without authorization. They are considered to be malicious attackers. A white hat is a non malicious hacker, often employed by an organization to test the security of a system before it goes online. An example of a white hat would be a penetration tester, who administers active tests against systems to determine whether specific threats can be exploited. A fuzzer is a colloquial name for a software tester. See the section titled “Think Like a Hacker” in Chapter 1, “Introduction to Security,” for more information.
3
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Your organization is designing two new systems. They require emphasis on the following: System A requires high availability. System B requires high security. Which configuration should you select?
A. System A and System B both fail open.
B. System A fails closed. System B fails open.
C. System A fails open. System B fails closed.
D. System A and System B both fail closed.
A
Answer: C. System A fails open. System B fails closed.
Explanation: System A requires high availability so it should fail open. For example, if the system were a monitoring system, and a portion of it failed, the organization might want it to fail open so that other portions of the monitoring system will still be accessible. However, System B requires security, so it should fail closed. Let’s say that System B was a firewall. If it crashed, would we still want network connectivity to pass through it? Probably not; because there would be little or no protection to the network. In general, if you need high availability the system should fail open. If you need high security, it should fail closed. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
4
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
What would you use a TPM for? A. Input validation B. System hardening C. Cloud computing D. Full disk encryption
A
Answer: D. Full disk encryption
Explanation: A TPM (Trusted Platform Module) is a chip that resides on a motherboard (or similar location) that stores encrypted keys used to encrypt the entire hard disk on the system. Input validation is a technique used by programmers to secure their forms. System hardening is the process of securing a computer system through updates, closing ports, and so on. Cloud computing is the use of web-based applications (and other software, platforms, and infrastructures) that are provided by an external source on the Internet. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
5
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
What kind of attack would a flood guard protect from? A. SYN attack B. Xmas attack C. MITM attack D. Botnet
A
Answer: A. SYN attack
Explanation: A SYN attack is when a large amount of synchronization request packets are sent from a client to a server—it is also known as a SYN flood. To protect against this, SYN flood guards can be implemented within some firewalls or as separate devices altogether. If on a firewall, some configuration is usually necessary. An Xmas attack (Christmas tree packet attack) is set with every single option; they are used to analyze TCP/IP responses but do not have the SYN flag set. MITM stands for man-in-the-middle, an attack that intercepts and modifies data traversing between a client and a server. A botnet is a group of compromised computers that jointly (and unknowingly) attack single points of interest such as web servers. See the section titled “Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
6
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Your CFO’s smartphone holding classified data has been stolen. What is the best way to reduce data leakage? A. Inform law enforcement B. Track the device with GPS C. Remotely sanitize the device D. Use strong encryption
A
Answer: C. Remotely sanitize the device
Explanation: If a device holding classified data is stolen, the best thing to do is to remotely sanitize the device (known as a remote wipe). It is too late to use strong encryption, but that should always be implemented on mobile devices (or any devices for that matter) with classified information. After remotely sanitizing the device, you might opt to inform law enforcement (or your organization’s security company or internal security investigators) and possibly track the device via GPS. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
7
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which of the following would you most likely find in a buffer overflow attack? A. NOOP instructions B. Sequence numbers C. IV length D. Set flags
A
Answer: A. NOOP instructions
Explanation: A large number of NOOP (or no-op) instructions can be used to overflow a buffer, which could allow unwanted code to be executed or result in a DoS. Large numbers of NOOP instructions can be used to perform a NOP slide (or NOOP sled). Sequence numbers refers to how TCP packets are numbered. IV length has to do with the length of a string in a cipher. Flags are one or more bits that are set to a binary number to indicate whether something is on or off. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
8
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
You have been tasked to access an older network device. Your only option is to use TELNET. Which port would need to be open on the network device by default? A. 3389 B. 161 C. 135 D. 23
A
Answer: D. 23
Explanation: TELNET uses port 23 by default. Some older devices may not be accessible remotely without using the deprecated TELNET protocol. The best thing to do in this situation would be to update the network device if possible or replace it. Port 135 is known as the DCE endpoint manager port or dcom-scm. Port 161 is the default port for SNMP. Port 3389 is the default port for the Remote Desktop Protocol. See the section titled “Ports and Protocols” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
9
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Some of the employees in your organization complain about how they are receiving e-mail loaded with advertisements. What should you do? A. Install antispyware. B. Install antispam. C. Install antivirus. D. Install HIDS.
A
Answer: B. Install antispam.
Explanation: Antispam software might be a standalone solution or part of an antimalware suite of programs. This is the best option when attempting to lessen the amount of spam e-mails that contain advertisements. Antimalware suites usually also include antispyware tools and antivirus tools. A HIDS is a host-based detection system. This is used to detect whether malicious activity is occurring on an individual computer. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
10
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which of the following encryption protocols is the strongest and can encrypt data with the least amount of CPU usage? A. DES B. AES C. 3DES D. RC4
A
Answer: B. AES
Explanation: AES, the Advanced Encryption Standard, is currently considered to be the strongest symmetric encryption protocol. It can also encrypt data with the least amount of CPU usage compared to the rest of the listed answers. This makes it a great choice for wireless networks, whole disk encryption, and so on. DES and its successor 3DES were the predecessors to AES. Both of them are considered deprecated, weaker encryption protocols and require more CPU usage than AES. RC4 is a symmetric stream cipher used with SSL and WEP. It is known for its speed but when used with WEP can be cracked easily. See the section titled “Encryption Algorithms” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
11
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which of the following encryption algorithms are supported by the IEEE 802.11istandard? (Select the two best answers.) A. TKIP B. RSA C. ECC D. AES
A
Answers: A and D. TKIP and AES
Explanation: The IEEE 802.11i standard amends the original 802.11 standard and was later incorporated into the IEEE 802.11-2007 standard. It specifies security mechanisms for wireless networks including TKIP and AES. It also deprecates WEP. TKIP is the Temporal Key Integrity Protocol used as a solution to replace WEP without requiring any replacement of older hardware. Although it is a better solution than WEP, TKIP was deprecated in 2009 by the IEEE—CCMP is recommended in its place. AES, the Advanced Encryption Standard, is the superior type of encryption to use in wireless networks. It works with WPA and WPA2 but might require hardware upgrades. RSA (Rivest, Shamir, Adleman) is a public key cryptography algorithm commonly used on the Internet and considered to be unbreakable if used properly. ECC, which stands for elliptic curve cryptography, is another type of public key cryptography, but this is based on the structure of an elliptic curve and mathematical problems. See the section titled “Encryption Algorithms” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
12
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which of the following web application security weaknesses can be mitigated by preventing the usage of HTML tags? A. SQL injection B. Cross-site scripting C. LDAP injection D. Rootkits
A
Answer: B. Cross-site scripting
Explanation: Cross-site scripting (XSS) is an attack on website applications that injects client-side script into web pages. SQL injection is a type of code injection that exploits vulnerabilities in databases. LDAP injection can be used to modify LDAP statements and modify the LDAP tree. Rootkits are software designed to gain administrator-level access over a computer system. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
13
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
You want to secure your data to retain it over the long term. What is the best way to do this? A. Onsite clustering B. Virtualization C. Offsite backup D. RAID 5 onsite backup
A
Answer: C. Offsite backup
Explanation: For purposes of retention, offsite backup is the best option. By keeping your backups offsite, you mitigate the risk of losing data during a disaster to your main office. All of the other options imply onsite backup or virtualization onsite; all of which are at risk if a disaster occurs at the main office. See the section titled “Disaster Recovery Planning and Procedures” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
14
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Your boss’s smartphone is encrypted and has screen lock protection, yet data was still stolen from it. How is this possible? A. Botnet B. Bluesnarfing C. SIM cloning D. GPS tracking
A
Answer: B. Bluesnarfing
Explanation: Bluesnarfing is an attack that can steal data such as phonebook contacts, calendar information, and so on, regardless of the phone’s encryption and screen lock. To protect against this, set the smartphone to undiscoverable and use a hard-to-guess Bluetooth pairing key. A botnet might try to target a smartphone, but more often they will go for other targets; regardless, the phone might be rendered useless after a botnet attack, but the data would probably not be compromised. SIM cloning involves duplicating the SIM card on a GSM-enabled phone, which allows two phones to share an account. GPS tracking allows a smartphone to be located physically, but if the phone is still encrypted, GPS tracking will not help with the stealing of data. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
15
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
A malicious computer is sending data frames with false hardware addresses to a switch. What is happening? A. DNS poisoning B. pWWN spoofing C. MAC spoofing D. ARP poisoning
A
Answer: D. ARP poisoning
Explanation: ARP poisoning is an attack that exploits Ethernet networks—spoofed frames of data will contain false MAC addresses, ultimately sending false hardware address updates to a switch. DNS poisoning is the unauthorized modification of name resolution information. pWWN spoofing is a type of spoof attack carried out on SANs. MAC spoofing is a technique for changing the MAC address of a network adapter. See the section titled “Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
16
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
You are surprised to notice that a co-worker’s computer is communicating with an unknown IRC server and is scanning other systems on the network. None of this was scheduled by anyone in your organization, and the user appears to be unknowing of what is transpiring. What is the most likely cause?
A. The computer is part of a botnet.
B. The computer is infected with a worm.
C. The computer is infected with spyware.
D. The computer is infected with a rootkit.
A
Answer: A. The computer is part of a botnet.
Explanation: If the computer in question is scanning the network and accessing an unknown IRC server without the user’s knowledge, then the computer has probably been compromised as a zombie and is now part of a botnet. The IRC server probably acts as a central communication point for all zombies in the botnet. Though the computer had to be infected with some kind of payload originally, that malware is not responsible for the events that are transpiring currently. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
17
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
In a PKI, what is responsible for verifying certificate contents? A. Key escrow B. CA C. CRL D. Recovery agent
A
Answer: B. CA
Explanation: The CA (certificate authority) is responsible for verifying the authenticity of certificate contents. Key escrow is when a copy of the key is held, usually by third parties. The CRL is the certificate revocation list, where certificates are listed when their corresponding public key has been compromised. The recovery agent is used to recover keys, key components, and plaintext messages. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
18
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
The university science lab is normally locked when no one is using it. The professor of the science department has a key to unlock the door. Other faculty members are given keys to lock the door only. What type of key structure is this? A. Symmetric B. Key escrow C. Asymmetric D. Secret keys
A
Answer: C. Asymmetric
Explanation: In an asymmetric key scenario, a pair of different keys is used to encrypt and decrypt data. They keys can be related, but they are not identical as in symmetric (or secret key) algorithms. The analogy here is that the professor and the other faculty have varying physical keys, one for unlocking; the others for locking. Key escrow is when keys are stored for third parties in the case of data loss. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
19
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Mark works for a financial company. He has been tasked to protect customer data. He decides to install a mantrap and an HVAC system in the data center. Which of the following concepts has he addressed? A. Availability B. Integrity C. Confidentiality D. Recovery E. Accountability
A
Answers: A. Availability and C. Confidentiality
Explanation: The HVAC system addresses the need for availability of data. Without a proper HVAC system, a data center’s servers (and other equipment) would probably overheat resulting in a loss of service. The mantrap addresses the need for confidentiality. Customer data in financial organizations, health insurance companies, and many other organizations requires privacy and confidentiality. By installing a mantrap, unauthorized persons will be detained and won’t be able to access customer data. See the section titled “Environmental Controls” in Chapter 15, “Policies, Procedures, and People,” for more information.
20
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Several users complain they are encountering intermittent loss of network connectivity. The computers are wired to the LAN, and no wireless devices are being used. What should you implement? A. Data emanation B. Shielding C. HVAC D. Faraday cage
A
Answer: B. Shielding
Explanation: From the answers listed, shielding should be implemented. When multiple wired network connections are intermittently cutting out, chances are that EMI or some other type of interference is occurring and that something needs to be shielded better. One possibility is to replace standard UTP network cable with shielded twisted pair (STP). Another possibility is to check network devices and make sure they are not near a power source or other device that radiates EMI. HVAC equipment (if near network cabling or devices) can be shielded as well. Data emanation is when there is data leakage from network cables, wireless network devices, and other network equipment. A Faraday cage is used to block wireless data emanation, especially in server rooms and data centers. See the section titled “Environmental Controls” in Chapter 15, “Policies, Procedures, and People,” for more information.
21
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which protocol is based on SSH? A. SFTP B. TFTP C. FTP D. FTPS
A
Answer: A. SFTP
Explanation: SFTP is the SSH File Transfer Protocol (also called Secure FTP). It is an extension of the SSH protocol, which uses port 22. Contrast this with FTPS, which is FTP Secure or FTP-SSL, which uses port 443. Plain FTP has no built-in security and is not based on SSH. TFTP is a simple version of FTP. See the section titled “Ports and Protocols” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
22
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
The server room is on fire. What should the HVAC system do? A. Increase the humidity B. Increase the heat C. Turn off D. Turn on the AC
A
Answer: C. Turn off
Explanation: In the case of a fire, the HVAC system should be programmed to automatically shut off. The key here is that it is automated; that’s why the question is asking what the HVAC system would do, not what you would do. In fact, any other associated electrical units in the server room should shut off in the case of a fire as well. If an HVAC unit is turned on in any way shape or form (AC, heat, or whatever), it would effectively be blowing more air (oxygen) on the fire. Since oxygen feeds the fire, we don’t want to do this. To turn up the humidity you would have to move more humid air, once again, adding oxygen to the fire, so again not recommended. The HVAC system will not help in the case of a fire. That is what your specialized gaseous fire suppression system (and wet pipe system) is for. See the section titled “Environmental Controls” in Chapter 15, “Policies, Procedures, and People,” for more information.
23
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which of the following is a removable device that can be used to encrypt in a high availability clustered environment? A. Biometrics B. Cloud computer C. TPM D. HSM
A
Answer: D. HSM
Explanation: An HSM (hardware security module) is a device used to manage digital keys and provide authentication. It can be connected to a computer, a server, or a particular server in a clustered environment. Biometrics is the science of authenticating individuals by their physical traits. A cloud computer is a computer that resides on the Internet and is run by a third-party service provider that offers various computing services to individual users and small to midsized companies. A TPM is a trusted platform module, which is similar to an HSM but is internal to the computer, perhaps as a chip on the motherboard. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
24
Q
The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Of the following, what is the best option to implement if you wanted to recover a lost laptop? A. Remote wipe B. HIDS C. GPS D. WDE
A
Answer: C. GPS
Explanation: GPS tracking is the best answer listed if you want to recover a lost laptop. If installed properly (and if in GPS range) the GPS chip will enable the laptop to be tracked. Remote wipe (or remote sanitization) will wipe out all the data on the laptop (if it is accessible) but will, of itself, not inform you as to the location of the laptop. HIDS (host-based intrusion detection system) is software that can be loaded on the laptop that will detect malicious activity. WDE is whole disk encryption, which will make the data hard to decrypt and read but won’t aid in the tracking of the laptop. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
25
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which of the following is the best description of a security advantage when using a standardized server image?
A. All antivirus software will be current.
B. All current updates for the OS will already have been applied.
C. All mandated security configurations will already have been applied to the OS.
D. OS licensing will be easier to track.
Answer: C. All mandated security configurations will already have been applied to the OS.
Explanation: Organizations develop standardized images for their server operating systems. They are standardized according to organizational policy. So, any mandated security configurations should be applied to the OS before it is made into an image to be used on the network. Unfortunately, that only gets the OS image to a certain point in time. Any new AV definitions, security updates to the OS, and so on, will need to be applied afterward according to organizational policy. OS licensing trackability should not change. Whether you track your OS licenses on paper or with a scanning program, they should be tracked in the same manner as with physical operating systems. See the section titled “Virtualization Technology” in Chapter 3, “OS Hardening and Virtualization,” for more information.
26
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You are the security administrator for the company ABC Accounting Inc. The IT director has given rights to you allowing you to review logs and update network devices only. Other rights are given out to network administrators for the areas that fall within their job description. What kind of access control is this?
A. Job rotation
B. Discretionary
C. Mandatory vacation
D. Least privilege
```
Answer: D. Least privilege
Explanation: Least privilege is when users are given only the amount of rights necessary to do their job. Since the IT director only gave you specific rights and no more, and because other very specific rights are given to other network administrators, the least privilege rule applies here. Job rotation is when multiple users are cycled through different related tasks. Discretionary access control (DAC) is an access control model that has rules set by the user. Because the IT director has already set rights and permissions, this scenario does not involve DAC. Mandatory vacation is when a user is forced to take consecutive days vacation away from the office. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
27
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which wireless configurations can be easily circumvented using a network sniffer?
A. Disabled SSID
B. EAP-TLS
C. WPA2
D. MAC filtering
E. WEP with 802.1X
```
Answers: A. Disabled SSID and D. MAC filtering
Explanation: Utilizing a network sniffer (or packet analyzer) can aid an attacker in discerning the SSID of an AP as well as which MAC addresses are being allowed in. By drilling down through the frames of information that are captured, the attacker can easily find the SSID name, and with a little work can deduce the MAC addresses that have access to the network. Then, the person need only spoof the MAC address and connect to the AP’s SSID manually and have access to the wireless network. The other answers concern authentication and encryption methods, which will be much more difficult to circumvent. 802.1X is network access control that uses various types of authentication methods including EAP-TLS. WEP and WPA2 are encryption methods, and while WEP is deprecated, it is difficult to get past when used in conjunction with 802.1X. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
28
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You have been tasked with providing a staff of 250 employees secure remote access to your corporate network. Which of the following is the best solution?
A. VPN concentrator
B. Web security gateway
C. Web proxy
D. Software-based firewall
```
Answer: A. VPN concentrator
Explanation: The VPN concentrator is the best solution listed. A hardware device such as this can handle 250 concurrent, secure, remote connections to the network. Web security gateways are used to block access to specific websites. Web proxies cache website content for later use. Software-based firewalls can allow for remote secure access but not for the amount of concurrent connections needed. A hardware-based firewall or VPN concentrator is the best solution. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
29
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Susan is in charge of installing a business-critical application on an Internet-facing server. She is going to update the application to the most current version. What other security control should she perform in conjunction with the update? Select the best answer.
A. Run a port scan of the application server.
B. Review and apply vendor-provided hardening documentation.
C. Configure the firewall to prevent the application from auto-updating.
D. Configure the firewall to allow the application to auto-update.
Answer: B. Review and apply vendor-provided hardening documentation
Explanation: Third-party applications will usually come with a slew of documentation, including a list of hardening methods. This vendor documentation should be applied while updating the application as part of the entire application security process. It is the best answer as far as what to do in conjunction with the update. Running a port scan is a good idea at some point, but it has less to do with the application, and more to do with finding unnecessary ports and services. If the application is installed on an Internet-facing server, there probably won’t be a firewall involved. If the application server is in a DMZ, it will probably be behind a firewall, but by definition, even if the DMZ-based application serves users on the Internet, this isn’t considered to be directly Internet-facing. Otherwise, the firewall should usually be set up to allow an application to auto-update, but you never know; some applications might need to be updated manually, depending on the security level of the application and organizational policy. See the section titled “Firewalls and Network Security” in Chapter 6, “Network Perimeter Security,” for more information.
30
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You have received several reports from users of corrupted data. You patched the affected systems but are still getting reports of corrupted data. Which of the following methods should you perform to help identify the problem?
A. Data integrity check
B. Penetration testing
C. Hardware baseline review
D. Vulnerability scan
```
Answer: D. Vulnerability scan
Explanation: If the data is becoming corrupted more than once even after an update to the affected systems, you should perform a vulnerability scan to find out what the possible threats and vulnerabilities are to those systems. A data integrity check would simply tell you that the data has been corrupted and therefore integrity is not intact. Penetration testing determines whether a system can be compromised by exploiting a particular threat. A hardware baseline review will tell you how your hardware is performing and how secure it is compared to the last baseline. Baselines are examples of vulnerability assessments, but in this case we need a software-based vulnerability assessment. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
31
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following will stop network traffic when the traffic is not identified in the firewall rule set?
A. Explicit allow
B. Explicit deny
C. Implicit deny
D. Access control lists
```
Answer: C. Implicit deny
Explanation: The principle of implicit deny is used to deny all traffic that isn’t explicitly (or specifically) allowed or denied. In other words, if the type of traffic hasn’t been associated with a rule, the implicit deny rule will kick in, thus protecting the device. Access control lists are used to filter packets and will include rules such as permit any, or explicit denies to particular IP addresses. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” and the section titled “Firewalls and Network Security” in Chapter 6, “Network Perimeter Security,” for more information.
32
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following equations represents the complexity of a password policy that enforces a lowercase password using the letters “a” through “z” where “n” is the password length?
A. n2 * 26
B. 26n
C. n26
D. 2n * 26
```
Answer: B. 26n
Explanation: The 26 refers to “a” through “z” (lowercase), which comes to 26 characters in total. The n is a variable that refers to the length of the password. When calculating a password, the amount of characters should be raised to a particular power that will be equal to the length of the password. So, if our policy in the above example dictated a password that was 8 characters long, then it would be 26 to the power of 8 or 268. In this case n = 8, but it doesn’t have to—it could be 10, 14, or whatever the security administrator sets the password length to in the password policy. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
33
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Improper use of P2P and social networking software may result in which of the following?
A. Data loss prevention
B. Denial of service
C. Shoulder surfing
D. Information disclosure
```
Answer: D. Information disclosure
Explanation: Using P2P software and social networking software (and websites) can lead to information disclosure. This could be due to user error, not following guidelines, using a weak password, and so on. One direct reason for this is when users place personal information where it can be easily found. Data loss prevention is a technique used to stop data leakage—it often entails the use of a hardware-based device. A denial of service is when a server is attacked with a flood of packets and there is a stoppage of service. Shoulder surfing is when someone attempts to gain personal information about another person by looking about the person’s desk or watching him while he is working on his computer. See the section titled “Social Engineering” in Chapter 15, “Policies, Procedures, and People,” for more information.
34
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Greg needs to centralize the authentication of multiple networking systems against a single user database. What is he trying to implement?
A. Access control list
B. Single sign-on
C. Multifactor authentication
D. Common Access Card
```
Answer: B. Single sign-on
Explanation: Single sign-on means the ability to log in to multiple systems using a single username/password combination (or other type of authentication method). This is what Greg needs in this scenario. Access control lists contain rules determining which IP addresses and users are allowed access to networks and data. Multifactor authentication is when two or more types of information (or physical security devices) are necessary to gain access to a system—for example, the combination of a username/password and a smart card. The Common Access Card is an authenticating smart card used by the DoD for personnel. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
35
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Your organization has a policy that states that user passwords must be at least 16 characters. Your computers use NTLM2 authentication for clients. Which of the following hash algorithms will be used for password authentication?
A. MD5
B. AES
C. LM hash
D. SHA
```
Answer: A. MD5
Explanation: The MD5 hashing algorithm is used by NTLM2 authentication. MD5 stands for Message-Digest algorithm 5. It uses a 128-bit key and is a widely used hashing algorithm. LM hash is used with passwords of 14 or less characters. If you use a password of 15 characters or more on newer versions of Windows, the OS will store a constant string as the LM hash, which is effectively a null password, and thereby uncrackable. The real password will be stored as an NTLM2 hash and (in this case calculated with MD5) will be used solely. AES is the Advanced Encryption Standard used widely in wireless networks. SHA is the Secure Hash Algorithm, which employs a 160-bit hash. Newer versions of SHA are more secure than MD5. See the section titled “Hashing Basics” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
36
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Tara has written an application and is ready to go through the hardening process. Which of the following could be considered a hardening process of the SDLC?
A. Disabling unnecessary services
B. Application patching management schedule
C. Disabling unnecessary accounts
D. Secure coding concepts
Answer: D. Secure coding concepts
Explanation: Secure coding concepts such as input validation will help to harden an application within the systems development life cycle (SDLC). While disabling unnecessary services and accounts, and patching the application are all important, these could all be considered application or server hardening, not hardening within the SDLC. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
37
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Hardware-based encryption devices such as hardware security modules (HSM) can sometimes see slower deployment in some organizations. What is the best reason for this?
A. RBAC
B. USB removable encryption
C. Lack of management software
D. Multifactor authentication
```
Answer: C. Lack of management software
Explanation: A lack of management software can cause slower deployment of HSMs. Because the HSM is an external device, it requires software to manage it allowing the HSM to communicate with the computer it is connected to. The lack of decent management software could cause some decision makers at organizations to be slow to adopt the solution. RBAC stands for role-based access control, which assigns roles to users based on sets of permissions. USB removable encryption is a decent solution for encrypting data, but an HSM can house extremely secure keys in comparison and have tamper protection as well—so USB removable encryption isn’t really a substitute for an HSM. Multifactor authentication means that a user needs to have two forms of ID, or needs to be authenticated in two or more ways to a system. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
38
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
What is the main difference between a worm and a virus?
A. A virus is easily removed.
B. A worm is undetectable.
C. A worm is self-replicating.
D. A virus is larger.
```
Answer: C. A worm is self-replicating.
Explanation: Worms are self-replicating once they are executed, whereas viruses are not. Viruses may spread out and infect one or more files, but the actual virus cannot replicate itself. Viruses and worms can both be difficult to remove—it depends on their severity and age. Worms and viruses can both be detected with antivirus software. Viruses can be larger or smaller than worms. The two are similar in general aside from self-replication. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
39
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following will identify a Smurf attack?
A. NIDS
B. Firewall
C. Content filter
D. Load balancer
```
Answer: A. NIDS
Explanation: A NIDS (network intrusion detection system) is designed to identify network attacks such as a Smurf attack (a type of DoS). Firewalls can block particular packets or IP addresses but don’t identify actual attacks. Content filters are used to secure users’ web browsing sessions, filtering out unwanted websites. Load balancers are used to distribute workload among multiple servers. See the section titled “NIDS Versus NIPS” in Chapter 6, “Network Perimeter Security,” for more information.
40
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following ports is required by an e-commerce web server running SSL?
A. Port 443 inbound
B. Port 80 inbound
C. Port 80 outbound
D. Port 443 outbound
```
Answer: A. Port 443 inbound
Explanation: The web server needs to have inbound port 443 open to accept secure requests for SSL sessions from clients. The outbound port doesn’t actually matter; it’s the inbound port that is important for the server. Inbound port 80 is used by default for regular HTTP connections. See the section titled “Security Protocols” in Chapter 13, “PKI and Encryption Protocols,” for more information.
41
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
In biometrics, what aspect of human authentication does a thumbprint scanner test for?
A. Something a user knows
B. Something a user is
C. Something a user has
D. Something a user does
```
Answer: B. Something a user is
Explanation: Biometrics is the science of authenticating individuals according to their physical characteristics, or something the person is. A thumbprint is an example of something a user is; other examples include retina scans and even brain scans. An example of something a user knows would be a password or PIN. An example of something a user has would be a smart card or other ID card. An example of something a user does would be a signature or voice recognition. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
42
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
What is MAC filtering a form of?
A. VPN
B. NAT
C. NAC
D. DMZ
```
Answer: C. NAC
Explanation: MAC filtering is when only a select list of MAC addresses is allowed to communicate with an AP or router. This is an example of network access control (NAC), a way of controlling how computers connect to the network in a secure fashion. VPN stands for virtual private network, which allows for the secure remote connection of computers to a network. NAT stands for network address translation, which takes care of the connection from LAN clients through a router and out to the Internet. A DMZ is a demilitarized zone—a place separate from the LAN where servers reside that can be reached by users on the Internet. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
43
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
A visitor plugs her laptop into the network in the conference room attempting to start a presentation that requires Internet access. The user gets a warning on the screen saying that her antivirus software is not up to date. As a result, the visitor is unable to access the Internet. What is the most likely cause of this?
A. The security posture on the network is disabled, and remediation must take place before the user can access the Internet.
B. The IDS blocked access to the network.
C. The IPS prevented access to the network.
D. The security posture on the network is enabled, and remediation must take place before the user can access the Internet.
Answer: D. The security posture on the network is enabled, and remediation must take place before the user can access the Internet.
Explanation: The security posture can be defined as the risk level to which a system is exposed. If enabled, a system will need to meet particular security requirements. In this case, the user cannot access the Internet with her laptop until the antivirus software is updated (the remediation). If disabled, the user would not need to update her system. An IDS will not block access to the network. Instead, an IDS will detect malicious activity on the network. An IPS is not designed to prevent internal users from accessing the network—it is designed to prevent malicious activity on the network. See the section titled “Monitoring Methodologies” in Chapter 11, “Monitoring and Auditing,” for more information.
44
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Your boss needs you to implement a password policy that prevents a user from reusing the same password. To be effective, it must be implemented in conjunction with the password history policy. Which of the following is the best method?
A. Minimum age
B. Expiration time
C. Password length
D. Lockout time
```
Answer: A. Minimum age
Explanation: This question refers to Windows Server products. The minimum age password policy must be set to enforce an effective password history policy. If this is not done (in conjunction with the password history policy) then the user will be able to reuse old passwords. For example, if the minimum age was set to the default of zero, then the user could simply change his password as many times as needed, without waiting, to get past the password history policy, and ultimately reuse an old password. The minimum age must always be less than the maximum age setting and must be more than zero to enforce a password history policy properly.
Note: If you configure the maximum age in Windows Server 2008 or Server 2003, the minimum age will automatically be configured to a day less than the maximum age. While maximum age might be another good possible answer to this question, the best and most direct answer would be minimum age.
Expiration of passwords, password length, and lockout time for accounts won’t affect this scenario. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
45
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You are in charge of installing patches to servers. Which of the following processes should you follow before installing a patch?
A. Due process
B. Separation of duties
C. Fault tolerance
D. Change management
```
Answer: D. Change management
Explanation: Change management is a structured way of changing the state of a computer system or IT procedure. The idea behind this is that change is going to happen, but the organization should adapt with change and be knowledgeable of any proposed changes before they occur. Other people in your organization might require that patches not be installed to a particular server; you should get their permission first as part of the change management process before installing the patch. Due process is the principle that an organization must respect and safeguard a person’s rights. Separation of duties is when more than one person is required to complete a particular task. Fault tolerance is the capability of your network to continue functioning after an error or attack occurs. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
46
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Rick is reviewing the logs of a host-based IDS. They show that the computer has been compromised by a botnet and is communicating with a master server. If Rick needs to power the computer off, which of the following types of data will be unavailable?
A. Memory, system processes, and network processes
B. Memory, archival storage, and temporary files
C. Swap files, system processes, and the master boot record
D. The system disk, e-mail, and log files
Answer: A. Memory, system processes, and network processes
Explanation: Memory is cleared when the computer is shut down (unless hibernation mode has been implemented). This removes system and network processes from memory. Archival storage, the master boot record, system disk, e-mail, and log files will all still be available. Although two other answers had possibilities within them, they weren’t altogether correct. See the section titled “Implementing Security Applications” in Chapter 2, “Computer Systems Security,” for more information.
47
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You have been tasked to implement an encryption algorithm that has a key length of 128 bits. Which of the following is the only solution?
A. SHA
B. AES
C. 3DES
D. DES
```
Answer: B. AES
Explanation: AES128 is a 128-bit cipher, meaning it has a key length of 128 bits. However, a more secure solution would be to use AES256 (256-bit key length). SHA -1 is 160-bit, and SHA-2 is 256 or 512-bit in key length. DES is 56-bit, and its successor 3DES is 168-bit. See the section titled “Encryption Algorithms” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
48
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You have been tasked with securing a switch from physical access. Which of the following should you implement first?
A. Set up access control lists.
B. Check the baseline configuration.
C. Disable unused ports.
D. Disable unnecessary accounts.
```
Answer: C. Disable unused ports
Explanation: If you need to physically secure a switch, you should first disable unused ports so that a person who has gained unauthorized access to your server room or data center cannot plug a laptop into one of those ports and access the network. It would also be wise to check (or create) a security baseline at some point after this. Access control lists are generally set up on routers, not on switches. Regardless, they deal with the logical, not the physical. The same holds true for accounts, they are of a logical nature, and are usually set up on servers and routers. See the section titled “Network Design” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
49
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following requires a CA during the authentication process?
A. PEAP-TLS
B. FTPS explicit
C. FTPS implicit
D. MD5
```
Answer: A. PEAP-TLS
Explanation: PEAP (Protected Extensible Authentication Protocol) creates a TLS tunnel by acquiring a PKI certificate from a CA. It is known simply as PEAP or as PEAP-TLS. It is similar to EAP-TTLS. FTPS is FTP over SSL. Explicit mode means that the FTPS client must explicitly request security from the FTPS server. Implicit FTPS connections do not allow negotiation—there is no request for security; it is expected from the server. MD5 is a cryptographic hash function. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
50
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
You have been instructed to install an intrusion detection system that can protect a database server and the rest of the network. You cannot afford to use any more resources on the database server. You decide to implement a network intrusion detection system. Why is this superior to a host-based intrusion detection system? (Select the two best answers.)
A. A HIDS is not reliable when it comes to detecting attacks.
B. Usually, HIDS cannot detect network attacks.
C. A HIDS cannot be updated.
D. A HIDS can negatively impact system performance.
Answers: B and D. Usually, HIDS cannot detect network attacks, and A HIDS can negatively impact system performance.
Explanation: A HIDS usually cannot detect network attacks, whereas a NIDS can. A HIDS will definitely have a negative impact on system performance because it uses resources in the form of CPU and RAM; however, a HIDS is reliable when it comes to detecting attacks on an individual computer. Also, a HIDS can be updated. See the section titled “Implementing Security Applications” in Chapter 2, “Computer Systems Security,” for more information.
51
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
What should a disaster recovery plan (DRP) contain?
A. Hierarchical access control lists
B. Single points of failure
C. Hierarchical list of hot sites
D. Hierarchical list of critical systems
```
Answer: D. Hierarchical list of critical systems
Explanation: A disaster recovery plan should contain (among other things) a list of critical systems in order from the most critical to the least critical. Access control lists don’t fail, but the router that they are contained within may fail and therefore the routers should be listed as critical systems. Anything could be a single point of failure. If a single point of failure cannot be tolerated, it needs to be mitigated in the form of fault tolerance (UPS, RAID, clustering, and so on). Generally, an organization will only have one hot site due to the fact that they are very expensive to maintain. See the section titled “Disaster Recovery Planning and Procedures” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
52
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
NTLM is for the most part backward compatible and is an improved version of which of the following?
A. LANMAN
B. AES
C. MD5
D. passwd
```
Answer: A. LANMAN
Explanation: LANMAN is an outdated hash used in Windows—it is the original hash used to store passwords. NTLM (and the newer NTLMv2) hash are used in newer versions of Windows to replace LANMAN. AES is the Advanced Encryption Standard, a popular encryption method. MD5 is a different hash function used in the downloading of files among other things. Passwd is a text-based file used in Linux that stores user information and permissions. See the section titled “Hashing Basics” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
53
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
A computer that is connected to an NAC-enabled network is not asked for the proper NAC credentials. What is a possible reason for this?
A. The computer is not patched.
B. The computer doesn’t have the latest antivirus definitions.
C. The computer is missing the authentication agent.
D. The computer does not have the latest SP.
Answer: C. The computer is missing the authentication agent.
Explanation: In a network access control (NAC) enabled network, computers must have the authentication agent installed; otherwise, the NAC system will not ask for the credentials (and the computer will not get access to the network). The authentication agent is also known as a supplicant (for example in 802.1X systems). The patch level, antivirus definitions, and service packs (SPs) are separate from the NAC system. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
54
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following security technologies should you provide to allow users remote access to your network? (Select the two best answers.)
A. Firewall
B. Subnetting
C. NAT
D. VPN
E. NAC
```
Answers: A. Firewall and D. VPN
Explanation: A firewall can be used in conjunction with a virtual private network (VPN) service to allow users remote access to your network. The firewall might incorporate the VPN, or the VPN might be controlled by a separate server or concentrator. Subnetting is not necessary for remote access, but it is a security method used to compartmentalize networks. Network address translation (NAT) is used to translate LAN addresses through to the Internet. Network access control (NAC) is used to authenticate computers and users in a secure fashion on the LAN. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
55
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
What kind of threat is a virus designed to format a computer’s hard drive on a specific calendar day?
A. Bot
B. Spyware
C. Logic bomb
D. Adware
```
Answer: C. Logic bomb
Explanation: A logic bomb is code designed to be set off on a specific day. This may cause a virus to execute or other malicious activity to occur at that specific time. A bot, short for robot, is also known as a zombie, which is a compromised computer controlled by a central source. Spyware is unwanted software that tracks Internet access. Adware is the pop-up ads you see when you go to various websites. It is also software similar to spyware that will track your Internet access to expose you to specific ads. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
56
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
When authenticating with PEAP, what isused to provide mutual authentication between peer computers?
A. MSCHAPv1
B. MD5
C. MSCHAPv2
D. EAP
```
Answer: C. MSCHAPv2
Explanation: PEAP uses MSCHAPv2 most commonly. This supports authentication via Microsoft Active Directory databases. MSCHAPv1 does not allow this and is not used in PEAP. MD5 is not an authentication method, and is not used by PEAP, but it is used in EAP-MD5 (as a hashing algorithm), which is also challenge-based. PEAP is a derivative of EAP (Extensible Authentication Protocol). See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
57
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
What needs to be configured to offer remote access to a network?
A. Tokens
B. Biometrics
C. Supplicants
D. ACLs
```
Answer: D. ACLs
Explanation: Access control lists (ACLs) need to be configured properly for users to gain remote access through a firewall/router and on to the main network. Tokens are used in authentication schemes (often local) but are usually generated without little configuration. Biometrics is the authentication of individuals through physical characteristics. Supplicants (authentication agents) are usually loaded on computers in an 802.1X NAC network, which is usually local and usually done with little configuration. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
58
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
To determine network access requirements, a person working in HR has been tasked with assigning users in Accounting the same job function. What is this an example of?
A. MAC
B. DAC
C. RBAC
D. ACL
```
Answer: C. RBAC
Explanation: Role-based access control (RBAC) is when individuals are assigned groups of permissions that constitute a role. While a person in HR might not assign job functions within the operating system directly, the person will commonly assign the job functions for each user in some type of paper or electronic document, and deliver that document to a security administrator who then implements those job functions within the operating system. Mandatory access control (MAC) is a model that determines permissions by a computer system. Discretionary access control (DAC) is when permissions are determined by the owner. An ACL is an access control list, which defines what IP addresses (or users) can access particular networks or resources. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
59
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
You have been given 10 hard drives that need to be decommissioned. What is the first thing you should do?
A. Format the hard drive.
B. Perform a bit level erasure or overwrite the drive.
C. Contact a waste disposal facility.
D. Burn the hard drives in an incinerator.
Answer: B. Perform a bit level erasure or overwrite the drive.
Explanation: Hard drives should be sanitized. This can be done with bit-level erasure software that completely obliterates any data that was previously on the drive. Formatting the drive is not enough as data can still be recovered from a formatted drive. Even if you plan on disposing of the drives with a third-party facility, the drive should still be sanitized beforehand. Most organizations will not burn hard drives. It might even be illegal in your municipality. Instead, after sanitization, hard drives are often pulverized. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
60
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following protocols or services uses port 19?
A. CHARGEN
B. Echo
C. Telnet
D. SMTP
```
Answer: A. CHARGEN
Explanation: CHARGEN, the character generator, uses port 19. It is commonly used by a Fraggle attack. Echo uses port 7. Telnet uses port 23. SMTP uses port 25. See the section titled “Ports and Protocols” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
61
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You have several unused USB flash drives, three laptops, and two HSMs that contain sensitive data. What is the best way to prevent the theft of these devices?
A. GPS tracking
B. Encryption
C. Locking cabinet
D. Hashing
```
Answer: C. Locking cabinet
Explanation: A locking cabinet is the best way listed to prevent the theft of physical devices such as USB flash drives and laptops. But only if the locking cabinet...is locked. GPS tracking can aid in finding devices after they were stolen. Encryption helps in keeping data secure even if the device is stolen (although it isn’t a perfect solution). Hashing provides integrity of data. However, GPS tracking, encryption, and hashing won’t stop the physical devices from being stolen. It’s important to keep physical devices locked up when not in use and monitored by video surveillance or other means. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
62
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You suspect that an unauthorized person has accessed your server room. Which of the following would be the best proof of this?
A. Card key log
B. Video surveillance
C. Security log
D. Security guard testimony
```
Answer: B. Video surveillance
Explanation: Video surveillance would be the most undeniable source of proof listed. A card key log from a proximity reader system could have been tampered with or the unauthorized person might have obtained a legitimate card key. Security logs are not good sources of proof, and although a security guard’s testimony could be compelling, it could still be deniable. Video surveillance (for example CCTV systems) is the best form of proof because it would be the hardest to tamper with or spoof. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
63
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Your boss has asked you to reduce an AP’s power setting, and place the AP in the center of your building. What reconnaissance method is your boss trying to prevent?
A. Wardriving
B. Evil twin
C. Rogue AP
D. RF interference
```
Answer: A. Wardriving
Explanation: Your boss is trying to prevent wardriving. By streamlining your AP, you reduce the chance of a wardriver being able to access (or even “see”) your wireless network. An evil twin is an AP put in place maliciously that has the same SSID as an already existing AP on your network. Rogue APs are access points that are not part of your wireless network. The above techniques in the scenario might reduce RF interference; however, RF interference is not a reconnaissance method. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
64
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Mitigating risk based on cost could be described as which of the following?
A. Business impact analysis
B. Quantitative risk assessment
C. Vulnerability assessment
D. Qualitative risk assessment
```
Answer: B. Quantitative risk assessment
Explanation: Quantitative risk assessment measures risk using exact monetary values. Whereas qualitative risk assessment assigns numeric values to the probability of risk. Business impact analysis is the differentiation of critical and non urgent functions and is part of a DRP or BCP. A vulnerability assessment is an analysis of security weakness in an organization. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
65
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
A customer has asked you to implement a solution to hide as much information about the internal structure of the network as possible. The customer also wants to minimize traffic with the Internet and does not want to increase security risks to the internal network. Which of the following solutions should you implement?
A. NIDS
B. Firewall
C. Protocol analyzer
D. Proxy server
```
Answer: D. Proxy server
Explanation: A proxy server, specifically a caching proxy, will minimize traffic with the Internet. Users that access the same websites will get their information from the proxy server instead of from the Internet. An IP proxy server will hide information about the internal structure of the network. Proxy servers are available that can handle both of these functions. A NIDS, network intrusion detection system, detects attacks on the network. A firewall closes off ports on the network; and although some firewalls also come with proxy functionality, it is not the best answer for this scenario. Protocol analyzers, also known as network sniffers, can analyze packets of information that have been captured. See the section titled “Firewalls and Network Security” in Chapter 6, “Network Perimeter Security,” for more information.
66
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Specific secure data is only supposed to be viewed by certain authorized users. What concept ensures this?
A. Confidentiality
B. Integrity
C. Availability
D. Authenticity
```
Answer: A. Confidentiality
Explanation: The concept of confidentiality ensures that only authorized users can view secure data. Integrity ensures that data has not been tampered with. Availability ensures that data is accessible and ready. Authenticity ensures that data comes from who the data is supposed to come from and that it is a reputable source. See the section titled “Security 101” in Chapter 1, “Introduction to Security,” for more information.
67
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
To prevent ad hoc configuration issues onyour wireless network, what method should you implement?
A. Incident management strategy
B. Auditing strategy
C. Change management strategy
D. Patch management strategy
```
Answer: C. Change management strategy
Explanation: Change management is a structured way of making changes to networking equipment and other systems. It is done in a way where everyone involved is notified of a change. If a person was to add networking devices to an ad hoc wireless network without consulting anyone else, it could cause many issues, including, but not limited to, loss of access to the network. Incident management (and incident response) is a set of procedures that a person goes through when examining a computer or network-related security incident. Patch management is the planning, testing, implementing, and auditing of patches that are installed on systems. Auditing strategies in patch management involve making sure the patch holds properly over time. In general, auditing strategies are implemented to properly record and review what happens to data within the various servers and other computers on the network. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
68
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You have disabled all unnecessary services on a domain controller. What is this an example of?
A. Secure code review
B. Baselining
C. Patch management strategy
D. Application hardening
```
Answer: D. Application hardening
Explanation: Application hardening is the securing of an application, disabling of unnecessary services, disabling unused accounts, removal of unnecessary applications, and so on. Secure code review is the analysis of code to make sure it cannot be corrupted—this is done through input validation, checking for unmanaged code, checking for sensitive data, and so on. Baselining is the process or measuring changes in a system. Patch management strategy is the entire four-step process involved when adding patches to a system. See the section titled “Hardening Operating Systems” in Chapter 3, “OS Hardening and Virtualization,” for more information.
69
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following would an antivirus program most likely not detect? (Select the two best answers.)
A. Logic bomb
B. Worm
C. Virus
D. Trojan
E. Pharming
```
Answers: A. Logic bomb and E. Pharming
Explanation: Antivirus programs are meant to scan for viruses, worms, and Trojans. They are least likely to discover logic bombs since they don’t manifest themselves right away. Pharming is a type of social engineering attack that antivirus programs are not designed to detect. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
70
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Users are required to log in to the network. They use a smart card to do so. Which type of key does the smart card use to log in to the network?
A. Cipher key
B. Shared key
C. Private key
D. Public key
```
Answer: C. Private key
Explanation: A private key is used by smart cards during login to a network. Often the smartcard will be used along with another form of authentication, creating a multifactor authentication scheme. Public keys are used in asymmetric encryption environments. A key is basically one component of a cipher or algorithm. A shared key is often used in public key environments and asymmetric encryption environments, in which two users share the same key. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
71
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
The IT director is worried about OS vulnerabilities. What suggestion should you give as the best way to mitigate this threat?
A. Locking cabinet
B. Patch management
C. Antispam software
D. Encryption
```
Answer: B. Patch management
Explanation: If the IT director is worried about operating system vulnerabilities, then a solid patch management strategy should be implemented. By keeping the OS up to date, there should be fewer OS vulnerabilities and therefore fewer threats to the OS. Locking cabinets should be used to store devices and data when not in use. Antispam software is used to prevent unwanted e-mails from reaching users. Encryption is used to keep data confidential. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
72
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
What would you implement to separate two departments?
A. MAC filtering
B. Cloud computing
C. VLAN
D. SaaS
```
Answer: C. VLAN
Explanation: A virtual LAN (VLAN) is used to logically separate groups of computers. It is often done to separate departments in a virtual manner without having to change the physical cabling design. MAC filtering is a method implemented on access points to allow only specific systems onto the wireless network. Cloud computing is a group of various services offered by third-party organizations—the services are hosted on the Internet. SaaS (Software as a Service) is an example of cloud computing. See the section titled “Network Design” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
73
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which of the following best describes a TPM?
A. Hardware chip that stores keys
B. High-speed secure removable storage device
C. Third-party certificate authority
D. USB encryption
Answer: A. Hardware chip that stores keys
Explanation: A TPM (Trusted Platform Module) is a chip that resides on a motherboard that stores encrypted keys used to encrypt the entire hard drive of a computer. A hardware security module (HSM) is a high-speed secure removable storage device. An example of a third-party certificate authority (CA) is a company such as VeriSign that develops and distributes trusted certificates. USB encryption is a removable type of encryption; for example, a USB flash drive might be encrypted with AES256 to keep data secure. See the section titled “Securing Computer hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
74
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following is a passive attempt at identifying weaknesses?
A. Port scanning
B. Penetration testing
C. DoS attack
D. Vulnerability scanning
```
Answer: D. Vulnerability scanning
Explanation: Vulnerability scanning is considered to be an example of passive security testing. The acts of port scanning, penetration testing, and testing by way of attack (such as a DoS) are all considered to be active security testing. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
75
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Your organization currently uses two-factor authentication but wants to install a third factor of authentication. The existing system uses passwords and software-based PKI tokens. Which of the following would provide a third factor of authentication?
A. Elliptic curve
B. Fingerprint scanner
C. Passphrases
D. Four digit pin codes
```
Answer: B. Fingerprint scanner
Explanation: A fingerprint scanner is the only option that can offer a third factor of authentication. Elliptic curve is a type of asymmetric encryption, not a type of authentication. Passphrases and PINs fall into the same category as passwords, so they are not considered a separate type of authentication. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
76
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
An attacker has identified and exploited several vulnerabilities in a closed-source application that your organization has developed. What did the attacker implement?
A. Secure code review
B. Vulnerability testing
C. Fuzzing
D. Compiling
```
Answer: C. Fuzzing
Explanation: Fuzzing (fuzz testing) is the automated insertion of random data into a computer program. It is used to find vulnerabilities by the people who developed the program and by attackers. Secure code review is the analysis of source code by authorized individuals in an attempt to find problems and security issues. Vulnerability testing is a scan done on computers and networks to find their vulnerability level. Compiling is the transformation of source code, generally done to create executable programs. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
77
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which of the following are requirements for a cold site?
A. Power and connectivity
B. Redundant servers and networking devices
C. Close proximity to the datacenter
D. Patched and updated client computers
Answer: A. Power and connectivity
Explanation: A cold site need only have power and data/telco connectivity ready to go in the case of an emergency. The organization is expected to provide servers and other computers, phones, as well as configure them all. Warm sites might have computers and servers available but not configured. Hot sites will have redundant servers and networking devices, and patched client computers. Plus everything will be configured and ready to go at short notice. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
78
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
User awareness and training can help with which of the following?
A. Compliance with legislative and vendor software best practices
B. Enforcement of physical security requirements
C. Minimizing organizational risk caused by users
D. Identifying DoS attacks
Answer: C. Minimizing organizational risk caused by users
Explanation: Users are an aspect of risk to an organization (whether they mean to be or not!). By committing to a training schedule and other user awareness policies, an organization can reduce that risk. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
79
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
After auditing an FTP server you note that the server has an average of 100 concurrent connections. Where should you look to determine whether this is normal or whether your FTP server is being attacked?
A. Secure code review
B. Baseline reporting
C. Security policy
D. DRP
```
Answer: B. Baseline reporting
Explanation: Baseline reporting will tell you what has happened in the past on your FTP server. By creating a baseline, you can compare current results with past results, helping you to determine whether the activity is normal. Secure code review is done to analyze whether the source code of a program has vulnerabilities. A security policy will dictate how an organization will approach risk and how it will deal with vulnerabilities. A DRP is a disaster recovery plan. See the section titled “Using Tools to Monitor Systems and Networks” in Chapter 11, “Monitoring and Auditing,” for more information.
80
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
A user attempts to log on to the network three times and fails each time. After the third time, the user is not allowed to attempt to log in for 30 minutes. What setting is this known as?
A. Account lockout duration
B. Account lockout threshold
C. Password complexity requirements
D. Minimum password age
```
Answer: A. Account lockout duration
Explanation: The account lockout duration is the amount of time that users will not be allowed to attempt to log in to the network after they have reached the threshold of account login failures. By default this setting is 30 minutes on many security policies. The account lockout threshold is the amount of times that the user is allowed to attempt to log in. The default on many policies is five, but often organizations change this to three (known as the three-strikes-and-you’re-out rule). Password complexity requirements can be enabled within a policy; if so, the users need to incorporate three of four methods of password complexity including uppercase characters, numeric characters, special characters, and so on. Minimum password age is the amount of days that a password must exist before a user is allowed to change it. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
81
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following is a trusted OS implementation used to prevent malicious code from executing on Linux platforms?
A. System File Checker (SFC)
B. SELinux
C. Tripwire
D. vmlinuz
```
Answer: B. SELinux
Explanation: Security-Enhanced Linux (SELinux) is a feature that supports mandatory access control and includes modifications that add security to Linux distributions helping to prevent malicious and suspicious code from executing. System File Checker (SFC) is a utility in Windows that checks the integrity of system files and replaces them if necessary. Tripwire is Linux-based open source software designed to check data integrity and alert users to changes. Vmlinuz is a compressed bootable version of the Linux kernel. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
82
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Your boss asks you to install a wireless access point and set up a new wireless network. Which protocol offers the best wireless security?
A. WPA
B. SSH
C. WEP
D. WPA2
```
Answer: D. WPA2
Explanation: WPA2 (Wi-Fi Protected Access version 2) is the most secure of the protocols listed when it comes to wireless networking security. WPA (or WPA version 1) is still widely used, but if possible wireless networks should be upgraded to WPA2. SSH is Secure Shell, which allows data to be sent and received securely between two networked systems. WEP (Wired Equivalent Privacy) is deprecated and not recommended for use. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
83
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following would a routine system audit most likely include?
A. Penetration testing
B. User rights and permissions reviews
C. Security policy development
D. Port scanning
```
Answer: B. User rights and permissions reviews
Explanation: Routine system audits will check for user rights and permissions as well as analyze log files, for example, the Security log in Windows. The development and implementation of the security policy that enabled the security log should have been done long before actual auditing takes place. Penetration testing and port scanning are not included in routine system audits but might be part of more elaborate security audits. Routine system audits are noninvasive (passive) allowing the systems to be audited to continue functioning as normal. See the section titled “Conducting Audits” in Chapter 11, “Monitoring and Auditing,” for more information.
84
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
What is a default rule found in a firewall’s ACL?
A. Deny all
B. Permit all
C. netsh advfirewall firewall
D. add address=192.168.0.0/16
```
Answer: A. Deny all
Explanation: The deny all rule is a default rule found in a corporate firewall’s access control lists (ACLs). It is an example of the implicit deny concept. Permit all is not a default rule as it would be quite dangerous. Netsh advfirewall firewall is a command used in Windows to view personal firewall information. Add address=192.168.0.0/16 is a way to disable (or enable) private addressing space. See the section titled “Firewalls and Network Security” in Chapter6, “Network Perimeter Security,” for more information.
85
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Your Windows domain has additional servers configured as member servers. Your job is to minimize the risk of unauthorized persons logging on locally to the member servers. Your solution should have a minimal impact on local management and administration and should not limit administrator access. Which of following are the best solutions? (Select the two best answers.)
A. Disable account lockout policies.
B. Require strong passwords.
C. Rename the local default accounts.
D. Configure all services to run under the context of the Local System account.
E. Disable the local default accounts.
F. Provide backdoors into the member servers.
Answers: B and C. Require strong passwords, and rename the local default accounts.
Explanation: By renaming the local default accounts (which includes the administrator account), users will have a difficult time attempting to select a username with administrative access. Most people know that the default administrative account in Windows is the administrator account; by renaming it you add a layer of security. Strong passwords is always a good idea and can help prevent an unauthorized user from logging on to the member server. On some Windows systems, by default, the administrator account has a blank password. It is common procedure to rename the account and configure a complex password. Disabling account lockout policies makes the server less secure. By default services do run under the local system account. Disabling the local default accounts would also disable the administrator account, and the question specifies that administrator access should not be limited. It is not a good idea to provide backdoors into any servers or devices; if backdoors are found, they should be eliminated or reported to the vendor of the software. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
86
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
In which of the following ways can risk not be managed?
A. Risk transfer
B. Risk mitigation
C. Risk acceptance
D. Risk elimination
```
Answer: D. Risk elimination
Explanation: Risk cannot simply be eliminated. It can be mitigated by way of securing systems and implementing security policies; it can be transferred by way of insurance policies; it can be accepted to a certain extent, but it cannot be eliminated. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
87
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You get an automated call from what appears to be your bank. The recording asks you to state your name, birthday, and enter your bank account number to validate your identity. What type of attack has been perpetuated against you?
A. Pharming
B. Phishing
C. Vishing
D. Spoofing
```
Answer: C. Vishing
Explanation: Vishing is a type of phishing social engineering attack, but it is done over the phone, whereas regular phishing is usually done by e-mail. Pharming is an attack designed to redirect a website’s traffic to another website. Spoofing is an attack where a person or a program masquerades as another one. See the section titled “Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
88
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You need to regulate cooling in your data center. What is the best environmental control to use?
A. EMI shielding
B. Hot and cold aisles
C. Fire suppression
D. Video surveillance
```
Answer: B. Hot and cold aisles
Explanation: To regulate cooling in a datacenter or server room, hot and cold aisles should be used. The cold aisle is on one side of the server racks. Air is drawn into the servers and exhausted into the hot aisle and ventilated out of the server room. See the section titled “Environmental Controls” in Chapter 15, “Policies, Procedures, and People,” for more information.
89
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following will help to prevent data theft? Select the best answer.
A. Password history
B. GPS tracking
C. Video surveillance
D. Clean desk policy
```
Answer: D. Clean desk policy
Explanation: An organization might institute a clean desk policy in the hopes that USB flash drives, discs, and other items are not left lying around. Password history is a policy that can be implemented that disallows users from configuring a same password they had used previously. GPS tracking can be used to find portable devices but will usually be too late to prevent data theft. Video surveillance is great as a record of who entered a building but is not a proactive way to prevent data theft. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
90
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
The IT director asks you to configure security for your network. The network is isolated from the Internet by a perimeter network. The perimeter network contains three web servers and a network intrusion detection system. You need to test the network’s capability to detect and respond to a denial-of-service attack against the applications running on the web servers.
What method should you use?
A. Port scanning
B. Vulnerability scanning
C. Penetration testing
D. Network analysis
```
Answer: C. Penetration testing
Explanation: Penetration testing will give you a detailed account of whether a network has the capability to detect and respond to a denial-of-service attack. Penetration testing is a type of active testing that should be performed during off hours because it uses many resources on the network and on the computer running the test. The other three answers are types of passive analysis. They might tell you whether the network has the capability to detect an attack but cannot tell you whether the network has the capability to respond to an attack. The network intrusion detection system (NIDS) only detects attacks and warns an administrator if it finds one. So in actuality, chances are your penetration tests will inform you that the network cannot respond to a denial-of-service attack. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
91
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which of the following is the best practice to secure log files?
A. Copy the log files to a server in a remote location.
B. Log all failed and successful login attempts.
C. Increase the size of the log files.
D. Perform hashing of the log files.
Answer: A. Copy the log files to a server in a remote location.
Explanation: The best practice to securing log files is to make sure that they are copied to a remote location—better yet to another server in a remote location where they can be easily accessible if the original server fails. This remote location should be in another city, not across the street in another building. Logging all failed and successful login attempts can create gigantic log files—the kind that might be impossible to manage. Most organizations will not do this. Increasing the size of log files won’t necessarily secure them, but it is a good idea when it comes to the management of log files. The default size of log files in most operating systems is not large enough for today’s big organizations. The hashing of log files is a good idea when securing the log files so that integrity can be maintained but is not necessarily the best practice. It should be used in conjunction with copying the files to a secure location. See the section titled “Conducting Audits” in Chapter 11, “Monitoring and Auditing,” for more information.
92
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You are the network security administrator. One of the system administrators reports to you that an unauthorized user has accessed the network. What should you do first?
A. Contact the police.
B. Contain the problem.
C. Determine the monetary impact.
D. Notify management.
```
Answer: B. Contain the problem.
Explanation: The first thing you should do is contain the problem. That can mean attracting the unauthorized user to a honeypot or honeynet or shutting down the affected systems. Afterward, depending on policy, you might notify management and possibly contact the police. Finally, you would determine the monetary impact after assessing the damage to the affected systems, if there were any. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
93
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Randy needs an external add-on solution that can provide encryption and integrate with his existing database server. Which of the following would meet his needs?
A. TPM
B. FDE
C. CAC
D. HSM
```
Answer: D. HSM
Explanation: A hardware security module (HSM) provides encryption and can be an external device that can integrate with an existing server. A trusted platform module (TPM) is an encrypting chip that resides on a motherboard. FDE stands for full disk encryption, which can be implemented with a TPM. CAC stands for Common Access Card, a smart ID card used by the DoD. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
94
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You investigate an executive’s laptop and find a system-level kernel module that is modifying the operating system’s functions. What is this an example of?
A. Logic bomb
B. Virus
C. Rootkit
D. Worm
```
Answer: C. Rootkit
Explanation: Rootkits are designed to gain administrative control over an OS without being detected, and perform malicious operations. Worms and viruses affect files but not the kernel of the OS. Logic bombs are ways of delivering malicious software at a specific date. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
95
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
You are the systems administrator for your organization. Human resources notifies you that a particular user has been terminated. What should you do? (Select the two best answers.)
A. Retain the user’s data for a specific amount of time.
B. Delete the user’s account.
C. Delete the user’s data.
D. Disable the user’s account.
Answers: A and D. Retain the user’s data for a specific amount of time, and disable the user’s account.
Explanation: If a user is terminated, standard policy is to disable that user’s account and to retain the user’s data for a specific amount of time, which should be stated within the policy. It is not wise to delete a user’s account, because all audited information and encryption keys associated with the user account will be lost. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
96
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
Which of the following is most likely to result in data loss?
A. Accounting personnel transferring confidential staff information with SFTP
B. Developers copying data from production to test environments with USB sticks
C. Encrypted backup tapes left unattended at reception for offsite storage
D. Back office staff updating details on a mainframe with SSH
Answer: B. Developers copying data from production to test environments with USB sticks Explanation: By default, if data is copied to a USB stick, it is not encrypted. There is virtually no security in this scenario, and the worst part is that the USB sticks are physically travelling from one department to another. To rectify the situation, the developers could consider using AES256 to encrypt the data on the USB flash drives. The accounting personnel are using SFTP, the backup tapes are encrypted, and the back office staff is using SSH. All these other scenarios at least have some kind of security in mind. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
97
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following solutions should be used by heavily utilized networks?
A. VPN concentrator
B. Remote access
C. Provider cloud
D. Telephony
```
Answer: C. Provider cloud
Explanation: Provider clouds can offer Infrastructure as a Service (IaaS), which can alleviate some of the stress an organization’s network might suffer from. In addition provider clouds can offer software (SaaS) and platforms (PaaS). VPN concentrators and remote access are not good choices for heavily utilized networks. They are meant for smaller groups of remote users. Telephony is not a solution for heavily utilized networks—quite the opposite; often networks are the solution for telephony usage. See the section titled “Network Design” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
98
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You ran a penetration test against your two database servers and found out that each of them could be compromised with the default database user account and password. Which of the following did you forget to do to your database servers?
A. OS hardening
B. Patch management
C. Virtualization
D. Application hardening
```
Answer: D. Application hardening
Explanation: Part of application hardening is renaming (or disabling) default accounts and setting complex passwords. If this is not done, it becomes very easy for attackers to compromise the application. OS hardening is not correct in this instance because it is the database that can be compromised using the default database username/password. Databases are considered to be applications, not operating systems. Patch management won’t affect the default user account. The account has to be secured manually. Virtualization of operating systems doesn’t come into play here, although it could help to have backup virtual images made in the case that the database server is compromised. See the section titled “Hardening Operating Systems” in Chapter 3, “OS Hardening and Virtualization,” for more information.
99
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
Which of the following is the best fire suppression system to use if you do not want any equipment to be damaged?
A. Wet pipe sprinkler
B. Deluge sprinkler
C. Carbon dioxide
D. Wet chemical fire extinguisher
```
Answer: C. Carbon dioxide
Explanation: Carbon dioxide fire extinguishers are the best fire suppression system to use if you don’t want your equipment to be damaged. All the other answers can seriously damage equipment such as networking devices and servers. A carbon dioxide fire extinguisher is gaseous. There is only a slight chance of ESD damage, but that is rare. See the section titled “Environmental Controls” in Chapter 15, “Policies, Procedures, and People,” for more information.
100
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.
```
You have implemented an X.509 PKI. One of the private keys has been compromised before the certificate’s regular expiration date.
What should you do?
A. Validate the certificate.
B. Revoke the certificate.
C. Register the certificate.
D. Put the certificate in escrow.
```
Answer: B. Revoke the certificate.
Explanation: If a certificate is compromised before its regular expiration date, you should revoke the certificate. At this point it should be added to the certificate revocation list and published. The certificate should not be used again. It should not be validated or registered. It should also not be put in escrow unless a third party specifically requests it. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols.”
