Security Fundamentals

Question 1

What are the four categories of physical threats

Answer 1

Administrative, electrical, environmental, hardware

Question 2

Electrical threats

Answer 2

inadequate power, unconditioned power, and total loss of power

Question 3

A ___ is a good line of defense against electrical threats

Answer 3

UPS generator

Question 4

Hardware threats

Answer 4

physical damage, component damage

Question 5

To prevent hardware threats

Answer 5

restrict physical access, log physical access

Question 6

Environmental threats

Answer 6

temperature, and humidity

Question 7

Environmental threats can be mitigated by climate control systems and ___

Answer 7

monitoring the environment

Question 8

Administrative threats

Answer 8

maintenance errors, poorly labeled cables

Question 9

Administrative threats can be mitigated by

Answer 9

using a clear labeling system, maintaining an adequate supply of of spare parts, proper handling of electrical equipment at all times

Question 10

Reconnaissance attacks

Answer 10

passive attacks that are designed to gather information about a network or network device

Question 11

Examples of reconnaissance attacks

Answer 11

packet sniffing, ping sweeps, port scans

Question 12

Packet sniffing is limited to ___ networks

Answer 12

broadcast

Question 13

Packet sniffing attacks rely on ___ mode operation

Answer 13

promiscuous

Question 14

Packet sniffing attacks can identify

Answer 14

unencrypted passwords

Question 15

Packet sniffing attacks can be mitigated by

Answer 15

switched networks, encrypted connections

Question 16

Packet sniffers are commonly used to

Answer 16

extract clear text passwords from network traffic

Question 17

Ping sweeps

Answer 17

are used to determine which IP addresses are active within a particular range

Question 18

Ping sweeps rely on ___ protocol

Answer 18

ICMP

Question 19

Ping sweeps can be mitigated by

Answer 19

disabling ICMP

Question 20

Port scans

Answer 20

are used to discover active services, operating system revision, and configured network services

Question 21

Port scans can be detected by

Answer 21

IDS

Question 22

Access attacks

Answer 22

are used to gain unauthorized access to network systems

Question 23

Common access attacks

Answer 23

password attacks, buffer overflow

Question 24

Cisco password best practices

Answer 24

combination of upper and lower case letters
numbers and punctuation
five plus characters
no real words, slang, jargon
not based on personal information

Question 25

Buffer overflow attacks

Answer 25

exploit software vulnerabilities to execute malicious code

Question 26

A buffer overflow occurs when a

Answer 26

program writes data beyond the region of memory that has been allocated to that program
an attacker can use the BO to write arbitrary code into memory and have the code executed by the program

Question 27

Mitigate buffer overflow attacks

Answer 27

host based IPS, (HIPS), executable space protection, safe programming libraries

Question 28

___ are the most common form of logical access control

Answer 28

passwords

Question 29

Local passwords are configured on

Answer 29

the device to which the user is authenticating

Question 30

Local passwords are stored in the ___

Answer 30

startup configuration

Question 31

Local passwords are visible in the ___

Answer 31

running configuration

Question 32

Local passwords are stored as ___ but can be encrypted

Answer 32

plain text

Question 33

When configuring an encrypted password, you can create multiple privilege levels from 0 to 15. Which privilege level is granted to a user if the privilege level has not been configured in enable password or enable secret commands

Answer 33

15

Question 34

Level 0 password encryption

Answer 34

indicates that a password is unencrypted

Question 35

Level 5 password encryption

Answer 35

indicates that the password is an MD5 hash

Question 36

Level 7 password encryption

Answer 36

indicates that the password was encrypted using Cisco’s original password algorithm

Question 37

service password-encryption

Answer 37

encrypts all existing and future passwords

Question 38

no service password-encryption

Answer 38

does not decrypt existing passwords

Question 39

Passwords must be changed every __ days

Answer 39

90

Question 40

A password must be __ days old before it can be changed

Answer 40

2

Question 41

A password cannot be reused until it has been changed ___ times

Answer 41

10

Question 42

Passwords must be at least ___ characters long

Answer 42

8

Question 43

Password strings must contain a certain amount of complexity that includes

Answer 43

numbers, letters, and symbols

Question 44

Type 1 authentication

Answer 44

something you know

Question 45

Type 2 authentication

Answer 45

something you have

Question 46

Type 3 authentication

Answer 46

something you are

Question 47

ACLs

Answer 47

are sets of rules that identify traffic

Question 48

Standard ACLs

Answer 48

based on the source IP address alone

Question 49

Extended ACLs

Answer 49

identify traffic based on the source IP, destination IP, protocol and port number

Question 50

Named ACLs

Answer 50

can either be standard or extended ACLs

Question 51

implicit deny rule

Answer 51

traffic is dropped unless it is matched by an ACL statement that is configured with the permit keyword

Question 52

In order for a device to take action on matched traffic, ACLs must first be applied to an

Answer 52

interface, line, route map, or other configuration that supports ACLs

Question 53

Standard ACLs are numbered in a range from ___ to ___ or from ___ to ___

Answer 53

1 to 99
1300 to 1999

Question 54

Extended ACLs are numbered in a range from ___

Answer 54

100 to 199
2000 to 2699

Question 55

PKI encrypts communications based on

Answer 55

public and private key pair

Question 56

PKI certs can be used in place of

Answer 56

traditional authentication credentials

Question 57

DHCP spoofing attack

Answer 57

a rouge DHCP server is installed on the network in an attempt to intercept DHCP requests

and respond with its own IP address as the gateway default address

Question 58

DHCP snooping

Answer 58

monitors DHCP traffic between a trusted DHCP server and untrusted hosts

Question 59

DHCP snooping binding table

Answer 59

contains mappings between host MAC addresses, IP address, VLANs, and switchports

Question 60

ip dhcp snooping

Answer 60

globally enables the DHCP snooping feature

Question 62

DHCP snooping is not enabled on any interfaces until the ___ command is issued

Answer 62

ip dhcp snooping vlan vlan-range

Question 63

show ip dhcp snooping

Answer 63

verify DHCP snooping configuration on a switch

Question 64

show ip dhcp snooping binding

Answer 64

view IP-to-MAC

Question 65

DAI uses ___ transactions to track IP address-to-MAC address bindings

Answer 65

DHCP

Question 66

DAI enhances security by

Answer 66

intercepting, logging, and discarding ARP packets that have invalid IP-to-MAC address bindings

Question 67

DAI is configured ___ on a switch for specific VLANs

Answer 67

globally

Question 68

You cannot configure DAI on ___ interfaces

Answer 68

specific

Question 69

All ports on a switch are ___ by default

Answer 69

active

Question 70

By default all switchports use ___ to negotiate trunk mode

Answer 70

dynamic trunking protocol

Question 71

switchport nonegotiate

Answer 71

prevents any attempts by the switch to negotiate by using DTP

Question 72

port security protect

Answer 72

the switch will discard the traffic

Question 73

port security restrict

Answer 73

the switch will discard the traffic, log the unauthorized entry attempt, increment the Security Violation counter, and send a SNMP trap message

Question 74

port security shutdown

Answer 74

the switch will discard the traffic, log the unauthorized entry attempt, increment the Security Violation counter, and place the port into the error-disabled state

Question 75

By default, a switchport with port security enabled will be configured for ___ mode

Answer 75

shutdown

Question 76

To enable an interface that is in the error-disabled state, you must manually

Answer 76

issue the shutdown command, followed by the no shutdown command