IT 250: Information Security
how to secure a network in every aspect
555
Computer Science
02/06/2011

Cards

Term
Who is responsible for establishing access permissions to network resources in the DAC access control model?
(A) The system administrator
(B) The owner of the resource
(C) The system administrator and the owner of the resource
(D) The user requiring access to the resource
Definition
B
Term
Which access control system allows the owner of a resource to establish access permissions to that resource?
(A) MAC
(B) DAC
(C) RBAC
(D) None of the above
Definition
B
Term
Choose the attack method or malicious code typically used by attackers to access a company's internal network through its remote access system?
(A) A War dialer program
(B) Trojan horse
(C) DoS (Denial of Service) attack
(D) Worm
Definition
A
Term
Which of the following details the primary advantage of implementing a multi-homed firewall?
(A) A multi-homed firewall is relatively inexpensive to implement
(B) A multi-homed firewall's rules are easier to manage
(C) When a multi-homed firewall is compromised, only those systems residing in the DMZ (Demilitarized Zone) are vulnerable
(D) Attackers must get around two firewalls
Definition
C
Term
Choose the option that specifies an element which is NOT typically included in security requirements for network servers?
(A) The absence of vulnerabilities utilized by known forms of attack against network servers
(B) The capability to allow administrative functions to all network users
(C) The capability to deny access to data on the network server except to data that should be accessible
(D) The capability to disable unnecessary network services that are included in the operating system or server software
Definition
B
Term
From the options, choose the attack which an IDS (Intrusion Detection System) cannot detect?
(A) DoS (Denial of Service) attack
(B) Vulnerability exploits
(C) Spoofed e-mail
(D) Port scan attack
Definition
C
Term
Which of the following network cable types is most vulnerable to electromagnetic interference (EMI) and radio frequency interference (RFI)?
(A) Coaxial cable
(B) Unshielded Twisted Pair
(C) Shielded Twisted Pair
(D) Fiber optic cable
Definition
B
Term
Which of the following types of network cables is less secure than coaxial cabling?
(A) Twisted-pair cables
(B) Fiber optic cable
(C) All of the above
Definition
A
Term
Which of the following security zones is closest to the internal network of the company, and can also be considered as being internal to the company?
(A) Internet
(B) Intranet
(C) Extranet
(D) Perimeter network
Definition
B
Term
From the options, choose the disadvantage of implementing an IDS (Intrusion Detection System)?
(A) False positives
(B) Decrease in throughput
(C) Compatibility
(D) Administration
Definition
A
Term
Which of the combinations here can be used to create an extranet?
(A) Two intranets
(B) Two perimeter networks
(C) One intranet and one perimeter network
(D) All of the above configurations
Definition
D
Term
Security for the extranet security zone can include a number of strategies. Choose the one that does not apply?
(A) Using VPN connections
(B) Regularly auditing all services
(C) Use host-based firewalls for computers that contain confidential data
(D) Removing all unnecessary services
(E) Limiting the number of services provided
Definition
B
Term
Overloading NAT allows the organization to use publicly assigned IP addresses over the Internet that are different from its private IP addresses. To do this, which type of mapping is performed by Overloading NAT?
(A) Performs a one-to-one mapping of an internal IP address to an external IP address
(B) Maps multiple internal IP addresses to a range of external IP addresses
(C) Maps multiple internal IP addresses to one external IP address by employing a port-based mapping method
Definition
C
Term
Which technology allows you to segment or group users that have similar data sensitivity levels together and thereby increase security?
(A) Virtual local area network (VLAN)
(B) Network address translation (NAT)
(C) Tunneling
(D) None of the above
Definition
A
Term
Which type of NAT configuration maps a range of internal IP addresses to a range of external IP addresses?
(A) Static NAT
(B) Dynamic NAT
(C) Overloading NAT
Definition
C
Term
A compromise of which device could result in a VLAN being compromised?
(A) Router
(B) Switch
(C) NAT server
(D) None of the above
Definition
B
Term
Which of the following devices, used in one of the three major types of security topologies, is a one-interface device?
(A) Bastion host
(B) Application gateway
(C) Screened host gateway
(D) Screened subnet gateway
Definition
B
Term
From the options, choose the VPN (Virtual Private Network) tunneling protocol?
(A) AH (Authentication Header)
(B) SSH (Secure Shell)
(C) IPSec (Internet Protocol Security)
(D) DES (Data Encryption Standard)
Definition
C
Term
Which concept correctly specifies the location where a system administrator would deploy a web server if that web server should be separated from other network servers?
(A) A honey pot
(B) A hybrid subnet
(C) A DMZ (Demilitarized Zone)
(D) A VLAN (Virtual Local Area Network)
Definition
C
Term
From the options, which explains the general standpoint behind a DMZ (Demilitarized Zone)?
(A) All systems on the DMZ can be compromised because the DMZ can be accessed from the Internet
(B) No systems on the DMZ can be compromised because the DMZ cannot be accessed from the Internet
(C) Only those systems on the DMZ that can be accessed from the Internet can be compromised
(D) No systems on the DMZ can be compromised because the DMZ is completely secure and cannot be accessed from the Internet
Definition
A
Term
Which of the following descriptions best describes an IDS?
(A) Monitors network traffic and traffic patterns that could be indicative of attacks such as port scans and denial-of-service attacks
(B) Runs as software on a host computer system to monitor machine logs, system logs, and applications interactions
(C) Monitors the file structure of a system to determine if any system files were deleted or modified by an attacker
(D) A hardware device with software that monitors events in a system or network to identify when intrusions are taking place
Definition
D
Term
Which of the following intrusion detection technologies works by monitoring the file structure of a system to determine whether any system files were deleted or modified by an attacker?
(A) Network IDS
(B) Host-based IDS
(C) System integrity verifier (SIV)
(D) Log file monitor (LFM)
Definition
C
Term
Which of the following technologies would you use if you need to implement a system that simulates a network of vulnerable devices, so that this network can be targeted by attackers?
(A) An IDS
(B) A circuit-level firewall
(C) A honeypot
(D) A system integrity verifier
Definition
C
Term
When using network monitoring systems to monitor workstations, which of the following elements should be reviewed because their information could indicate a possible attack?
(A) Audit log and system log
(B) Hard disk space
(C) Network counters
(D) Network counters and access denied errors
Definition
D
Term
A passive response is the most common type of response to a number of intrusions. Which of the following is not a passive response strategy?
(A) Logging
(B) Notification
(C) Deception
(D) Shunning
Definition
C
Term
Which of the following algorithms is the LEAST secure?
A. NTLM
B. MD5
C. LANMAN
D. SHA-1
Definition
C
Term
Which of the following logs might reveal the IP address and MAC address of a rogue device within the local network?
A. Security logs
B. DHCP logs
C. DNS logs
D. Antivirus logs
Definition
B
Term
Which of the following is an example of security personnel that administer access control functions, but do not administer audit functions?
A. Access enforcement
B. Separation of duties
C. Least privilege
D. Account management
Definition
B
Term
Which of the following principles should be applied when assigning permissions?
A. Most privilege
B. Least privilege
C. Rule based
D. Role based
Definition
B
Term
Which of the following network filtering devices will rely on signature updates to be effective?
A. Proxy server
B. Firewall
C. NIDS
D. Honeynet
Definition
C
Term
A user wants to implement secure LDAP on the network. Which of the following port numbers does secure LDAP use by default?
A. 53
B. 389
C. 443
D. 636
Definition
D
Term
An administrator is trying to secure a network from threats originating outside the network. Which of the following devices provides protection for the DMZ from attacks launched from the Internet?
A. Antivirus
B. Content filter
C. Firewall
D. Proxy server
Definition
C
Term
Which of the following logical access controls would be MOST appropriate to use when creating an account for a temporary worker?
A. ACL
B. Account expiration
C. Time of day restrictions
D. Logical tokens
Definition
B
Term
How should a company test the integrity of its backup data?
A. By conducting another backup
B. By using software to recover deleted files
C. By restoring part of the backup
D. By reviewing the written procedures
Definition
C
Term
Which of the following would be BEST to use to apply corporate security settings to a device?
A. A security patch
B. A security hotfix
C. An OS service pack
D. A security template
Definition
D
Term
Assigning proper security permissions to files and folders is the primary method of mitigating which of the following?
A. Hijacking
B. Policy subversion
C. Trojan
D. DoS
Definition
C
Term
Which of the following is a way to manage operating system updates?
A. Service pack management
B. Patch application
C. Hotfix management
D. Change management
Definition
D
Term
Which of the following is a security threat when a new network device is configured for first-time installation?
A. Attacker privilege escalation
B. Installation of a back door
C. Denial of Service (DoS)
D. Use of default passwords
Definition
D
Term
Which of the following can be used as a means for dual-factor authentication?
A. RAS and username/password
B. RADIUS and L2TP
C. LDAP and WPA
D. Iris scan and proximity card
Definition
D
Term
Which of the following should be implemented to have all workstations and servers isolated in their own broadcast domains?
A. VLANs
B. NAT
C. Access lists
D. Intranet
Definition
A
Term
Which of the following practices is MOST relevant to protecting against operating system security flaws?
A. Network intrusion detection
B. Patch management
C. Firewall configuration
D. Antivirus selection
Definition
B
Term
Which of the following algorithms is MOST closely associated with the signing of email messages?
A. MD5
B. TKIP
C. PGP
D. SHA-1
Definition
C
Term
Which of the following is the BEST way to reduce the number of accounts a user must maintain?
A. Kerberos
B. CHAP
C. SSO
D. MD5
Definition
C
Term
If a certificate has been compromised, which of the following should be done?
A. Run the recovery agent
B. Put the certificate on the CRL
C. Put the certificate in key escrow.
D. Suspend the certificate for further investigation
Definition
B
Term
Which of the following is a method of encrypting email?
A. S/MIME
B. SMTP
C. L2TP
D. VPN
Definition
A
Term
An administrator wants to proactively collect information on attackers and their attempted methods of gaining access to the internal network. Which of the following would allow the administrator to do this?
A. NIPS
B. Honeypot
C. DMZ
D. NIDS
Definition
B
Term
Which of the following BEST describes a private key in regards to asymmetric encryption?
A. The key owner has exclusive access to the private key.
B. Everyone has access to the private key on the CA.
C. Only the CA has access to the private key.
D. The key owner and a recipient of an encrypted email have exclusive access to the private key.
Definition
A
Term
If a user attempts to go to a website and notices the URL has changed, which of the following attacks is MOST likely the cause?
A. DLL injection
B. DDoS attack
C. DNS poisoning
D. ARP poisoning
Definition
C
Term
Which of the following is the main objective of steganography?
A. Message digest
B. Encrypt information
C. Hide information
D. Data integrity
Definition
C
Term
An administrator suspects that files are being copied to a remote location during off hours. The file server does not have logging enabled. Which of the following logs would be the BEST place to look for information?
A. Intrusion detection logs
B. Firewall logs
C. Antivirus logs
D. DNS logs
Definition
B
Term
Which of the following is a reason why a company should disable the SSID broadcast of the wireless access points?
A. Rogue access points
B. War driving
C. Weak encryption
D. Session hijacking
Definition
B
Term
Which of the following attacks can be caused by a user being unaware of their physical surroundings?
A. ARP poisoning
B. Phishing
C. Shoulder surfing
D. Man-in-the-middle
Definition
C
Term
Which of the following threats is the MOST difficult to detect and hides itself from the operating system?
A. Rootkit
B. Adware
C. Spyware
D. Spam
Definition
A
Term
Which of the following risks would be reduced by implementing screen filters?
A. Replay attacks
B. Phishing
C. Man-in-the-middle attacks
D. Shoulder surfing
Definition
D
Term
Which of the following types of strategies can be applied to allow a user to enter their username and password once in order to authenticate to multiple systems and applications?
A. Two-factor authentication
B. Single sign-on
C. Smart card
D. Biometrics
Definition
B
Term
Which of the following is MOST efficient for encrypting large amounts of data?
A. Hashing algorithms
B. Symmetric key algorithms
C. Asymmetric key algorithms
D. ECC algorithms
Definition
B
Term
Which of the following would be the MOST secure choice to implement for authenticating remote connections?
A. LDAP
B. 802.1x
C. RAS
D. RADIUS
Definition
D
Term
User A is a member of the payroll security group. Each member of the group should have read/write permissions to a share. User A was trying to update a file but when the user tried to access the file the user was denied. Which of the following would explain why User A could not access the file?
A. Privilege escalation
B. Rights are not set correctly
C. Least privilege
D. Read only access
Definition
B
Term
Which of the following access control methods gives the owner control over providing permissions?
A. Role-Based Access Control (RBAC)
B. Rule-Based Access control (RBAC)
C. Mandatory Access Control (MAC)
D. Discretionary Access Control (DAC)
Definition
D
Term
Which of the following describes the process of securely removing information from media (e.g. a hard drive) for future use?
A. Reformatting
B. Destruction
C. Sanitization
D. Deleting
Definition
C
Term
Which of the following would allow for secure key exchange over an unsecured network without a pre-shared key?
A. 3DES
B. AES
C. DH-ECC
D. MD5
Definition
C
Term
A programmer has decided to alter the server variable in the coding of an authentication function for a proprietary sales application. Before implementing the new routine on the production application server, which of the following processes should be followed?
A. Change management
B. Secure disposal
C. Password complexity
D. Chain of custody
Definition
A
Term
Which of the following encryption algorithms is decrypted in the LEAST amount of time?
A. RSA
B. AES
C. 3DES
D. L2TP
Definition
B
Term
After implementing file auditing, which of the following logs would show unauthorized usage attempts?
A. Performance
B. System
C. Security
D. Application
Definition
C
Term
Which of the following is a list of discrete entries that are known to be benign?
A. Whitelist
B. Signature
C. Blacklist
D. ACL
Definition
A
Term
During the implementation of LDAP, which of the following will typically be changed within the organization's software programs?
A. IP addresses
B. Authentication credentials
C. Non-repudiation policy
D. Network protocol
Definition
B
Term
End users are complaining about receiving a lot of email from online vendors and pharmacies. Which of the following is this an example of?
A. Trojan
B. Spam
C. Phishing
D. DNS poisoning
Definition
B
Term
Which of the following can BEST be used to determine the topology of a network and discover unknown devices?
A. Vulnerability scanner
B. NIPS
C. Protocol analyzer
D. Network mapper
Definition
D
Term
Which of the following is a reason to implement security logging on a DNS server?
A. To monitor unauthorized zone transfers
B. To measure the DNS server performance
C. To perform penetration testing on the DNS server
D. To control unauthorized DNS DoS
Definition
A
Term
Which of the following is the LEAST intrusive way of checking the environment for known software flaws?
A. Protocol analyzer
B. Vulnerability scanner
C. Port scanner
D. Penetration test
Definition
B
Term
Which of the following is an attack that is triggered by a specific event or by a date?
A. Logic bomb
B. Spam
C. Rootkit
D. Privilege escalation
Definition
A
Term
An administrator wants to set up their network with only one public IP address. Which of the following would allow for this?
A. DMZ
B. VLAN
C. NIDS
D. NAT
Definition
D
Term
An administrator suspects that multiple PCs are infected with a zombie. Which of the following tools could be used to confirm this?
A. Antivirus
B. Recovery agent
C. Spyware
D. Port scan
Definition
A
Term
Which of the following is a best practice for coding applications in a secure manner?
A. Input validation
B. Object oriented coding
C. Rapid Application Development (RAD)
D. Cross-site scripting
Definition
A
Term
Which of the following authentication methods would MOST likely prevent an attacker from being able to successfully deploy a replay attack?
A. TACACS
B. RAS
C. RADIUS
D. Kerberos
Definition
D
Term
Which of the following tools will allow the technician to find all open ports on the network?
A. Performance monitor
B. Protocol analyzer
C. Router ACL
D. Network scanner
Definition
D
Term
During a risk assessment it is discovered that only one system administrator is assigned several tasks critical to continuity of operations. It is recommended to cross train other system administrators to perform these tasks and mitigate which of the following risks?
A. DDoS
B. Privilege escalation
C. Disclosure of PII
D. Single point of failure
Definition
D
Term
After issuance, a technician becomes aware that some keys were issued to individuals who are not authorized to use them. Which of the following should the technician use to correct this problem?
A. Recovery agent
B. Certificate revocation list
C. Key escrow
D. Public key recovery
Definition
B
Term
Which of the following allows a technician to correct a specific issue with a solution that has not been fully tested?
A. Patch
B. Hotfix
C. Security roll-up
D. Service pack
Definition
B
Term
Which of the following allows an attacker to embed a rootkit into a picture?
A. Trojan horse
B. Worm
C. Steganography
D. Virus
Definition
C
Term
Which of the following is commonly used in a distributed denial of service (DDOS) attack?
A. Phishing
B. Adware
C. Botnet
D. Trojan
Definition
C
Term
Which of the following would an attacker use to footprint a system?
A. RADIUS
B. Password cracker
C. Port scanner
D. Man-in-the-middle attack
Definition
C
Term
An organization is installing new servers into their infrastructure. A technician is responsible for making sure that all new servers meet security requirements for uptime. In which of the following are the availability requirements identified?
A. Service level agreement
B. Performance baseline
C. Device manufacturer documentation
D. Security template
Definition
A
Term
When should a technician perform penetration testing?
A. When the technician suspects that weak passwords exist on the network
B. When the technician is trying to guess passwords on a network
C. When the technician has permission from the owner of the network
Definition
C
Term
Which of the following is an exploit against a device where only the hardware model and manufacturer are known?
A. Replay attack
B. Denial of service (DoS)
C. Privilege escalation
D. Default passwords
Definition
D
Term
A technician is implementing a new wireless network for an organization. The technician should be concerned with all of the following wireless vulnerabilities EXCEPT:
A. rogue access points.
B. 802.11 mode.
C. weak encryption.
D. SSID broadcasts.
Definition
B
Term
Which of the following BEST describes ARP?
A. Discovering the IP address of a device from the MAC address
B. Discovering the IP address of a device from the DNS name
C. Discovering the MAC address of a device from the IP address
D. Discovering the DNS name of a device from the IP address
Definition
C
Term
A technician wants to regulate and deny traffic to websites that contain information on hacking. Which of the following would be the BEST solution to deploy?
A. Internet content filter
B. Proxy
C. Protocol analyzer
D. NIDS
Definition
A
Term
An administrator has implemented a new SMTP service on a server. A public IP address translates to the internal SMTP server. The administrator notices many sessions to the server, and gets notification that the server's public IP address is now reported in a spam real-time block list. Which of the following is wrong with the server?
A. SMTP open relaying is enabled
B. It does not have a spam filter.
C. The amount of sessions needs to be limited.
D. The public IP address is incorrect
Definition
A
Term
Which of the following actions should be performed upon discovering an unauthorized wireless access point attached to a network?
A. Unplug the Ethernet cable from the wireless access point.
B. Enable MAC filtering on the wireless access point.
C. Run a ping against the wireless access point.
Definition
A
Term
Which of the following is a single server that is set up in the DMZ or outer perimeter in order to distract attackers?
A. Honeynet
B. DMZ
C. Honeypot
D. VLAN
Definition
C
Term
Which of the following technologies can be used as a means to isolate a host OS from some types of security threats?
A. Intrusion detection
B. Virtualization
C. Kiting
D. Cloning
Definition
D
Term
Which of the following will propagate itself without any user interaction?
A. Worm
B. Rootkit
C. Trojan
D. Virus
Definition
A
Term
Which of the following may be an indication of a possible system compromise?
A. A port monitor utility shows that there are many connections to port 80 on the Internet facing web server
B. A performance monitor indicates a recent and ongoing drop in speed, disk space or memory utilization from the baseline
C. A protocol analyzer records a high number of UDP packets to a streaming media server on the Internet.
D. The certificate for one of the web servers has expired and transactions on that server begin to drop rapidly
Definition
B
Term
Which of the following security policies is BEST to use when trying to mitigate the risks involved with allowing a user to access company email via their cell phone?
A. The cell phone should require a password after a set period of inactivity
B. The cell phone should only be used for company related emails.
C. The cell phone data should be encrypted according to NIST standards
D. The cell phone should have data connection abilities disabled.
Definition
A
Term
Which of the following improves security in a wireless system?
A. IP spoofing
B. MAC filtering
C. SSID spoofing
D. Closed network
Definition
B
Term
How many keys are utilized with asymmetric cryptography?
A. One
B. Two
C. Five
D. Seven
Definition
B
Term
Which of the following access control methods includes switching work assignments at preset intervals?
A. Job rotation
B. Mandatory vacations
C. Least privilege
D. Separation of duties
Definition
A
Term
Which of the following access control methods grants permissions based on the user's position in the company?
A. Mandatory Access Control (MAC)
B. Rule-Based Access control (RBAC)
C. Discretionary Access Control (DAC)
D. Role-Based Access Control (RBAC)
Definition
D
Term
A small call center business decided to install an email system to facilitate communications in the office. As part of the upgrade the vendor offered to supply anti-malware software for a cost of $5,000 per year. The IT manager read there was a 90% chance each year that workstations would be compromised if not adequately protected. If workstations are compromised it will take three hours to restore services for the 30 staff. Staff members in the call center are paid $90 per hour. If the anti-malware software is purchased, which of the following is the expected net savings?
A. $900
B. $2,290
C. $2,700
D. $5,000
Definition
B
Term
A technician needs to detect staff members that are connecting to an unauthorized website. Which of the following could be used?
A. Protocol analyzer
B. Bluesnarfing
C. Host routing table
D. HIDS
Definition
A
Term
Which of the following is a way to logically separate a network through a switch?
A. Spanning port
B. Subnetting
C. VLAN
D. NAT
Definition
C
Term
Which of the following would be MOST useful to determine why packets from a computer outside the network are being dropped on the way to a computer inside the network?
A. HIDS log
B. Security log
C. Firewall log
D. System log
Definition
C
Term
Which of the following properly describes penetration testing?
A. Penetration tests are generally used to scan the network and identify open ports
B. Penetration tests are generally used to map the network and grab banners.
C. Penetration tests are generally used to exploit a weakness without permission and show how an attacker might compromise a system
D. Penetration tests are generally used to demonstrate a weakness in a system and then provide documentation on the weakness
Definition
D
Term
Which of the following requires an update to the baseline after installing new software on a machine?
A. Signature-based NIPS
B. Signature-based NIDS
C. Honeypot
D. Behavior-based HIDS
Definition
D
Term
An executive uses PKI to encrypt sensitive emails sent to an assistant. In addition to encrypting the body of the email, the executive wishes to encrypt the signature so that the assistant can verify that the email actually came from the executive. Which of the following asymmetric keys should the executive use to encrypt the signature?
A. Public
B. Private
C. Shared
D. Hash
Definition
B
Term
Which of the following can an attacker use to gather information on a system without having a user ID or password?
A. NAT
B. DNS poisoning
C. Null session
D. Spoofing
Definition
C
Term
Which of the following network tools would provide the information on what an attacker is doing to compromise a system?
A. Proxy server
B. Honeypot
C. Internet content filters
D. Firewall
Definition
D
Term
Which of the following ensures a user cannot deny having sent a message?
A. Availability
B. Integrity
C. Non-repudiation
D. Confidentiality
Definition
C
Term
Which of the following type of attacks would allow an attacker to capture HTTP requests and send back a spoofed page?
A. Teardrop
B. TCP/IP hijacking
C. Phishing
D. Replay
Definition
B
Term
When deploying 50 new workstations on the network, which of following should be completed FIRST?
A. Install a word processor.
B. Run the latest spyware.
C. Apply the baseline configuration
D. Run OS updates.
Definition
C
Term
Taking into account personal safety, which of the following types of fire suppression substances would BEST prevent damage to electronic equipment?
A. Foam
B. CO2
C. Halon
D. Water
Definition
B
Term
Which of the following increases the collision resistance of a hash?
A. Salt
B. Increase the input length
C. Rainbow Table
D. Larger key space
Definition
A
Term
All of the following provide confidentiality protection as part of the underlying protocol EXCEPT:
A. SSL
B. SSH
C. L2TP
D. IPSec
Definition
C
Term
Password crackers are generally used by malicious attackers to:
A. verify system access
B. facilitate penetration testing
C. gain system access
D. sniff network passwords
Definition
C
Term
Which of the following is a publication of inactivated user certificates?
A. Certificate revocation list
B. Certificate suspension
C. Recovery agent
D. Certificate authority
Definition
A
Term
A malware incident has just been detected within a company. Which of the following should be the administrator's FIRST response?
A. Removal
B. Containment
C. Recovery
D. Monitor
Definition
B
Term
Which of the following should a technician review when a user is moved from one department to another?
A. User access and rights
B. Data storage and retention policies
C. User's group policy
D. Acceptable usage policy
Definition
A
Term
On which of the following is a security technician MOST likely to find usernames?
A. DNS logs
B. Application logs
C. Firewall logs
D. DHCP logs
Definition
B
Term
Which of the following redundancy solutions contains hardware systems similar to the affected organization, but does not provide live data?
A. Hot site
B. Uninterruptible Power Supply (UPS)
C. Warm site
D. Cold site
Definition
C
Term
Which of the following type of attacks requires an attacker to sniff the network?
A. Man-in-the-Middle
B. DDoS attack
C. MAC flooding
D. DNS poisoning
Definition
A
Term
An administrator has been asked to encrypt credit card data. Which of the following algorithms would be the MOST secure with the least CPU utilization?
A. 3DES
B. AES
C. SHA-1
D. MD5
Definition
B
Term
Why are non-essential services appealing to attackers? (Choose TWO)
A. Non-essential services are often appealing to attackers since less bandwidth is used.
B. Non-essential services are often appealing to attackers since the surface area for the attack is reduced.
C. Non-essential services are often appealing to attackers since root level access is offered.
D. Non-essential services are often appealing to attackers since attacks are maintained that go unnoticed.
E. Non-essential services are often appealing to attackers since they are not typically configured correctly or secured.
Definition
D,E
Term
Which of the following terms represents a MAC (Mandatory Access Control) model?
A. Lattice
B. Bell La-Padula
C. BIBA
D. Clark and Wilson
Definition
A
Term
The majority of commercial intrusion detection systems are:
A. Host-based
B. Identity-based
C. Signature-based
D. Network-based
Definition
D
Term
Which of the following would you consider clear-text protocols? (Choose all that apply)
A. Telnet
B. POP
C. FTP
D. SSH
E. All of the Above
Definition
A,B,C
Term
Determine the access control model where users are assigned access rights based on their function within the organization?
A. This is a feature of Discretionary Access Control (DAC).
B. This is a feature of Rule Based Access Control (RBAC).
C. This is a feature of Role Based Access Control (RBAC).
D. This is a feature of Mandatory Access Control (MAC).
Definition
C
Term
Which of the following password management systems is designed to provide availability for a large number of users?
A. self service password resets
B. locally saved passwords
C. multiple access methods
D. synchronized passwords
Definition
A
Term
Which of the following represents the best method for securing a web browser?
A. Do not upgrade, as new versions tend to have more security flaws.
B. Disable any unused features of the web browser.
C. Connect to the Internet using only a VPN (Virtual Private Network) connection.
D. Implement a filtering policy for illegal, unknown and undesirable sites.
Definition
B
Term
Which of the following protocols did Microsoft develop for use in VPNs? (Choose all that apply)
A. PPTP
B. IPSEC
C. OSPF
D. L2TP
E. None of the Above
Definition
A,B
Term
Identify the access control model that makes use of security labels connected to the objects?
A. You should make use of the Role Based Access Control (RBAC) model.
B. You should make use of the Mandatory Access Control (MAC) model.
C. You should make use of the Rule Based Access Control (RBAC) model.
D. You should make use of the Discretionary Access Control (DAC) model.
Definition
B
Term
Under MAC, which of the following is true?
A. All that is expressly permitted is forbidden
B. All that is not expressly permitted is not forbidden
C. All that is not expressly permitted is forbidden
D. Both A and B
E. No Answer is Correct
Definition
C
MAC is the acronym for Mandatory Access Control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

Under MAC, you define who is allowed to access objects, and if you haven't defined an access right, access is not permitted. So it is not the case that "all that is expressly permitted is forbidden", or that "all that is not expressly permitted is not forbidden".
Term
Which of the Following is an item most likely to be addressed in an Acceptable Use Policy
A. Acceptable password length
B. Security Measures users are expected to Follow
C. Schedule of testing
D. Authority and conditions for monitoring user activities
E. All of the Above
Definition
B
Term
In order to perform a TCP hijacking attack, an attacker would be required to:
A. have a protocol analyzer intercept traffic between two hosts
B. know the IP addresses of both hosts and sequence numbers of the TCP/IP packets
C. perform a man-in-the-middle attack and communicate directly with two hosts
D. obtain the MAC address of the both hosts
Definition
B
Term
Which of the following ports does a DNS (Domain Name Service) server require?
A. 21
B. 23
C. 53
D. 55
Definition
53
Term
When does CHAP (Challenge Handshake Authentication Protocol) perform the handshake process?
A. When establishing a connection and at anytime after the connection is established.
B. Only when establishing a connection and disconnecting.
C. Only when establishing a connection.
D. Only when disconnecting.
Definition
A
CHAP performs the handshake process when first establishing a connection, and then at random intervals during the session.
Term
Which of the following is an example of a task-based control model?
A. It is an example of Rule Based Access Control (RBAC).
B. It is an example of Mandatory Access Control (MAC).
C. It is an example of Role Based Access Control (RBAC).
D. It is an example of Discretionary Access Control (DAC)
Definition
C
Term
Covert channel is a communication channel that can be used for:
A. Violating the security
B. Strengthening the security policy
C. Hardening the system
D. Protecting the DMZ
Definition
A
Covert channels: indirect ways for transmitting information with no explicit reading of confidential information. In other words, the communication is out in plain view, but "invisible" to those who don't know how to look for it. This kind of difficulty has induced some researchers to rethink from scratch the whole problem of guaranteeing security in computer systems. Some obscure techniques which can be utilized to create covert channels include hiding messages using the first letters of each word in a longer communication, blinking eyes in "Morse code" during a conversation, etc. Even something as mundane as some of the "signals" used by a baseball team, if non-obvious enough, could be considered a covert channel.

Covert channels are not a way to strengthen the security policy of an organization, harden the system or protect the DMZ -- they are a security risk, not a security-enhancing technique.
Term
From a security perspective a performance baseline is MOST useful for:
A. detecting performance anomalies that may be due to security breaches
B. assuring that systems are working to their optimal capacity
C. knowing when security scans are going to finish
D. predicting the end of useful life for the firewall
E. All of the Above
Definition
A
Term
You work as the security administrator at Certkiller.com. You set permissions on a file object in a network operating system which uses DAC (Discretionary Access Control). The ACL (Access Control List) of the file is as follows:
Owner: Read, Write, Execute
User A: Read, Write, -
User B: -, -, - (None)
Sales: Read, -, -
Marketing: -, Write, -
Other: Read, Write, -
User "A" is the owner of the file. User "B" is a member of the Sales group. What effective permissions does User "B" have on the file?
A. User B has read, write and execute permissions on the file
B. User B has read and write permissions on the file.
C. User B has no permissions on the file.
D. User B has read permissions on the file.
E. None of the Above
Definition
C
The Owner is allowed to: Read, Write, Execute
User A is allowed to: Read, Write, -
Sales is allowed to: Read, -, -
Marketing is allowed to: -, Write, -
Others are allowed to: Read, Write, -
User B is allowed to do nothing: -, -, - (None)
Term
DAC are characterized by many organizations as:
A. Preventive controls
B. Need-to-know controls
C. Mandatory adjustable controls
D. All of the Above
E. None of the Above
Definition
B
DAC is the acronym for Discretionary Access Controls. Access controls that are not based on the policy are characterized as discretionary controls by the U.S. government and as need-to-know controls by other organizations. The latter term connotes least privilege - those who may read an item of data are precisely those whose tasks entail the need.

Preventive controls and mandatory adjustable controls do not characterize DAC.
Term
Which of the following technologies would you use if you need to implement a system that simulates a network of vulnerable devices, so that this network can be targeted by attackers?
A. A circuit-level firewall
B. A honeypot
C. An IDS
D. A system integrity verifier
Definition
B
Term
Which service is provided by message authentication codes?
A. You make use of message authentication codes to provide the Key recovery service.
B. You make use of message authentication codes to provide the Fault recovery service.
C. You make use of message authentication codes to provide the Acknowledgement service.
D. You make use of message authentication codes to provide the Integrity service.
Definition
D
Term
With regard to DAC (Discretionary Access Control), which of the following statements are true?
A. Files that don't have an owner CANNOT be modified.
B. The administrator of the system is an owner of each object.
C. The operating system is an owner of each object.
D. Each object has an owner, which has full control over the object.
E. None of the Above
Definition
D
The DAC model allows the owner of a resource to establish privileges to the information they own. The DAC model would allow a user to share a file or use a file that someone else has shared. The DAC model establishes an ACL that identifies the users who have authorization to that information. This allows the owner to grant or revoke access to individuals or groups of individuals based on the situation. This model is dynamic in nature and allows information to be shared easily between users.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12
Term
Which of the following is a feature of the Rule based access control?
A. The use of tokens
B. The use of profiles
C. The use of information flow labels
D. The use of data flow diagrams
Definition
B
Rule based access control is based on a specific profile for each user. Information can be easily changed for only one user but this scheme may become a burden in a very large environment. A rule-based access control unit will intercept every request to the server and compare the source specific access conditions with the rights of the user in order to make an access decision. A good example could be a firewall. Here a set of rules defined by the network administrator is recorded in a file. Every time a connection is attempted (incoming or outgoing), the firewall software checks the rules file to see if the connection is allowed. If it is not, the firewall closes the connection.

Information flow labels are usually associated with Mandatory Access Control (MAC). Data flow diagrams are most commonly used in software development, not in rule-based access control. Tokens are usually used for authentication, a function which is important for any type of access control.
Term
Determine the two-factor authentication for an information system?
A. You should identify ATM card and PIN.
B. You should identify Photo ID and PIN.
C. You should identify Retina scan and mantrap.
D. You should identify Username and password.
Definition
A
Term
Why are non-essential services appealing to attackers? (Choose TWO)
A. Non-essential services are often appealing to attackers since less bandwidth is used.
B. Non-essential services are often appealing to attackers since the surface area for the attack is reduced.
C. Non-essential services are often appealing to attackers since root level access is offered.
D. Non-essential services are often appealing to attackers since attacks are maintained that go unnoticed.
E. Non-essential services are often appealing to attackers since they are not typically configured correctly or secured.
Definition
E
Term
Which of the following attacks could be the most successful when the security technology is properly implemented and configured?
A. Logical attacks
B. Physical attacks
C. Trojan Horse attacks
D. Social Engineering attacks
E. None of the Above
Definition
D
Social Engineering attacks: in computer security systems, this type of attack is usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. An example of a social engineering attack involves a hacker impersonating a network service technician. The serviceman approaches a low-level employee and requests their password for network servicing purposes. When using smartcards instead of passwords, this type of attack is a bit more difficult. Most people would not trust an impersonator wishing to have their smartcard and PIN for service purposes.

Logical, physical and Trojan horse attacks are often much less successful when security is properly implemented on a network.
Term
Which of the following is an inherent flaw of DAC (Discretionary Access Control)?
A. DAC (Discretionary Access Control) relies only on the identity of the user or process, leaving room for a Trojan horse.
B. DAC (Discretionary Access Control) relies on certificates, allowing attackers to use those certificates.
C. DAC (Discretionary Access Control) does not rely on the identity of a user, allowing anyone to use an account.
D. DAC (Discretionary Access Control) has no known security flaws.
Definition
A
In a DAC model, network users have some flexibility regarding how information is accessed. This model allows users to dynamically share information with other users. The process allows a more flexible environment, but it increases the risk of unauthorized disclosure of information. Administrators will have a more difficult time ensuring that information access is controlled and that only appropriate access is given.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 440
Term
When an attacker captures part of a communication and later sends the communication segment to the server whilst pretending to be the user it is known as a:
A. It is known as the TCP/IP hijacking attack.
B. It is known as the Man in the middle attack.
C. It is known as the Replay attack.
D. It is known as the Back door attack
Definition
C
Term
Which of the following provides the strongest form of authentication?
A. one time password
B. biometrics
C. username and password
D. token
Definition
B
Biometrics is the practice of authenticating a user by scanning one of their unique physiological body parts. Just like in the movies, a user places their hand on a fingerprint scanner or they put their eyes against a retinal scanner. If the image matches what's in the database, it authenticates the user. Since a person's fingerprint, blood vessel print, or retinal image is unique, the only way the system can authenticate is if the proper user is there. The only way for an unauthorized user to get access is to physically kidnap the authorized user and force them through the system. For this reason, biometrics is the strongest (and the costliest) form of authentication.
Term
A password represents:
A. Something you have
B. Something you know
C. Something you are
D. All of the Above
E. None of the Above
Definition
B
Authentication is accomplished through something you know, something you have and/or something you are. The canonical example of something you know is a password or pass phrase. You might type or speak the value. A number of schemes are possible for obtaining what you know. It might be assigned to you, or you may have picked the value yourself. Constraints may exist regarding the form the value can take, or the alphabet from which you are allowed to construct the value might be limited to letters only. If you forget the value, you may not be able to authenticate yourself to the system.

Something you have would be a physical item you possess, such as a smartcard. Something you are would be a personal characteristic of you, not a piece of information you know.
Term
Creating a basic standard for application settings, security settings, and active services on every company laptop would be considered
A. group policy
B. baseline configuration
C. patch management
D. a security template
Definition
D
Term
Which of the following access control methods allows access control decisions to be based on security labels associated with each data item and each user?
A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)
Definition
A
The MAC model is a static model that uses a predefined set of access privileges to files on the system. The system administrator establishes these parameters and associates them with an account, files or resources. The MAC model can be very restrictive.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 11
Term
Which of the following best describes an access control mechanism that allows the data owner to create and administer access control?
A. DACs (Discretionary Access Control)
B. LBACs (List Based Access Control)
C. RBACs (Role Based Access Control)
D. MACs (Mandatory Access Control)
Definition
A
The DAC model allows the owner of a resource to establish privileges to the information they own. The DAC model would allow a user to share a file or use a file that someone else has shared. The DAC model establishes an ACL that identifies the users who have authorization to that information. This allows the owner to grant or revoke access to individuals or groups of individuals based on the situation. This model is dynamic in nature and allows information to be shared easily between users.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12
Term
Which of the following is a characteristic of MAC (Mandatory Access Control)?
A. use levels of security to classify users and data
B. allow owners of documents to determine who has access to specific documents
C. use access control lists which specify a list of authorized users
D. use access control lists which specify a list of unauthorized users
Definition
A
Mandatory Access Control is a strict hierarchical model, first developed by governments, and it is based on classifying data by importance and categorizing data by department. Users receive specific security clearances to access this data. For instance, the most important piece of data would have the highest classification, where only the president of that department would have access; while the least important resources would be classified at the bottom, where everyone in the organization including the janitors could access them.
Term
All of the following are correct about LDAP EXCEPT:
A. most of the implementations use the x.500 directory model
B. some of the implementations use default TCP ports 389 and 636
C. some implementations use x.509 certificates for securing communications
D. all attributes will be encrypted
Definition
D
Term
What model assigns sensitivity labels to users and their data?
A. You should identify the Discretionary Access Control (DAC) access control model.
B. You should identify the Role Based Access Control (RBAC) access control model.
C. You should identify the Mandatory Access Control (MAC) access control model.
D. You should identify the Rule Based Access Control (RBAC) access control model.
E. None of the Above
Definition
C
Term
Which of the following access control methods provides the most granular access to protected objects?
A. Capabilities
B. Access control lists
C. Permission bits
D. Profiles
Definition
B
Access control lists enable devices in your network to ignore requests from specified users or systems, or grant certain network capabilities to them. ACLs allow a stronger set of access controls to be established in your network. The basic process of ACL control allows the administrator to design and adapt the network to deal with specific security threats.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 235
Term
Determine the access control model where users are assigned access rights based on their function within the organization?
A. This is a feature of Discretionary Access Control (DAC).
B. This is a feature of Rule Based Access Control (RBAC).
C. This is a feature of Role Based Access Control (RBAC).
D. This is a feature of Mandatory Access Control (MAC).
Definition
C
Term
Which authentication will provide a username, a password and undergo a thumb print scan to access a workstation?
A. The Biometric authentication best illustrates this scenario.
B. The Kerberos authentication best illustrates this scenario.
C. The Mutual authentication best illustrates this scenario.
D. The Multifactor authentication best illustrates this scenario.
Definition
D
Term
Under MAC, a clearance is a
A. Privilege
B. Subject
C. Sensitivity
D. Object
Definition
A
MAC is the acronym for Mandatory Access Control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

In MAC, subjects (such as users) are each assigned a clearance (such as "secret" or "top secret"). Objects (containers for information, such as files) are assigned a sensitivity (classification, similar to clearance). When determining whether or not to grant a subject access to an object, the requesting subject's clearance is compared with the sensitivity of the object, and if the clearance is at or higher than the object's sensitivity level, access is granted. Therefore, a clearance functions as a privilege.
Term
Enforcing minimum privileges for general system users can be easily achieved through the use of:
A. IPSEC
B. TSTEC
C. PRVMIN
D. RBAC
Definition
D
Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges couldn't be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC (role based access control), enforced minimum privileges for general system users can be easily achieved.
Term
Which of the following best describes a challenge-response session?
A. A workstation or system that generates a random challenge string that the user enters when prompted along with the proper PIN (Personal Identification Number).
B. A workstation or system that generates a random login ID that the user enters when prompted along with the proper PIN (Personal Identification Number).
C. A special hardware device that is used to generate random text in a cryptography system.
D. The authentication mechanism in the workstation or system does not determine if the owner should be authenticated.
Definition
A
A common authentication technique whereby an individual is prompted (the challenge) to provide some private information (the response). Most security systems that rely on smart cards are based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in. Reference: http://www.webopedia.com/TERM/C/challenge_response.html
Term
For which of the following can biometrics be used?
A. Authentication
B. Authorization
C. Certification
D. Accountability
Definition
A
Biometrics devices use physical characteristics to identify the user.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 18
Term
Which of the following protocols did Microsoft develop for use in VPNs? (Choose all that apply)
A. PPTP
B. IPSEC
C. OSPF
D. L2TP
E. None of the Above
Definition
A,B
A protocol or set of communication rules called Point-to-Point Tunneling Protocol (PPTP) has been proposed that would make it possible to create a virtual private network (VPN) through "tunnels" over the Internet. This would mean that companies would no longer need their own leased lines for wide-area communication but could securely use the public networks. IPSec is more resource intensive, and provides higher security. IPSec is available in Windows 2000 and XP/.Net Operating Systems.

L2TP is a successor to PPTP. Its development was done by an industry coalition, and it includes the best features of PPTP and L2F. OSPF is a routing protocol.
Term
Identify the method that should be used to ensure that the user is able to authenticate to the server and the server to the user?
A. You should make use of the Mutual authentication method.
B. You should make use of the Biometric authentication method.
C. You should make use of the Username/password authentication method.
D. You should make use of the Multifactor authentication method.
Definition
A
Term
What access control model is a Windows file server an example of?
A. It is an example of a Discretionary Access Control (DAC) model
B. It is an example of a Role Based Access Control (RBAC) model.
C. It is an example of a Mandatory Access Control (MAC) model.
D. It is an example of a Rule Based Access Control (RBAC) model.
Definition
A
Term
What authentication model uses a smart card and a User ID/Password for accessing network resources?
A. You should identify the Biometric authentication model.
B. You should identify the Multifactor authentication model.
C. You should identify the Mutual authentication model.
D. You should identify the Tokens authentication model.
Definition
B
Term
Which of the following is the most costly method of an authentication?
A. Passwords
B. Tokens
C. Biometrics
D. Shared secrets
Definition
C
Biometrics: These technologies are becoming more reliable, and they will become widely used over the next few years. Many companies use smart cards as their primary method of access control. Implementations have been limited in many applications because of the high cost associated with these technologies. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 265
Term
Access controls that are not based on the policy are characterized as:
A. Mandatory controls
B. Discretionary controls
C. Secret controls
D. Corrective controls
E. None of the Above
Definition
B
Access controls that are not based on the policy are characterized as discretionary controls by the U.S. government and as need-to-know controls by other organizations. The latter term connotes least privilege - those who may read an item of data are precisely those whose tasks entail the need.

Mandatory controls are based on policy. Secret controls and corrective controls are not related to access control.
Term
Which of the following is an effective measure against a certain type of brute force password attack?
A. Password history is used.
B. Password reuse is not allowed.
C. Any password used must not be a word found in a dictionary.
D. All of the Above
E. None of the Above
Definition
C
A brute force password attack involves trying many possible password values, to see if any result in access to an account. In order to help prevent dictionary-based attacks, in which the list of password values to try comes from a dictionary, it is useful to have a policy that any password used must not be a word found in a dictionary.

"Password reuse is not allowed" (i.e., rotating passwords), is a good policy, but not the one most closely related to helping prevent brute force password attacks. Password history must be used to prevent users from reusing passwords. For example, on many systems with such a facility the last 12 passwords used will be kept in the history. But as with policies against password re-use, password history is not as relevant to preventing brute force password attacks as is the policy against dictionary words.
Term
Which of the following represents the best method for securing a web browser?
A. Do not upgrade, as new versions tend to have more security flaws.
B. Disable any unused features of the web browser.
C. Connect to the Internet using only a VPN (Virtual Private Network) connection.
D. Implement a filtering policy for illegal, unknown and undesirable sites.
Definition
B
Features that make web surfing more exciting, like ActiveX, Java, JavaScript, CGI scripts, and cookies, all pose security concerns. Disabling them (which is as easy as setting your browser security level to High) is the best method of securing a web browser, since it's simple, secure, and within every user's reach.
Term
Which of the following is a drawback of Network-based IDSs?
A. It is very costly to set up.
B. It is not effective.
C. It cannot analyze encrypted information.
D. It is very costly to manage.
E. All of the Above
Definition
C
Network-based IDSs cannot analyze encrypted information. This problem is increasing as more organizations (and attackers) use virtual private networks. Most network-based IDSs cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a network-based IDS detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.
Term
Which of the following is NOT a valid access control mechanism?
A. DAC (Discretionary Access Control) list.
B. SAC (Subjective Access Control) list.
C. MAC (Mandatory Access Control) list.
D. RBAC (Role Based Access Control) list.
Definition
B
There is no such thing as a SAC (Subjective Access Control) list.
Term
Which of the following will you consider as clear-text protocols? (Choose all that apply)
A. Telnet
B. POP
C. FTP
D. SSH
E. All of the Above
Definition
A,B,C
There are many clear-text protocols still in use today. Telnet is still alive and well. FTP and POP email both use clear-text protocols. Creating a server to emulate any of these services is trivial. Combining that and some DNS spoofing can cause "normal" traffic to come to your fake servers where the usernames and passwords can be obtained.
Term
In a RADIUS architecture, which of the following acts as a client?
A. A Network Access Server
B. The end user
C. The authentication server
D. All of the Above
E. None of the Above
Definition
A
A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to a designated RADIUS server, and then acting on the response that is returned. RADIUS uses a centralized database, simplifying password management. The end user's computer does not make the RADIUS request. The NAS makes the request after receiving the network connection request from the end user.
Term
You deploy a biometric authentication system in the Certkiller.com environment. Identify the tool that is reliable with the lowest crossover error rate?
A. You should identify the fingerprint scanner
B. You should identify the hand scanner.
C. You should identify the facial scanner.
D. You should identify the retina scanner.
Definition
D
Term
Which of the following intrusion detection technologies work by monitoring the file structure of a system to determine whether any system files were deleted or modified by an attacker ?
A. Log file monitor (LFM)
B. System integrity verifier (SIV)
C. Host-based IDS
D. Network IDS
Definition
B
Term
How many ports in TCP/IP (Transmission Control Protocol/Internet Protocol) are vulnerable to being scanned, exploited, or attacked?
A. 1,024
B. 32
C. 16,777,216
D. 65,535
Definition
D
Term
Which of the following services should be logged for security purposes?
A. bootp
B. tftp
C. sunrpc
D. All of the Above
E. No Answer is Correct
Definition
D
Requests for the following services should be logged on all systems: systat, bootp, tftp, sunrpc, snmp, snmp-trap, nfs. This list is rather UNIX-centric; nevertheless, it's possible for many of those services to be running on Windows as well (if you're running them, log them!).
Term
What type of attacks occurs when a rogue application has been planted on an unsuspecting user's workstation?
A. Social Engineering attacks
B. Logical attacks
C. Physical attacks
D. Trojan Horse attacks
E. None of the Above
Definition
D
Trojan Horse attacks - This attack involves a rogue, Trojan horse application that has been planted on an unsuspecting user's workstation. The Trojan horse waits until the user submits a valid PIN from a trusted application, thus enabling usage of the private key, and then asks the smartcard to digitally sign some rogue data. The operation completes but the user never knows that their private key was just used against their will.

Physical attacks involve physical access to hardware such as a network cable or keyboard. Social engineering attacks are based on taking advantage of human interaction rather than technology itself. (Frequently, social engineering attacks don't even require access to a computer.) There is no such thing as a "logical" attack, although many attacks do involve the use of logic to figure out how an application works and where its security vulnerabilities may be.
Term
Which of the following best describes an access control mechanism in which access control decisions are based on the responsibilities that an individual user or process has in an organization?
A. RBAC (Role Based Access Control)
B. DAC (Discretionary Access Control)
C. MAC (Mandatory Access Control)
D. All of the Above
E. None of the above.
Definition
A
The RBAC model allows a user to act in a certain predetermined manner based on the role the user holds in the organization. Users can be assigned certain roles system wide.
Term
A centralized database of remote users for a multi-site network typically uses
A. RADIUS
B. PAP
C. MS-CHAP
D. CHAP
Definition
A
RADIUS (Remote Authentication Dial-In User Service) lowers administration costs and increases security by having a centralized database for authenticating remote users. PAP is the simplest of authentication protocols, which uses clear text.
Term
Which of the following is NOT a good password deployment guideline?
A. Passwords must be changed at least once every 60 days, depending on your environment.
B. Passwords must not be the same as user id or login id.
C. Password aging must be enforced on all systems.
D. Password must be easy to memorize.
E. All of the Above
Definition
D
Passwords should not be the same as the user ID, because that is one of the common passwords that common "password cracker" programs try when attempting to discover passwords for accounts. Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed, then the account must be disabled until reset by an administrator or the help desk. Password reuse is not allowed (rotating passwords).
Term
Which of the following must be deployed for Kerberos to function correctly?
A. Dynamic IP (Internet Protocol) routing protocols for routers and servers.
B. Separate network segments for the realms
C. Token authentication devices.
D. Time synchronization services for clients and servers.
Definition
D
Time synchronization is crucial because Kerberos uses server and workstation time as part of the authentication process.
Term
A passive response is the most common type of response to a number of intrusions. Which of the following is not a passive response strategy?
A. Shunning
B. Deception
C. Notification
D. Logging
E. All of the Above
Definition
B
Term
Which of the following access control methods relies on user security clearance and data classification?
A. RBAC (Role Based Access Control).
B. NDAC (Non-Discretionary Access Control).
C. MAC (Mandatory Access Control).
D. DAC (Discretionary Access Control).
Definition
C
Term
Which of the following are the main components of a Kerberos server?
A. Authentication server, security database and privilege server.
B. SAM (Sequential Access Method), security database and authentication server.
C. Application database, security database and system manager.
D. Authentication server, security database and system manager.
Definition
A
Term
What technology involves the use of electronic wallet?
A. TLS
B. SSH
C. SHTTP
D. SET
E. All of the Above
Definition
D
SET (Secure Electronic Transaction) is a system for ensuring the security of financial transactions on the Internet. It was supported initially by MasterCard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (digital certificate) and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's Secure Sockets Layer (SSL), Microsoft's Secure Transaction Technology (STT), and Terisa Systems' Secure Hypertext Transfer Protocol (S-HTTP). SET uses some but not all aspects of a public key infrastructure (PKI).

TLS, SSL and SHTTP could all be used for this, but SET is specific to the financial services industry.
Term
Why would reusing a ticket as a replay attack in Kerberos not be successful?
A. The tickets are digitally signed.
B. The tickets are used as a token.
C. The tickets are encrypted.
D. The tickets are time stamped.
Definition
D
Term
A smartcard represents:
A. Something you are
B. Something you know
C. Something you have
D. All of the Above
E. None of the Above
Definition
C
Authentication is accomplished through something you know, something you have and/or something you are. One form of authentication requires possession of something ("something you have") such as a key, a smart card, a disk, or some other device. Whatever form it takes, the authenticating item should be difficult to duplicate and may require synchronization with systems other than the one to which you are requesting access. Highly secure environments may require you to satisfy multiple authentication criteria to guarantee authenticity.

Something you know, would be a piece of data known only to you, such as a password. Something you are, would be a physical characteristic of you, like your fingerprint.
Term
With Discretionary access controls, who determines who has access and what privilege they have?
A. Only the administrators
B. Resource owners
C. End users
D. All of the Above
E. None of the Above
Definition
B
Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects' rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended. Under this type of control, the owner determines who has access and what privilege they have.

If the end users of resources had control of who had access and what privileges they have, they would be able to access any resource, because they'd have the ability to change access controls at will. If only the administrators controlled access to resources, it would be a major job duty (as well as a bureaucratic bottleneck for users) that would take time away from other administrative activities.
Term
In a Mandatory Access Control (MAC) environment, access decisions are based on which of the following?
A. Sensitivity labels are based on a Mandatory Access Control (MAC) environment.
B. Access control lists are based on a Mandatory Access Control (MAC) environment.
C. Group membership is based on a Mandatory Access Control (MAC) environment.
D. Ownership is based on a Mandatory Access Control (MAC) environment.
Definition
A
Term
To allow your Windows clients to connect to your Windows NT Server using the public network as a medium, what technology might you find useful? (Choose all that apply)
A. PPTP
B. L2TP
C. OSPF
D. IPSEC
E. All of the Above
Definition
A,D
A protocol or set of communication rules called Point-to-Point Tunneling Protocol (PPTP) has been proposed that would make it possible to create a virtual private network (VPN) through "tunnels" over the Internet. This would mean that companies would no longer need their own leased lines for wide-area communication but could securely use the public networks. IPSec is more resource intensive, and provides higher security. IPSec is available in Windows 2000 and XP/.Net Operating Systems.

L2TP is a successor to PPTP. Its development was done by an industry coalition, and it includes the best features of PPTP and L2F. OSPF is a routing protocol.
Term
All logs are kept in an archive for a period of time. What determines this period of time?
A. Retention policies
B. Administrator preferences
C. MTTF
D. MTTR
E. All of the Above
Definition
A
All logs collected are used in the active and passive monitoring process. All logs are kept in an archive for a period of time, called a retention period. This period of time will be determined by your company policies. This allows the use of logs for regular audits, and for annual audits if retention is longer than a year. Logs must be secured to prevent modification, deletion, and destruction.

Administrator preference is often used to determine certain things like how long logs are retained ... but since these decisions can affect the ability of the company to go back and research potential security issues, it is a corporate issue that should be governed by a deliberate policy statement.

MTTF and MTTR are not relevant to setting the time for which logs will be retained. MTTF (Mean Time To Failure, sometimes called MTBF, Mean Time Before Failure) is related to the average amount of time a piece of equipment will be in service before it fails. MTTR (Mean Time To Repair) is a measure of how long it will take to repair the equipment when it fails.
Term
With Java, what can be embedded in a web browser, allowing programs to be executed as they are downloaded from the World Wide Web?
A. JVM
B. Bytecode
C. Interpreter
D. Just-in-time compiler
E. All of the Above
Definition
B
Java is a modern, object-oriented language that has a syntax similar to C++. It also has dynamic binding, garbage collection, and a simple inheritance model. Java is a general-purpose computer language and is not limited to writing web applications. References to Java bytecode can be embedded in a web browser, allowing programs to be executed as they are downloaded from the World Wide Web. The JVM on the user's machine can execute the Java bytecode using an interpreter, or use a just-in-time compiler to convert the bytecode into native machine code.
Term
With RBAC, roles are:
A. Based on labels
B. Based on flows
C. Hierarchical
D. All of the Above
E. All equal
Definition
C
With RBAC (role-based access control), security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Roles can be hierarchical.

Roles are not all equal. The point of RBAC is that different roles can be assigned different security privileges. Labels (such as secret, top secret, etc.) are more usually associated with MAC (Mandatory Access Control). RBAC roles are not typically determined by information flows.
Term
What is a protocol used for carrying authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server?
A. RADIUS
B. PPTP
C. L2TP
D. IPSec
E. None of the Above
Definition
A
RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links, and a shared Authentication Server. RADIUS uses a centralized database for simplified management. RADIUS is a standard published in RFC 2138.

The other protocols listed are network communication protocols, not authentication protocols responsible for carrying traffic between a NAS and an Authentication Server.
Term
Least privilege is defined as giving access to information:
A. based on sense of urgency from management
B. based on tenure at the company
C. needed to complete the task
D. that may be revealed to the public
E. All of the Above
Definition
C
Term
ActiveX controls can be digitally signed using a technology called:
A. Java Applet
B. CGI
C. Sandbox
D. Authenticode
E. All of the Above
Definition
D
The ActiveX code is bundled into a single file called an ActiveX control. ActiveX controls can be digitally signed using Microsoft's Authenticode technology. Internet Explorer can be configured to disregard any ActiveX control that isn't signed, to run only ActiveX controls that have been signed by specific publishers, or to accept ActiveX controls signed by any registered software publisher. ActiveX controls do not run in a sandbox. The burden is on the user to determine which ActiveX controls s/he feels are "safe" to run.

Applets and CGI are alternate types of content, and a sandbox refers to a protected area of the system in which web content runs.
Term
Which of the following terms represents a MAC (Mandatory Access Control) model?
A. Lattice
B. Bell-LaPadula
C. Biba
D. Clark and Wilson
Definition
A
The word lattice is used to describe the upper and lower bounds of a user's access permissions.
Term
Determine the authentication mechanisms that use key fob based identification systems? (Choose TWO)
A. Kerberos uses key fob based identification systems.
B. Token uses key fob based identification systems.
C. Biometrics uses key fob based identification systems.
D. Username/password uses key fob based identification systems.
E. Certificates use key fob based identification systems.
Definition
B,D
Term
You work as the security administrator at Certkiller.com. You want to ensure that only encrypted passwords are used during authentication. Which authentication protocol should you use?
A. PPTP (Point-to-Point Tunneling Protocol)
B. SMTP (Simple Mail Transfer Protocol)
C. Kerberos
D. CHAP (Challenge Handshake Authentication Protocol)
Definition
D
CHAP is commonly used to encrypt passwords. It provides for on-demand authentication within an ongoing data transmission, that is repeated at random intervals during a session. The challenge response uses a hashing function derived from the Message Digest 5 (MD5) algorithm.
Term
Why are clocks used in a Kerberos authentication system?
A. To ensure proper connections.
B. To ensure tickets expire correctly.
C. To generate the seed value for the encryption keys.
D. To benchmark and set the optimal encryption algorithm.
Definition
B
The actual verification of a client's identity is done by validating an authenticator. The authenticator contains the client's identity and a timestamp. To ensure that the authenticator is up-to-date and is not an old one that has been captured by an attacker, the timestamp in the authenticator is checked against the current time. If the timestamp is not close enough to the current time (typically within five minutes) then the authenticator is rejected as invalid. Thus, Kerberos requires your system clocks to be loosely synchronized (the default is 5 minutes, but it can be adjusted in Version 5 to be whatever you want).

Reference: http://www.faqs.org/faqs/kerberos-faq/general/section-22.html
Term
Which of the following provides the best protection against an intercepted password?
A. VPN (Virtual Private Network).
B. PPTP (Point-to-Point Tunneling Protocol).
C. One time password.
D. Complex password requirement.
Definition
C
A one time password is simply a password that has to be changed every time you log on; effectively making any intercepted password good for only the brief interval of time before the legitimate user happens to login themselves. So by chance, if someone were to intercept a password it would probably already be expired, or be on the verge of expiration within a matter of hours.
Term
Identify the authentication system where a unique username and password is used to access multiple systems within a company?
A. Challenge Handshake Authentication Protocol (CHAP) is used to access multiple systems within a company.
B. Single Sign-on is used to access multiple systems within a company.
C. Kerberos is used to access multiple systems within a company.
D. Mandatory Access Control (MAC) is used to access multiple systems within a company.
Definition
B
Term
A company creates its own application that accesses the company databases and requires a unique login, based on the user’s domain account. The developer has an undocumented login for testing that does not need to be authenticated against the domain. Which of the following is a security issue regarding this scenario?
A. The login should be the same as the domain account for authentication purposes
B. The application should not be deployed if it is not fully tested
C. It is not considered best practice to have a user remember multiple logins
D. It can be used as a backdoor into the company’s databases
Definition
D
Term
An administrator wishes to enable network auditing policies. Which of the following should the security administrator log?
A. Both logon successes and logon failures
B. Only logon failures for non-existent users
C. Only logon success
D. Only logon failures
Definition
A
Term
Which of the following password generators is based on challenge-response mechanisms?
A. asynchronous
B. synchronous
C. cryptographic keys
D. smart cards
Definition
A
An asynchronous password generator has an authentication server that generates a challenge (a large number or string) which is encrypted with the private key of the token device; the server has that token device's public key so it can verify the authenticity of the request (which is independent of the time factor). That challenge can also include a hash of the transmitted data, so not only can the authentication be assured, but also the data integrity.
Term
You work as the security administrator at Certkiller.com. Certkiller has a RBAC (Role Based Access Control) compliant system for which you are planning the security implementation. There are three types of resources including files, printers, and mailboxes and four distinct departments with distinct functions including Sales, Marketing, Management, and Production in the system. Each department needs access to different resources. Each user has a workstation. Which roles should you create to support the RBAC (Role Based Access Control) model?
A. file, printer, and mailbox roles
B. sales, marketing, management, and production roles
C. user and workstation roles
D. allow access and deny access roles
Definition
B
Each distinct department (sales, marketing, management, and production) has its own role in the company, which probably includes using the file server, print server, and mail server. So it would be wise to create roles for each department.
Term
Which servers should be located on a private network?
A. You should place a File and print server on the private network.
B. You should place a Remote Access Server (RAS) on the private network.
C. You should place an E-mail server on the private network.
D. You should place a Web server on the private network.
Definition
A
Term
Microsoft supports the _______________ and ______ standards for use in extranets.
A. CORBA
B. IPSec
C. PPTP
D. DCOM
Definition
B,C
Netscape, Oracle, and Sun Microsystems have announced an alliance to ensure that their extranet products can work together by standardizing on JavaScript and the Common Object Request Broker Architecture (CORBA). Microsoft supports the Point-to-Point Tunneling Protocol (PPTP) and IPSec.

CORBA and DCOM are programming technologies.
Term
Identify the different types of certificate-based authentication? (Choose TWO)
A. Many-to-one mapping is a type of certificate-based authentication
B. One-to-one mapping is a type of certificate-based authentication.
C. One-to-many mapping is a type of certificate-based authentication.
D. Many-to-many mapping is a type of certificate-based authentication.
Definition
A,B
Term
The Certkiller.com network consists of various departments that make use of an access control model. The finance department only requires access to the personal data of staff and the marketing department only needs access to the production data. Which access control model is MOST suitable?
A. The Discretionary Access Control (DAC) access control model would be most suitable.
B. The Rule Based Access Control (RBAC) access control model would be most suitable.
C. The Role Based Access Control (RBAC) access control model would be most suitable.
D. The Mandatory Access Control (MAC) access control model would be most suitable.
Definition
C
Term
In the Lattice Based Access Control model, controls are applied to:
A. Objects
B. Scripts
C. Factors
D. Models
E. Both A and B
Definition
A

Information flow is clearly central to confidentiality but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information; an object can be a directory or file.

Controls are part of the Lattice Based Access Control (Mandatory Access Control) model, not applied to the model. Factors and scripts are not involved in the model.
Term
A firewall can be classified as a:
A. Rule based access control
B. Lattice based access control
C. Directory based access control
D. ID based access control
E. All of the Above
Definition
A
Rule based access control is based on a specific profile for each user. Information can be easily changed for only one user but this scheme may become a burden in a very large environment. A rule-based access control unit will intercept every request to the server and compare the source specific access conditions with the rights of the user in order to make an access decision. A good example could be a firewall. Here a set of rules defined by the network administrator is recorded in a file. Every time a connection is attempted (incoming or outgoing), the firewall software checks the rules file to see if the connection is allowed. If it is not, the firewall closes the connection.

Lattice-based access control is associated with Mandatory Access Control (MAC). Directory based and ID based access controls are not relevant.
Term
The majority of commercial intrusion detection systems are:
A. Host-based
B. Identity-based
C. Signature-based
D. Network-based
Definition
D
The majority of commercial intrusion detection systems are network-based. These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts.

Historically, IDS started out as host-based, which is the other major type of IDS. Identity-based and signature-based are not types of IDS.
Term
When using network monitoring systems to monitor workstations, which of the following elements should be reviewed because their information could indicate a possible attack?
A. Audit log and system log
B. Hard disk space
C. Network counters and access denied errors
D. Network counters
Definition
C
Term
With _______________, access decisions are based on the roles that individual users have as part of an organization.
A. Server based access control
B. Rule based access control
C. Token based access control
D. Role based access control
E. All of the Above
Definition
D
With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

Most access control systems are rule-based -- that is, they use a preset list of rules when deciding whether or not a user should have access to a resource; this is not specific to access control systems based on user role. Most networks use server-based access control to control access to network resources, however, local resources are typically under the control of the local machine. Neither is particularly unique to role-based access control. Some networks may use token-based access control, but that is not a requirement for role-based access control, either.
Term
You are the network administrator at Certkiller.com. During a routine site audit of Certkiller's wireless network, you discover an unauthorized Access Point under the desk of a Sales department user. When questioned, she denies any knowledge of it, but informs you that her new boyfriend has been to visit her several times, including taking her to lunch one time. What type of attack have you become a victim of?
A. SYN Flood.
B. Distributed Denial of Service.
C. Man in the Middle attack.
D. TCP Flood.
E. None of the Above
Definition
E
Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or by a visit. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87
Term
What is the most common method of social engineering?
A. looking through users' trash for information
B. calling users and asking for information
C. e-mailing users and asking for information
D. e-mail
Definition
B
Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or by a visit.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87
Term
In which of the following attacks does the attacker pretend to be a legitimate user?
A. Aliasing
B. Spoofing
C. Flooding
D. Redirecting
E. None of the Above
Definition
B
A spoofing attack is simply an attempt by someone or something to masquerade as someone else. This type of attack is usually considered an access attack.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56
Term
You are the network administrator at Certkiller.com. You discover that your domain name server is resolving the domain name to the wrong IP (Internet Protocol) address and thus misdirecting Internet traffic. You suspect a malicious attack. Which of the following would you suspect?
A. reverse DNS (Domain Name Service)
B. brute force attack
C. Spoofing
D. DoS (Denial of Service)
Definition
C
Spoofing is when you forge the source address of traffic, so it appears to come from somewhere else, preferably somewhere safe and trustworthy. Web spoofing is a process where someone creates a convincing copy of a legitimate website or a portion of the world wide web, so that when someone enters a site that they think is safe, they end up communicating directly with the hacker. To avoid this you should rely on certificates, IPSEC, and set up a filter to block internet traffic with an internal network address.
Term
It has come to your attention that numerous e-mails are being received from an ex-employee. How can you determine whether the e-mails originated internally?
A. This can be accomplished by viewing the from line of the e-mails.
B. This can be accomplished by reviewing anti-virus logs on the ex-employee's computer.
C. This can be accomplished by replying to the e-mail and checking the destination e-mail address.
D. This can be accomplished by looking at the source IP address in the SMTP header of the e-mails.
Definition
D
Term
What is used to verify the equipment status and modify the configuration or settings of network devices?
A. This can be accomplished by using SNMP.
B. This can be accomplished by using SMTP.
C. This can be accomplished by using CHAP.
D. This can be accomplished by using DHCP.
Definition
A
Term
Identify the techniques apart from bribery and forgery that attackers use to socially engineer people? (Choose TWO)
A. Flattery is a most common method.
B. Dumpster diving is a most common method.
C. Phreaking is a most common method.
D. Assuming a position of authority is a most common method.
E. Whois search is a most common method.
Definition
A,D
Term
What type of virus can hide itself by intercepting disk access requests?
A. Multipartite
B. Stealth
C. Interceptor
D. Polymorphic
Definition
B
A stealth virus will attempt to avoid detection by masking itself from applications. It may attach itself to the boot sector of the hard drive. When a system utility or program runs, the stealth virus redirects commands around itself in order to avoid detection. An infected file may report a file size different from what is actually present in order to avoid detection.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 80
Term
Which of the following best describes TCP/IP (Transmission Control Protocol/Internet Protocol) session hijacking?
A. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets.
B. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered allowing third party hosts to create new IP (Internet Protocol) addresses.
C. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third party hosts to insert packets acting as the server.
D. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third party hosts to insert packets acting as the client.
Definition
A
A detailed site on how a TCP/IP session can be hijacked can be found at: http://staff.washington.edu/dittrich/talks/qsm-sec/script.html
Term
What is an attack whereby two different messages using the same hash function produce a common message digest known as?
A. man in the middle attack.
B. ciphertext only attack.
C. birthday attack.
D. brute force attack.
Definition
C
A birthday attack is based on the principle that among 23 people, the probability of 2 of them having the same birthday is greater than 50%. By that rationale, if an attacker examines the hashes of an entire organization's passwords, they'll come up with some common denominators.
Term
Which of the following attacks can be mitigated by implementing the following ingress/egress traffic filtering?
* Any packet coming into the network must not have a source address of the internal network.
* Any packet coming into the network must have a destination address from the internal network.
* Any packet leaving the network must have a source address from the internal network.
* Any packet leaving the network must not have a destination address from the internal networks.
* Any packet coming into the network or leaving the network must not have a source or destination address of a private address or an address listed in RFC 1918 reserved space.
A. SYN (Synchronize) flooding
B. spoofing
C. DoS (Denial of Service) attacks
D. dictionary attacks
E. None of the Above
Definition
B
By having strict addressing filters, an administrator prevents a spoofed address from gaining access.
Term
The system administrator of the company has resigned. When the administrator's user ID is deleted, the system suddenly begins deleting files. What type of malicious code is this?
A. Logic bomb
B. Virus
C. Virus
D. Worm
Definition
A
Term
Which type of attack is based on the probability of two different messages using the same hash function producing a common message digest?
A. Differential cryptanalysis
B. Differential linear cryptanalysis
C. Birthday attack
D. Statistical attack
Definition
C
A good hashing algorithm should not produce the same hash value for two different messages. If the algorithm does produce the same value for two distinctly different messages, it is referred to as a collision. If an attacker finds an instance of a collision, he has more information to use when trying to break the cryptographic methods used. A complex way of attacking a one-way hash function is called the birthday attack. If an attacker has one hash value and wants to find a message that hashes to the same hash value, this process could take him years. However, if he just wants to find any two messages with the same hashing value, it could take him only a couple hours.
Term
Which of the following attacks uses ICMP (Internet Control Message Protocol) and improperly formatted MTUs (Maximum Transmission Unit) to crash a target computer?
A. Man in the middle attack
B. Smurf attack
C. Ping of death attack
D. TCP SYN (Transmission Control Protocol / Synchronized) attack
E. None of the Above
Definition
C
The Ping of Death attack involved sending IP packets of a size greater than 65,535 bytes to the target computer. IP packets of this size are illegal, but applications can be built that are capable of creating them. Carefully programmed operating systems could detect and safely handle illegal IP packets, but some failed to do this. Note: packets that are bigger than the MTU the underlying layer can handle are fragmented into smaller packets, which are then reassembled by the receiver. For Ethernet-style devices, the MTU is typically 1500.

Incorrect Answers
A: A man in the middle attack allows a third party to intercept and replace components of the data stream.
B: The "smurf" attack, named after its exploit program, is one of the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim.
D: In a TCP SYN attack a sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users.
Term
A server or application that accepts more input than the server or application is expecting is known as:
A. It is known as a Denial of service (DoS).
B. It is known as a Buffer overflow.
C. It is known as a Brute force.
D. It is known as a Syntax error.
Definition
B
Term
Why do social engineering attacks often succeed?
A. strong passwords are not required
B. lack of security awareness
C. multiple logins are allowed
D. audit logs are not monitored frequently
Definition
B
Social engineering attacks work by exploiting ordinary social habits: the rule of reciprocity, the wish to act consistently, and the availability heuristic. In the past, people have helped a co-worker with a legitimate problem and been thanked for it, so by consistency they feel the urge to help the next person who asks in the same way. By availability, a new request for help calls to mind every legitimate request they have seen, and the times they needed help themselves, so they act as a good Samaritan. An awareness program that teaches employees the common social engineering tactics makes them more likely to recognize those tactics and to treat an unusual request for a favor, a password or access with suspicion. With that knowledge, the employee makes a smarter decision.
Term
Which program replicates independently across networks?
A. Spyware will replicate independently.
B. Worm will replicate independently.
C. Trojan horse will replicate independently.
D. Virus will replicate independently.
Definition
B
Term
Which of the following type of attack CANNOT be deterred solely through technical means?
A. Dictionary.
B. Man in the middle.
C. DoS (Denial of Service).
D. Social engineering.
Definition
D
Social engineering targets people rather than systems: the attacker persuades a user to disclose information or grant access voluntarily, so firewalls, encryption and strong authentication are never challenged. Technical controls can limit the damage, but deterring the attack itself requires security awareness training, verification procedures and policies for handling unusual requests.
Term
Which of the following is the best defense against a man in the middle attack?
A. Virtual LAN (Local Area Network)
B. GRE (Generic Route Encapsulation) tunnel IPIP (Internet Protocol-within-Internet Protocol Encapsulation Protocol)
C. PKI (Public Key Infrastructure)
D. Enforcement of badge system
Definition
C
PKI is a two-key system. Messages are encrypted with a public key and decrypted with the matching private key. If you want to send an encrypted message to someone, you obtain their public key, encrypt the message with it and send it; they use their private key to decrypt it. A man in the middle attack depends on the attacker substituting his own public key for the recipient's during that exchange. In a PKI, public keys are distributed in certificates signed by a trusted certificate authority, so a substituted key fails validation and the attacker cannot read or alter the traffic.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 331
Term
What characteristic of TCP/IP (transmission Control Protocol/Internet Protocol) does TCP/IP (transmission Control Protocol/Internet Protocol) session hijacking exploit?
A. The fact that TCP/IP (transmission Control Protocol/Internet Protocol) has no authentication mechanism, thus allowing a clear text password of 16 bytes
B. The fact that TCP/IP (transmission Control Protocol/Internet Protocol) allows a packet to be spoofed and inserted into a stream, thereby enabling commands to be executed on the remote host
C. The fact that TCP/IP (transmission Control Protocol/Internet Protocol) has no authentication mechanism, and therefore allows connectionless packets from anyone
D. The fact that TCP/IP (transmission Control Protocol/Internet Protocol) allows packets to be tunneled to an alternate network
Definition
B
TCP/IP carries no authentication of individual packets: a host accepts any segment whose addresses, ports and sequence numbers fit an established connection. An attacker who can observe or predict those values can spoof packets into the stream and have the remote host execute commands as if they came from the legitimate client.
Term
Which of the following is an example of the theft of network passwords without the use of software tools?
A. Trojan programs.
B. Social engineering.
C. Sniffing.
D. Hacking.
Definition
B
Social engineering is any means of using people to obtain information. Its practitioners break in without detection, disguise themselves as insiders, trick others into granting them access, or trick others into giving up information such as passwords.
Term
Which of the following is most common method of accomplishing DDoS (Distributed Denial of Service) attacks?
A. Internal host computers simultaneously failing.
B. Overwhelming and shutting down multiple services on a server.
C. Multiple servers or routers monopolizing and over whelming the bandwidth of a particular server or router.
D. An individual e-mail address list being used to distribute a virus.
Definition
C
A distributed denial of service attack comes from many hosts at once. The attacker first compromises numerous computers, on the Internet or inside a network, and installs zombie (bot) software on them, then directs them all to flood the target server or router with more traffic than its bandwidth can carry. A and B are incorrect because the attack does not rely on hosts failing or on services being shut down one by one; the target is simply overwhelmed by traffic volume. D describes virus distribution, not denial of service.
Term
How can you monitor the online activities of a user?
A. Viruses will permit monitoring of online activities.
B. Spy ware will permit monitoring of online activities.
C. Logic bomb will permit monitoring of online activities.
D. Worms will permit monitoring of online activities.
Definition
B
Term
What can be used for credit card information theft? (Choose TWO)
A. A worm will permit credit card theft.
B. SPIM will permit credit card theft.
C. Adware will permit credit card theft.
D. Phishing will permit credit card theft.
E. A virus will permit credit card theft.
Definition
C,D
Term
Which of the following is a DoS (Denial of Service) attack that exploits TCP's (Transmission Control Protocol) three-way handshake for new connections?
A. SYN (Synchronize) flood.
B. ping of death attack.
C. land attack.
D. buffer overflow attack.
E. None of the Above
Definition
A
The SYN flood attack works when a source system floods an end system with TCP SYN requests and intentionally never completes the handshake with the final ACK; the source addresses are often spoofed, so the SYN-ACK replies go nowhere. The receiving computer is left with half-open TCP sessions, each holding a slot in the listen backlog until it times out. Once the backlog is full, new connection requests are dropped, so valid users cannot connect and their service is denied.
Term
Identify the port that permits a user to login remotely on a computer?
A. Port 3389
B. Port 8080
C. Port 143
D. Port 23
Definition
A
Term
What should the minimum length of a password be to deter dictionary password cracks?
A. 6 characters
B. 8 characters
C. 10 characters
D. 12 characters
E. 16 characters
Definition
B
Term
What should a network administrator's first course of action be on receiving an e-mail alerting him to the presence of a virus on the system if a specific executable file exists?
A. Investigate the e-mail as a possible hoax with a reputable anti-virus vendor.
B. Immediately search for and delete the file if discovered.
C. Broadcast a message to the entire organization to alert users to the presence of a virus.
D. Locate and download a patch to repair the file.
Definition
A
If a virus threat is real, the major anti-virus vendors such as Symantec, McAfee or Sophos will know about it before you do and will have details on their sites; if it is a hoax, they will say so. Incorrect answers: Searching for and deleting the named file is risky as well as slow. Virus hoaxes commonly tell the recipient to delete a legitimate system file, the file could be hidden or present under several names, and the wrong file may be deleted. Broadcasting an alert before it is verified spreads the hoax further and creates panic, which is sometimes the whole purpose of the message. Locating and downloading a "patch" named in an unsolicited e-mail is dangerous because the patch itself may be the malware.
Term
Identify the type of attack that CGI scripts are vulnerable to?
A. It is vulnerable to Buffer overflows.
B. It is vulnerable to Cross site scripting.
C. It is vulnerable to DNS spoofing.
D. It is vulnerable to SQL injection.
Definition
B
Term
What is a program that can infect other programs by modifying them to include a version of it called?
A. Replicator
B. Virus
C. Trojan horse
D. Logic bomb
Definition
B
A virus can do many things, and inserting a copy of itself into another program is one of them. A virus is a program intended to damage a computer system. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 533
Term
Why is certificate expiration important?
A. Renewing the log files will keep it from getting too large.
B. If given sufficient time, brute force techniques will probably break the key.
C. It will use more processing power when the encryption key is used long.
D. It prevents the server from using the identical key for two sessions.
Definition
B
Term
Identify the ports utilized by e-mail users? (Choose TWO)
A. You should identify port 143
B. You should identify port 3389
C. You should identify port 110
D. You should identify port 334
E. You should identify port 23
Definition
A,C
Term
Which of the following can distribute itself without using a host file?
A. Virus.
B. Trojan horse.
C. Logic bomb.
D. Worm.
Definition
D
Worms are dangerous because they can enter a system by exploiting a hole in an operating system or network service. They don't need a host file, and they don't need any user intervention to replicate. Some infamous worms were Morris, Badtrans, Nimda and Code Red.
Term
Identify the malicious code that enters the system via a freely distributed game that is purposely installed and played?
A. It can enter a system by means of a logic bomb.
B. It can enter a system by means of a Trojan horse.
C. It can enter a system by means of a worm.
D. It can enter a system by means of an e-mail attachment.
Definition
B
Term
You receive an e-mail to reset the online banking username and password. When you attempt to access the link the URL appearing in the browser does not match the link. What is this known as?
A. This situation is known as redirecting.
B. This situation is known as spoofing.
C. This situation is known as hijacking.
D. This situation is known as phishing.
Definition
D
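The tell-tale sign in this card, a link whose visible text names the bank while its target points somewhere else, can be checked mechanically. The Python below is an added example, not part of the original card set: it parses the anchors out of a constructed sample message (the bank name, URLs and IP address are made up for the example), compares the host shown in the link text with the host in the href, and also flags targets that are bare IP addresses.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def link_warnings(href, text):
    """Reasons to distrust one link; an empty list means nothing suspicious."""
    reasons = []
    href_host = host_of(href)
    shown = URL_RE.search(text)
    if shown and host_of(shown.group(0)) != href_host:
        reasons.append("visible URL host differs from href host")
    try:
        ipaddress.ip_address(href_host)
        reasons.append("href host is a bare IP address")
    except ValueError:
        pass
    return reasons

def find_suspicious_links(html):
    """Return every anchor in the message that earns at least one warning."""
    collector = _LinkCollector()
    collector.feed(html)
    return [{"text": text, "href": href, "reasons": r}
            for href, text in collector.links
            if (r := link_warnings(href, text))]

# Constructed sample message (fictional bank, documentation IP range). The
# first link shows the bank's URL as its text but points at an IP address.
SAMPLE_EMAIL_HTML = """
<p>Your online banking password must be reset. Please
<a href="http://203.0.113.5/login">visit https://www.examplebank.com/reset</a> within 24 hours.</p>
<p>Help: <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
"""

if __name__ == "__main__":
    for hit in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(hit["href"], "<-", hit["text"], "|", "; ".join(hit["reasons"]))
```

The comparison is on the registered host only, which is exactly what the browser's status bar would have shown the user in the card: the path and the wording of the text are irrelevant once the host differs. A mail gateway can apply the same rule before the message ever reaches a mailbox.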
Term
Which of the following is the best defense against man in the middle attacks?
A. A firewall
B. Strong encryption
C. Strong passwords
D. Strong authentication
Definition
B
Term
Identify the attack that targets a web server when numerous computers send a large number of FIN packets at the same time with spoofed source IP addresses.
A. This attack is known as SYN flood.
B. This attack is known as DDoS
C. This attack is known as Brute force.
D. This attack is known as XMAS tree scan.
Definition
B
Term
As the security administrator you monitor IDS traces and observe the following data:

Date Time Source IP Destination IP Port Type
10/21 0845 192.168.155.28 10.1.20.1 20 SYN
10/21 0850 192.168.155.28 10.1.20.1 21 SYN
10/21 0900 192.168.155.28 10.1.20.1 23 SYN
10/21 0910 192.168.155.28 10.1.20.1 25 SYN

What is occurring?
A. Expected TCP/IP traffic.
B. Port scanning.
C. A SYN flood.
D. A Denial of Service (DoS).
Definition
B
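Both the SYN flood described earlier and the scan in this trace leave the same raw evidence, SYNs with no follow-up from the same client, and differ only in how those half-open attempts cluster. The Python below is an added example, not part of the original card set: it parses lines in the trace format shown above (the four scan lines are the card's own; the legitimate connection and the 200 spoofed-source SYNs are constructed additions), derives the half-open set, and applies one rule for each pattern. The thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample IDS trace. The first four data lines are the trace from
# the card above; the rest is added: one legitimate connection to port 80
# (SYN then ACK from the same client) and 200 SYNs to port 80 from 200
# different (spoofed) sources that are never completed.
SAMPLE_TRACE = "\n".join(
    ["Date Time Source IP Destination IP Port Type",
     "10/21 0845 192.168.155.28 10.1.20.1 20 SYN",
     "10/21 0850 192.168.155.28 10.1.20.1 21 SYN",
     "10/21 0900 192.168.155.28 10.1.20.1 23 SYN",
     "10/21 0910 192.168.155.28 10.1.20.1 25 SYN",
     "10/21 0911 192.168.155.40 10.1.20.1 80 SYN",
     "10/21 0911 192.168.155.40 10.1.20.1 80 ACK"]
    + [f"10/21 0912 198.51.100.{i} 10.1.20.1 80 SYN" for i in range(1, 201)]
)

def parse_trace(text):
    """Parse 'date time src dst port type' lines; skips the header and blanks."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue
        date, time, src, dst, port, typ = parts
        events.append((date, time, src, dst, int(port), typ))
    return events

def half_open(events):
    """(src, dst, port) triples that sent a SYN but never followed with an ACK."""
    syns, acks = set(), set()
    for _date, _time, src, dst, port, typ in events:
        key = (src, dst, port)
        if typ == "SYN":
            syns.add(key)
        elif typ == "ACK":
            acks.add(key)
    return syns - acks

def detect_port_scan(events, min_ports=3):
    """One source probing several ports on one host without completing
    any handshake: the pattern in the trace above."""
    ports = defaultdict(set)
    for src, dst, port in half_open(events):
        ports[(src, dst)].add(port)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}

def detect_syn_flood(events, threshold=100):
    """Many half-open connections piling up on one destination port,
    regardless of how many sources they claim to come from."""
    count = defaultdict(int)
    for _src, dst, port in half_open(events):
        count[(dst, port)] += 1
    return {k: n for k, n in count.items() if n >= threshold}

if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    print("port scans:", detect_port_scan(ev))
    print("syn floods:", detect_syn_flood(ev))
```

The scan rule keys on (source, destination) and counts ports; the flood rule keys on (destination, port) and counts sources. The trace in the card trips only the first rule: one source, four well-known ports (FTP data, FTP, Telnet, SMTP), minutes apart, nothing completed, which is reconnaissance rather than an attempt to exhaust the backlog.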
Term
Identify the malicious code that enters a system and stays inactive until a user opens a particular program, then starts deleting the contents of attached network drives and removable storage devices.
A. The malicious code is known as logic bomb.
B. The malicious code is known as Trojan horse.
C. The malicious code is known as honeypot.
D. The malicious code is known as worm.
Definition
A
Term
It has come to your attention that the telephone bill for the employees in your department is extremely high. You check the printout and discover that 4,500 text messages are sent daily to random numbers. What is the best option to stop this excessive text messaging?
A. This can be accomplished by installing personal firewalls on the mobile phones.
B. This can be accomplished by installing HIDS on the mobile phones.
C. This can be accomplished by installing logging software on the mobile phones.
D. This can be accomplished by installing antivirus software on the mobile phones.
Definition
D
Term
In which of the following would an attacker impersonate a dissatisfied customer of a company and requesting a password change on the customer's account?
A. Hostile code.
B. Social engineering.
C. IP (Internet Protocol) spoofing.
D. Man in the middle attack.
Definition
B
Social engineering uses deception to play on human emotions, such as sympathy for an angry customer or fear of a complaint, so that a person grants access or resets credentials without verifying who is asking.
Term
Which of the following is the major difference between a worm and a Trojan horse?
A. Worms are spread via e-mail while Trojan horses are not.
B. Worms are self replicating while Trojan horses are not.
C. Worms are a form of malicious code while Trojan horses are not.
D. There is no difference.
Definition
B
A worm is different from a virus. Worms reproduce themselves, are self-contained and do not need a host application to be transported. A Trojan horse program may be installed as part of an installation process; it does not reproduce or self-replicate.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, pp 83, 85
Term
What is the scenario named where a user receives an e-mail requesting personal data as well as bank account details?
A. This can be described as a hoax.
B. This can be described as packet sniffing.
C. This can be described as phishing.
D. This can be described as spam.
Definition
C
Term
Which of the following is a security breach that does not usually result in the theft of information or other security loss, but rather in the loss of legitimate use of that system?
A. CRL
B. DoS
C. ACL
D. MD2
E. None of the above
Definition
B
DoS attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to bring down an e-commerce website to prevent or deny usage by legitimate customers.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 53
Term
Loki, NetCaZ, Masters Paradise and NetBus are examples of what type of attack?
A. brute force
B. spoofing
C. man in the middle
D. back door
E. None of the Above
Definition
D
These are well-known back door tools: programs that give an attacker covert remote access to a compromised host. Loki tunnels commands inside ICMP echo traffic, while NetBus and Master's Paradise are Windows remote-control Trojans. Because they are distributed as packaged software, each is known by a product name.
Term
Malicious port scanning determines the _______.
A. computer name
B. fingerprint of the operating system
C. physical cabling topology of a network
D. user ID and passwords
E. All of the Above
Definition
B
Port scanning sends probes to a range of TCP and UDP ports and records which ones answer, mapping the services a host exposes. Several scanners go further and use details of those responses (TCP option ordering, initial window size, TTL, how unusual flag combinations are handled) to fingerprint the operating system. With knowledge of the operating system and its services, the attacker can look up known vulnerabilities and exploits for that particular system.
Term
A technician is rebuilding the infrastructure for an organization. The technician has been tasked with making sure that the virtualization technology is implemented securely. Which of the following is a concern when implementing virtualization technology?
A. The technician should verify that the virtual servers are dual homed so that traffic is securely separated.
B. The technician should verify that the virtual servers and the host have the latest service packs and patches applied.
C. The technician should subnet the network so each virtual server is on a different network segment.
D. The technician should perform penetration testing on all the virtual servers to monitor performance.
Definition
B
Term
A technician is reviewing the logical access control method an organization uses. One of the senior managers requests that the technician prevent staff members from logging on during nonworking days. Which of the following should the technician implement to meet managements request?
A. Enforce Kerberos
B. Deploy smart cards
C. Time of day restrictions
D. Access control lists
Definition
C
Term
How would a technician implement a security patch in an enterprise environment?
A. Download the patch from the vendor's secure website and install it on the most vulnerable workstation.
B. Download the patch from the vendor's secure website, test the patch and install it on all workstations.
C. Download the patch from the vendor's secure website and install it as needed.
D. Download the patch from the Internet, test the patch and install it on all of the production servers.
Definition
B
Term
Which of the following is considered the weakest encryption?
A. AES
B. DES
C. SHA
D. RSA
Definition
B
Term
Which of the following encryption schemes is the public key infrastructure based on?
A. Quantum
B. Elliptical curve
C. Asymmetric
D. Symmetric
Definition
C
Term
Which of the following BEST describes the term war driving?
A. Driving from point to point with a laptop and an antenna to find unsecured wireless access points.
B. Driving from point to point with a wireless scanner to read other users' emails through the access point.
C. Driving from point to point with a wireless network card and hacking into unsecured wireless access points.
D. Driving from point to point with a wireless scanner to use unsecured access points.
Definition
A
Term
Users on a network report that they are receiving unsolicited emails from an email address that does not change. Which of the following steps should be taken to stop this from occurring?
A. Configure a rule in each user's router and restart the router.
B. Configure rules on the users host and restart the host.
C. Install an anti-spam filter on the domain mail servers and filter the email address.
D. Install an ACL on the firewall to block traffic from the sender and filter the IP address.
Definition
C
Term
Which of the following is a true statement with regards to a NIDS?
A. A NIDS monitors and analyzes network traffic for possible intrusions
B. A NIDS is installed on the proxy server
C. A NIDS prevents certain types of traffic from entering a network.
D. A NIDS is normally installed on the email server.
Definition
A
Term
A technician suspects that a piece of malware is consuming too many CPU cycles and slowing down a system. Which of the following will help determine the amount of CPU cycles that are being consumed?
A. Install HIDS to determine the CPU usage
B. Run performance monitor to evaluate the CPU usage
C. Install malware scanning software
D. Use a protocol analyzer to find the cause of the traffic
Definition
B
Term
Which of the following are characteristics of a hash function? (Select TWO).
A. One-way
B. Encrypts a connection
C. Ensures data can be easily decrypted
D. Fixed length output
E. Requires a key
Definition
A,D
A hash function is one-way and produces a fixed-length output for input of any size. It does not use a key (a keyed construction such as HMAC adds one on top of the hash) and it does not encrypt anything, so there is nothing to decrypt.
Term
Which of the following is the MOST secure alternative for administrative access to a router?
A. SSH
B. Telnet
C. rlogin
D. HTTP
Definition
A
Term
Which of the following might an attacker resort to in order to recover discarded company documents?
A. Phishing
B. Insider theft
C. Dumpster diving
D. Shoulder surfing
Definition
C
Term
Which of the following creates a security buffer zone between two rooms?
A. Mantrap
B. DMZ
C. Turnstile
D. Anti-pass back
Definition
A
Term
Which of the following virtual machine components monitors and manages the various virtual instances?
A. VMOS
B. VCPU
C. Hypervisor
D. Virtual supervisor
Definition
C
Term
A smurf attack is an example of which of the following threats?
A. ARP Poisoning
B. DoS
C. TCP/IP Hijacking
D. Man-in-the-middle
Definition
B
Term
Which of the following is a security trait of a virtual machine?
A. Provides additional resources for testing
B. Provides real-time access to all system processes
C. Provides a read-only area for executing code
D. Provides a restricted environment for executing code
Definition
D
Term
An unauthorized user intercepted a users password and used this information to obtain the companys administrator password. The unauthorized user can use the administrators password to access sensitive information pertaining to client data. Which of the following is this an example of?
A. Session hijacking
B. Least privilege
C. Privilege escalation
D. Network address translation
Definition
C
Term
Users are utilizing thumb drives to connect to USB ports on company workstations. A technician is concerned that sensitive files can be copied to the USB drives. Which of the following mitigation techniques would address this concern? (Select TWO).
A. Disable the USB root hub within the OS.
B. Install anti-virus software on the USB drives
C. Disable USB within the workstations BIOS.
D. Apply the concept of least privilege to USB devices
E. Run spyware detection against all workstations
Definition
A,C
Term
An administrator has developed an OS install that will implement the tightest security controls possible. In order to quickly replicate these controls on all systems, which of the following should be established?
A. Take screen shots of the configuration options
B. Create an image from the OS install.
C. Create a boot disk for the operating system
D. Implement OS hardening procedures
Definition
B
Term
A user has decided that they do not want an internal LAN segment to use public IP addresses. The user wants to translate them as private IP addresses to a pool of public IP addresses to identify them on the Internet. Which of the following does the user want to implement?
A. IPSec
B. NAT
C. SSH
D. SFTP
Definition
B
Term
An administrator has been studying stateful packet inspection and wants to implement this security technique on the network. Which of the following devices could the administrator use to BEST utilize stateful packet inspection?
A. Hub
B. IDS
C. Switch
D. Firewall
Definition
D
Term
An administrator wants to ensure that no equipment is damaged when there is a fire or false alarm in the server room. Which of the following type of fire suppression systems should be used?
A. Carbon Dioxide
B. Hydrogen Peroxide
C. Wet pipe sprinkler
D. Deluge sprinkler
Definition
A
Term
An administrator wants to replace telnet with a more secure protocol to manage a network device.
Which of the following should be implemented on the network?
A. SMTP
B. SNMP
C. SFTP
D. SSH
Definition
D
Term
A user is attempting to receive digitally signed and encrypted email messages from a remote office. Which of the following protocols does the system need to support?
A. SMTP
B. S/MIME
C. ISAKMP
D. IPSec
Definition
B
Term
An administrator does not want anyone to VPN from inside the network to a remote office or network. Which of the following protocols should be blocked outbound on the network?
A. TPM
B. OVAL
C. SNMP
D. ISAKMP
Definition
D
Term
All of the following are symmetric key algorithms EXCEPT:
A. ECC
B. Rijndael.
C. 3DES.
D. RC4
Definition
A
Term
Which of the following is a way to encrypt session keys using SSL?
A. Session keys are sent unencrypted
B. Session keys are encrypted using an asymmetric algorithm.
C. Session keys are sent in clear text because they are private keys
D. Session keys are encrypted using a symmetric algorithm
Definition
B
Term
Which of the following can reduce the risk associated with password guessing attacks? (Select TWO).
A. Implement single sign-on.
B. Implement shared passwords.
C. Implement account-lockout thresholds.
D. Implement shadow passwords.
E. Implement stronger password complexity policies.
Definition
C, E
Term
Which of the following is a common practice in forensic investigation?
A. Performing a Gutman sanitization of the drive
B. Performing a binary copy of the systems storage media
C. Performing a file level copy of the systems storage media
D. Performing a sanitization of the drive
Definition
B
Term
Which of the following is done to ensure appropriate personnel have access to systems and networks? (Select TWO).
A. Conduct periodic penetration testing assessments.
B. Conduct periodic personnel employment verifications
C. Conduct rights review of users and groups
D. Conduct virus scan.
E. Conduct vulnerability assessments.
Definition
B,C
Term
Which of the following is the BEST process of removing PII data from a disk drive before reuse?
A. Destruction
B. Sanitization
C. Reformatting
D. Degaussing
Definition
B
Term
When assigning permissions, which of the following concepts should be applied to enable a person to perform their job task?
A. Rule based
B. Discretionary access control (DAC)
C. Least privilege
D. Role based
Definition
C
Term
While conducting a review of the system logs, a user had attempted to log onto the network over 250 times. Which of the following type of attacks is MOST likely occurring?
A. Brute force
B. Phishing
C. Spamming
D. DNS spoofing
Definition
A
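The two password-guessing cards above fit together: the 250 failed logons in this one are what an account-lockout threshold (answer C of the earlier card) is meant to cut short. The Python below is an added example, not part of the original card set: it replays a constructed authentication log (timestamps, user names and the 300-failure burst are made up for the example) first as a log review that counts failures per user, then under an assumed lockout policy, to show how many of the guesses the policy would have refused.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page). One line per logon attempt:
# ISO timestamp, user, FAIL or SUCCESS. "jsmith" is hammered with 300 wrong
# passwords in five minutes; "alee" mistypes twice, then logs in.
SAMPLE_AUTH_LOG = "\n".join(
    [f"2011-02-06T02:{m:02d}:{s:02d} jsmith FAIL" for m in range(5) for s in range(60)]
    + ["2011-02-06T02:10:00 alee FAIL",
       "2011-02-06T02:10:20 alee FAIL",
       "2011-02-06T02:10:40 alee SUCCESS"]
)

def parse_auth_log(text):
    """Return (timestamp, user, succeeded) tuples in time order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, user, result = parts
        events.append((datetime.fromisoformat(ts), user, result == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events

def count_failures(events, min_failures=250):
    """Log review: users with at least min_failures failed logons."""
    fails = defaultdict(int)
    for _ts, user, ok in events:
        if not ok:
            fails[user] += 1
    return {u: n for u, n in fails.items() if n >= min_failures}

def apply_lockout(events, threshold=5, window=timedelta(minutes=15),
                  duration=timedelta(minutes=30)):
    """Replay the log under an account-lockout policy: `threshold` failures
    within `window` lock the account for `duration`; a success resets the count."""
    recent = defaultdict(list)     # user -> timestamps of recent failures
    locked_until = {}
    summary = {}
    for ts, user, ok in events:
        s = summary.setdefault(user, {"locked": False, "blocked": 0})
        if user in locked_until and ts < locked_until[user]:
            s["blocked"] += 1      # refused without checking the password
            continue
        if ok:
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold:
            locked_until[user] = ts + duration
            s["locked"] = True
            recent[user].clear()
    return summary

if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute force suspects:", count_failures(ev))
    print("under lockout policy:", apply_lockout(ev))
```

Under the assumed policy the attacker gets five guesses before the account locks and the remaining 295 are refused outright, while the legitimate user's two typos never approach the threshold. The lockout duration is a trade-off: long enough to make the guessing rate useless, short enough that an attacker cannot use the policy itself to deny the real user access.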
Term
Users do not want to enter credentials to each server or application to conduct their normal work. Which of the following type of strategies will resolve this issue?
A. Smart card
B. Two-factor authentication
C. Biometrics
D. SSO
Definition
D
Term
A user was trying to update an open file but when they tried to access the file they were denied. Which of the following would explain why the user could not access the file?
A. Audit only access
B. Execute only access
C. Rights are not set correctly
D. Write only access
Definition
C
Term
Which of the following is an important reason for password protecting the BIOS?
A. To maintain password complexity requirements
B. To prevent system start-up without knowing the password
C. To keep a user from changing the boot order of the system
D. To keep a virus from overwriting the BIOS
Definition
C
Term
Which of the following is the primary security risk with coaxial cable?
A. Diffusion of the core light source
B. Data emanation from the core
C. Crosstalk between the wire pairs
D. Refraction of the signal
Definition
B
Term
Which of the following is a collection of patches?
A. A security template
B. A service pack
C. A security hotfix
D. A security baseline
Definition
B
Term
Which of the following is the BEST place where the disaster recovery plan should be kept?
A. Printed out and kept in the desk of the CIO
B. At multiple offsite locations
C. Multiple copies printed out and kept in the server room
D. On the network file server
Definition
B
Term
Which of the following is established immediately upon evidence seizure?
A. Start the incident respond plan
B. Damage and loss control
C. Chain of custody
D. Forensic analysis
Definition
C
Term
Which of the following algorithms have the smallest key space?
A. IDEA
B. SHA-1
C. AES
D. DES
Definition
D
Term
Which of the following is the MOST recent addition to cryptography?
A. AES
B. DES
C. 3DES
D. PGP
Definition
A
Term
Which of the following allows a technician to scan for missing patches on a device without actually attempting to exploit the security problem?
A. A vulnerability scanner
B. Security baselines
C. A port scanner
D. Group policy
Definition
A
Term
Which of the following uses a key ring?
A. AES
B. DES
C. PGP
D. RSA
Definition
C
Term
Sending a patch through a testing and approval process is an example of which of the following?
A. Disaster planning
B. Change management
C. Acceptable use policies
D. User education and awareness training
Definition
B
Term
Which of the following is the MOST likely to generate static electricity?
A. Low humidity and high temperature
B. High humidity and low temperature
C. Low humidity and low temperature
D. High humidity and high temperature
Definition
A
Term
A company decides that the purchasing agent and the accounts receivable agent should exchange positions in order to allow for more oversight of past transactions. Which of the following is this an example of?
A. Least privilege
B. Implicit deny
C. Separation of duties
D. Job rotation
Definition
D
Term
A user complains that the color laser printer continuously gives an access denied message while attempting to print a text document. The administrator logs onto the PC and prints successfully. Which of the following should the administrator check FIRST?
A. That the printer has the correct size of paper in each of the trays
B. That the toner should be changed in the printer
C. That the user has sufficient rights to print to the printer
D. That the user is attempting to print to the correct printer tray
Definition
C
Term
Which of the following allows a technician to view the security permissions of a file?
A. The access control list
B. The security baseline
C. The data emanation
D. The local security template
Definition
A
Term
A user is convinced that someone is attempting to use their user account at night. Which of the following should an administrator check FIRST in order to prove or disprove this claim?
A. The IDS logs
B. The security application logs
C. The local security logs
D. The firewall logs
Definition
C
Term
A user reports that a web based application is not working after a browser upgrade. Before the upgrade, a login box would appear on the screen and disappear after login. The login box does not appear after the upgrade. Which of the following BEST describes what to check FIRST?
A. That the software based firewall application trusts this site
B. That the pop-up blocker application trusts this site
C. That the antivirus application trusts this site
D. That the anti-spam application trusts this site
Definition
B
Term
A technician suspects that one of the network cards on the internal LAN is causing a broadcast storm. Which of the following would BEST diagnose which NIC is causing this problem?
A. The NIDS log file
B. A protocol analyzer
C. The local security log file
D. The local firewall log file
Definition
B
Term
Which of the following would require a pre-sharing of information before a home user could attach to a neighbors wireless adapter?
A. Anonymous connections enabled
B. SSID broadcasting disabled
C. SSID broadcasting enabled
D. Encryption disabled
Definition
B
Term
Which of the following are MOST likely to be analyzed by Internet filter appliances/servers? (Select THREE).
A. Certificates
B. Keys
C. TLSs
D. URLs
E. Content
F. CRLs
Definition
A,D,E
Term
A flat or simple role-based access control (RBAC) embodies which of the following principles?
A. Users assigned to roles, permissions are assigned to groups, controls applied to groups and permissions acquired by controls
B. Users assigned permissions, roles assigned to groups and users acquire additional permissions by being a member of a group
C. Roles applied to groups, users assigned to groups and users acquire permissions by being a member of the group
D. Users assigned to roles, permissions are assigned to roles and users acquire permissions by being a member of the role
Definition
D
Term
Which of the following organizational documentation describes how tasks or job functions should be conducted?
A. Standards
B. Guideline
C. Policy
D. Procedures
Definition
D
Term
An administrator notices on the monthly firewall log that many of the internal PCs are sending packets on a routine basis to a single external PC. Which of the following BEST describes what is occurring?
A. The remote PC has a spam slave application running and the local PCs have a spam master application running
B. The remote PC has a zombie master application running and the local PCs have a zombie slave application running.
C. The remote PC has a spam master application running and the local PCs have a spam slave application running
D. The remote PC has a zombie slave application running and the local PCs have a zombie master application running
Definition
B
Term
An administrator is running a network monitoring application that looks for behaviors on the network outside the standard baseline that has been established. This is typical of a(n):
A. signature-based tool
B. protocol analyzer
C. honeynet
D. anomaly-based tool.
Definition
D
Term
A CRL contains a list of which of the following type of keys?
A. Both public and private keys
B. Steganographic keys
C. Private keys
D. Public keys
Definition
A
Term
Which of the following methods will help to identify when unauthorized access has occurred?
A. Implement two-factor authentication
B. Implement previous logon notification.
C. Implement session termination mechanism
D. Implement session lock mechanism
Definition
B
Term
A single sign-on requires which of the following?
A. Multifactor authentication
B. One-factor authentication
C. A trust model between workstations
D. A unified trust model
Definition
D
Term
A company needs to have multiple servers running low CPU utilization applications. Which of the following is the MOST cost efficient method for accomplishing this?
A. Install multiple high end servers, sharing a clustered network operating system.
B. Install a single low end server, running multiple virtual servers
C. Install a single high end server, running multiple virtual servers.
D. Install multiple low end servers, each running a network operating system.
Definition
C
Term
If an administrator does not have a NIDS examining network traffic, which of the following could be used to identify an active attack?
A. Protocol analyzer
B. Penetration testing tool
C. Network mapper
D. Vulnerability scanner
Definition
A
Term
Frequent signature updates are required by which of the following security applications? (Select TWO).
A. Antivirus
B. PGP
C. Firewall
D. PKI
E. IDS
Definition
A,E
Term
Which of the following describes the difference between a secure cipher and a secure hash?
A. A hash produces a variable output for any input size, a cipher does not.
B. A cipher produces the same size output for any input size, a hash does not.
C. A cipher can be reversed, a hash cannot.
D. A hash can be reversed, a cipher cannot.
Definition
C
Term
An administrator wants to block users from accessing a few inappropriate websites as soon as possible. The existing firewall allows blocking by IP address. To achieve this goal the administrator will need to:
A. upgrade to a DNS based filter to achieve the desired result
B. use the company AUP to achieve the desired result.
C. upgrade to a URL based filter to achieve the desired result.
D. upgrade to a text based filter to achieve the desired result.
Definition
C
Term
Which of the following BEST describes risk analysis?
A. Monitoring and acceptance
B. Evaluation and assessment
C. Assessment and eradication
D. Mitigation and repudiation
Definition
B
Term
Which of the following would BEST allow for fast, highly secure encryption of a USB flash drive?
A. SHA-1
B. MD5
C. 3DES
D. AES256
Definition
D
Term
Which of the following organizational documentation provides high level objectives that change infrequently?
A. Standards
B. Policy
C. Procedures
D. Guideline
Definition
B
Term
Configuration baselines should be taken at which of the following stages in the deployment of a new system?
A. Before initial configuration
B. Before loading the OS
C. After a user logs in
D. After initial configuration
Definition
D
Term
Which of the following is a risk associated with a virtual server?
A. If the physical server crashes, all of the local virtual servers go offline immediately
B. If the physical server crashes, all of the physical servers nearby go offline immediately.
C. If a virtual server crashes, all of the virtual servers go offline immediately.
D. If a virtual server crashes, all of the physical servers go offline immediately
Definition
A
Term
When choosing an antivirus product, which of the following are the MOST important security considerations? (Select TWO).
A. The frequency of signature updates
B. The ability to scan encrypted files
C. The availability of application programming interface
D. The number of emails that can be scanned
E. The number of viruses the software can detect
Definition
A,E
Term
All of the following are where backup tapes should be kept EXCEPT:
A. near a fiber optic cable entrance.
B. near a shared LCD screen
C. near a power line.
D. near a high end server.
Definition
C
Term
Which of the following is an example of two-factor authentication for an information system?
A. ATM card and PIN
B. Username and password
C. Retina and fingerprint scanner
D. Photo ID and PIN
Definition
A
Term
Which of the following authentication mechanisms performs better in a secure environment?
A. RADIUS because it is a remote access authentication service
B. TACACS because it encrypts client-server negotiation dialogs.
C. RADIUS because it encrypts client-server passwords.
D. TACACS because it is a remote access authentication service
Definition
B
Term
Which of the following would BEST allow an administrator to quickly find a PC with a blank database administrator password?
A. Protocol analyzer
B. Vulnerability scanner
C. Rainbow tables
D. Security access logs
Definition
B
Term
Which of the following describes software that is often written solely for a specific customer's application?
A. Rootkit
B. Hotfix
C. Service pack
D. Patch
Definition
B
Term
Security templates are used for which of the following purposes? (Select TWO)
A. To ensure that email is encrypted by users of PGP
B. To ensure that PKI will work properly within the company's trust model
C. To ensure that performance is standardized across all servers
D. To ensure that all servers start from a common security configuration
E. To ensure that servers are in compliance with the corporate security policy
Definition
D,E
Term
Which of the following is the BEST order in which crucial equipment should draw power?
A. Uninterruptible Power Supply (UPS) battery, UPS line conditioner, backup generator
B. Backup generator, UPS line conditioner, UPS battery
C. Backup generator, UPS battery, UPS line conditioner
D. UPS line conditioner, UPS battery, and backup generator
Definition
D
Term
Which of the following describes a spanned switch port in the context of IDS traffic analysis?
A. An association of a set of destination ports with a single source port
B. An association of a set of source ports with a single destination port
C. An association of a set of source ports with multiple destination ports and an IDS sensor
D. An association of a set of destination ports with an IDS sensor
Definition
B
Term
In which of the following situations would it be appropriate to install a hotfix?
A. A patch in a service pack fixes the issue, but too many extra patches are included.
B. A patch is not available and workarounds do not correct the problem
C. A patch is available, but has not yet been tested in a production environment.
D. A patch is too large to be distributed via a remote deployment tool.
Definition
B
Term
The data custodian in an organization is responsible for:
A. recoverability of the data.
B. classification of the data.
C. completeness of the data
D. accuracy of the data.
Definition
A
Term
A programmer creates an application to accept data from a website. A user places more information than the program expects in the input field, resulting in the back end database placing the extra information into the database. Which of the following is this an example of?
A. Java input error
B. Cross-site scripting
C. Buffer overflow
D. SQL injection
Definition
D
Term
A technician is deciding between implementing a HIDS on the database server or implementing a NIDS. Which of the following are reasons why a NIDS may be better to implement? (Select TWO).
A. Many HIDS require frequent patches and updates.
B. Many HIDS are not able to detect network attacks.
C. Many HIDS have a negative impact on system performance
D. Many HIDS only offer a low level of detection granularity.
E. Many HIDS are not good at detecting attacks on database servers.
Definition
B,C
Term
A user logs into their network with a smart card. Which of the following keys is used?
A. Cipher key
B. Shared key
C. Public key
D. Private key
Definition
D
Term
Port 3535 is typically blocked for outbound traffic on a company's LAN. An end-user has recently purchased a legitimate business program that needs to make outbound calls using this port. Which of the following steps should a technician take to allow this? (Select TWO).
A. Open the port on the company's proxy server
B. Open the port on the company's firewall
C. Change the user's subnet mask
D. Open the port on the user's personal software firewall
E. Open the port on the VLAN
Definition
B,D
Term
After a system risk assessment was performed it was found that the cost to mitigate the risk was higher than the expected loss if the risk was actualized. In this instance, which of the following is the BEST course of action?
A. Accept the risk
B. Mitigate the risk
C. Reject the risk
D. Run a new risk assessment
Definition
A
Term
A small call center business decided to install an email system to facilitate communications in the office. As part of the upgrade the vendor offered to supply anti-malware software for a cost of $5,000 per year. The IT manager read there was a 90% chance each year that workstations would be compromised if not adequately protected. If workstations are compromised it will take three hours to restore services for the 30 staff. Staff members in the call center are paid $90 per hour. If determining the risk, which of the following is the annual loss expectancy (ALE)?
A. $2,700
B. $4,500
C. $5,000
D. $7,290
Definition
D
Term
An administrator is assigned to monitor servers in a data center. A web server connected to the Internet suddenly experiences a large spike in CPU activity. Which of the following is the MOST likely cause?
A. Spyware
B. Trojan
C. Privilege escalation
D. DoS
Definition
D
Term
A technician is performing an assessment on a router and discovers packet filtering is employed. Which of the following describes a security concern with stateless packet filtering?
A. Packet payload is not checked
B. State connections are retained by the router
C. Router performance is reduced
D. Loose routing cannot determine the exact path a packet must follow.
Definition
A
Term
All of the following require periodic updates to stay accurate EXCEPT:
A. signature based HIDS.
B. pop-up blocker applications.
C. antivirus applications.
D. rootkit detection applications.
Definition
B
Term
When is the correct time to discuss the appropriate use of electronic devices with a new employee?
A. At time of hire
B. At time of first correspondence
C. At time of departure
D. At time of first system login
Definition
A
Term
Virtualized applications, such as virtualized browsers, are capable of protecting the underlying operating system from which of the following?
A. Malware installation from suspect Internet sites
B. Man-in-the-middle attacks
C. Phishing and spam attacks
D. DDoS attacks against the underlying OS
Definition
A
Term
A financial institution performed a risk assessment on the DLT backup system used to store customer account details. The main risk highlighted was the long-term retention of electronically stored data. Which of the following is the MOST likely reason for the risk being raised?
A. Compatibility of media and application systems
B. Application systems and technical staff
C. Compatibility and retention of data on the media
D. Retention of data on the media
Definition
A
Term
All of the following are steps in the incident response process EXCEPT:
A. eradication.
B. repudiation.
C. recovery.
D. containment.
Definition
B
Term
An organization has recently implemented a work from home program. Employees need to connect securely from home to the corporate network. Which of the following encryption technologies might BEST accomplish this?
A. PPTP
B. IPSec
C. L2TP
D. PPPoE
Definition
B
Term
Pre-shared keys apply to which of the following?
A. CA
B. PGP
C. TPM
D. Digital signature
Definition
B
Term
Which of the following is the quickest method to create a secure test server for a programmer?
A. Install a network operating system on new equipment.
B. Create a virtual server on existing equipment
C. Install a network operating system on existing equipment
D. Create a virtual server on new equipment
Definition
B
Term
Threats to a network could include: (Select TWO)
A. penetration testing.
B. network audits.
C. disgruntled employees
D. dial-up access.
E. disabled user accounts
Definition
D,E
Term
Which of the following BEST describes the differences between SHA-1 and MD5?
A. MD5 produces variable length message digests
B. SHA-1 produces fewer collisions than MD5
C. MD5 produces fewer collisions than SHA-1
D. SHA-1 produces fixed length message digests.
Definition
B
Term
The service provided by message authentication code (MAC) hash is:
A. fault tolerance.
B. key recovery.
C. data recovery.
D. integrity.
Definition
D
Term
Which of the following scenarios is MOST likely to benefit from using a personal software firewall on a laptop?
A. Remote access user connecting via SSL VPN
B. Office laptop connected to the enterprise LAN
C. Remote access user connecting via corporate dial-in server
D. Office laptop connected to a home user's network
Definition
D
Term
Three generally accepted activities of patch management are: determining which patches are needed, applying the patches and which of the following?
A. Updating the firewall configuration to include the patches
B. Running a NIDS report to list the remaining vulnerabilities
C. Auditing for the successful application of the patches
D. Backing up the patch file executables to a network share
Definition
C
Term
Which of the following is set up within a router?
A. ARP
B. DMZ
C. OVAL
D. DDoS
Definition
B
Term
Which of the following would BEST allow an administrator to quickly find a rogue server on the network?
A. Review security access logs
B. A network mapper
C. A protocol analyzer
D. Review DNS logs
Definition
B
Term
A user is going to dispose of some old hard drives. Which of the following should the user do to the drives before disposing of them?
A. Reformat the hard drives once.
B. Use a certified wipe program to erase data
C. Install antivirus on the drives
D. Run anti-spyware on the drives
Definition
B
Term
Which of the following facilitates the creation of an unencrypted tunnel between two devices?
A. AES
B. HTTPS
C. L2TP
D. PPTP
Definition
C
Term
An antivirus server keeps flagging an approved application that the marketing department has installed on their local computers as a threat. This is an example of:
A. false negative.
B. false positive.
C. true negative
D. true positive
Definition
B
Term
All of the following are symmetric key algorithms EXCEPT:
A. ECC
B. Rijndael.
C. 3DES.
D. RC4
Definition
A
Term
During a web session, a user transfers answers to a form page on which private information will be required. On this page, what protocol is responsible for the secure session?
Answer
a.
SSL/TLS
b.
IPSec
c.
ISAKMP
d.
SSH
Definition
A
Term
What is the common term used to describe a hacker using a lookup tool and gaining access to a DNS server?
Answer
a.
DNS poisoning
b.
DNS footprinting
c.
DNS spoofing
d.
DDoS
Definition
B
Term
Which of the following statements best describes CHAP's authentication procedure?
Answer
a.
The client sends an encrypted password. The server sends an encrypted challenge to the client. If both work, the server processes the reply and either permits access or denies it.
b.
The client sends an encrypted password. The server decrypts the password and compares it to the password associated with the client. The server processes this reply and either permits or denies access.
c.
The initiator sends a logon request from the client to the server. The server sends a challenge back to the client. The challenge is encrypted and then sent back to the server. The server compares the value from the client and, if the information matches, grants authorization.
d.
The client requests authentication from the server. The server sends a password. The client evaluates this password against a list for that server. The client sends a password. The server processes this reply and either permits or denies access.
Definition
C
Term
What can be used to encrypt data over an unsecure public network such as the Internet?
Answer
a.
Router
b.
Hot site
c.
Intranet
d.
VPN
Definition
D
Term
You’re in the process of implementing VLANs throughout the organization in order to increase security. Which of the following hardware devices is used to create security segments on a LAN?
Answer
a.
Gateway
b.
Router
c.
Firewall
d.
Switch
Definition
D
Term
An administrator from the central office calls in a panic. He relays that he has heard from a reliable source that the company is about to be the target of a smurf attack, and he wants all sites to be aware of the potential problems. Which of the following options represents a type of smurf attack?
Answer
a.
Logic bomb
b.
Negative Operational Stability
c.
DoS
d.
Trojan horse
Definition
C
Term
A popular topic in the media has been the recovery of sensitive data from computers that have been thrown away or donated to charity by companies. What security policy should be designed to cover this possibility?
Answer
a.
Disposal/destruction
b.
SLA
c.
Privacy
d.
Acceptable use
Definition
A
Term
Which type of cryptographic attack involves capturing a large amount of encrypted data and using statistical analysis and numerical modeling to defeat the encryption algorithm and decrypt the data?
Answer
a.
Birthday attack
b.
Strong key attack
c.
Weak key attack
d.
Mathematical attack
Definition
D
Term
You’re designing a new network infrastructure so that your company can allow unauthenticated users connecting from the Internet to access certain areas. Your goal is to protect the internal network while providing access to those areas. You decide to put the web server on a separate subnet open to public contact. What is this subnet called?
Answer
a.
Screened supernet
b.
Bastion host
c.
DMZ
d.
VLAN
Definition
C
Term
Kerberos utilizes keys to grant permission to set up a session with a resource server. Which of the following is a single service or server that stores, distributes, and maintains cryptographic session keys?
Answer
a.
KEA server
b.
KDC server
c.
CA server
d.
DEA server
Definition
B
Term
Which term describes the act of driving about looking for unsecured wireless LANs in a geographic area?
Answer
a.
Tuning
b.
Snooping
c.
War dialing
d.
War driving
Definition
D
Term
It has been a long time since a security problem has occurred, and you suspect that users have gotten lazy in following the password rules outlined in the usage manual. Having overheard part of a conversation, you believe that some users are using items such as password as their password, and you need to bring this issue to their attention immediately before anything happens. What do you call an attack that exploits the likelihood of a common password being used?
Answer
a.
Weak key attack
b.
Man-in-the-middle attack
c.
Birthday attack
d.
Mathematical attack
Definition
A
Term
SSL is designed to establish a secure connection between two computers, and S-HTTP is designed to send individual messages securely. Which of the following protocols combines SSL and HTTP?
Answer
a.
DES
b.
PDQ
c.
TLS
d.
HTTPS
Definition
D
Term
The security committee at your organization is presently debating which certificate format to use for PKI. One of the managers states that he sees no reason not to use the certificate format supported by the International Telecommunications Union (ITU), and others agree. What is the most common certificate format used in the PKI environment and the one the manager is referring to?
Answer
a.
X.509
b.
X.508
c.
PKE
d.
RSA
Definition
A
Term
Which of the following choices helps to ensure confidentiality? (Choose two.)
Answer
a.
Using digital signatures
b.
Using hashing
c.
The strength of encryption
d.
The method used to deliver keys securely to their intended recipient
Definition
C,D
Term
You’re explaining security to several newly hired web designers when the question of what a worm is comes up. What should your response be?
Answer
a.
A worm is a password-guessing algorithm.
b.
A worm is an attack that prevents a legitimate client from receiving service.
c.
A worm is a self-replicating, self-contained chunk of malicious code.
d.
A worm is a segment of code that waits for a certain condition to be true before it performs a malicious act.
Definition
C
Term
What are two of the most important factors to consider when you’re formulating a risk assessment? (Choose two.)
Answer
a.
The remedy
b.
The probability that an event will occur
c.
The cost of an event
d.
The source of an event
Definition
B,C
Term
During a security audit, you must differentiate between symmetric and asymmetric algorithms in use at your site. Which of the following options is a symmetric algorithm?
Answer
a.
Diffie-Hellman
b.
ECC
c.
RSA
d.
3DES
Definition
D
Term
You receive an e-mail stating that a virus has been discovered and your system has become infected. It includes instructions on cleaning your system and protecting your system against future infections and encouragement to forward the message to your coworkers and friends. What is the first thing you should do?
Answer
a.
Follow the e-mail's instructions.
b.
Report the message to your internal security team.
c.
Check the veracity of the message.
d.
Delete the message.
Definition
B
Term
MTS is in the process of implementing PKI and is looking for help from someone—not to issue certificates, but to serve as a middleman in the process. Which term describes the organization that can assist in the PKI certificate process?
Answer
a.
CRL
b.
CA
c.
RA
d.
SM
Definition
C
Term
Which of the following choices is a technology designed specifically to protect e-mail?
Answer
a.
MD5
b.
RADIUS
c.
S/MIME
d.
SSL
Definition
C
Term
You suspect that hackers are examining your network and looking for ways to enter. Which of the following tools is used to gather information about how your network is configured?
Answer
a.
Enumeration
b.
Tunneling
c.
Scanning
d.
Footprinting
Definition
C
Term
What are the two main wire-level protocols that IPSec uses? (Choose two.)
Answer
a.
AH
b.
ESP
c.
EAP
d.
TLS
Definition
A,B
Term
What is the final step in designing and deploying a backup strategy?
Answer
a.
Testing the restoration process
b.
Using backup media of sufficient capacity
c.
Imposing a backup policy requiring all important files to be stored on file servers
d.
Storing backups off site
Definition
A
Term
Which port does LDAP utilize by default?
Answer
a.
139
b.
110
c.
389
d.
143
Definition
C
Term
When you're designing a fire protection policy for a server vault, which of the following options is least important?
Answer
a.
Device protection
b.
Human compatibility
c.
Fast detection and suppression
d.
Emergency shutdown procedures
Definition
C
Term
With PGP, a document is encoded using a public key and a session key. Within the PGP vocabulary, the end result is known as what?
Answer
a.
Securetext
b.
Cybertext
c.
Ciphertext
d.
Payload
Definition
C
Term
Which type of backup includes all files created or modified since the last full backup and does not turn off the archive bit?
Answer
a.
Differential
b.
Grandfather
c.
Standard
d.
Incremental
Definition
B
Term
A specific subnet of your network contains four servers, which regularly communicate large volumes of data. These servers have no need to communicate with other devices anywhere else in the network. However, other devices in the subnet where they reside do need to communicate to the rest of the network. Which of the following tools is most appropriate for managing the connection between the subnet and the rest of the network?
Answer
a.
A NAT proxy
b.
A tunnel
c.
A router
d.
A bridge
Definition
C
Term
Which of the following options represents the correct order of a complete incident response cycle?
Answer
a.
Identifying, investigating, documenting, repairing, and adjusting procedures
b.
Identifying, investigating, repairing, documenting, and adjusting procedures
c.
Adjusting procedures, identifying, investigating, repairing, and documenting
d.
Investigating, identifying, repairing, documenting, and adjusting procedures
Definition
B
Term
When you explain security to upper management, what three steps (in order of occurrence) should you describe for a computer forensics investigation?
Answer
a.
Acquire the evidence. Authenticate the recovered evidence. Analyze the evidence without modification.
b.
Acquire the evidence. Re-create the incident on the compromised system. Analyze the evidence through modification.
c.
Acquire the evidence. Authenticate the recovered evidence. Analyze the evidence through modification.
d.
Examine the evidence. Authenticate the recovered evidence. Analyze the evidence through modification.
Definition
A
Term
What is one of the most significant benefits of a network-based intrusion detection system (N-IDS)?
Answer
a.
Latency
b.
Cost
c.
Administrative overhead
d.
Transparency
Definition
D
Term
When can standard instant messaging tools be used on a secured network so that security vulnerabilities are not introduced?
Answer
a.
Only during normal working hours
b.
Never
c.
Only when logged on as a non-admin user
d.
Only when a firewall or proxy is in use
Definition
B
Term
You have been authorized to purchase a software program that will monitor network traffic and watch for specific patterns that might indicate hacker traffic. What type of program should you purchase?
Answer
a.
Intrusion detection system (IDS)
b.
Gateway
c.
Packet sniffer
d.
Content filter
Definition
A
Term
What are the two modes within IPSec for AH and ESP? (Choose two.)
Answer
a.
Tunnel mode
b.
Transport mode
c.
Decrypt mode
d.
Encrypt mode
Definition
A,B
Term
From a statistical standpoint, which of the following entities poses the greatest threat to network security?
Answer
a.
External hackers
b.
Internal threats
c.
External crackers
d.
Social engineering
Definition
B
Term
What is the primary issue that limits the effectiveness of a firewall?
Answer
a.
Encrypted traffic
b.
Multiple source and destinations of traffic
c.
High-speed traffic
d.
Different service protocols in traffic
Definition
A
Term
A file with which filename extension should not be allowed as an e-mail attachment?
Answer
a.
.doc
b.
.xls
c.
.pif
d.
.txt
Definition
C
Term
An application running on a network operating system (NOS) with a directory service can use NOS authentication or NOS authentication combined with application internal authentication. Removing the option to use the internal authentication would normally be considered a security improvement. What is this security measure called?
Answer
a.
Network operating system hardening
b.
Application hardening
c.
Operating system hardening
d.
Device hardening
Definition
B
Term
A disaster recovery plan is currently being formulated. Given that you’re in the planning stages and budget isn’t yet a concern, what types of alternative sites should you consider? (Choose all that apply.)
Answer
a.
Stealth site
b.
Warm site
c.
Hot site
d.
Cold site
Definition
B,C,D
Term
What port does TACACS use?
Answer
a.
TCP and UDP 49
b.
UDP 53
c.
TCP 443
d.
TCP 143
Definition
A
Term
A company-wide policy is being created to define various security levels. Which of the following systems of access control would use documented security levels like CONFIDENTIAL or SECRET for information?
Answer
a.
RBAC
b.
BBC
c.
MAC
d.
DAC
Definition
C
Term
You’re a security consultant for MTS and discussing encryption with a customer. They inform you that their current encryption system requires the use of the same key on both ends of the system. What type of encryption system are they using?
Answer
a.
Symmetric
b.
Hashing
c.
Asymmetric
d.
MD
Definition
A
Term
Which form of IPSec should you use for encryption on a LAN for internal security?
Answer
a.
EAP
b.
L2TP
c.
Transport
d.
Channeling
Definition
C
Term
What form of transmission encapsulates the payload of a packet but leaves the header in its original form?
Answer
a.
Portioning mode
b.
Transport mode
c.
Half-duplex mode
d.
Tunnel mode
Definition
B
Term
You're in the process of securing the IT infrastructure by using authentication methods. The methods you intend to implement include cameras, smart cards, biometric devices, and security personnel to protect access to locked rooms that contain network equipment and servers. This type of security is an example of which of the following options? (Choose all that apply.)
Answer
a.
Softening
b.
Access control
c.
Biometrics
d.
Physical barriers
Definition
B,C,D
Term
What is the first step in deploying a firewall?
Answer
a.
Develop a firewall policy.
b.
Test the deployment in a lab environment.
c.
Perform comparisons of vendor products.
d.
Define the filtering rules.
Definition
A
Term
What is one of the primary advantages of using decentralized/distributed key generation?
Answer
a.
More processing power required at the root server
b.
No single point of failure
c.
More points of failure
d.
Simpler key management
Definition
B
Term
What form of password-cracking attack is always successful if given enough time, no matter how long the password?
Answer
a.
Rainbow tables
b.
Brute force
c.
Hybrid
d.
Dictionary
Definition
B
Term
Which of the following terms describes the investigation of a filesystem and Registry while searching for proof of past malicious activity?
Answer
a.
Logging
b.
Incident analysis
c.
Forensics
d.
Baselining
Definition
C
Term
What is another word for tunneling?
Answer
a.
Bandwidth throttling
b.
Encapsulation
c.
Transport mode
d.
Encryption
Definition
B
Term
What network device can you use to prevent a desktop computer on the network from promiscuously sniffing the packets of other computers on the same subnetwork?
Answer
a.
Firewall
b.
Switch
c.
Modem
d.
Router
Definition
B
Term
Your organization is planning to add wireless nodes to the existing LAN and wants to maintain as much security as possible. What security layer is used in Wireless Application Protocol (WAP)?
Answer
a.
WIZS
b.
802.11a
c.
802.11b
d.
WTLS
Definition
D
Term
Viewing the activity logs, you suspect that an attack is underway. It appears as if TCP acknowledgments are being intercepted by a hacker, causing the packets to be resent and subsequently intercepted by the hacker without the receiving computer’s knowledge. What type of attack is underway?
Answer
a.
Rootkit
b.
Back door
c.
Replay
d.
Trojan horse
Definition
C
Term
You’re frantically trying to ascertain the current level of security of your network after a suspected incident. You call the main office and tell them that you need a key sent immediately using a method other than the encryption process. What is this type of process called?
Answer
a.
Out-of-band transmittal
b.
Message digest
c.
Certificate management
d.
Social engineering
Definition
A
Term
What is the primary difference between an extranet and a DMZ?
Answer
a.
One is used to host temporary users while the other is used to host external users.
b.
One is deployed by an outsourcing company while the other is deployed by a consultant.
c.
One is for internal use only while the other is for external use only.
d.
One is accessible by a limited number of select visitors while the other is accessible by all possible users.
Definition
D
Term
As part of your role and responsibility as a security manager, you must give an educational presentation every two months to upper management. The topic assigned to you for the next meeting is cryptography, and you want to make your presentation as concise and understandable as possible. Which of the following options is not a benefit of cryptography and shouldn’t be discussed in the presentation?
Answer
a.
Authenticity
b.
Access
c.
Integrity
d.
Confidentiality
Definition
B
Term
You’re explaining keys to your coworkers, and someone asks what key escrow is. Which of the following answers should you give?
Answer
a.
It’s a form of CRL.
b.
It’s a common function of the CA root to create new keys.
c.
It’s the function of the KDC.
d.
It’s a trusted third-party provider that stores clients’ private keys.
Definition
D
Term
Mercury Technical Solutions has declared that all clients must use S/MIME by the end of the year. Which of the following statements is true of the S/MIME security features?
Answer
a.
S/MIME uses asymmetric encryption algorithms for confidentiality and digital certificates for authentication.
b.
S/MIME uses asymmetric encryption algorithms for confidentiality and RADIUS for authentication.
c.
S/MIME uses symmetric encryption algorithms for confidentiality and digital certificates for authentication.
d.
S/MIME uses symmetric encryption algorithms for confidentiality and PGP for authentication.
Definition
A
Term
You have a new website that utilizes Active Server Pages using XML. A portion of the site requires PKI. What protocol can you use to allow XML to access PKI?
Answer
a.
ISAKMP
b.
XKMS
c.
SSL/TLS
d.
PPTP
Definition
B
Term
Which of the following choices best defines the delivery method used in a Trojan horse attack?
Answer
a.
A Trojan horse disguises itself as a false positive in an antivirus program.
b.
A Trojan horse is activated when a predefined logic event occurs.
c.
A Trojan horse can be delivered on a floppy, on a CD, or in an e-mail attachment.
d.
A Trojan horse is embedded in an installation package for an application or in the application itself. It can create a back door or replace an existing application.
Definition
D
Term
Access control lists (ACLs) can be configured on router interfaces for inbound and outbound packets. Which of the following choices isn’t typically configured in an ACL?
Answer
a.
Source and/or destination IP address
b.
Source and/or destination port number
c.
Source and/or destination protocol number
d.
Datagram content
Definition
D
Term
Which organization developed the 802.11 standard?
Answer
a.
WECA
b.
IEEE
c.
WEP
d.
BBN
Definition
B
Term

What is the primary goal of risk management?
Answer
a.
Minimize security cost expenditures.
b.
Assign responsibilities to job roles.
c.
Remove all risks from an environment.
d.
Reduce risk to an acceptable level.
Definition
D
Term
Your company is implementing a new web server that will allow for electronic transactions. In order to simplify interaction with customers, you want to store personal information about them on their own computers, but you’re concerned about security. What technology do most web servers use to store information on a client computer for use in their interaction with a web server?
Answer
a.
ActiveX
b.
Worm
c.
JavaScript
d.
Cookie
Definition
D
Term
The head of IT has made a pronouncement that all services must be hardened, and you have been assigned the DNS service as your primary responsibility. Which of the following choices is an example of DNS hardening?
Answer
a.
Allow DNS updates and requests from external sources.
b.
Configure DNS to accept secure updates only from internal authenticated client computers.
c.
Allow anonymous zone transfer requests.
d.
Put the authoritative DNS server that is responsible for handling internal host databases on the DMZ.
Definition
B
Term
Which of the following technologies is not directly associated with LAN private wireless networking?
Answer
a.
WAP
b.
WPA
c.
802.11g
d.
WEP
Definition
A
Term
Which of the following combinations lists (from top to bottom) the types of certificate servers that exist in a certificate hierarchy?
Answer
a.
RA, CA, LRA
b.
RA, LRA, CA
c.
CA, LRA, RA
d.
CA, RA, LRA
Definition
D
Term
Which port does SSH utilize by default? Answer a. 80 b. 25 c. 49 d. 22
Definition
D
Term
You have been asked to give a speech on security to upper management. What are two primary access control methods that you should mention that are commonly combined in computer systems today? (Choose two.)
Answer
a.
MAC
b.
SAC
c.
RBAC
d.
DAC
Definition
C,D
Term
You’re in the process of designing a network for a new company. The company is being created from scratch to carry out processes currently performed by a number of other corporations. You know the company will start out large and grow quickly, and you want to plan for that growth. Which of the following terms identifies the standard that is being used to implement wide-scale encryption systems?
Answer
a.
Symmetric
b.
Asymmetric
c.
PKE
d.
PKI
Definition
D
Term
What is the strongest session key that SSL v.3.0 currently supports?
Answer
a.
64 bit
b.
40 bit
c.
128 bit
d.
256 bit
Definition
C
Term
When NAT is used, which of the following RFCs is relevant?
Answer
a.
RFC 1918
b.
RFC 1087
c.
RFC 2138
d.
RFC 1492
Definition
A
Term
Which account do attackers often target on a database application?
Answer
a.
Database local account
b.
Root
c.
Administrator/Systems
d.
Supervisor
Definition
A
Term
In order to shut down the main power to your building, two people must enter a password known only to them. Requiring two people to perform a sensitive task such as this is known as ___________________ ?
Answer
a.
Separation of duties/dual control
b.
Privacy
c.
SLA
d.
Need to know
Definition
A
Term

Which type of RAID utilizes disk striping with parity?
Answer
a.
RAID 0
b.
RAID 1
c.
RAID 3
d.
RAID 5
Definition
D
Term
Which of the following practices should be implemented to harden workstations and servers?
A. Log on only as the administrator.
B. Install only needed software.
C. Check the logs regularly.
D. Report all security incidents.
Definition
B
Term
To evaluate the security compliance of a group of servers against best practices, which of the following BEST applies?
A. Get a patch management report.
B. Conduct a penetration test.
C. Run a vulnerability assessment tool.
D. Install a protocol analyzer.
Definition
C
Term
Which of the following organizational documentation provides high-level objectives that change infrequently?
A. Standards
B. Policy
C. Procedures
D. Guideline
Definition
B
Term
Which of the following describes a spanned switch port in the context of IDS traffic analysis?
A. An association of a set of destination ports with a single source port
B. An association of a set of source ports with a single destination port
C. An association of a set of source ports with multiple destination ports and an IDS sensor
D. An association of a set of destination ports with an IDS sensor
Definition
B
Term
Which of the following organizational documentation describes how tasks or job functions should be conducted?
A. Standards
B. Guideline
C. Policy
D. Procedures
Definition
D
Term
Which of the following would be the easiest to use in detection of a DDoS attack?
A. Performance monitor
B. Application log
C. System log
D. Protocol analyzer
Definition
A
Term
Which of the following ports does SNMP run on?
A. 25
B. 110
C. 161
D. 443
Definition
C
Term
Which of the following logs would reveal activities related to an ACL?
A. Mobile device
B. Transaction
C. Firewall
D. Performance
Definition
C
Term
Which of the following devices should be deployed to protect a network against attacks launched from a business-to-business intranet? (Select TWO).
A. NIPS
B. Content filter
C. HIPS
D. Firewall
E. NIDS
Definition
A,D
Term
Which of the following allows attackers to gain control over the web camera of a system?
A. ActiveX component
B. SQL injection
C. Cross-site scripting
D. XML
Definition
A
Term
Which of the following should be included in a forensic toolkit?
A. Compressed air
B. Tape recorder
C. Fingerprint cards
D. Digital camera
Definition
D
Term
An administrator is worried about an attacker using a compromised user account to gain administrator access to a system. Which of the following is this an example of?
A. Man-in-the-middle attack
B. Protocol analysis
C. Privilege escalation
D. Cross-site scripting
Definition
C
Term
In regards to physical security, which of the following BEST describes an access control system which implements a non-trusted but secure zone immediately outside of the secure zone?
A. Smart card
B. Defense-in-depth
C. Mantrap
D. DMZ
Definition
C
Term
IPSec connection parameters are stored in which of the following?
A. Security association database
B. Security payload index
C. Security parameter index
D. Certificate authority
Definition
A
Term
Which of the following encryption algorithms has the largest overhead?
A. AES256
B. 3DES
C. AES
D. RSA
Definition
B
Term
A technician notices delays in mail delivery on the mail server. Which of the following tools could be used to determine the cause of the service degradation?
A. Port scanner
B. Performance monitor
C. ipconfig /all
D. TFTP
Definition
B
Term
Which of the following describes a hash algorithm's ability to avoid producing the same output from two guessed inputs?
A. Collision avoidance
B. Collision resistance
C. Collision strength
D. Collision metric
Definition
B
Term
All of the following are part of the disaster recovery plan EXCEPT:
A. obtaining management buy-in.
B. identifying all assets.
C. system backups.
D. patch management software.
Definition
D
Term
When using a single sign-on method, which of the following could adversely impact the entire network?
A. Workstation
B. Biometrics
C. Web server
D. Authentication server
Definition
D
Term
When installing and securing a new system for a home user, which of the following are best practices? (Select THREE).
A. Use a strong firewall.
B. Block inbound access to port 80.
C. Apply all system patches.
D. Use input validation.
E. Install remote control software.
F. Apply all service packs.
Definition
A,C,F
Term
A new Internet content filtering device installed in a large financial institution allows IT administrators to log in and manage the device, but not the content filtering policy. Only the IT security operation staff can modify policies on the Internet filtering device. Which of the following is this an example of?
A. Role-Based Access Control (RBAC)
B. Mandatory Access Control (MAC)
C. Lightweight Directory Access Protocol (LDAP)
D. Discretionary Access Control (DAC)
Definition
A
Term
Which of the following describes a static NAT?
A. A static NAT uses a one to many mapping.
B. A static NAT uses a many to one mapping.
C. A static NAT uses a many to many mapping.
D. A static NAT uses a one to one mapping.
Definition
D
Term
A virtual server implementation attack that affects the:
A. OS kernel will affect all virtual instances.
B. disk partition will affect all virtual instances.
C. system registry will affect all virtual instances.
D. RAM will affect all virtual instances.
Definition
D
Term
The method of controlling how and when users can connect in from home is called which of the following?
A. Remote access policy
B. Terminal access control
C. Virtual Private Networking (VPN)
D. Remote authentication
Definition
A
Term
A botnet zombie is using HTTP traffic to encapsulate IRC traffic. Which of the following would detect this encapsulated traffic?
A. Vulnerability scanner
B. Proxy server
C. Anomaly-based IDS
D. Rootkit
Definition
C
Term
Which of the following BEST describes external security testing?
A. Conducted from outside the perimeter switch but inside the firewall
B. Conducted from outside the building that hosts the organization's servers
C. Conducted from outside the organization's security perimeter
D. Conducted from outside the perimeter switch but inside the border router
Definition
C
Term
Which of the following is a security reason to implement virtualization throughout the network infrastructure?
A. To analyze network traffic with protocol analyzers
B. To centralize the patch management of network servers
C. To isolate the various network services and roles
D. To implement additional network services at a lower cost
Definition
C
Term
Who is ultimately responsible for the amount of residual risk?
A. The senior management
B. The security technician
C. The organization's security officer
D. The DRP coordinator
Definition
A
Term
Which of the following is the BEST reason for an administrator to use port address translation (PAT) instead of NAT on a new corporate mail gateway?
A. PAT provides the mail gateway with protection on port 24.
B. PAT allows external users to access the mail gateway on random ports.
C. PAT provides the mail gateway with protection on port 25.
D. PAT allows external users to access the mail gateway on pre-selected ports.
Definition
D
Term
Which of the following is the main limitation with biometric devices?
A. The false rejection rate
B. They are expensive and complex
C. They can be easily fooled or bypassed
D. The human error factor
Definition
B
Term
After conducting a risk assessment, the main focus of an administrator should be which of the following?
A. To report the results of the assessment to the users
B. To ensure all threats are mitigated
C. To ensure all vulnerabilities are eliminated
D. To ensure risk mitigation activities are implemented
Definition
D
Term
Which of the following is true regarding authentication headers (AH)?
A. The authentication information is a keyed hash based on all of the bytes in the packet.
B. The authentication information hash will increase by one if the bytes remain the same on transfer.
C. The authentication information hash will remain the same if the bytes change on transfer.
D. The authentication information may be the same on different packets if the integrity remains in place.
Definition
A
Term
To determine whether a system is properly documented and to gain insight into the system's security aspects that are only available through documentation is the purpose of:
A. hybrid security testing techniques.
B. active security testing techniques.
C. passive security testing techniques.
D. invasive security testing techniques.
Definition
C
Term
Which of the following systems is BEST to use when monitoring application activity and modification?
A. RADIUS
B. OVAL
C. HIDS
D. NIDS
Definition
C
Term
From a security standpoint, which of the following is the BEST reason to implement performance monitoring applications on network systems?
A. To detect network intrusions from external attackers
B. To detect integrity degradations to network attached storage
C. To detect host intrusions from external networks
D. To detect availability degradations caused by attackers
Definition
D
Term
Which of the following tools will allow a technician to detect security-related TCP connection anomalies?
A. Logical token
B. Performance monitor
C. Public key infrastructure
D. Trusted platform module
Definition
B
Term
Which of the following is the MOST important thing to consider when implementing an IDS solution?
A. The cost of the device
B. Distinguishing between false negatives
C. Distinguishing between false positives
D. The personnel to interpret results
Definition
D
Term
Which of the following, if disabled, will MOST likely reduce, but not eliminate, the risk of VLAN jumping?
A. LAN manager
B. ARP caching
C. DTP on all ports
D. TACACS
Definition
C
Term
Which of the following is the BEST method for securing the data on a coaxial network?
A. Weld all terminators to the cable ends.
B. Run all cables through a conduit.
C. Make sure all terminators are grounded.
D. Run all new cables parallel to existing alternating current (AC) cabling.
Definition
B
Term
Which of the following is used for securing communication between a client and a server?
A. NTLM
B. SHA-1
C. MD5
D. SMTP
Definition
A
Term
While auditing a list of active user accounts, which of the following may be revealed?
A. Accounts with weak passwords
B. Passwords with dictionary words
C. Passwords that are blank
D. Accounts that need to be removed
Definition
D
Term
Which of the following should be considered when implementing logging controls on multiple systems? (Select TWO).
A. VLAN segment of the systems
B. Systems clock synchronization
C. Systems capacity and performance
D. External network traffic
E. Network security zone of the systems
Definition
B,C
Term
Which of the following is the critical piece of an encrypted communication that must be kept secret?
A. The key exchange algorithm
B. The initial salt value
C. The encryption algorithm
D. The final CRC of the key packet
Definition
B
Term
Which of the following is the BEST way to mass deploy security configurations to numerous workstations?
A. Security hotfix
B. Configuration baseline
C. Patch management
D. Security templates
Definition
D
Term
Which of the following NAC scanning types is the LEAST intrusive to the client?
A. Open ID
B. Agent based
C. Agentless
D. ActiveX
Definition
C
Term
A company runs a backup after each shift and the main concern is how quickly the backups are completed between shifts. Recovery time should be kept to a minimum. The administrator decides that backing up all the data that has changed during the last shift is the best way to go. This would be considered a:
A. differential backup.
B. incremental backup.
C. shadow copy.
D. full backup.
Definition
A
Term
Which of the following BEST describes actions pertaining to user account reviews? (Select TWO).
A. User account reports are periodically extracted from systems and employment verification is performed.
B. User accounts and their privileges are periodically extracted from systems and reports are kept for auditing purposes.
C. User accounts and their privileges are periodically extracted from systems and are reviewed for the appropriate level of authorization.
D. User account reports are periodically extracted from systems and end users are informed.
E. User account reports are periodically extracted from systems and user access dates are verified.
Definition
A,C
Term
Which of the following requires the server to periodically request authentication from the client?
A. EAP
B. CHAP
C. WPA2
D. RAS
Definition
B
Term
Which of the following could be used to institute a tunneling protocol for security?
A. IPX/SPX
B. EAP
C. IPSec
D. FTP
Definition
C
Term
Which of the following is a reason why DNS logs should be archived?
A. For complying with payment card industry (PCI) requirements
B. For complying with PII requirements
C. For use in disaster recovery of the DNS server
D. For use in an investigation in the future
Definition
D
Term
The GREATEST security concern in regards to data leakage with USB devices is:
A. speed.
B. physical size.
C. OS compatibility.
D. storage capacity.
Definition
B
Term
Which of the following is a best practice auditing procedure?
A. Mitigate vulnerabilities
B. Review user access and rights
C. Set strong password requirements
D. Draft an email retention policy
Definition
B
Term
Which of the following describes a weakness of hash functions?
A. Collision
B. Birthday attack
C. Collusion
D. Man-in-the-middle
Definition
A
Term
Virtual machines are MOST often used by security researchers for which of the following purposes?
A. To provide a secure virtual environment to conduct online deployments
B. To provide a virtual collaboration environment to discuss security research
C. To provide an environment where new network applications can be tested
D. To provide an environment where malware can be executed with minimal risk to equipment and software
Definition
D
Term
Executing proper logging procedures would be the proper course of action in which of the following scenarios? (Select TWO).
A. Need to prevent access to a file or folder
B. Need to know which files have been accessed
C. Need to know who is logging on to the system
D. Need to prevent users from logging on to the system
E. Need to capture and monitor network traffic in real time
Definition
B,C
Term
Which of the following are recommended security measures when implementing system logging procedures? (Select TWO)
A.
Perform a binary copy of the system.
B.
Apply retention policies on the log files.
C.
Collect system temporary files.
D.
Perform hashing of the log files.
E.
Perform CRC checks.
Definition
D,E
Term
Users and computers are generally grouped into domains for security purposes. Which of the following is a common attribute used to determine which domain a user or computer belongs to?
A. MAC address
B. Location
C. Password
D. OS
Definition
B
Term
Which of the following should be considered when executing proper logging procedures? (Select TWO).
A. The information that is needed to reconstruct events
B. The number of disasters that may occur in one year
C. The password requirements for user accounts
D. The virtual memory allocated on the log server
E. The amount of disk space required
Definition
A,E
Term
Which of the following prevents damage to evidence during forensic analysis?
A. Write-only drive connectors
B. Drive sanitization tools
C. Read-only drive connectors
D. Drive recovery tools
Definition
C
Term
All of the following can be found in the document retention policy EXCEPT:
A. type of storage media.
B. password complexity rules.
C. physical access controls.
D. retention periods.
Definition
B
Term
Which of the following malicious activities might leave traces in a DNS log file?
A. Hijacking
B. Poisoning
C. Caching
D. Phishing
Definition
B
Term
Malware that uses virtualization techniques can be difficult to detect because of which of the following?
A. A portion of the malware may have been removed by the IDS.
B. The malware may be using a Trojan to infect the system.
C. The malware may be implementing a proxy server for command and control.
D. The malware may be running at a more privileged level than the antivirus software.
Definition
D
Term
Which of the following algorithms is faster when encrypting data?
A. Symmetric key algorithms
B. Public key algorithms
C. Whole disk encryption algorithms
D. Asymmetric key algorithms
Definition
A
Term
All of the following are attributes of an X.509 certificate EXCEPT:
A. the symmetric key of the owner.
B. the public key of the owner.
C. the version of the certificate.
D. the issuer.
Definition
A
Term
Which of the following would be disabled to prevent SPIM?
A. P2P
B. ActiveX controls
C. Instant messaging
D. Internet mail
Definition
C
Term
A user sees an MD5 hash number beside a file that they wish to download. Which of the following BEST describes a hash?
A. A hash is a unique number that is generated based upon the TCP/IP transmission header and should be verified before download.
B. A hash is a unique number that is generated based upon the file's contents and used as the SSL key during download.
C. A hash is a unique number that is generated after the file has been encrypted and used as the SSL key during download.
D. A hash is a unique number that is generated based upon the file's contents and should be verified after download.
Definition
D
Term
According to a good disaster recovery plan, which of the following must happen during a power outage before an uninterruptible power supply (UPS) drains its battery?
A. The PKI CA is relocated
B. The backup generator activates.
C. The single point of failure is remedied
D. Full electrical service is restored
Definition
B
Term
Which of the following would give a technician the MOST information regarding an external attack on the network?
A. Internet content filter
B. Proxy server
C. NIDS
D. Firewall
Definition
C
Term
A technician finds that a malicious user has introduced an unidentified virus to a single file on the network. Which of the following would BEST allow for the user to be identified?
A. Access logs
B. Performance log
C. Firewall logs
D. Antivirus logs
Definition
A
Term
Which of the following would BEST allow an administrator to find the IP address of an external attacker?
A. Antivirus logs
B. DNS logs
C. Firewall logs
D. Performance logs
Definition
C
Term
Which of the following could be used by a technician needing to send data while ensuring that any data tampering is easily detectible?
A. NTLM
B. LANMAN
C. SHA-1
D. AES
Definition
C
Term
Which of the following BEST allows for a high level of encryption?
A. AES with ECC
B. DES with SHA-1
C. PGP with SHA-1
D. 3DES with MD5
Definition
A
Term
A company's accounting application requires users to be administrators for the software to function correctly. Because of the security implications of this, a network administrator builds a user profile which allows the user to still use the application but no longer requires them to have administrator permissions. Which of the following is this an example of?
A. Configuration baseline
B. Group policy
C. Security template
D. Privilege escalation
Definition
C
Term
A company is addressing backup and recovery issues. The company is looking for a compromise between speed of backup and speed of recovery. Which of the following is the BEST recommendation?
A. Full backups every day
B. Daily differential backups
C. Full backups weekly with differential backups daily
D. Weekly differential with incremental backups daily
Definition
C
Term
Setting a baseline is required in which of the following? (Select TWO).
A. Anomaly-based monitoring
B. NIDS
C. Signature-based monitoring
D. NIPS
E. Behavior-based monitoring
Definition
A,D
Term
Which of the following sites has the means (e.g., equipment, software, and communications) to facilitate a full recovery within minutes?
A. Warm site
B. Hot site
C. Reciprocal site
D. Cold site
Definition
B
Term
When conducting an environmental security assessment, which of the following items should be included in the assessment? (Select THREE).
A. HVAC
B. Card access system
C. Off-site data storage
D. Logical access
E. Utilities
F. Fire detection
Definition
A,E,F
Term
Which of the following security steps must a user complete before access is given to the network?
A. Authentication and password
B. Identification and authentication
C. Identification and authorization
D. Authentication and authorization
Definition
B
Term
An administrator wants to obtain a view of the type of attacks that are being targeted against the network perimeter. The recommended placement of a NIDS would be:
A. inside the proxy.
B. inside the DMZ.
C. outside the proxy.
D. outside the firewall.
E. inside the firewall.
Definition
D
Term
Which of the following is the perfect encryption scheme and is considered unbreakable when properly used?
A. Running key cipher
B. Concealment cipher
C. One-time pad
D. Steganography
Definition
C
Term
When using a digital signature, the message digest is encrypted with which of the following keys?
A. Receiver's private key
B. Receiver's public key
C. Sender's public key
D. Sender's private key
Definition
D
Term
Which of the following BEST applies to steganography?
A. Algorithms are not used to encrypt data.
B. Algorithms are used to encrypt data.
C. Keys are used to encrypt data.
D. Keys are concealed in the data.
Definition
A
Term
Which of the following can steganography be used for?
A. Watermark graphics for copyright.
B. Decrypt data in graphics.
C. Encrypt a message in WAV files.
D. Encrypt data in graphics.
Definition
A
Term
Steganography could be used by attackers to
A. encrypt and conceal messages in microdots.
B. decrypt data stored in unused disk space.
C. encrypt and decrypt messages in graphics.
D. hide and conceal messages in WAV files.
Definition
D
Term
Which of the following BEST describes how steganography can be accomplished in graphic files?
A. Replacing the most significant byte of each bit
B. Replacing the least significant byte of each bit
C. Replacing the most significant bit of each byte
D. Replacing the least significant bit of each byte
Definition
D
Term
An application developer is looking for an encryption algorithm which is fast and hard to break if a large key size is used. Which of the following BEST meets these requirements?
A. Transposition
B. Substitution
C. Symmetric
D. Asymmetric
Definition
C
Term
Which of the following, if used incorrectly, would be susceptible to frequency analysis?
A. Asymmetric algorithms
B. Transposition ciphers
C. Symmetric algorithms
D. Stream ciphers
Definition
B
Term
Password crackers:
A. are sometimes able to crack both passwords and physical tokens
B. cannot exploit weaknesses in encryption algorithms.
C. cannot be run remotely.
D. are sometimes able to crack both Windows and UNIX passwords
Definition
D
Term
A firewall differs from a NIDS in which of the following ways?
A. A firewall attempts to detect patterns and a NIDS operates on a rule list.
B. A firewall operates on a rule list and a NIDS attempts to detect patterns.
C. A firewall prevents inside attacks and a NIDS prevents outside attacks.
D. A firewall prevents outside attacks and a NIDS prevents inside attacks.
Definition
B
Term
A vulnerability has recently been identified for a server's OS. Which of the following describes the BEST course of action?
A. Shut down all affected servers until management can be notified.
B. Visit a search engine and search for a possible patch.
C. Wait for an automatic update to be pushed out to the server from the manufacturer.
D. Visit the operating system manufacturer's website for a possible patch.
Definition
D
Term
An accountant has logged onto the company's external banking website. An administrator using a TCP/IP monitoring tool discovers that the accountant was actually using a spoofed banking website. Which of the following could have caused this attack? (Select TWO).
A. Altered hosts file
B. Network mapper
C. Packet sniffing
D. DNS poisoning
E. Bluesnarfing
Definition
A,D
Term
A periodic security audit of group policy can:
A. show that data is being correctly backed up.
B. show that PII data is being properly protected.
C. show that virus definitions are up to date on all workstations.
D. show that unnecessary services are blocked on workstations.
Definition
D
Term
Which of the following describes a common problem encountered when conducting audit log reviews?
A. The timestamp for the servers are not synchronized.
B. The servers are not synchronized with the clients.
C. The audit logs cannot be imported into a spreadsheet.
D. The audit logs are pulled from servers on different days.
Definition
A
Term
A technician is conducting a web server audit and discovers that SSLv2 is implemented. The technician wants to recommend that the organization consider using TLS. Which of the following reasons could the technician use to support the recommendation?
A. SSLv2 reduces server performance.
B. SSLv2 is susceptible to network sniffing.
C. SSLv2 only uses message authentication code values.
D. SSLv2 is susceptible to man-in-the-middle attacks.
Definition
D
Term
Which of the following is a security risk when using peer-to-peer software?
A. Cookies
B. Multiple streams
C. Data leakage
D. Licensing
Definition
C
Term
Heaps and stacks are susceptible to which of the following?
A. Cross-site scripting
B. Rootkits
C. Buffer overflows
D. SQL injection
Definition
C
Term
All of the following are inline devices EXCEPT:
A. NIPS.
B. firewalls.
C. HIDS.
D. routers.
Definition
C
Term
Which of the following is the BEST approach when reducing firewall logs?
A. Review chronologically
B. Discard known traffic first.
C. Search for encrypted protocol usage.
D. Review each protocol one at a time.
Definition
B
Term
Which of the following encryption algorithms relies on the inability to factor large prime numbers?
A. Elliptic Curve
B. AES256
C. RSA
D. SHA-1
Definition
C
Term
If a company has a distributed IT staff, each being responsible for separate facilities, which of the following would be the BEST way to structure a directory information tree?
A. By department
B. By location
C. By role
D. By name
Definition
B
Term
Which of the following is placed in promiscuous mode, in line with the data flow, to allow a NIDS to monitor the traffic?
A. Console
B. Sensor
C. Filter
D. Appliance
Definition
B
Term
In a NIDS, which of the following provides a user interface?
A. Filter
B. Screen
C. Console
D. Appliance
Definition
C
Term
Which of the following is the MOST important consideration when developing a disaster recovery plan?
A. Management buy-in
B. The cost of the project
C. The amount of personnel
D. The planning team
Definition
A
Term
You work as the security administrator at Tesking.com. One morning you discover that a user named Mia Hamm has used her user account to log on to a network server. Mia has then executed a program and been able to perform operations which only a network administrator or security admin should be able to. What type of attack has occurred?
A. Trojan horse
B. Security policy removal
C. Privilege escalation attack
D. Subseven back door
Definition
C