Chapter 2. Domain 2.0: Network Infrastructure

The network infrastructure is subject to myriad internal and external attacks through services, protocols, and open ports. It is imperative that you understand how to eliminate nonessential services and protocols, especially if the network has been in existence for some period of time and some services are no longer needed or have been forgotten. To stop many would-be attackers, you must understand the different types of attacks that can happen, along with how to implement a network design, components, and tools that can protect the infrastructure. Be sure to give yourself plenty of time to review all of these concepts. The following list identifies the key areas from Domain 2.0 (which counts as 20% of the exam) that you need to master:

Differentiate between the different ports and protocols, their respective threats and mitigation techniques.

Distinguish between network design elements and components.

Determine the appropriate use of network security tools to facilitate network security.

Apply the appropriate network tools to facilitate network security.

Explain the vulnerabilities and mitigations associated with network devices.

Explain the vulnerabilities and mitigations associated with various transmission media.

Explain the vulnerabilities and implement mitigations associated with wireless networking.

Practice Questions

Objective 2.1: Differentiate between the different ports & protocols, their respective threats, and mitigation techniques.

1. Which of the following ports should be blocked when it has been determined that an intruder has been using Telnet for unauthorized access?

A. 110

B. 21

C. 23

D. 443

Quick Answer: 107

Detailed Answer: 110

2. Which of the following ports should be blocked when it has been determined that an intruder has been using SNMP for unauthorized access? (Select all correct answers.)

A. 161

B. 162

C. 443

D. 4445

Quick Answer: 107

Detailed Answer: 110

3. Which of the following best describes TCP/IP hijacking?

A. Providing false identity information to gain unauthorized access

B. An established connection without specifying a username or password

C. An attacker takes control of a session between the server and a client

D. Redirecting traffic by changing the IP record for a specific domain

Quick Answer: 107

Detailed Answer: 110

4. Which of the following best describes spoofing?

A. Providing false identity information to gain unauthorized access

B. An established connection without specifying a username or password

C. An attacker takes control of a session between the server and a client

D. Redirecting traffic by changing the IP record for a specific domain

Quick Answer: 107

Detailed Answer: 110

5. Which of the following best describes a null session?

A. Providing false identity information to gain unauthorized access

B. An established connection without specifying a username or password

C. An attacker takes control of a session between the server and a client

D. Redirecting traffic by changing the IP record for a specific domain

Quick Answer: 107

Detailed Answer: 110

6. Which of the following best describes DNS poisoning?

A. Providing false identity information to gain unauthorized access

B. An established connection without specifying a username or password

C. An attacker takes control of a session between the server and a client

D. Redirecting traffic by changing the IP record for a specific domain

Quick Answer: 107

Detailed Answer: 110

7. Which of the following best describes a man-in-the-middle attack?

A. An attacker takes advantage of the add/grace period to monopolize names without ever paying for them.

B. Packets are captured, the pertinent information is extracted, and then packets are placed back on the network.

C. An attack that typically involves flooding a listening port on a machine with packets to disrupt service.

D. An attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.

Quick Answer: 107

Detailed Answer: 111

8. Which of the following best describes a relay attack?

A. An attacker takes advantage of the add/grace period to monopolize names without ever paying for them.

B. Packets are captured, the pertinent information is extracted, and then packets are placed back on the network.

C. An attack that typically involves flooding a listening port on a machine with packets to disrupt service.

D. An attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.

Quick Answer: 107

Detailed Answer: 111

9. Which of the following best describes a DDoS attack?

A. An attacker takes advantage of the add/grace period to monopolize names without ever paying for them.

B. Packets are captured, the pertinent information is extracted, and then packets are placed back on the network.

C. An attack that typically involves flooding a listening port on a machine with packets to disrupt the resources.

D. An attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.

Quick Answer: 107

Detailed Answer: 111

10. Which of the following best describes DNS kiting?

A. An attacker takes advantage of the add/grace period to monopolize names without ever paying for them.

B. Packets are captured, the pertinent information is extracted, and then packets are placed back on the network.

C. An attack that typically involves flooding a listening port on a machine with packets to disrupt the resources.

D. An attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.

Quick Answer: 107

Detailed Answer: 111

11. Which of the following methods can be used to mitigate DDoS attacks? (Select all correct answers.)

A. Setting up filters on external routers to drop all ICMP packets

B. Reducing the amount of time before the reset of an unfinished TCP connection

C. Increasing the amount of time before the reset of an unfinished TCP connection

D. Setting up a filter that denies traffic originating from the Internet that shows an internal network address

Quick Answer: 107

Detailed Answer: 111

12. Which of the following best describes the practice of deleting a domain name during the five-day AGP and immediately re-registering it for another five-day period?

A. TCP/IP hijacking

B. DNS tasting

C. DNS kiting

D. Domain spoofing

Quick Answer: 107

Detailed Answer: 112

13. Which of the following best describes ARP poisoning?

A. Broadcasting a fake or spoofed ARP reply to an entire network

B. Changing the IP record for a specific domain

C. Sending fragmented UDP packets

D. Distributing zombie software

Quick Answer: 107

Detailed Answer: 112

14. Which of the following attacks is associated with services using an interprocess communication share such as network file and print sharing services?

A. DNS spoofing

B. Null sessions

C. ARP poisoning

D. DNS kiting

Quick Answer: 107

Detailed Answer: 112

15. Which of the following types of attacks is most likely being executed when hundreds of ICMP packets have been sent to the host?

A. DNS spoofing

B. ARP poisoning

C. Man-in-the-middle

D. Denial of service

Quick Answer: 107

Detailed Answer: 112

16. Which of the following types of attacks is most likely being executed when an unauthorized service is relaying information to a source outside the network?

A. DNS spoofing

B. ARP poisoning

C. Man-in-the-middle

D. Denial of service

Quick Answer: 107

Detailed Answer: 112

17. Which of the following best describes the primary security issue with null sessions?

A. The sessions are not terminated properly.

B. The connection is not authenticated.

C. The connection is not encrypted.

D. The sessions are remotely controlled.

Quick Answer: 107

Detailed Answer: 112

18. Which of the following is the most effective way to reduce null session vulnerability?

A. Reducing the reset time of an unfinished TCP connection

B. Using the signing capabilities of certificates

C. Setting up filters to drop all ICMP packets

D. Disabling NetBIOS over TCP/IP

Quick Answer: 107

Detailed Answer: 113

19. Which of the following are effective ways to mitigate spoofing attacks? (Select all correct answers.)

A. Editing the Registry on Windows-based computers to restrict anonymous access

B. Using IPsec to secure transmissions between critical servers and clients

C. Denying traffic originating from the Internet that shows an internal network address

D. Using the signing capabilities of certificates on servers and clients

Quick Answer: 107

Detailed Answer: 113
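Questions 11 and 19 both come down to the same edge-router control: on the interface facing the Internet, a packet whose source address belongs to the inside (or to a range that is never routed) is forged and should be dropped, and ICMP can be filtered there as well. The following Python is an added illustration written for this page, not code from the book; the packet layout, the function names (`filter_packet`, `run_sample`), and the sample traffic (built from the RFC 5737 documentation ranges) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Address space that must never be the SOURCE of a packet arriving from the
# Internet: the RFC 1918 private ranges, plus "this network", loopback and the
# APIPA link-local range, none of which is ever routed across the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NEVER_ROUTED = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str    # "ext": arrived from the Internet, "int": arrived from the LAN
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Edge-router decision for one packet: returns (verdict, reason)."""
    if pkt.iface == "ext":
        # Question 11 D / 19 C: a packet from the Internet carrying an internal
        # source address is forged by definition. Dropping it defeats spoofing
        # against address-based trust and stops inside hosts being used as
        # reflectors in a DDoS.
        if in_any(pkt.src, INTERNAL_NETS) or in_any(pkt.src, NEVER_ROUTED):
            return "drop", "ingress: internal/bogon source on external interface"
        # Question 11 A: block ICMP at the border so ping floods and smurf
        # amplification never reach the inside.
        if pkt.proto == "icmp":
            return "drop", "ingress: ICMP from Internet"
        return "accept", "ingress: permitted"
    # Egress side (BCP 38): only forward packets that carry one of OUR source
    # addresses, so a compromised LAN host cannot spoof someone else's network.
    if not in_any(pkt.src, INTERNAL_NETS):
        return "drop", "egress: non-internal source leaving the LAN"
    return "accept", "egress: permitted"


# Constructed sample traffic. 203.0.113.10 plays our public web server and
# 198.51.100.0/24 an arbitrary remote network (both are RFC 5737 documentation
# ranges, so the sample can never refer to a real host).
SAMPLE_PACKETS = [
    Packet("ext", "tcp", "192.168.1.20", "203.0.113.10", 80),   # spoofed internal src
    Packet("ext", "tcp", "127.0.0.1", "203.0.113.10", 22),      # bogon src
    Packet("ext", "icmp", "198.51.100.7", "203.0.113.10"),      # ping from outside
    Packet("ext", "tcp", "198.51.100.7", "203.0.113.10", 443),  # normal client
    Packet("int", "tcp", "10.0.0.5", "198.51.100.7", 443),      # normal outbound
    Packet("int", "udp", "198.51.100.9", "203.0.113.99", 53),   # LAN host spoofing
]


def run_sample() -> List[Tuple[str, str]]:
    """Apply the filter to the sample and return (source, verdict) pairs."""
    return [(p.src, filter_packet(p)[0]) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, why = filter_packet(pkt)
        print(f"{pkt.iface:<3} {pkt.proto:<4} {pkt.src:>15} -> {pkt.dst:<15} {verdict:<6} {why}")
```

Two caveats a practitioner would add: dropping every ICMP message (option A) also discards the "fragmentation needed" replies that path MTU discovery relies on, so in production the usual compromise is to permit ICMP type 3 and rate-limit echo requests rather than block the protocol outright; and the shorter reset time for half-open connections (option B) is a host-side TCP setting, such as enabling SYN cookies or trimming the SYN backlog timeout, not something a router filter can do.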

20. Running which of the following commands is the quickest way to tell which ports are open and which services are running on the machine?

A. netstat

B. nbtstat

C. ipconfig

D. msconfig

Quick Answer: 107

Detailed Answer: 113

21. Which of the following protocols is used for monitoring the health of network equipment, computer equipment, and devices?

A. SNAP

B. SMTP

C. SDLC

D. SNMP

Quick Answer: 107

Detailed Answer: 113

22. Which of the following are effective ways to protect the network infrastructure from attacks aimed at antiquated or unused ports and protocols? (Select all correct answers.)

A. Keeping only protocols installed by default

B. Allowing traffic only on necessary ports

C. Removing any unnecessary protocols

D. Allowing only traffic requested by users

Quick Answer: 107

Detailed Answer: 113

23. Which of the following sessions can typically result in TCP/IP hijacking? (Select all correct answers.)

A. Telnet

B. Web

C. Email

D. Samba

Quick Answer: 107

Detailed Answer: 113

24. Which of the following is the most effective method to mitigate session hijacking?

A. Denying traffic originating from the Internet that shows an internal network address

B. Forcing users to re-authenticate before allowing transactions to occur

C. Reducing the amount of time before the reset of an unfinished TCP connection

D. Setting up filters on external routers to drop all incoming ICMP packets

Quick Answer: 107

Detailed Answer: 113

25. When mitigating null session vulnerability, which of the following ports should be closed? (Select all correct answers.)

A. 161

B. 162

C. 139

D. 445

Quick Answer: 107

Detailed Answer: 114
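Questions 1, 2, 20 and 25 all rest on the same practical check: run netstat, read off what is actually listening, and compare it against the ports the exam singles out (Telnet 23, SNMP 161/162, NetBIOS session 139 and SMB 445). The Python below is an added example for this page, not code from the book; it parses a constructed `netstat -an` listing (Windows layout, with the Linux column order also accepted) and reports which of those services are reachable from the network. The function names and the sample output are the author's, and `RISKY_PORTS` holds only the ports named in the questions above.

```python
import ipaddress
from typing import List, Tuple

# Ports the questions above single out; close or firewall them unless the
# service is genuinely required.
RISKY_PORTS = {
    ("tcp", 23): "Telnet: cleartext logins, replace with SSH",
    ("udp", 161): "SNMP agent: read/write via community string",
    ("udp", 162): "SNMP trap receiver",
    ("tcp", 139): "NetBIOS session service: null-session enumeration",
    ("tcp", 445): "SMB over TCP: null-session enumeration",
}

# Constructed sample of `netstat -an` output (Windows layout). The parser also
# accepts the Linux layout, where the local address is the fourth column.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      203.0.113.5:51822      ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:162            *:*
  UDP    127.0.0.1:1900         *:*
"""


def _split_addr(token: str) -> Tuple[str, int]:
    """'192.168.1.10:139' -> ('192.168.1.10', 139); also handles '[::]:80'."""
    host, port = token.rsplit(":", 1)
    return host.strip("[]"), int(port)


def listening_sockets(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind_address, port) for every socket that accepts traffic."""
    found = []
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto = tokens[0].lower().rstrip("6")
        local = next(t for t in tokens[1:] if ":" in t)   # first address column
        # Only bound TCP listeners are attack surface; ESTABLISHED/TIME_WAIT
        # rows are existing sessions. UDP has no state, so every bound socket counts.
        if proto == "tcp" and not any(t.upper().startswith("LISTEN") for t in tokens):
            continue
        host, port = _split_addr(local)
        found.append((proto, host, port))
    return found


def flag_risky(netstat_text: str) -> List[Tuple[str, int, str]]:
    """List the risky services from RISKY_PORTS that are reachable from the network."""
    hits = []
    for proto, host, port in listening_sockets(netstat_text):
        # A socket bound to 127.0.0.1 or ::1 cannot be reached by other hosts.
        if host not in ("*", "") and ipaddress.ip_address(host).is_loopback:
            continue
        reason = RISKY_PORTS.get((proto, port))
        if reason:
            hits.append((proto, port, reason))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for proto, port, reason in flag_risky(SAMPLE_NETSTAT):
        print(f"{proto}/{port:<5} {reason}")
```

On a live host, feed the script the output of `netstat -ano` (Windows, which adds the owning PID) or `ss -tulpn` (Linux). Finding the listener is only the first half: the fixes the questions point at are host-side, namely disabling NetBIOS over TCP/IP and restricting anonymous access in the Registry for 139/445, disabling or access-listing the SNMP agent for 161/162, and replacing Telnet with SSH for 23.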

26. When editing the Registry on Windows-based computers to restrict anonymous access, which of the following key values is restrictive without interfering with application functionality?

A. 0

B. 1

C. 2

D. 3

Quick Answer: 107

Detailed Answer: 114

27. Which of the following sessions can typically result in a man-in-the-middle attack? (Select all correct answers.)

A. Telnet

B. Wireless

C. Email

D. Samba

Quick Answer: 107

Detailed Answer: 114

28. Which of the following are issues associated with kited domains? (Select all correct answers.)

A. Search engines return more-relevant results.

B. Search engines return less-relevant results.

C. Capitalization on slight variations of website addresses.

D. Domain names that legitimate businesses use may be tied up.

Quick Answer: 107

Detailed Answer: 114

29. Which of the following are ways to minimize the effects of DNS poisoning when hosting your own DNS? (Select all correct answers.)

A. Checking that the hosting server is not open-recursive

B. Running operating systems from an account with lesser privileges

C. Using different servers for authoritative and recursive lookups

D. Disabling recursive access for networks to resolve names that are not in zone files

Quick Answer: 107

Detailed Answer: 114

30. Which of the following are the most effective methods to mitigate ARP poisoning on a large network? (Select all correct answers.)

A. Using equipment that offers port security

B. Using static mapping for IP addresses and ARP tables

C. Using script-based mapping for IP addresses and ARP tables

D. Deploying monitoring tools or an intrusion detection system (IDS)

Quick Answer: 107

Detailed Answer: 114
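Question 13 describes the attack (a forged ARP reply rewrites every listener's cache) and question 30 lists the countermeasures. The monitoring/IDS option works by remembering which MAC each IP has answered from and alerting when that binding changes, which is what arpwatch does; a static map of critical hosts such as the default gateway catches a poisoned entry even when the forged reply is the first one the monitor sees. The Python below is an added example for this page, not code from the book: `ArpReply`, `ArpWatch`, and the sequence of replies in `SAMPLE_EVENTS` are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str     # the IP the reply claims to answer for
    sender_mac: str    # the MAC it wants listeners to cache for that IP


class ArpWatch:
    """Track IP->MAC bindings seen on the wire and alert when they change.

    This is the detection half of question 30 (monitoring tools / IDS). A
    static map of critical hosts (question 30 B) protects the entries an
    attacker goes after first, typically the gateway.
    """

    def __init__(self, static_map: Optional[Dict[str, str]] = None):
        self.static = {ip: mac.lower() for ip, mac in (static_map or {}).items()}
        self.learned: Dict[str, str] = {}                    # first binding seen per IP
        self.by_mac: Dict[str, Set[str]] = defaultdict(set)  # IPs each MAC answers for
        self.alerts: List[str] = []

    def observe(self, ev: ArpReply) -> Optional[str]:
        ip, mac = ev.sender_ip, ev.sender_mac.lower()
        self.by_mac[mac].add(ip)
        alert = None
        expected = self.static.get(ip)
        if expected is not None:
            # Statically mapped host: anything but the configured MAC is poison.
            if mac != expected:
                alert = (f"t={ev.ts}: ARP poisoning suspected: {ip} claimed by {mac}, "
                         f"static map says {expected}")
        elif ip in self.learned and self.learned[ip] != mac:
            # Learned host: a later reply with a different MAC is the anomaly
            # ("flip-flop" in arpwatch terms).
            alert = f"t={ev.ts}: ARP flip-flop: {ip} moved from {self.learned[ip]} to {mac}"
        else:
            self.learned.setdefault(ip, mac)
        if alert:
            self.alerts.append(alert)
        return alert

    def suspects(self) -> List[str]:
        """MACs answering for more than one IP: the signature of a man-in-the-
        middle that poisons both the gateway's and the victim's entries."""
        return sorted(m for m, ips in self.by_mac.items() if len(ips) > 1)


# Constructed sample: the real gateway, one workstation, then an attacker
# claiming both of them so traffic in each direction flows through it.
STATIC_MAP = {"192.168.1.1": "00:11:22:33:44:55"}
SAMPLE_EVENTS = [
    ArpReply(1.0, "192.168.1.1", "00:11:22:33:44:55"),    # genuine gateway
    ArpReply(1.5, "192.168.1.20", "aa:bb:cc:dd:ee:20"),   # genuine workstation
    ArpReply(2.0, "192.168.1.1", "de:ad:be:ef:00:01"),    # attacker claims gateway
    ArpReply(2.1, "192.168.1.20", "de:ad:be:ef:00:01"),   # attacker claims workstation
    ArpReply(3.0, "192.168.1.1", "00:11:22:33:44:55"),    # gateway answers again
]


def run_sample() -> ArpWatch:
    """Replay the sample through a monitor with the gateway statically mapped."""
    watch = ArpWatch(STATIC_MAP)
    for ev in SAMPLE_EVENTS:
        watch.observe(ev)
    return watch


if __name__ == "__main__":
    w = run_sample()
    print("\n".join(w.alerts))
    print("MACs answering for multiple IPs:", w.suspects())
```

The monitor only detects; it does not stop the first poisoned frame from landing in every host's cache. Port security, DHCP snooping and dynamic ARP inspection on the access switches (question 30 A) are what prevent the forged reply from being forwarded, and static ARP entries on every host (option B) do not scale beyond a handful of critical machines on a large network.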

Objective 2.2: Distinguish between network design elements and components.

1. If the organization requires email traffic in a DMZ segment, which of the following TCP ports will be open? (Select all correct answers.)

A. 110

B. 21

C. 25

D. 443

Quick Answer: 107

Detailed Answer: 114

2. Which of the following UDP ports must be open to allow SNMP traffic through the router?

A. 161

B. 162

C. 443

D. 4445

Quick Answer: 107

Detailed Answer: 114

3. Which of the following best describes a demilitarized zone (DMZ)?

A. A small network between the database servers and file servers

B. A small network between the internal network and the Internet

C. A portion of the internal network that uses web-based technologies

D. A portion of the internal infrastructure used in business-to-business relationships

Quick Answer: 107

Detailed Answer: 114

4. Which of the following best describes a virtual local-area network (VLAN)?

A. A method to allow multiple computers to connect to the Internet using one IP address

B. A method to unite network nodes physically into the same broadcast domain

C. A method to split one network into two using routers to connect them together

D. A method to unite network nodes logically into the same broadcast domain

Quick Answer: 107

Detailed Answer: 115

5. Which of the following best describes Network Address Translation (NAT)?

A. A method to allow multiple computers to connect to the Internet using one IP address

B. A method to unite network nodes physically into the same broadcast domain

C. A method to split one network into two using routers to connect them together

D. A method to unite network nodes logically into the same broadcast domain

Quick Answer: 107

Detailed Answer: 115

6. Which of the following best describes subnetting?

A. A method to allow multiple computers to connect to the Internet using one IP address

B. A method to unite network nodes physically into the same broadcast domain

C. A method to split one network into two using routers to connect them together

D. A method to unite network nodes logically into the same broadcast domain

Quick Answer: 107

Detailed Answer: 115

7. Which of the following is the most important security aspect of using Network Address Translation (NAT)?

A. It unites network nodes logically into the same broadcast domain.

B. It hides the internal network from the outside world.

C. It allows users to be grouped by department rather than location.

D. It allows external users to access necessary information.

Quick Answer: 107

Detailed Answer: 115

8. Which of the following is the most common reason networks are subnetted?

A. To allow logical division on the same broadcast domain

B. To hide the internal network from the outside world

C. For easier application of security policies

D. To control network traffic

Quick Answer: 107

Detailed Answer: 116

9. Which of the following private IP address ranges should be used for the internal network when there are 100 host systems?

A. 10.x.x.x

B. 172.16.x.x

C. 192.168.1.x

D. 224.1.1.x

Quick Answer: 107

Detailed Answer: 116

10. When a client machine receives an IP address of 169.254.0.15, it is an indication of which of the following?

A. The client cannot contact the DHCP server.

B. The client has a corrupt routing table.

C. The client has a manually configured address.

D. The client cannot contact the DNS server.

Quick Answer: 107

Detailed Answer: 116

11. Automatic Private IP Addressing (APIPA) is denoted by which of the following IP addresses?

A. 192.168.1.10

B. 169.254.0.5

C. 224.223.10.1

D. 172.16.15.84

Quick Answer: 107

Detailed Answer: 116

12. Which of the following best describes network access control (NAC)?

A. A method to allow multiple computers to connect to the Internet using one IP address

B. A method to split one network into two using routers to connect them together

C. A method to unite network nodes logically into the same broadcast domain

D. A method of enforcement that helps ensure computers are properly configured

Quick Answer: 107

Detailed Answer: 116

13. Which of the following IP address ranges can be used for the internal network when using NAT? (Select all correct answers.)

A. 10.x.x.x

B. 172.16.x.x

C. 192.168.1.x

D. 224.1.1.x

Quick Answer: 107

Detailed Answer: 116
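Questions 9 through 13 test the same address-space facts: the three RFC 1918 ranges are the only ones that belong behind NAT, 169.254.x.x means DHCP could not be reached, 224.x.x.x is multicast and never a host address, and a network is sized by counting usable hosts. The Python below is an added example for this page, not code from the book, and it goes one step beyond question 9 by computing the smallest prefix for any host count rather than just picking a range: `classify`, `prefix_for_hosts` and `carve` are names chosen for the illustration. The explicit RFC 1918 list is deliberate, because Python's `is_private` also returns True for link-local, loopback and documentation ranges, so it cannot be used on its own to answer "is this NAT-eligible?".

```python
import ipaddress
from typing import List

# The only ranges that belong on a NATed internal network (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Self-assigned when no DHCP server answers (question 10/11).
APIPA = ipaddress.ip_network("169.254.0.0/16")


def classify(addr: str) -> str:
    """Name the address class the questions above care about."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    if ip in APIPA:
        return "apipa"       # DHCP failure: self-assigned, not routable anywhere
    if any(ip in n for n in RFC1918):
        return "rfc1918"     # private: needs NAT to reach the Internet
    if ip.is_multicast:
        return "multicast"   # 224.0.0.0/4: group address, never a host
    if ip.is_loopback:
        return "loopback"
    return "public"


def nat_eligible(addr: str) -> bool:
    """True only for RFC 1918 space; APIPA and multicast are never valid behind NAT."""
    return classify(addr) == "rfc1918"


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable host count (2^(32-p) - 2) covers `hosts`.

    (hosts + 1).bit_length() equals ceil(log2(hosts + 2)), the number of host
    bits needed once the network and broadcast addresses are reserved.
    """
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = (hosts + 1).bit_length()
    return 32 - host_bits


def usable_hosts(prefix: int) -> int:
    return (1 << (32 - prefix)) - 2


def carve(block: str, hosts: int, count: int) -> List[str]:
    """Carve `count` subnets, each sized for `hosts` hosts, out of `block`."""
    net = ipaddress.ip_network(block)
    p = prefix_for_hosts(hosts)
    if p < net.prefixlen:
        raise ValueError(f"{block} is too small for {hosts} hosts per subnet")
    return [str(s) for s in list(net.subnets(new_prefix=p))[:count]]


if __name__ == "__main__":
    for a in ("169.254.0.15", "172.16.15.84", "224.1.1.5", "203.0.113.9"):
        print(f"{a:<15} {classify(a):<10} nat_eligible={nat_eligible(a)}")
    p = prefix_for_hosts(100)
    print(f"100 hosts -> /{p} ({usable_hosts(p)} usable); e.g. {carve('192.168.1.0/24', 100, 2)}")
```

For the 100-host network in question 9 the answer is a /25 (126 usable addresses), so a single 192.168.1.0/24 comfortably holds it with room to split in two; the 10.0.0.0/8 and 172.16.0.0/12 answers are not wrong, just far larger than the requirement.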

14. Which of the following are basic components of NAC? (Select all correct answers.)

A. Access requestor

B. Network redirector

C. Policy enforcement point

D. Policy decision point

Quick Answer: 107

Detailed Answer: 117

15. Which of the following devices can be a policy enforcement point in NAC? (Select all correct answers.)

A. Hub

B. Switch

C. Firewall

D. Router

Quick Answer: 107

Detailed Answer: 117

16. Which of the following best describes the NAC method that performs an assessment as hosts come online, and then grants appropriate access?

A. Inline

B. Out-of-band

C. Switch based

D. Host based

Quick Answer: 107

Detailed Answer: 117

17. Which of the following are business benefits associated with the use of NAC? (Select all correct answers.)

A. Compliance

B. Separation of duties

C. Improved security posture

D. Operational cost management

Quick Answer: 107

Detailed Answer: 117

18. Which of the following are ways to mitigate vulnerabilities associated with a PBX? (Select all correct answers.)

A. Changing any default passwords

B. Physically securing the area where the PBX resides

C. Implementing an encryption solution

D. Putting a data-validation system in place

Quick Answer: 107

Detailed Answer: 117

19. Which of the following types of attacks is associated with the use of a PBX?

A. Man-in-the-middle

B. Buffer overflows

C. Denial of service

D. Social engineering

Quick Answer: 107

Detailed Answer: 117

20. Which of the following types of attacks are associated with the use of VoIP? (Select all correct answers.)

A. Man-in-the-middle

B. Buffer overflows

C. Denial of service

D. Social engineering

Quick Answer: 107

Detailed Answer: 118

21. Which of the following is an inherent security risk associated with using SIP-based VoIP?

A. It leaves the network open to long-distance toll fraud.

B. It leaves the network open to war-dialing attacks.

C. It leaves the network open to unauthorized transport of data.

D. It leaves the network open to war-driving attacks.

Quick Answer: 107

Detailed Answer: 118

22. Which of the following is an inherent security risk associated with using a PBX?

A. It leaves the network open to long-distance toll fraud.

B. It leaves the network open to war-dialing attacks.

C. It leaves the network open to unauthorized transport of data.

D. It leaves the network open to war-driving.

Quick Answer: 107

Detailed Answer: 118

23. Which of the following is an inherent security risk associated with using a modem pool?

A. It leaves the network open to long-distance toll fraud.

B. It leaves the network open to war-dialing attacks.

C. It leaves the network open to unauthorized transport of data.

D. It leaves the network open to war-driving.

Quick Answer: 107

Detailed Answer: 118

24. Which of the following solutions can help mitigate the risks and vulnerabilities associated with VoIP? (Select all correct answers.)

A. Authentication

B. Setting the callback features

C. Data validation

D. Implementing a firewall solution

Quick Answer: 107

Detailed Answer: 118

25. Which of the following solutions can help mitigate the risks and vulnerabilities associated with modems? (Select all correct answers.)

A. Authentication

B. Setting the callback features

C. Data validation

D. Implementing a firewall solution

Quick Answer: 107

Detailed Answer: 118

Objective 2.3: Determine the appropriate use of network security tools to facilitate network security.

1. Which of the following are functions of an intrusion detection system? (Select all correct answers.)

A. Prevent attacks

B. Analyze data

C. Identify attacks

D. Respond to attacks

Quick Answer: 108

Detailed Answer: 119

2. Which of the following best describes the difference between an intrusion detection system and a firewall?

A. IDSs control the information coming in and out of the network, whereas firewalls actually prevent attacks.

B. Firewalls control the information coming in and out of the network, whereas IDSs identify unauthorized activity.

C. Firewalls control the information coming in and out of the network, whereas IDSs actually prevent attacks.

D. IDSs control the information coming in and out of the network, whereas firewalls identify unauthorized activity.

Quick Answer: 108

Detailed Answer: 119

3. Which of the following best describes a host intrusion detection system?

A. Examines the information exchanged between machines

B. Attempts to prevent attacks in real time

C. Controls the information coming in and out of the network

D. Collects and analyzes data that originates on the local machine

Quick Answer: 108

Detailed Answer: 119

4. Which of the following best describes a network intrusion detection system?

A. Examines the information exchanged between machines

B. Attempts to prevent attacks in real time

C. Controls the information coming in and out of the network

D. Collects and analyzes data that originates on the local machine

Quick Answer: 108

Detailed Answer: 119

5. Which of the following best describes a network intrusion prevention system?

A. Examines the information exchanged between machines

B. Attempts to prevent attacks in real time

C. Controls the information coming in and out of the network

D. Collects and analyzes data that originates on the local machine

Quick Answer: 108

Detailed Answer: 119

6. Which of the following best describes an inline NIPS?

A. Sits inside the network to detect attacks after they occur

B. Sits outside of the network to detect attacks after they occur

C. Sits between the network and the Internet

D. Sits between the protected systems and the rest of the network

Quick Answer: 108

Detailed Answer: 119

7. Which of the following is true when implementing a NIPS? (Select all correct answers.)

A. The sensors must be placed on domain controllers to function properly.

B. The sensors must be physically inline to function properly.

C. It adds single points of failure to the network.

D. It adds additional redundancy to the network.

Quick Answer: 108

Detailed Answer: 119

8. Which of the following best describes fail-open technology in reference to the implementation of NIPS?

A. If the device fails, it provides application redundancy.

B. If the device fails, it prevents a fire from starting.

C. If the device fails, it causes a complete network outage.

D. If the device fails, a complete network outage will be avoided.

Quick Answer: 108

Detailed Answer: 120

9. Which of the following best describes a firewall?

A. Examines the information exchanged between machines

B. Attempts to prevent attacks in real time

C. Controls the information coming in and out of the network

D. Collects and analyzes data that originates on the local machine

Quick Answer: 108

Detailed Answer: 120

10. Which of the following firewall technologies can distinguish between FTP commands?

A. Application-level gateway

B. Circuit-level gateway

C. Proxy gateway

D. SOCKS proxy

Quick Answer: 108

Detailed Answer: 120

11. Which of the following best describes a packet-filtering firewall?

A. Relies on algorithms to process application layer data

B. Operates at the OSI network layer

C. Operates at the OSI session layer

D. Examines traffic for application layer protocols

Quick Answer: 108

Detailed Answer: 120

12. Which of the following best describes a stateful-inspection firewall?

A. Relies on algorithms to process application layer data

B. Operates at the OSI network layer

C. Operates at the OSI session layer

D. Examines traffic for application layer protocols

Quick Answer: 108

Detailed Answer: 120

13. Which of the following best describes a circuit-level firewall?

A. Relies on algorithms to process application layer data

B. Operates at the OSI network layer

C. Operates at the OSI session layer

D. Examines traffic for application layer protocols

Quick Answer: 108

Detailed Answer: 120

14. Which of the following best describes an application-level firewall?

A. Relies on algorithms to process application layer data

B. Operates at the OSI network layer

C. Operates at the OSI session layer

D. Examines traffic for application layer protocols

Quick Answer: 108

Detailed Answer: 121

15. Which of the following are functions of proxy servers? (Select all correct answers.)

A. Caching

B. Logging

C. Addressing

D. Filtering

Quick Answer: 108

Detailed Answer: 121

16. Which of the following are examples of a bastion host? (Select all correct answers.)

A. Web server

B. Email server

C. Database server

D. DHCP server

Quick Answer: 108

Detailed Answer: 121

17. Which of the following should be implemented if the organization wants to substantially reduce Internet traffic?

A. Content filter

B. Proxy server

C. Protocol analyzer

D. Packet-filtering firewall

Quick Answer: 108

Detailed Answer: 121

18. Which of the following should be implemented if the organization wants a simple, good first line of defense?

A. Content filter

B. Proxy server

C. Protocol analyzer

D. Packet-filtering firewall

Quick Answer: 108

Detailed Answer: 122

19. Which of the following should be implemented if the organization wants to monitor unauthorized transfer of confidential information?

A. Content filter

B. Proxy server

C. Protocol analyzer

D. Packet-filtering firewall

Quick Answer: 108

Detailed Answer: 122

20. Which of the following should be implemented if the organization wants to troubleshoot network issues?

A. Content filter

B. Proxy server

C. Protocol analyzer

D. Packet-filtering firewall

Quick Answer: 108

Detailed Answer: 122

21. Which of the following should be implemented if the organization wants to capture proper documentation for forensic investigations and litigation purposes?

A. Content filter

B. Proxy server

C. Protocol analyzer

D. Packet-filtering firewall

Quick Answer: 108

Detailed Answer: 122

22. Content filtering is integrated at which of the following levels?

A. Network level

B. Application level

C. System kernel level

D. Operating system level

Quick Answer: 108

Detailed Answer: 123

23. Which of the following is the biggest drawback of using content filtering?

A. Network bandwidth is reduced.

B. Daily updates are required.

C. Terminology must be defined.

D. It opens the system to DoS attacks.

Quick Answer: 108

Detailed Answer: 123

24. Which of the following are functions of a protocol analyzer? (Select all correct answers.)

A. Monitor for unexpected traffic

B. Identify unnecessary protocols

C. Prevent SMTP relay from being exploited

D. Prevent DoS attacks by unauthorized parties

Quick Answer: 108

Detailed Answer: 123

25. Which of the following is true about the use of content filtering?

A. It will report all violations identified in one group of applications.

B. It will report only violations identified in the specified applications.

C. It will report only violations identified in one application at a time.

D. It will report all violations identified in all applications.

Quick Answer: 108

Detailed Answer: 123

Objective 2.4: Apply the appropriate network tools to facilitate network security.

1. Which of the following are objectives for the placement of firewalls? (Select all correct answers.)

A. Identify unnecessary protocols

B. Allow only traffic that is necessary

C. Provide notification of suspicious behavior

D. Monitor unauthorized transfer of information

Quick Answer: 108

Detailed Answer: 123

2. Which of the following is the most likely placement of each firewall when an organization is deploying only two of them?

A. One behind the DMZ and one between the intranet and the extranet

B. One in front of the DMZ and one between the intranet and the extranet

C. One in front of the DMZ and one between the DMZ and the internal network

D. One in front of the DMZ and one between the financial data and the user data

Quick Answer: 108

Detailed Answer: 124

3. Which of the following best describes the reason packet-filtering firewalls are considered less secure than other types of firewalls?

A. They allow packets regardless of communication patterns.

B. Due to physical placement, they are very accessible.

C. It is impossible to create a secure password for them.

D. They can be compromised with very little effort.

Quick Answer: 108

Detailed Answer: 124

4. Which of the following best describes why an organization would implement a proxy service firewall?

A. To prevent DoS attacks by unauthorized parties

B. To monitor unauthorized transfer of confidential information

C. To capture proper documentation for forensic investigations

D. To prevent user computers from directly accessing the Internet

Quick Answer: 108

Detailed Answer: 124

5. Which of the following best describes what governs the traffic of proxy service firewalls?

A. Settings

B. Rules

C. Policies

D. Guidelines

Quick Answer: 108

Detailed Answer: 124

6. Which of the following technologies would you implement when setting up a switched network and want to group users by department?

A. VPN

B. NAT

C. VLAN

D. DMZ

Quick Answer: 108

Detailed Answer: 124

7. Where would an organization place a web server that needs to be accessed by both the employees and by external customers?

A. VPN

B. NAT

C. VLAN

D. DMZ

Quick Answer: 108

Detailed Answer: 124

8. Which of the following would an organization implement to monitor the internal network and external traffic when the source of recent security breaches is unknown? (Select all correct answers.)

A. Firewall

B. Content filter

C. Host-based IDS

D. Network-based IDS

Quick Answer: 108

Detailed Answer: 125

9. Which of the following is the most likely placement of a proxy server when a small organization is deploying it for Internet connectivity?

A. On the internal network

B. Between the internal network and the Internet

C. Between the web server and file server

D. In parallel with IP routers

Quick Answer: 108

Detailed Answer: 125

10. Which of the following is the most likely placement of a proxy server when a small organization is deploying it for content caching?

A. On the internal network

B. Between the internal network and the Internet

C. Between the web server and file server

D. In parallel with IP routers

Quick Answer: 108

Detailed Answer: 125

11. Which of the following is the most likely placement of a proxy server when a small organization is deploying it for both Internet connectivity and web content caching?

A. On the internal network

B. Between the internal network and the Internet

C. Between the web server and file server

D. In parallel with IP routers

Quick Answer: 108

Detailed Answer: 125

12. Which of the following is the most likely placement of a proxy server when a large organization is deploying it for Internet connectivity?

A. On the internal network

B. Between the internal network and the Internet

C. Between the web server and file server

D. In parallel with IP routers

Quick Answer: 108

Detailed Answer: 126

13. Which of the following best describes the mechanics of Internet content filtering?

A. Analyzes data against a database contained in the software

B. Analyzes data by scanning against a vendor-provided rule base

C. Analyzes data against preset rules contained in the software

D. Analyzes data by matching against predefined traffic patterns

Quick Answer: 108

Detailed Answer: 126

14. Which of the following would be likely placements of a hardware network Internet content filtering device? (Select all correct answers.)

A. Behind the proxy/NAT point

B. On the individual user machines

C. In a DMZ with public addresses behind a packet-filtering router

D. Connected to the same network segment as the users monitored

Quick Answer: 108

Detailed Answer: 126

15. Which of the following is the most likely reason to place a proxy server in parallel with IP routers?

A. To allow for better content caching

B. To prevent direct access to the Internet

C. To allow for network load balancing

D. To prevent unauthorized transfer of data

Quick Answer: 108

Detailed Answer: 126

16. Which of the following are most likely placements of a network protocol analyzer? (Select all correct answers.)

A. Inline

B. On the outside of the DMZ

C. On the outside of the Internet router

D. Between the devices of the traffic capture

Quick Answer: 108

Detailed Answer: 126

17. Which of the following is the most likely placement of a packet-filtering firewall?

A. In the DMZ, between it and the internal network

B. On the internal network between servers

C. Between the Internet and the protected network

D. Securing the main perimeter

Quick Answer: 108

Detailed Answer: 127

18. Which of the following is the most common unintended consequence when deploying multiple firewalls?

A. Legitimate traffic gets blocked.

B. Increased network latency.

C. Increased attack vector.

D. Troubleshooting becomes complex.

Quick Answer: 108

Detailed Answer: 127

19. Which of the following is the most likely placement of a proxy service firewall?

A. In the DMZ, between it and the internal network

B. On the internal network between servers

C. Between the Internet and the protected network

D. Securing the main perimeter

Quick Answer: 108

Detailed Answer: 127

20. Which of the following is the most likely placement of a stateful-inspection firewall?

A. In the DMZ, between it and the internal network

B. On the internal network between servers

C. Between the Internet and the protected network

D. Securing the main perimeter

Quick Answer: 108

Detailed Answer: 127

Objective 2.5: Explain the vulnerabilities and mitigations associated with network devices.

1. Which of the following best describes privilege escalation?

A. A default set of user credentials

B. Data transmitted that can be easily sniffed

C. Accidental or intentional access to resources

D. Application code functions allowing unauthorized access

Quick Answer: 108

Detailed Answer: 128

2. Which of the following best describes a back door?

A. A default set of user credentials

B. Data transmitted that can be easily sniffed

C. Accidental or intentional access to resources

D. Application code functions allowing unauthorized access

Quick Answer: 108

Detailed Answer: 128

3. Which of the following satisfies organizational requirements for password complexity based on best practices?

A. Derived from common words found in the dictionary

B. A mixture of character case, numbers, and/or symbols

C. A randomly generated password created by a program

D. Derived from personal information such as birthdates

Quick Answer: 108

Detailed Answer: 128

4. In a corporate environment, which of the following is most vulnerable to DoS attacks?

A. Internal user systems

B. Network resources

C. Network storage

D. Internal servers

Quick Answer: 108

Detailed Answer: 128

5. Which of the following best describes a denial-of-service (DoS) attack?

A. Intentional access to resources not intended for access by the user

B. Application code functions that allow unauthorized access to network resources

C. Attempt to block access by overwhelming network availability

D. Attempt to directly access the resources through unauthorized means

Quick Answer: 108

Detailed Answer: 128

6. Which of the following will reduce the vulnerability of a broadcast packet sniffer readily identifying a WAP?

A. Requiring WPA2 encryption

B. Turning off SSID broadcast

C. Turning off DHCP on the WAP

D. Restricting access by MAC addresses

Quick Answer: 108

Detailed Answer: 129

7. Which of the following is the best method to mitigate attacks against networking devices and services installed with a default set of user credentials?

A. Replacing them on an as-needed basis

B. Replacing them when an attack has been detected

C. Replacing them with unique strong logon credentials

D. Replacing them with the same strong logon credential

Quick Answer: 108

Detailed Answer: 129

8. Which of the following are ways to mitigate the vulnerabilities of wireless networks? (Select all correct answers.)

A. Requiring WPA2 encryption

B. Turning off SSID broadcast

C. Turning on DHCP on the WAP

D. Restricting access by MAC addresses

Quick Answer: 108

Detailed Answer: 129

9. Which of the following is the most common origin of back doors?

A. Created during application development

B. Created during system certification

C. Created during user interface testing

D. Created during implementation

Quick Answer: 108

Detailed Answer: 129

10. Which of the following should be performed when implementing distributed wireless network configurations spanning multiple buildings or open natural areas?

A. Land survey

B. Building inspection

C. OSHA inspection

D. Site survey

Quick Answer: 108

Detailed Answer: 130

11. Which of the following is most closely linked to privilege escalation?

A. SSID broadcast

B. Application flaws

C. Application development

D. Automated attacks

Quick Answer: 108

Detailed Answer: 130

12. Which of the following is most closely linked to packet sniffing?

A. SSID broadcast

B. Application flaws

C. Application development

D. Automated attacks

Quick Answer: 108

Detailed Answer: 130

13. Which of the following is most closely linked to weak passwords?

A. SSID broadcast

B. Application flaws

C. Application development

D. Automated attacks

Quick Answer: 108

Detailed Answer: 130

14. Which of the following is most closely linked to back doors?

A. SSID broadcast

B. Application flaws

C. Application development

D. Automated attacks

Quick Answer: 108

Detailed Answer: 131

15. Which of the following is most closely linked to default accounts?

A. Network resources

B. Application flaws

C. Network credentials

D. Automated attacks

Quick Answer: 108

Detailed Answer: 131

16. Which of the following is most closely linked to denial of service?

A. Network resources

B. SSID broadcast

C. Network credentials

D. Application development

Quick Answer: 108

Detailed Answer: 131

17. Which of the following best describes the situation where User A can read User B’s email without specific authorization?

A. Privilege escalation

B. Default accounts

C. Weak passwords

D. Back door

Quick Answer: 108

Detailed Answer: 132

18. Which of the following best describes the situation where a software designer puts in shortcut entry points to allow rapid code evaluation and testing?

A. Privilege escalation

B. Default accounts

C. Weak passwords

D. Back door

Quick Answer: 108

Detailed Answer: 132

19. Which of the following attacks are associated with weak passwords? (Select all correct answers.)

A. Packet sniffing

B. Automated attacks

C. Social engineering

D. Denial of service

Quick Answer: 108

Detailed Answer: 132

20. Which of the following attacks are associated with fringe service industries such as online casinos?

A. Packet sniffing

B. Automated attacks

C. Social engineering

D. Denial of service

Quick Answer: 108

Detailed Answer: 132

Objective 2.6: Explain the vulnerabilities and mitigations associated with various transmission media.

1. Which of the following is the best defense against vampire taps?

A. Mandatory access control

B. Logical access control

C. Physical access control

D. Network access control

Quick Answer: 109

Detailed Answer: 133

2. Which of the following is the most critical in protecting switched networks?

A. Mandatory access control

B. Logical access control

C. Physical access control

D. Network access control

Quick Answer: 109

Detailed Answer: 133

3. Which of the following is true with regard to the use of hubs?

A. Hubs do not provide data isolation between endpoint ports.

B. Hubs provide data isolation between endpoint ports.

C. Hubs provide packet forwarding for routable addresses.

D. Hubs provide copying of packets to a monitoring connection.

Quick Answer: 109

Detailed Answer: 133

4. Which of the following is an inherent security risk associated with using hubs?

A. They allow any node to manage traffic to and from all other nodes on the same device.

B. They allow any node to observe data traffic to and from all other nodes on the same device.

C. They allow any node to examine encryption traffic to and from all other nodes on the same device.

D. They allow any node to encrypt traffic to and from all other nodes on the same device.

Quick Answer: 109

Detailed Answer: 133

5. Which of the following allows interception of data traffic without a detectable presence on the network?

A. Keylogger

B. Back door

C. Logic bomb

D. Vampire tap

Quick Answer: 109

Detailed Answer: 134

Objective 2.7: Explain the vulnerabilities and implement mitigations associated with wireless networking.

1. Which of the following best describes a major security issue when implementing WAPs?

A. WEP is the default encryption.

B. The SSID is broadcast in plain text.

C. They are hard to physically locate.

D. Any node can view the data of another node.

Quick Answer: 109

Detailed Answer: 134

2. Which of the following best describes why data emanation is a security risk in wireless networks? (Select all correct answers.)

A. It uses 802.1x transmissions that generate detectable radio-frequency signals funneled into one direction.

B. Sniffing the data may use many solutions to increase the distance over which detection is possible.

C. Sniffing the data may use many solutions to reduce the distance over which transmission is possible.

D. It uses 802.1x transmissions that generate detectable radio-frequency signals in all directions.

Quick Answer: 109

Detailed Answer: 134

3. Which of the following is the primary method to mitigate the vulnerabilities associated with communication over an 802.1x wireless link?

A. Authorization

B. Authentication

C. Encryption

D. Identification

Quick Answer: 109

Detailed Answer: 134

4. Which of the following types of attacks are associated with the use of wireless communication? (Select all correct answers.)

A. Packet sniffing

B. Session hijacking

C. Man-in-the-middle

D. Spam relaying

Quick Answer: 109

Detailed Answer: 134

5. Which of the following best describes why session hijacking is possible in wireless communication?

A. There is no authorization mechanism.

B. There is no authentication mechanism.

C. The authentication mechanism is one-way.

D. The authorization mechanism is one-way.

Quick Answer: 109

Detailed Answer: 135

6. Which of the following best describes why a man-in-the-middle attack is possible in wireless communication?

A. The request for connection by the client is a bidirectional open broadcast.

B. The request for connection by the access point is a bidirectional open broadcast.

C. The request for connection by the access point is an omnidirectional open broadcast.

D. The request for connection by the client is an omnidirectional open broadcast.

Quick Answer: 109

Detailed Answer: 135

7. Which of the following best describes war-driving?

A. Driving around with a laptop system configured to listen for open access points

B. Dialing a large range of telephone numbers in search of devices that can be exploited

C. Marking landmarks to indicate the presence of an available access point

D. Accessing an open public WAP for a monthly fee or commission from the end user

Quick Answer: 109

Detailed Answer: 135

8. Which of the following best describes war-chalking?

A. Driving around with a laptop system configured to listen for open access points

B. Dialing a large range of telephone numbers in search of devices that can be exploited

C. Marking landmarks to indicate the presence of an available access point

D. Accessing an open public WAP for a monthly fee or commission from the end user

Quick Answer: 109

Detailed Answer: 135

9. Which of the following best describes bluejacking?

A. Driving around with a system configured to listen for open access points

B. Sending broadcast spam from a nearby Bluetooth-enabled device

C. Deleting data on a Bluetooth device that has opened a connection

D. Marking landmarks to indicate an available open access point

Quick Answer: 109

Detailed Answer: 135

10. Which of the following best describes bluesnarfing?

A. Driving around with a system configured to listen for open access points

B. Sending broadcast spam from a nearby Bluetooth-enabled device

C. Deleting data on a Bluetooth device that has opened a connection

D. Marking landmarks to indicate an available open access point

Quick Answer: 109

Detailed Answer: 135

11. Which of the following is the bandwidth commonly associated with 802.11b communications?

A. 1.5MBps

B. 11Mbps

C. 100Mbps

D. 19.2Kbps

Quick Answer: 109

Detailed Answer: 136

12. Which of the following best describes a WLAN technology that uses Ethernet protocols?

A. Wi-Fi

B. i-Mode

C. Bluetooth

D. WAP

Quick Answer: 109

Detailed Answer: 136

13. Which of the following encryption standards currently is the most secure for Wi-Fi connections?

A. WAP

B. WPA2

C. WEP2

D. WEP

Quick Answer: 109

Detailed Answer: 136

14. Which of the following best describes the situation that allows using reflective tube waveguides such as a Pringle’s can to capture data?

A. Weak encryption

B. Session hijacking

C. War-driving

D. Data emanation

Quick Answer: 109

Detailed Answer: 136

15. Which of the following best describes the situation that allows a hijacker to wait until the authentication cycle is completed, then generate a signal that causes the client to think it has been disconnected from the access point?

A. Weak encryption

B. Session hijacking

C. War-driving

D. Data emanation

Quick Answer: 109

Detailed Answer: 136

16. Which of the following best describes what might allow data transacted over an 802.1x wireless link to be passed in clear form?

A. Weak encryption

B. Session hijacking

C. War-driving

D. Data emanation

Quick Answer: 109

Detailed Answer: 137

17. Which of the following best describes the situation where an attack is aimed at pairing with the attacker’s device for unauthorized access, modification, or deletion of data?

A. Bluejacking

B. Bluesnarfing

C. War-driving

D. War-chalking

Quick Answer: 109

Detailed Answer: 137

18. Which of the following best describes the situation that allows an attack aimed at the identification of existing wireless networks, the SSID used, and any known WEP keys?

A. Weak encryption

B. Session hijacking

C. War-driving

D. Data emanation

Quick Answer: 109

Detailed Answer: 137

19. Which of the following best describes the situation where an attack is aimed at generating messages that appear to be from the device itself?

A. Bluejacking

B. Bluesnarfing

C. War-driving

D. War-chalking

Quick Answer: 109

Detailed Answer: 138

20. In which of the following attacks would the implementation of a rogue AP with stronger signal strength than more remote permanent installations be found?

A. Weak encryption

B. Man-in-the-middle

C. War-driving

D. Data emanation

Quick Answer: 109

Detailed Answer: 138

21. When a client attempts to make an 802.1x-compliant connection, which of the following best describes how the AP authenticates the client?

A. Users provide a shared password.

B. Through hardware token authentication.

C. Through a basic challenge-response method.

D. Users provide an identifier along with a password.

Quick Answer: 109

Detailed Answer: 138

22. Using the Temporal Key Integrity Protocol (TKIP) or Wi-Fi Protected Access (WPA/WPA2) standards would be most useful in preventing which of the following attacks?

A. Weak encryption

B. Data emanation

C. Bluejacking

D. War-driving

Quick Answer: 109

Detailed Answer: 138

23. Which of the following are standard specifications included in the WAP standard?

A. Wireless Application Environment (WAE)

B. Wireless Session Layer (WSL)

C. Wireless Transport Layer Security (WTLS)

D. Wired Equivalent Privacy (WEP)

Quick Answer: 109

Detailed Answer: 138

24. The Wi-Fi Protected Access standards were developed by the Wi-Fi Alliance to replace which of the following?

A. DES

B. WAP

C. AES

D. WEP

Quick Answer: 109

Detailed Answer: 139

25. WSL is equivalent to which of the following layers of the OSI model?

A. Session

B. Transport

C. Network

D. Presentation

Quick Answer: 109

Detailed Answer: 139

Quick-Check Answer Key

Objective 2.1: Differentiate between the different ports & protocols, their respective threats, and mitigation techniques.

1. C

2. A, B

3. C

4. A

5. B

6. D

7. D

8. B

9. C

10. A

11. A, B, D

12. C

13. A

14. B

15. D

16. C

17. B

18. D

19. B, C, D

20. C

21. D

22. B, C

23. A, B

24. B

25. C, D

26. B

27. A, B

28. B, C, D

29. A, C, D

30. A, D

Objective 2.2: Distinguish between network design elements and components.

1. A, C

2. A, B

3. B

4. D

5. A

6. C

7. B

8. D

9. C

10. A

11. B

12. D

13. A, B, C

14. A, C, D

15. B, C, D

16. B

17. A, C, D

18. A, B

19. D

20. A, B, C

21. C

22. A

23. B

24. A, C

25. B, D

Objective 2.3: Determine the appropriate use of network security tools to facilitate network security.

1. B, C, D

2. B

3. D

4. A

5. B

6. D

7. B, C

8. D

9. C

10. A

11. B

12. A

13. C

14. D

15. A, B, C

16. A, B

17. B

18. D

19. A

20. C

21. A

22. D

23. C

24. A, B

25. B

Objective 2.4: Apply the appropriate network tools to facilitate network security.

1. B, C

2. C

3. A

4. D

5. B

6. C

7. D

8. C, D

9. B

10. A

11. B

12. D

13. A

14. A, C, D

15. C

16. A, D

17. C

18. B

19. A

20. D

Objective 2.5: Explain the vulnerabilities and mitigations associated with network devices.

1. C

2. D

3. B

4. B

5. C

6. B

7. C

8. A, B, D

9. A

10. D

11. B

12. A

13. D

14. C

15. C

16. A

17. A

18. D

19. B, C

20. D

Objective 2.6: Explain the vulnerabilities and mitigations associated with various transmission media.

1. C

2. C

3. A

4. B

5. D

Objective 2.7: Explain the vulnerabilities and implement mitigations associated with wireless networking.

1. B

2. D

3. C

4. A, B, C

5. C

6. D

7. A

8. C

9. B

10. C

11. B

12. A

13. B

14. D

15. B

16. A

17. B

18. C

19. A

20. B

21. C

22. A

23. A

24. D

25. A

Answers and Explanations

Objective 2.1: Differentiate between the different ports & protocols, their respective threats, and mitigation techniques.

1. Answer: C. Telnet uses port 23. Answer A is incorrect because port 110 is used for POP3 incoming mail. Answer B is incorrect because port 21 is used for FTP. Port 443 is used by HTTPS; therefore, answer D is incorrect.

2. Answer: A, B. UDP ports 161 and 162 are used by SNMP. Answer C is incorrect because port 443 is used by HTTPS. Answer D is incorrect because port 4445 uses TCP/UDP for service type upnotifyp.

3. Answer: C. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client. This can occur due to the TCP three-way handshake. The three-way handshake is the method used to establish and tear down network connections. Answer A is incorrect because it describes spoofing. Spoofing is a method of providing false identity information to gain unauthorized access. Answer B is incorrect because it describes a null session. A null session is a connection without specifying a username or password. Answer D is incorrect because it describes DNS poisoning. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting the attacker to send legitimate traffic anywhere they choose.

4. Answer: A. Spoofing is a method of providing false identity information to gain unauthorized access. Answer B is incorrect because it describes a null session. A null session is a connection without specifying a username or password. Answer C is incorrect because it describes TCP/IP hijacking. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client. Answer D is incorrect because it describes DNS poisoning. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting the attacker to send legitimate traffic anywhere they choose.

5. Answer: B. A null session is a connection without specifying a username or password. Answer A is incorrect because it describes spoofing. Spoofing is a method of providing false identity information to gain unauthorized access. Answer C is incorrect because it describes TCP/IP hijacking. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client. Answer D is incorrect because it describes DNS poisoning. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting the attacker to send legitimate traffic anywhere they choose.

6. Answer: D. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain. Query results that are forged and returned to the requesting client or recursive DNS query can poison the DNS records, thus permitting the attacker to send legitimate traffic anywhere they choose. Answer A is incorrect because it describes spoofing. Spoofing is a method of providing false identity information to gain unauthorized access. Answer B is incorrect because it describes a null session. A null session is a connection without specifying a username or password. Answer C is incorrect because it describes TCP/IP hijacking. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client.

7. Answer: D. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other. Answer A is incorrect; it describes DNS kiting. DNS kiting refers to the practice of taking advantage of the add/grace period (AGP) to monopolize domain names without ever paying for them. Answer B is incorrect; it describes a replay attack. In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer C is incorrect; it describes a denial-of-service attack. The purpose of a DoS attack is to disrupt the resources or services that a user would expect to have access to.

8. Answer: B. In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer A is incorrect; it describes DNS kiting. DNS kiting refers to the practice of taking advantage of the AGP to monopolize domain names without ever paying for them. Answer C is incorrect; it describes a denial-of-service attack. The purpose of a DoS attack is to disrupt the resources or services that a user would expect to have access to. Answer D is incorrect; it describes a man-in-the-middle attack. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.

9. Answer: C. The purpose of a denial of service (DoS) attack is to disrupt the resources or services that a user would expect to have access to. Answer A is incorrect; it describes DNS kiting. DNS kiting refers to the practice of taking advantage of the AGP to monopolize domain names without ever paying for them. Answer B is incorrect; it describes a replay attack. In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer D is incorrect; it describes a man-in-the-middle attack. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.

10. Answer: A. DNS kiting refers to the practice of taking advantage of the AGP to monopolize domain names without ever paying for them. Answer B is incorrect; it describes a replay attack. In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer C is incorrect; it describes a denial-of-service attack. The purpose of a DoS attack is to disrupt the resources or services that a user would expect to have access to. Answer D is incorrect; it describes a man-in-the-middle attack. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.

11. Answer: A, B, D. To help protect your network, you can set up filters on external routers to drop packets involved in these types of attacks. You should also set up another filter that denies traffic originating from the Internet that shows an internal network address. If the operating system allows it, reduce the amount of time before the reset of an unfinished TCP connection. Doing so makes it harder to keep resources unavailable for extended periods of time. Answer C is incorrect; increasing the amount of time before the reset of an unfinished TCP connection makes the resources unavailable for a longer period of time.

12. Answer: C. DNS kiting refers to the practice of taking advantage of the AGP to monopolize domain names without ever paying for them. How domain kiting works is that a domain name is deleted during the five-day AGP and immediately re-registered for another five-day period. Answer A is incorrect. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client. Answer B is incorrect. Besides automatically registering domain names and placing advertising, domain kiters can track the amount of revenue generated. This is called domain tasting. It is used to test the profitability of domain names. Answer D is incorrect. Spoofing is a method of providing false identity information to gain unauthorized access.

13. Answer: A. Because ARP does not require any type of validation, as ARP requests are sent, the requesting devices believe that the incoming ARP replies are from the correct devices. This can allow a perpetrator to trick a device into thinking any IP is related to any MAC address. Answer B is incorrect because it describes DNS poisoning. Answer C is incorrect. A Teardrop attack sends fragmented UDP packets. Answer D is incorrect. In a DDoS attack, the attacker distributes zombie software that allows the attacker partial or full control of the infected computer system.

14. Answer: B. A null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer C is incorrect because ARP poisoning allows a perpetrator to trick a device into thinking that an incorrect IP address is related to a MAC address. The implementation of the ARP protocol is simple. The receipt of an ARP reply at any time causes the receiving computer to add the newly received information to its ARP cache without any type of verification. Answer D is incorrect because domain kiting refers to the practice of taking advantage of the AGP to monopolize domain names without ever paying for them.

15. Answer: D. A denial-of-service (DoS) attack that attempts to block service or reduce activity on a host by sending ping requests directly to the victim using ICMP is called a ping flood. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer C is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer B is incorrect because the purpose of a DoS attack is to disrupt the resources or services that a user would expect to have access to.

16. Answer: C. A man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. ARP poisoning allows a perpetrator to trick a device into thinking any IP is related to any MAC address; therefore, Answer B is incorrect. Because the purpose of a DoS attack is to deny use of resources or services to legitimate users, answer D is incorrect.

17. Answer: B. A null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer A is incorrect because the session is not abnormally terminated. Although answer C may be a concern, it is not the primary issue. Answer D is incorrect because null sessions are direct connections and are not remote controlled.

18. Answer: D. The most effective way to reduce null session vulnerability is to disable NetBIOS over TCP/IP. Editing the Registry to restrict anonymous access is another method used to control null session access. After you have done this, verify that TCP ports 139 and 445 are closed. Note that disabling NetBIOS over TCP/IP stops the host listening on port 139 only; port 445 (SMB carried directly over TCP) stays open as long as the Server service runs, so it must be blocked at the firewall or the service stopped. Answer A is incorrect; reducing the amount of time before the reset of an unfinished TCP connection deals with DoS attacks. Answers B and C are incorrect; using the signing capabilities of certificates and denying traffic originating from the Internet that shows an internal network address are protective measures against spoofing.

19. Answer: B, C, D. To mitigate the effects of spoofing, you should set up a filter that denies traffic originating from the Internet that shows an internal network address. Using the signing capabilities of certificates on servers and clients allows web and email services to be more secure. The use of IPsec can secure transmissions between critical servers and clients. Answer A is incorrect because editing the Registry to restrict anonymous access is a method used to control null session access.

20. Answer: A. The quickest way to tell which ports are open and which services are running is to run netstat on the machine (for example, netstat -an, or netstat -ano on Windows to include the owning process ID). Answer B is incorrect; nbtstat is designed to help troubleshoot NetBIOS name resolution problems. Answer C is incorrect; ipconfig is used to troubleshoot IP address configuration. Answer D is incorrect; msconfig is used to configure startup programs and services on Windows computers.

21. Answer: D. SNMP is used for monitoring the health of network equipment, computer equipment, and devices like uninterruptible power supplies (UPS). Answer A is incorrect because SubNetwork Access Protocol (SNAP) defines how data is formatted for transmission and how access to the network is controlled. Answer B is incorrect because SMTP is used for email. Answer C is incorrect because the Synchronous Data Link Control (SDLC) protocol was developed by IBM to be used as Layer 2 of the SNA hierarchical network.

22. Answer: B, C. The best way to protect the network infrastructure from attacks aimed at antiquated or unused ports and protocols is to remove any unnecessary protocols and create access control lists to allow traffic on necessary ports only. By doing so, you eliminate the possibility of unused and antiquated protocols being exploited and minimize the threat of an attack. Answer A is incorrect. It is not always necessary to keep protocols installed by default. Answer D is incorrect. Users should never control what goes in and out of the network.

23. Answer: A, B. TCP/IP hijacking commonly happens during Telnet and web sessions where security is lacking or when session timeouts are not configured properly. Answer C is incorrect because email is susceptible to spoofing, not hijacking. Answer D is incorrect. Samba provides file and print services to SMB/CIFS clients from Linux- and UNIX-based operating systems.

24. Answer: B. Forcing a user to re-authenticate before allowing transactions to occur could help prevent this type of attack. Other protection mechanisms include the use of unpredictable (randomized) initial sequence numbers (ISNs), so that an attacker cannot guess the next sequence number and inject packets into the session, and protected web session cookies. Answer A is incorrect because to mitigate the effects of spoofing, you should set up a filter that denies traffic originating from the Internet that shows an internal network address. Answers C and D are incorrect; to mitigate the vulnerability of DDoS attacks, reduce the amount of time before the reset of an unfinished TCP connection and set up filters on external routers.

25. Answer: C, D. The most effective way to reduce null session vulnerability is to disable NetBIOS over TCP/IP. After you have done this, verify that TCP ports 139 and 445 are closed. Answers A and B are incorrect; Simple Network Management Protocol (SNMP) is often overlooked when checking for vulnerabilities because it uses User Datagram Protocol (UDP) ports 161 and 162 rather than TCP, so it does not appear in TCP-only scans.
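The verification step in Answers 20 and 25 above (run netstat, confirm that 139 and 445 are closed) can be scripted. The following is an added example, not part of the original text: it parses the output format of Windows `netstat -ano` and reports any listener on the ports this objective singles out (Telnet, NetBIOS session, SMB, SNMP). The sample output is constructed for the example, not a real capture; the process IDs and addresses are assumptions.

```python
"""Parse `netstat -ano` output (Windows) and flag listeners on ports that the
null-session and Telnet answers say should be closed.

Added example, not from the original text. SAMPLE_NETSTAT is constructed to
look like Windows netstat -ano output; it is not a real capture.
"""

# Ports called out in this objective's answers; names are the IANA service names.
WATCHLIST = {23: "telnet", 139: "netbios-ssn", 445: "microsoft-ds",
             161: "snmp", 162: "snmptrap"}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED     2312
  TCP    [::]:135               [::]:0                 LISTENING       900
  UDP    0.0.0.0:161            *:*                                    1540
  UDP    0.0.0.0:500            *:*                                    1104
"""


def split_host_port(endpoint: str):
    """'192.168.1.20:139' -> ('192.168.1.20', 139); '[::]:135' -> ('::', 135);
    '*:*' -> ('*', None). Splits on the last colon so IPv6 literals survive."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str):
    """Return one dict per socket line. UDP lines carry no State column."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # title, header or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            if len(parts) < 5:
                continue                  # malformed TCP line
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = None, int(parts[3])
        host, port = split_host_port(local)
        records.append({"proto": proto, "host": host, "port": port,
                        "foreign": foreign, "state": state, "pid": pid})
    return records


def listening_sockets(records):
    """TCP sockets in LISTENING plus every bound UDP socket (UDP has no state)."""
    return [r for r in records if r["proto"] == "UDP" or r["state"] == "LISTENING"]


def risky_listeners(records):
    """Listeners on watchlisted ports, sorted by port, tagged with the service name."""
    hits = [dict(r, service=WATCHLIST[r["port"]])
            for r in listening_sockets(records) if r["port"] in WATCHLIST]
    return sorted(hits, key=lambda r: r["port"])


if __name__ == "__main__":
    for r in risky_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{r['proto']} {r['host']}:{r['port']} ({r['service']}) pid={r['pid']}")
```

On a real host, pipe the live output in (`netstat -ano | python check_ports.py` with the sample replaced by `sys.stdin.read()`). In the constructed sample the script reports 139 and 445 on PID 4 (the System process, where the Server service lives) and SNMP on UDP 161, while Telnet is absent; that is exactly the state the answers say to verify after disabling NetBIOS over TCP/IP.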

26. Answer: B. The RestrictAnonymous key (under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) has a default value of 0. Changing this value to 1, which is more restrictive, keeps a null session from enumerating user accounts and administrative shares. Changing the value to 2 is the most restrictive: it disables null sessions entirely unless explicit anonymous permissions have been granted. However, this setting may conflict with some applications that rely on null sessions. Keep in mind that even though you can change the Registry settings to try to prevent this type of attack, some tools sidestep this measure. If security is a major concern, you might have to consider not allowing any null sessions on your public and private networks. Based on this information, answers A, C, and D are incorrect.

27. Answer: A, B. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other. This attack is common in Telnet and wireless technologies. Answer C is incorrect because email is susceptible to spoofing, not hijacking. Answer D is incorrect. Samba provides file and print services to SMB/CIFS clients from Linux- and UNIX-based operating systems.

28. Answer: B, C, D. Kited domains present several issues. They force search engines to return less-relevant results, tie up domain names that legitimate businesses may want to use, and capitalize on slight variations of personal or business website addresses. Answer A is incorrect; kiting has just the opposite effect.

29. Answer: A, C, D. To minimize the effects of DNS poisoning, check the DNS setup if you are hosting your own DNS. Be sure the DNS server is not open-recursive. An open-recursive DNS server responds to any recursive lookup request without checking where it originates; disable recursive access for other networks so that outsiders cannot use your server to resolve names that are not in your zone files. You can also use different servers for authoritative and recursive lookups, and require that caches discard information that does not come from the servers authoritative for the name in question (for example, the root servers and the .com servers). Answer B is incorrect because it describes an effective way to deal with rootkits.
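Whether a server is open-recursive, as Answer 29 describes, shows in the header of its response to a recursive query for a name it is not authoritative for, sent from an address it should not be serving. The block below is an added example, not part of the original text: it unpacks the RFC 1035 header and classifies the response. The three sample responses are constructed with the block's own `build_header`, not captured from any live server.

```python
"""Classify a DNS server's recursion behaviour from its response header.

Added example, not from the original text. RFC 1035 header layout: ID, FLAGS,
QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six 16-bit fields, network byte order).
Within FLAGS: QR is bit 15, AA bit 10, RD bit 8, RA bit 7, RCODE bits 0-3.
The sample responses at the bottom are constructed, not captured.
"""
import struct

RCODE_NOERROR = 0
RCODE_REFUSED = 5
HEADER = struct.Struct("!HHHHHH")


def parse_header(packet: bytes) -> dict:
    """Unpack the 12-byte DNS header into named fields."""
    if len(packet) < HEADER.size:
        raise ValueError("DNS header is 12 bytes")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(packet)
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,      # 1 = response
        "aa": (flags >> 10) & 1,      # authoritative answer
        "rd": (flags >> 8) & 1,       # recursion desired (copied from the query)
        "ra": (flags >> 7) & 1,       # recursion available
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def recursion_status(response: bytes) -> str:
    """Interpret the response to a recursive (RD=1) query sent from outside.

    open-recursive         RA set and an answer returned: the server resolved a
                           foreign name for a stranger, the condition to avoid
    refused                RCODE REFUSED: recursion is restricted by client address
    recursion-not-offered  RA clear: the server does not offer recursion to this client
    """
    h = parse_header(response)
    if not h["qr"]:
        raise ValueError("packet is a query, not a response")
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open-recursive"
    if not h["ra"]:
        return "recursion-not-offered"
    return "indeterminate"


def build_header(ident, *, qr, aa, rd, ra, rcode, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Assemble a header; used here only to construct the sample responses."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return HEADER.pack(ident, flags, qd, an, ns, ar)


# Constructed responses to the same outside query (ID 0x1234, RD=1):
OPEN_RESOLVER = build_header(0x1234, qr=1, aa=0, rd=1, ra=1, rcode=RCODE_NOERROR, an=1)
LOCKED_DOWN = build_header(0x1234, qr=1, aa=0, rd=1, ra=0, rcode=RCODE_REFUSED)
# A name inside the server's own zone: answered authoritatively, no recursion offered.
AUTHORITATIVE_ONLY = build_header(0x1234, qr=1, aa=1, rd=1, ra=0, rcode=RCODE_NOERROR, an=1)

if __name__ == "__main__":
    for name, pkt in (("open resolver", OPEN_RESOLVER), ("locked down", LOCKED_DOWN),
                      ("authoritative only", AUTHORITATIVE_ONLY)):
        flags = HEADER.unpack_from(pkt)[1]
        print(f"{name:20s} flags=0x{flags:04x} -> {recursion_status(pkt)}")
```

To test a live server, send a query for a name you do not host from an address outside your network (for example with `dig @server example.org`) and feed the raw response bytes to `recursion_status`; an answer with flags `0x8180` (QR, RD, RA) and a non-zero answer count is the open-recursive case.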

30. Answer: A, D. ARP poisoning is limited to the local network segment (ARP is not routed), so an intruder needs either physical access to your network or control of a device on your local network. To mitigate ARP poisoning on a small network, you can use static or script-based mapping for IP addresses and ARP tables. For large networks, use switching equipment that offers port security features (for example, dynamic ARP inspection, which drops ARP replies that do not match a trusted IP-to-MAC binding). Answers B and C are incorrect; they are solutions for small networks, not large networks.
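Answers 13 and 30 above describe both the weakness (an ARP cache accepts any reply without verification) and the small-network mitigation (static mappings). The block below is an added example, not part of the original text: it performs the checks a real ARP cache skips, comparing each reply against a pinned table and against what was learned earlier, and flags one MAC answering for several IPs. The static table, the addresses and the sample replies are constructed for the example.

```python
"""Detect ARP poisoning from a sequence of ARP replies.

Added example, not from the original text. STATIC_MAP, the addresses and
SAMPLE_REPLIES are constructed, not captured from a real network.
"""
from dataclasses import dataclass

# Constructed static mapping: what an administrator of a small network would
# pin on each host (for example with `arp -s`).
STATIC_MAP = {
    "192.168.1.1": "00:11:22:33:44:01",   # default gateway
    "192.168.1.10": "00:11:22:33:44:0a",  # file server
}


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


def detect_poisoning(replies, static_map=None):
    """Return alert strings for suspicious replies; an empty list if all is well.

    Three checks:
      static conflict    the reply contradicts a pinned IP-to-MAC entry
      cache change       the IP was already learned with a different MAC
      one MAC, many IPs  a single MAC answering for several IPs, the usual
                         pattern when an attacker poisons both ends of a path
    """
    static_map = {ip: mac.lower() for ip, mac in (static_map or {}).items()}
    learned = {}      # ip -> mac, as an unprotected ARP cache would learn it
    claims = {}       # mac -> set of ips it has answered for
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        pinned = static_map.get(r.sender_ip)
        if pinned is not None and pinned != mac:
            alerts.append(f"static conflict: {r.sender_ip} is pinned to {pinned}, reply claims {mac}")
        prev = learned.get(r.sender_ip)
        if prev is not None and prev != mac:
            alerts.append(f"cache change: {r.sender_ip} moved from {prev} to {mac}")
        learned[r.sender_ip] = mac
        claims.setdefault(mac, set()).add(r.sender_ip)
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"one MAC, many IPs: {mac} answered for {sorted(ips)}")
    return alerts


# Constructed replies: three legitimate hosts, then an attacker (00:de:ad:be:ef:00)
# answering for both the gateway and the file server to sit between them.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:01"),
    ArpReply("192.168.1.10", "00:11:22:33:44:0a"),
    ArpReply("192.168.1.50", "00:11:22:33:44:32"),
    ArpReply("192.168.1.1", "00:de:ad:be:ef:00"),
    ArpReply("192.168.1.10", "00:de:ad:be:ef:00"),
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_REPLIES, STATIC_MAP):
        print(alert)
```

Without a static table the cache-change check still catches the takeover, but only after the legitimate reply has been seen first; the pinned table catches it even on the first poisoned reply, which is why the answers favour static mappings where the network is small enough to maintain them.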

Objective 2.2: Distinguish between network design elements and components.

1. Answer: A, C. Port 110 is used for POP3 incoming mail and port 25 is used for SMTP mail. Answer B is incorrect because port 21 is used for FTP. Port 443 is used by HTTPS; therefore, answer D is incorrect.

2. Answer: A, B. UDP ports 161 and 162 are used by SNMP. Answer C is incorrect because port 443 is used by HTTPS. Answer D is incorrect because port 4445 is registered to the upnotifyp service, not to SNMP.

3. Answer: B. A demilitarized zone (DMZ) is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer A is incorrect because it describes a separate subnetwork. Answer C is incorrect because it describes an intranet. An intranet is a portion of the internal network that uses web-based technologies. The information is stored on web servers and accessed using browsers. Answer D is incorrect because it describes an extranet. An extranet is the portion of the company’s IT infrastructure that is made available to authorized partners and resellers with proper authentication. This type of arrangement is commonly used for business-to-business relationships.

4. Answer: D. The purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network. Answer A is incorrect because it describes NAT, which allows multiple computers to connect to the Internet using one IP address. Answer B is incorrect; a switch is used to unite network nodes physically into the same broadcast domain. Answer C is incorrect because subnetting splits one network into two or more, using routers to connect each subnet.

5. Answer: A. NAT allows multiple computers to connect to the Internet using one IP address. Answer B is incorrect; a switch is used to unite network nodes physically into the same broadcast domain. Answer C is incorrect because subnetting splits one network into two or more, using routers to connect each subnet. Answer D is incorrect because the purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network.

6. Answer: C. Subnetting splits one network into two or more, using routers to connect each subnet. Answer A is incorrect. NAT allows multiple computers to connect to the Internet using one IP address. Answer B is incorrect; a switch is used to unite network nodes physically into the same broadcast domain. Answer D is incorrect because the purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network.

7. Answer: B. Network Address Translation (NAT) acts as a liaison between an internal network and the Internet. It allows multiple computers to connect to the Internet using one IP address. An important security aspect of NAT is that it hides the internal network from the outside world. Answers A and C are incorrect because the purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network. Answer D is incorrect; a DMZ allows external users to access information that the organization deems necessary.

8. Answer: D. Subnetting can be done for several reasons. If you have 1,000 clients, a single Class C network (254 usable host addresses) cannot accommodate them; you will have to use a custom (classless) subnet mask that covers a larger block, such as a /22, and divide that block into subnets as needed. The most common reason networks are subnetted is to control network traffic by limiting broadcast domains, which limits broadcast storms. Answers A and C are incorrect because the purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network. Answer B is incorrect; an important security aspect of NAT is that it hides the internal network from the outside world.

9. Answer: C. There are specific reserved private IP addresses for use on an internal network. In a Class C network, valid nonroutable host IDs are from 192.168.0.1 to 192.168.255.254. Network addresses with the first byte between 192 and 223 are Class C and can have 254 hosts each. Answer A is incorrect because it is a Class A address. Valid host IDs are from 10.0.0.1 to 10.255.255.254. Network addresses with the first byte between 1 and 126 are Class A and can have about 17 million hosts each. Answer B is incorrect because it is a Class B address; valid host IDs are from 172.16.0.1 through 172.31.255.254. Network addresses with the first byte between 128 and 191 are Class B and can have about 65,000 hosts each. Answer D is incorrect because network addresses with the first byte between 224 and 239 are Class D and are used for multicasting.

10. Answer: A. Another address range to keep in mind when designing IP address space is Automatic Private IP Addressing (APIPA). In the event that no Dynamic Host Configuration Protocol (DHCP) server is available at the time that the client issues a DHCP lease request, the client is automatically configured with an address from the 169.254.0.1 through 169.254.255.254 range. Answer B is incorrect because a client with a corrupt routing table will not be able to reach the proper destination, but its address is unaffected. Answer C is incorrect because a manually configured address is not usually in the 169.254.x.x range. Answer D is incorrect because if the client cannot contact the DNS server, the message displayed is “Cannot contact DNS server”; the client’s address is not changed.

11. Answer: B. In the event that no Dynamic Host Configuration Protocol (DHCP) server is available at the time that the client issues a DHCP lease request, the client is automatically configured with an address from the 169.254.0.1 through 169.254.255.254 range. Answer A is incorrect because it is a Class C internal address. Answer C is incorrect because it is a Class D address. Answer D is incorrect because it is a Class B internal address.
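The ranges listed in Answers 9 through 11 (the three RFC 1918 private blocks, APIPA, and Class D multicast) are exactly what the anti-spoofing filter of Objective 2.1, Answer 19 must deny at the Internet border: none of them can be a legitimate source on an external interface. The block below is an added example, not part of the original text; it implements that filter in both directions, labels addresses by range, and includes the /22 calculation from Answer 8. The internal block 10.20.0.0/16 and the sample sources are assumptions made for the example.

```python
"""Anti-spoofing filter for an Internet border plus the private and special
address ranges from the answers above.

Added example, not from the original text. The organisation's internal block
(10.20.0.0/16) and the sample sources in main are constructed assumptions.
"""
import ipaddress

# This organisation's own address space (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Ranges that can never be a legitimate source on the Internet-facing interface.
SPECIAL_RANGES = [
    ("rfc1918-A", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918-B", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918-C", ipaddress.ip_network("192.168.0.0/16")),
    ("apipa", ipaddress.ip_network("169.254.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),  # Class D: a destination, never a source
]


def address_class(addr: str) -> str:
    """Label an IPv4 address by the special range it falls in, else 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, net in SPECIAL_RANGES:
        if ip in net:
            return label
    return "public"


def border_filter(src: str, interface: str):
    """Decide whether a packet with source `src` may pass the border router.

    'outside' (ingress from the Internet): drop anything whose source is one of
        our own internal addresses or any special range; it can only be spoofed.
    'inside' (egress to the Internet): drop anything whose source is not ours,
        so our hosts cannot be used to spoof somebody else.
    Returns (decision, reason).
    """
    ip = ipaddress.ip_address(src)
    ours = any(ip in net for net in INTERNAL_NETS)
    if interface == "outside":
        if ours:
            return "drop", "internal source address arriving from the Internet (spoofed)"
        label = address_class(src)
        if label != "public":
            return "drop", f"unroutable source range: {label}"
        return "accept", "public source"
    if interface == "inside":
        if ours:
            return "accept", "our address"
        return "drop", "egress source is not ours (spoof or misconfiguration)"
    raise ValueError(f"unknown interface {interface!r}")


def prefix_for_hosts(hosts: int) -> int:
    """Smallest block (largest prefix length) with `hosts` usable addresses,
    two being reserved for the network and broadcast addresses.
    1,000 hosts -> /22, the case a single Class C (/24, 254 hosts) cannot hold."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("too many hosts for IPv4")


if __name__ == "__main__":
    # Constructed sources: (address, interface it arrives on)
    for src, iface in [("203.0.113.7", "outside"), ("192.168.5.5", "outside"),
                       ("10.20.3.4", "outside"), ("10.20.3.4", "inside"),
                       ("198.51.100.9", "inside")]:
        decision, reason = border_filter(src, iface)
        print(f"{iface:7s} {src:15s} {address_class(src):10s} {decision}: {reason}")
    print(f"1000 hosts need a /{prefix_for_hosts(1000)}")
```

The egress rule is the half that is usually forgotten: the ingress rule protects you from spoofed packets, the egress rule stops your network from being the source of them when a host is compromised.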

12. Answer: D. One of the most effective ways to protect the network from malicious hosts is to use network access control (NAC). NAC offers a method of enforcement that helps ensure that computers are properly configured. The premise behind NAC is to secure the environment by examining the user’s machine and, based on the results, grant access accordingly. Answer A is incorrect because it describes the function of NAT. Answer B is incorrect because it describes the function of subnetting. Answer C is incorrect because it describes the function of a VLAN.

13. Answer: A, B, C. Answers A, B, and C are all reserved private (nonroutable) address ranges defined for use on internal networks. Answer A is a Class A private address; valid host IDs are from 10.0.0.1 to 10.255.255.254. Network addresses with the first byte between 1 and 126 are Class A and can have about 17 million hosts each. Answer B is a Class B private address; valid host IDs are from 172.16.0.1 through 172.31.255.254. Network addresses with the first byte between 128 and 191 are Class B and can have about 65,000 hosts each. Answer C is a Class C private address; valid nonroutable host IDs are from 192.168.0.1 to 192.168.255.254. Network addresses with the first byte between 192 and 223 are Class C and can have 254 hosts each. Answer D is incorrect because network addresses with the first byte between 224 and 239 are Class D and are reserved for multicasting.

14. Answer: A, C, D. The basic components of NAC products are the access requestor (AR), which is the device that requests access; the policy decision point (PDP), which is the system that assigns a policy based on the assessment; and the policy enforcement point (PEP), which is the device that enforces the policy. Answer B is incorrect. The network redirector, or redirector, is an operating system driver that sends data to and receives data from a remote device.

15. Answer: B, C, D. The policy enforcement point is the device that enforces the policy. This device may be a switch, firewall, or router. Answer A is incorrect; a hub cannot enforce policy.

16. Answer: B. The four ways NAC systems can be integrated into the network are inline, out-of-band, switch based, and host based. An out-of-band NAC device intervenes and performs an assessment as hosts come online, and then grants appropriate access. Answer A is incorrect. An inline appliance usually sits between the access and the distribution switches. Answer C is incorrect. Switch based is similar to inline NAC except that enforcement occurs on the switch itself. Answer D is incorrect. Host based relies on an agent installed on the endpoint to assess the device and enforce access policy.

17. Answer: A, C, D. In addition to providing the ability to enforce security policy, contain noncompliant users, and mitigate threats, NAC offers a number of business benefits. The business benefits include compliance, a better security posture, and operational cost management. Answer B is incorrect. Separation of duties is one of the key concepts of internal controls. It is not a business benefit. It is the most difficult and sometimes the most costly one to achieve.

18. Answer: A, B. To protect your network, make sure the PBX is in a secure area, any default passwords have been changed, and only authorized maintenance is done. Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port. Answers C and D are incorrect because these are solutions associated with mitigating vulnerabilities associated with VoIP.

19. Answer: D. Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port. To protect your network, make sure the Private Branch Exchange (PBX) is in a secure area, any default passwords have been changed, and only authorized maintenance is done. Answer A is incorrect. Man-in-the-middle attacks are executed between the SIP phone and a SIP proxy, allowing the audio to be manipulated, causing dropped, rerouted, or playback calls. Answers B and C are incorrect; they are associated with VoIP. VoIP PBX servers are susceptible to the same type of exploits as other network servers. These attacks include DoS and buffer overflows, with DoS being the most prevalent.

20. Answer: A, B, C. Man-in-the-middle attacks are executed between the SIP phone and a SIP proxy, allowing the audio to be manipulated, causing dropped, rerouted, or playback calls. VoIP PBX servers are susceptible to the same type of exploits as other network servers. These attacks include DoS and buffer overflows, with DoS being the most prevalent. Answer D is incorrect. Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port.

21. Answer: C. Session Initiation Protocol (SIP) is commonly used in instant messaging, but it can also be used as an alternative for VoIP. Using SIP can leave VoIP networks open to unauthorized transport of data. Answer A is incorrect because long-distance toll fraud is associated with a PBX. Answer B is incorrect; war-dialing attacks take advantage of unsecure modems. Answer D is incorrect because war-driving attacks take advantage of wireless networks.

22. Answer: A. For years, PBX-type systems have been targeted by hackers, mainly to get free long-distance service. The vulnerabilities that phone networks are subject to include social engineering, long-distance toll fraud, and breach of data privacy. Answer B is incorrect; war-dialing attacks take advantage of unsecure modems. Answer C is incorrect. Session Initiation Protocol (SIP) is commonly used in instant messaging, but it can also be used as an alternative for VoIP. Using SIP can leave VoIP networks open to unauthorized transport of data. Answer D is incorrect. War-driving is used to intercept wireless communications by driving around looking for unsecured wireless networks.

23. Answer: B. Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation. War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests. Answer A is incorrect because long-distance toll fraud is associated with a PBX. Answer C is incorrect; using SIP can leave VoIP networks open to unauthorized transport of data. Answer D is incorrect because war-driving attacks take advantage of wireless networks.

24. Answer: A, C. Implementing the following solutions can help mitigate the risks and vulnerabilities associated with VoIP: encryption, authentication, data validation, and nonrepudiation. VoIP runs over a TCP/IP network; therefore, technologies that are used to secure IP networks can be used for VoIP, too. Answer B is incorrect because callback features are associated with the use of modems. Answer D is incorrect because encryption and firewall solutions are associated with the use of cable modems.

25. Answer: B, D. Setting the callback features to have the modem call the user back at a preset number and using encryption and firewall solutions will help keep the environment safe from attacks. Answers A and C are incorrect; implementing encryption, authentication, data validation, and nonrepudiation can help mitigate the risks and vulnerabilities associated with VoIP.

Objective 2.3: Determine the appropriate use of network security tools to facilitate network security.

1. Answer: B, C, D. Intrusion detection systems are designed to analyze data, identify attacks, and respond to the intrusion. Answer A is incorrect because preventing attacks is the function of an intrusion prevention system.

2. Answer: B. IDSs are different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. IDSs are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. Intrusion prevention differs from intrusion detection in that it actually prevents attacks instead of only detecting the occurrence of an attack. Based on this information, answers A, C, and D are incorrect.

3. Answer: D. A HIDS collects and analyzes data that originates on the local machine. Answer A is incorrect; a NIDS tries to locate packets not allowed on the network that the firewall missed and looks at the information exchanged between machines. Answer B is incorrect; intrusion prevention differs from intrusion detection in that it actually prevents attacks in real time instead of only detecting the occurrence. Answer C is incorrect because firewalls control the information that gets in and out of the network.

4. Answer: A. A NIDS tries to locate packets not allowed on the network that the firewall missed and looks at the information exchanged between machines. Answer B is incorrect; intrusion prevention differs from intrusion detection in that it actually prevents attacks in real time instead of only detecting the occurrence. Answer C is incorrect because firewalls control the information that gets in and out of the network. Answer D is incorrect; a HIDS collects and analyzes data that originates on the local machine.

5. Answer: B. Intrusion prevention differs from intrusion detection in that it actually prevents attacks in real time instead of only detecting the occurrence. Answer A is incorrect; a NIDS tries to locate packets not allowed on the network that the firewall missed and looks at the information exchanged between machines. Answer C is incorrect because firewalls control the information that gets in and out of the network. Answer D is incorrect; a HIDS collects and analyzes data that originates on the local machine.

6. Answer: D. An inline NIPS works like a Layer 2 bridge: it sits between the systems that need to be protected and the rest of the network. A NIPS proactively protects machines against damage from attacks that signature-based technologies cannot detect, because most NIPS solutions can inspect application layer protocols such as HTTP, FTP, and SMTP. Answers A and B are incorrect because a NIPS detects and blocks attacks as they are occurring, not after they occur; after-the-fact detection is more the function of an IDS. Answer C is incorrect because it describes a firewall.

7. Answer: B, C. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds single points of failure to the network. Answer A is incorrect because sensors are not placed on domain controllers. Answer D is incorrect because the sensors add single points of failure to the network, not redundancy.

8. Answer: D. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds single points of failure to the network. A good way to prevent this issue is to use fail-open technology. This means that if the device fails, it does not cause a complete network outage; instead, it acts like a patch cable. Answer A is incorrect because fail open has nothing to do with application redundancy. Answer B is incorrect; a NIPS fail-open has nothing to do with fire. Answer C is incorrect because it does not cause a complete network outage; instead, it acts like a patch cable.

9. Answer: C. A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can be composed of hardware, software, or a combination of both. Answer A is incorrect; a NIDS tries to locate packets not allowed on the network that the firewall missed and looks at the information exchanged between machines. Answer B is incorrect because intrusion prevention actually prevents attacks in real time instead of only detecting the occurrence. Answer D is incorrect; a HIDS collects and analyzes data that originates on the local machine.

10. Answer: A. An application-level gateway understands the services and protocols it proxies, so it can inspect and filter the content of a session. Answer C is too generic to be a proper answer. Answer B is incorrect because a circuit-level gateway validates the TCP session (the handshake and packet flow) without understanding the application protocol carried inside it. Answer D is incorrect because SOCKS proxy is an example of a circuit-level gateway.

11. Answer: B. A packet-filtering firewall is typically a router. Packets are filtered based on IP addresses, ports, or protocols, and the filtering operates at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less secure because each packet is judged in isolation: a packet that matches an allow rule (for example, any inbound packet with the ACK flag set, which must be allowed so that replies can return) is passed inside the network whether or not it belongs to an established session. Answer A is incorrect because it describes the function of a stateful-inspection firewall. A stateful-inspection firewall combines packet filtering with a state table that records each session it has allowed; it examines the headers of every packet, tracks the state of each connection across the network, transport, and application layers, and passes inbound packets only when they belong to a session already recorded in the table. Answer C is incorrect; a circuit-level gateway operates at the OSI session layer (Layer 5) by monitoring the TCP handshake and packet flow to determine whether the session requested is a legitimate one. Answer D is incorrect. With an application-level gateway, all traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP).

12. Answer: A. A stateful-inspection firewall combines packet filtering with a state table that records each session it has allowed; it examines the headers of every packet, tracks the state of each connection across the network, transport, and application layers, and passes inbound packets only when they belong to a session already recorded in the table. Answer B is incorrect. A packet-filtering firewall is typically a router. Packets are filtered based on IP addresses, ports, or protocols, and the filtering operates at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less secure because each packet is judged in isolation and is passed inside the network whether or not it belongs to an established session. Answer C is incorrect; a circuit-level gateway operates at the OSI session layer (Layer 5) by monitoring the TCP handshake and packet flow to determine whether the session requested is a legitimate one. Answer D is incorrect. With an application-level gateway, all traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP).

13. Answer: C. A circuit-level gateway operates at the OSI session layer (Layer 5) by monitoring the TCP handshake and packet flow to determine whether the session requested is a legitimate one. Answer A is incorrect. A stateful-inspection firewall combines packet filtering with a state table that records each session it has allowed and passes inbound packets only when they belong to a recorded session. Answer B is incorrect; a packet-filtering firewall is typically a router. Packets are filtered based on IP addresses, ports, or protocols, and the filtering operates at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less secure because each packet is judged in isolation and is passed inside the network whether or not it belongs to an established session. Answer D is incorrect. With an application-level gateway, all traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP).

14. Answer: D. With an application-level gateway, all traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP). Answer A is incorrect. A stateful-inspection firewall combines packet filtering with a state table that records each session it has allowed and passes inbound packets only when they belong to a recorded session. Answer B is incorrect. A packet-filtering firewall is typically a router. Packets are filtered based on IP addresses, ports, or protocols, and the filtering operates at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less secure because each packet is judged in isolation and is passed inside the network whether or not it belongs to an established session. Answer C is incorrect; a circuit-level gateway operates at the OSI session layer (Layer 5) by monitoring the TCP handshake and packet flow to determine whether the session requested is a legitimate one.
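Answers 11 through 14 above contrast a packet filter, which judges each packet in isolation, with stateful inspection, which remembers the sessions it has allowed. The block below is an added example, not part of the original text: the same five constructed packets (a legitimate outbound web session followed by an outsider's probes against SMB) are run through both, so the difference in what gets inside is visible. The addresses, ports and traffic are constructed for the example.

```python
"""A packet filter and a stateful-inspection firewall applied to the same
traffic, to show why the answers above call packet filtering less secure.

Added example, not from the original text. Policy in both cases: internal
hosts may open TCP connections to the Internet; nothing may be initiated from
outside. SAMPLE_TRAFFIC is constructed; flags use tcpdump letters (S, A, R).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from an internal host)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def stateless_filter(pkt: Packet) -> str:
    """Layer 3/4 packet filter: decides from this packet's header alone.

    With no memory of connections, the only way to let reply traffic back in
    is a rule that admits any inbound segment with ACK set. That same rule
    admits an attacker's ACK-flagged packets to any internal port.
    """
    if pkt.direction == "out":
        return "accept"
    if "S" in pkt.flags and "A" not in pkt.flags:
        return "drop"          # inbound SYN: an outsider opening a connection
    if "A" in pkt.flags:
        return "accept"        # presumed reply to something we sent
    return "drop"


class StatefulFilter:
    """Stateful inspection: a state table keyed on the 4-tuple of each session
    opened from inside. Inbound packets pass only if they match a recorded
    session, whatever flags they carry."""

    def __init__(self):
        self.table = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.table.add(key)          # new outbound connection: record it
                return "accept"
            if key in self.table:
                if "R" in pkt.flags:
                    self.table.discard(key)  # reset from our side ends the session
                return "accept"
            return "drop"                    # stray outbound segment, no session
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # inbound: reverse the tuple
        if key in self.table:
            if "R" in pkt.flags:
                self.table.discard(key)      # reset from the peer ends the session
            return "accept"
        return "drop"                        # no session, even though ACK may be set


# Constructed traffic: a legitimate web session, then an outsider's ACK probe
# against SMB (445) and a plain SYN against the same port.
SAMPLE_TRAFFIC = [
    Packet("out", "10.0.0.5", 51000, "203.0.113.10", 80, "S"),
    Packet("in", "203.0.113.10", 80, "10.0.0.5", 51000, "SA"),
    Packet("out", "10.0.0.5", 51000, "203.0.113.10", 80, "A"),
    Packet("in", "198.51.100.66", 40000, "10.0.0.5", 445, "A"),   # ACK probe
    Packet("in", "198.51.100.66", 40000, "10.0.0.5", 445, "S"),   # SYN probe
]


def run_stateless(packets):
    return [stateless_filter(p) for p in packets]


def run_stateful(packets):
    fw = StatefulFilter()
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for p, a, b in zip(SAMPLE_TRAFFIC, run_stateless(SAMPLE_TRAFFIC), run_stateful(SAMPLE_TRAFFIC)):
        print(f"{p.direction:3s} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags:2s}]"
              f"  stateless={a:6s} stateful={b}")
```

Both firewalls drop the SYN probe; only the stateful one drops the ACK probe, because no internal host ever opened a session to 198.51.100.66:40000. A production stateful firewall also tracks the FIN handshake and expires idle entries, which this toy omits.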

15. Answer: A, B, D. Proxy servers are used for security, logging, and caching. When the proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Answer C is incorrect. Addressing is a function of a DHCP server.

16. Answer: A, B. An exposed server that provides public access to a critical service, such as a web or email server, may be configured to isolate it from an organization’s network and to report attack attempts to the network administrator. Such an isolated server is referred to as a bastion host, named for the isolated towers that were used to give castles advance notice of a pending assault. Answer C is incorrect. Database servers are generally contained on the internal network. Answer D is incorrect. DHCP servers give out IP addresses on the internal network.

17. Answer: B. When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. Answer A is incorrect. Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Answer C is incorrect. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Answer D is incorrect; a packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense.

18. Answer: D. A packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense. Answer A is incorrect. Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Answer B is incorrect. When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. Answer C is incorrect. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis.

19. Answer: A. Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Answer B is incorrect. When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. Answer C is incorrect. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Answer D is incorrect; a packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense.

20. Answer: C. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Answer A is incorrect. Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Answer B is incorrect. When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. Answer D is incorrect; a packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense.

21. Answer: A. Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. Because content filtering uses screen captures of each violation with time-stamped data, it provides proper documentation for forensic investigations and litigation purposes. Answer B is incorrect. When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. Answer C is incorrect. Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Answer D is incorrect; a packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense.

22. Answer: D. Content filtering is integrated at the operating system level so that it can monitor events such as opening files via Windows Explorer. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Based on the previous information, answers A, B, and C are incorrect because content filtering is integrated at the operating system level.

23. Answer: C. Unlike antivirus and antispyware applications, content monitoring does not require daily updates to keep the database effective and current. On the downside, content filtering needs to be “trained.” For example, to filter nonpornographic material, the terminology must be input and defined in the database. Answer A is incorrect because content filtering helps control bandwidth costs. Answer B is incorrect based on the previous stated information. Answer D is incorrect. Packet-filtering solutions are generally considered less-secure firewalls because they still allow packets inside the network, regardless of communication pattern within the session. This leaves the system open to DoS attacks.

24. Answer: A, B. Protocol analyzers can do more than just look at packets. They prove useful in many other areas of network management, such as monitoring the network for unexpected, unwanted, and unnecessary traffic. For example, if the network is running slowly, a protocol analyzer can tell you whether unnecessary protocols are running on the network. Answers C and D are incorrect; attack prevention is a function of an intrusion prevention system, not a protocol analyzer.

25. Answer: B. Content filtering will report only on violations identified in the specified applications listed for the filtering application. In other words, if the application will filter only Microsoft Office documents and a user chooses to use OpenOffice, the content will not be filtered. Based on the above information, answers A, C, and D are incorrect; content filtering will report only on violations identified in the specified applications listed for the filtering application.
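The content-filter behavior described in answers 19, 21, 22, and 25 above (a term database compared against application content, time-stamped violation records, and filtering limited to the applications registered with the filter) can be modeled in a few dozen lines. The following is an added example, not code from the book; the term list, application names, and sample documents are constructed for illustration.

```python
"""Term-based content filter with per-application scoping (added example).

Models the behavior described in the answers above: a database of terms
and phrases is compared against document text, each hit is recorded with
a time stamp for later review, and only documents coming from a registered
application are inspected. A document from an unregistered application
(for example OpenOffice when only Microsoft Office and Outlook are listed)
passes through without being filtered at all.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass
class Violation:
    timestamp: str      # ISO-8601 UTC time the hit was recorded
    application: str    # application that produced the content
    term: str           # database term that matched
    excerpt: str        # surrounding text kept as evidence


class ContentFilter:
    def __init__(self, terms, monitored_apps):
        # Terms match as whole words/phrases, case-insensitively.
        self._patterns = [
            (t, re.compile(r"\b" + re.escape(t) + r"\b", re.IGNORECASE))
            for t in terms
        ]
        # Only these applications are inspected; everything else is ignored.
        self.monitored_apps = {a.lower() for a in monitored_apps}
        self.log = []   # every Violation ever recorded, in order

    def is_monitored(self, application):
        return application.lower() in self.monitored_apps

    def scan(self, application, text, now=None):
        """Return the violations found in text ([] if the app is not monitored)."""
        if not self.is_monitored(application):
            return []
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        found = []
        for term, pattern in self._patterns:
            for m in pattern.finditer(text):
                lo, hi = max(0, m.start() - 20), min(len(text), m.end() + 20)
                found.append(Violation(stamp, application, term, text[lo:hi]))
        self.log.extend(found)
        return found


# Constructed sample documents (hypothetical application names and text).
SAMPLE_DOCS = [
    ("msword", "Q3 forecast for Project Falcon attached. Wire to account number 12345."),
    ("openoffice", "Q3 forecast for Project Falcon attached. Wire to account number 12345."),
    ("outlook", "Lunch at noon?"),
]


def run_sample():
    """Scan the sample documents; returns {application: number of violations}."""
    filt = ContentFilter(
        terms=["Project Falcon", "account number"],   # constructed term database
        monitored_apps=["msword", "outlook"],          # OpenOffice deliberately absent
    )
    return {app: len(filt.scan(app, text)) for app, text in SAMPLE_DOCS}


if __name__ == "__main__":
    print(run_sample())
```

The OpenOffice document carries exactly the same confidential text as the Word document, yet produces zero violations, which is the gap answer 25 describes: the filter only sees what its registered applications hand it.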

Objective 2.4: Apply the appropriate network tools to facilitate network security.

1. Answer: B, C. The main objective for the placement of firewalls is to allow only traffic that the organization deems necessary and provide notification of suspicious behavior. Answer A is incorrect because this is the function of a protocol analyzer. Answer D is incorrect because Internet content filters monitor unauthorized transfer of confidential information.

2. Answer: C. Most organizations deploy, at a minimum, two firewalls. The first firewall is placed in front of the DMZ to allow requests destined for servers in the DMZ or to route requests to an authentication proxy. The second firewall is placed to allow outbound requests. All initial necessary connections are located on the DMZ machines. For example, a RADIUS server may be running in the DMZ for improved performance and enhanced security, even though its database resides inside the company intranet. Answer A is incorrect; the first firewall should be deployed in front of the DMZ, not behind it. Answer B is incorrect; although the extranet would be located in the DMZ, and the intranet is located on the internal network, it is between the DMZ and the internal network where the firewall should be placed. Answer D is incorrect; although you may have a firewall between the user data and financial data, if you are only deploying two, the second one should go between the DMZ and the internal network.

3. Answer: A. A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the Network layer (Layer 3) of the Open Systems Interconnection (OSI) model. Packet-filtering solutions are generally considered less secure firewalls because they still allow packets inside the network, regardless of communication patterns within the session. Answer B is incorrect; all firewalls should be physically secure. Answer C is incorrect because secure passwords for firewalls can easily be created. Answer D is incorrect because compromising a secure router takes quite a bit of effort.

4. Answer: D. Proxy service firewalls are go-betweens for the network and the Internet. They can be used to hide the internal addresses from the outside world through NAT. This does not allow the computers on the network to directly access the Internet. Answer A is incorrect because it describes the function of an intrusion detection system. Answers B and C are incorrect because they describe functions associated with an Internet content filtering system, not a proxy service firewall.

5. Answer: B. Proxy service firewalls are go-betweens for the network and the Internet. They hide the internal addresses from the outside world and don’t allow the computers on the network to directly access the Internet. This type of firewall has a set of rules that the packets must pass to get in or out. Because the firewall checks traffic against a set of rules, settings, policies, and guidelines are incorrect. Therefore, answers A, C, and D are incorrect.

6. Answer: C. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer A is incorrect because a virtual private network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer B is incorrect because NAT acts as a liaison between an internal network and the Internet. Answer D is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy.

7. Answer: D. A DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer A is incorrect because a virtual private network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer B is incorrect because NAT acts as a liaison between an internal network and the Internet. Answer C is incorrect. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network.

8. Answer: C, D. Because you want to monitor both types of traffic, the IDSs should be used together. Network-based intrusion detection systems monitor the packet flow and try to locate packets that are not allowed for one reason or another and may have gotten through the firewall. Host-based intrusion detection systems monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity. A firewall protects computers and networks from undesired access by the outside world; therefore, answer A is incorrect. Answer B is incorrect because Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. Because content filtering uses screen captures of each violation with time-stamped data, it provides proper documentation for forensic investigations and litigation purposes.

9. Answer: B. Proxy servers can be placed between the private network and the Internet for Internet connectivity. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content. Answer A is incorrect; proxy servers are usually placed internally for web content caching. Answer C is incorrect. A firewall is usually placed between a web server and an internal file server. Answer D is incorrect. In some proxy server designs, such as for a large organization, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router.

10. Answer: A. Proxy servers are usually placed internally for web content caching. Answer B is incorrect; proxy servers can be placed between the private network and the Internet for Internet connectivity. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content. Answer C is incorrect. A firewall is usually placed between a web server and an internal file server. Answer D is incorrect. In some proxy server designs, such as for a large organization, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router.

11. Answer: B. Proxy servers can be placed between the private network and the Internet for Internet connectivity. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content. Answer A is incorrect; proxy servers are usually placed internally for web content caching. Answer C is incorrect. A firewall is usually placed between a web server and an internal file server. Answer D is incorrect. In some proxy server designs, such as for a large organization, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router.

12. Answer: D. In some proxy server designs, such as for a large organization, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router. Answer A is incorrect; proxy servers are usually placed internally for web content caching. Answer C is incorrect. A firewall is usually placed between a web server and an internal file server. Answer B is incorrect. Proxy servers can be placed between the private network and the Internet for Internet connectivity. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content.

13. Answer: A. Internet content filtering works by analyzing data against a database contained in the software. Content filtering reports only on violations identified in the specified applications listed for the filtering application. In other words, if the application will only filter Microsoft Office documents and a user chooses to use OpenOffice, the content will not be filtered. Answers B and C are incorrect; they describe functions associated with firewalls. Answer D is incorrect; analyzing traffic patterns is associated with an intrusion detection system.

14. Answer: A, C, D. Network Internet content filters can be hardware or software. Many network solutions combine both. Hardware appliances are usually connected to the same network segment as the users they will monitor. Other configurations include being deployed behind a firewall or in a DMZ, with public addresses behind a packet-filtering router. These appliances use access control filtering software on the dedicated filtering appliance. The device monitors every packet of traffic that passes over a network. Answer B is incorrect; network Internet content filters would not be placed on the individual systems. If this were true, they would become host-based content filters.

15. Answer: C. In some proxy server designs, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router. Answer A is incorrect; proxy servers are usually placed internally for content caching, not in parallel with IP routers. Answer B is incorrect; proxy servers can be placed between the private network and the Internet for Internet connectivity. Answer D is incorrect because it describes Internet content filters. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information.

16. Answer: A, D. Protocol analyzers can be placed inline or in between the devices from which you want to capture the traffic. If you are analyzing SAN traffic, the analyzer can be placed outside the direct link with the use of an optical splitter. The analyzer is placed to capture traffic between the host and the monitored device. Answers B and C are incorrect because protocol analyzers are used to troubleshoot internal network issues and therefore would not be placed outside the network.

17. Answer: C. A packet-filtering firewall is best suited for simple networks or used to protect a network that is used mainly for Internet access. The placement of a packet-filtering firewall is between the Internet and the protected network. It filters all traffic entering or leaving the network. Answer A is incorrect because proxy service firewalls allow organizations to offer services securely to Internet users. All servers hosting public services are placed in the demilitarized zone (DMZ) with the proxy firewall between the DMZ and the internal network. Answer B is incorrect; firewalls are not usually placed in between servers on the internal network; VLANs are used to separate resources. Answer D is incorrect because a stateful-inspection firewall is suited for main perimeter security. Stateful-inspection firewalls can thwart port scanning by closing off ports until a connection to the specific port is requested.

18. Answer: B. When deploying multiple firewalls, you might experience network latency. If you do, check the placement of the firewalls and possibly reconsider the topology to be sure you get the most out of the firewalls. Answer A is incorrect. If the access lists are configured correctly, legitimate traffic should not be blocked. This is true whether you are using 1 firewall or 10 firewalls. Answer C is incorrect; using multiple firewalls will reduce the attack vector, not increase it. Answer D is incorrect. Troubleshooting should become less complex because each firewall is configured for the traffic it will filter.

19. Answer: A. Proxy service firewalls allow organizations to offer services securely to Internet users. All servers hosting public services are placed in the demilitarized zone (DMZ) with the proxy firewall between the DMZ and the internal network. Answer B is incorrect; firewalls are not usually placed in between servers on the internal network; VLANs are used to separate resources. Answer C is incorrect because a packet-filtering firewall is best suited for simple networks or used to protect a network that is used mainly for Internet access. The placement of a packet-filtering firewall is between the Internet and the protected network. It filters all traffic entering or leaving the network. Answer D is incorrect because a stateful-inspection firewall is suited for main perimeter security. Stateful-inspection firewalls can thwart port scanning by closing off ports until a connection to the specific port is requested.

20. Answer: D. A stateful-inspection firewall is suited for main perimeter security. Stateful-inspection firewalls can thwart port scanning by closing off ports until a connection to the specific port is requested. Answer A is incorrect because proxy service firewalls allow organizations to offer services securely to Internet users. All servers hosting public services are placed in the demilitarized zone (DMZ) with the proxy firewall between the DMZ and the internal network. Answer B is incorrect; firewalls are not usually placed in between servers on the internal network; VLANs are used to separate resources. Answer C is incorrect because a packet-filtering firewall is best suited for simple networks or used to protect a network that is used mainly for Internet access. The placement of a packet-filtering firewall is between the Internet and the protected network. It filters all traffic entering or leaving the network.
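Several answers in this objective (questions 3, 17, and 20) and answer 23 earlier contrast a packet-filtering firewall, which decides on IP addresses, ports, and protocols alone and so admits packets "regardless of communication pattern within the session," with a stateful-inspection firewall, which keeps a port closed until a connection to it has been requested. The following added example (not code from the book) models both decision procedures side by side; the rule sets, address ranges, and packets are constructed, with 10.0.0.0/24 standing in for the protected LAN and 203.0.113.0/24 for the Internet.

```python
"""Stateless packet filter vs. stateful inspection (added example).

Both filters implement the same policy intent: internal hosts may browse
the web, and nothing else may enter. The stateless filter can only express
"let replies from web servers in" as a header rule (source port 80 to any
internal port), so any packet dressed up that way is admitted. The stateful
filter admits an inbound packet only if it belongs to a connection that an
internal host opened first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str         # "tcp" or "udp"
    syn: bool = False  # TCP SYN flag: a connection request


INTERNAL_PREFIX = "10.0.0."   # constructed protected network


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


class StatelessFilter:
    """Each rule is (direction, proto, src_port, dst_port, action); None = any.
    Rules are checked first match wins; no match means deny."""

    def __init__(self, rules):
        self.rules = rules

    def allow(self, pkt):
        direction = "out" if is_internal(pkt.src_ip) else "in"
        for d, proto, sport, dport, action in self.rules:
            if (d == direction and proto == pkt.proto
                    and sport in (None, pkt.src_port)
                    and dport in (None, pkt.dst_port)):
                return action == "allow"
        return False


class StatefulFilter:
    """Outbound connections matching (proto, dst_port) in allowed_outbound are
    recorded; inbound packets pass only if they reverse a recorded flow."""

    def __init__(self, allowed_outbound):
        self.allowed_outbound = set(allowed_outbound)
        self.flows = set()   # (src_ip, src_port, dst_ip, dst_port, proto)

    def allow(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if is_internal(pkt.src_ip):
            if (pkt.proto, pkt.dst_port) in self.allowed_outbound:
                self.flows.add(flow)       # port is now "open" for this peer only
                return True
            return False
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return reverse in self.flows       # unsolicited inbound: port stays closed


# Constructed traffic, processed in this order.
TRAFFIC = [
    ("client opens web connection",
     Packet("10.0.0.7", 51000, "203.0.113.10", 80, "tcp", syn=True)),
    ("web server reply to that connection",
     Packet("203.0.113.10", 80, "10.0.0.7", 51000, "tcp")),
    ("unsolicited inbound packet with source port 80",
     Packet("203.0.113.99", 80, "10.0.0.7", 3389, "tcp")),
    ("unsolicited inbound connection request",
     Packet("203.0.113.99", 4444, "10.0.0.7", 3389, "tcp", syn=True)),
]


def compare():
    """Return [(label, stateless_decision, stateful_decision), ...]."""
    stateless = StatelessFilter([
        ("out", "tcp", None, 80, "allow"),   # clients may browse
        ("in", "tcp", 80, None, "allow"),    # needed so web replies get back in
    ])
    stateful = StatefulFilter({("tcp", 80)})
    return [(label, stateless.allow(p), stateful.allow(p)) for label, p in TRAFFIC]


if __name__ == "__main__":
    for label, sl, sf in compare():
        print(f"{label:45s} stateless={sl!s:5s} stateful={sf}")
```

The third packet is the one the answers are warning about: it never belonged to any session, but the stateless rule that exists to let genuine web replies through cannot tell it apart from one, while the stateful filter rejects it because no internal host ever opened a connection to 203.0.113.99.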

Objective 2.5: Explain the vulnerabilities and mitigations associated with network devices.

1. Answer: C. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter would be if User A could read User B’s email without specific authorization. Answer A is incorrect because it describes default accounts. Answer B is incorrect because data transmitted over a wireless network using 802.1x that can be easily “sniffed” is referred to as data emanations. Answer D is incorrect because a back door is an application code function created intentionally or unintentionally, which allows unauthorized access to networked resources.

2. Answer: D. A back door is an application code function created intentionally or unintentionally, which allows unauthorized access to networked resources. Answer A is incorrect because it describes default accounts. Answer B is incorrect because data transmitted over a wireless network using 802.1x that can be easily “sniffed” is referred to as data emanations. Answer C is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter would be if User A could read User B’s email without specific authorization.

3. Answer: B. Complexity means a mixture of character case, numbers, and/or symbols. Answers A and D are incorrect because automated and social-engineering assaults on passwords are easier when a password is short and lacking in complexity, such as those derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdates, family names, pet names, and similar details. Answer C is incorrect because randomly generated passwords are created by a program and are often too complex for users to remember. This causes the users to write down the passwords and store them somewhere easily accessible. This goes against best practices.
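The weaknesses this answer lists (short length, missing character classes, dictionary words, and guessable personal details such as birthdates and pet names) are what a password-acceptance check on a network device or directory should reject at enrollment time. The following added example, not code from the book, implements such a check; the word list, the leetspeak substitutions, and the personal details are constructed, and a real deployment would load a full dictionary and the account holder's actual profile fields.

```python
"""Password weakness check covering the points in the answer above.

Added example. weaknesses() returns the list of problems found so that the
caller can tell the user exactly why a candidate password was rejected;
an empty list means none of the listed weaknesses was detected.
"""
import string

MIN_LENGTH = 12                 # policy value chosen for this example
MIN_CHAR_CLASSES = 3            # of: lowercase, uppercase, digit, symbol

# Constructed mini dictionary; a real check uses a large word list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}

# Common substitutions attackers' wordlists already undo ("P@ssw0rd").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Lowercase and undo leetspeak so 'P@ssw0rd' compares as 'password'."""
    return pw.lower().translate(LEET)


def char_classes(pw):
    """Number of distinct character classes present (0 to 4)."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def weaknesses(pw, personal=()):
    """Return the weaknesses found in pw.

    personal: iterable of strings about the account holder (names, dates,
    pet names) that must not appear inside the password.
    """
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("too short")
    if char_classes(pw) < MIN_CHAR_CLASSES:
        found.append("lacks complexity")
    # Check both the raw lowercase form and the de-leeted form.
    forms = {pw.lower(), normalize(pw)}
    if any(word in form for word in DICTIONARY for form in forms):
        found.append("dictionary word")
    for item in personal:
        needle = str(item).lower()
        # Very short fragments (e.g. a 3-letter name) would match too often.
        if len(needle) >= 4 and any(needle in form for form in forms):
            found.append(f"personal detail: {item}")
    return found


# Constructed profile details for a hypothetical user.
SAMPLE_PROFILE = ["Rex", "1984", "Johnson"]

if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Summer2024!", "Rex1984xyz",
                      "correcthorsebatterystaple", "xK7#qLm2$vRw9pZt"]:
        print(f"{candidate!r}: {weaknesses(candidate, SAMPLE_PROFILE) or 'ok'}")
```

Returning the full list rather than a pass/fail bit matters in practice: a user told only "rejected" tends to make the smallest change that gets past the check, whereas "contains a dictionary word" and "contains your birth year" steer them toward a genuinely different password.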

4. Answer: B. Unlike resources located on the local system, network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. By blocking access to a website or network resource, the attacker effectively prevents authorized availability. Answer A is incorrect because a DoS focuses on network resources, not local resources. Answer C is incorrect; viruses and worms ranked the highest for sheer number of attacks against network storage. Answer D is incorrect; DoS attacks are launched against servers in the DMZ, not the internal network, unless there is no DMZ in place. However, corporate networks usually have some type of segmentation keeping the internal network and DMZ separated, making this answer choice incorrect.

5. Answer: C. Unlike resources located on the local system, network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. By blocking access to a website or network resource, the attacker effectively prevents authorized availability. Answer A is incorrect because privilege escalation is the intentional access to resources not intended for access by the user. Answer B is incorrect; a back door is an application code function created intentionally or unintentionally, which allows unauthorized access to networked resources. Answer D is incorrect; attempting to directly access the resources through unauthorized means would fall along the lines of a spoofing attack.

6. Answer: B. Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available WAPs. Turning off this broadcast can reduce the vulnerability of a broadcast packet sniffer readily identifying a WAP, but is not truly secure because the SSID is broadcast in plain text whenever a client connects to the network. As long as the SSID broadcast is turned on, the WAP will be identifiable. Therefore, answers A, C, and D are incorrect. These solutions can help mitigate the risks associated with using wireless communication, but they will not reduce the vulnerability associated with identifying the WAP.

7. Answer: C. Many networking devices and services are initially installed with a default set of user credentials, such as Oracle’s Scott/Tiger and IBM’s qsecofr/qsecofr. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack because they are known to potential attackers. Answer A is incorrect because replacing them on an as-needed basis is not proper policy. Answer B is incorrect; replacing them only when an attack has been detected is reactive instead of proactive. Answer D is incorrect because using the same logon credential for all devices and services leaves them all vulnerable should the password be compromised.

8. Answer: A, B, D. Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available WAPs. Turning off this broadcast can reduce the vulnerability of a broadcast packet sniffer readily identifying a WAP, but is not truly secure because the SSID is broadcast in plain text whenever a client connects to the network. Turning off SSID broadcast should be considered a “best practice,” along with conducting the site survey, selecting channels not already in use in the area, requiring WPA2 (or newer) encryption, and restricting access to a known list of Wi-Fi MAC addresses where possible. Answer C is incorrect because turning on DHCP will allow a rogue client to automatically connect. Therefore, it increases the vulnerability.

9. Answer: A. Back doors are application code functions created intentionally or unintentionally that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Other back doors may be inserted by the application designers purposefully, presenting later threats to the network if applications are never reviewed by another application designer before deployment. Answer B is incorrect because back doors are associated with code development, not system certification. Answer C is incorrect because during user interface testing, the users do not have access to the code and cannot create back doors. Answer D is incorrect because the code has already been developed and tested during the implementation phase. At this point, there is no access to the code itself.

10. Answer: D. To optimize network layout within each unique location, a site survey is necessary before implementing any WLAN solution. This is particularly important in distributed wireless network configurations spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas. Answers A, B, and C are incorrect. Land surveys, building inspections, and OSHA inspections are agency-related functions and cannot be conducted by the organization.

11. Answer: B. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer A is incorrect because it describes the vulnerability of a broadcast packet sniffer readily identifying a WAP. Answer C is incorrect. Back doors represent application code functions created intentionally or unintentionally, which allow unauthorized access to networked resources. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.

12. Answer: A. Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available WAPs. Turning off this broadcast can reduce the vulnerability of a broadcast packet sniffer readily identifying a WAP, but is not truly secure because the SSID is broadcast in plain text whenever a client connects to the network. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer C is incorrect. Back doors represent application code functions created intentionally or unintentionally, which allow unauthorized access to networked resources. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.

13. Answer: D. Automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details. Answer A is incorrect because it describes the vulnerability of a broadcast packet sniffer readily identifying a WAP. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer C is incorrect. Back doors represent application code functions created intentionally or unintentionally, which allow unauthorized access to networked resources.

14. Answer: C. Back doors represent application code functions created intentionally or unintentionally, which allow unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Answer A is incorrect because it describes the vulnerability of a broadcast packet sniffer readily identifying a WAP. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.

15. Answer: C. Many networking devices and services are initially installed with a default set of user credentials, such as Oracle’s Scott/Tiger and IBM’s qsecofr/qsecofr. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer A is incorrect. Network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.

16. Answer: A. Network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer C is incorrect. Many networking devices and services are initially installed with a default set of user credentials. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.

17. Answer: A. Privilege escalation represents the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter is if User A can read User B’s email without specific authorization. Answer B is incorrect. Many networking devices and services are initially installed with a default set of user credentials. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer C is incorrect. Any resource exposed on a network may be attacked to gain unauthorized access. The most common form of authentication and user access control is the username/password combination, which can be significantly weakened as a security measure if a “weak” password is selected. Answer D is incorrect. Back doors are application code functions created intentionally or unintentionally that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later.

18. Answer: D. Back doors are application code functions created intentionally or unintentionally that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Answer A is incorrect. Privilege escalation represents the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter is if User A can read User B’s email without specific authorization. Answer B is incorrect. Many networking devices and services are initially installed with a default set of user credentials. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer C is incorrect. Any resource exposed on a network may be attacked to gain unauthorized access. The most common form of authentication and user access control is the username/password combination, which can be significantly weakened as a security measure if a “weak” password is selected.

19. Answer: B, C. Automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity (complexity here meaning a mixture of character case, numbers, and symbols), derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details. Answer A is incorrect because it is an attack associated with WAPs announcing their service set identifier (SSID). Answer D is incorrect because DoS attacks are often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website.

20. Answer: D. DoS attacks are often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website. Many fringe service industries, such as online casinos, are regularly targeted with this type of attack. Answer A is incorrect because it is an attack associated with WAPs announcing their service set identifier (SSID). Answers B and C are incorrect; automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity (complexity here meaning a mixture of character case, numbers, and symbols), derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
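The weak-password criteria repeated in answers 13, 19, and 20 (length, character-class mix, dictionary words, personal details) can be turned into a simple checker that flags the same things a cracker's mangling rules exploit. The following Python is an added example, not code from the book; the dictionary, the leetspeak table, and the personal details are constructed sample data, and the 12-character minimum is an assumed policy value.

```python
import string

# Constructed sample dictionary; a real check would load a full wordlist file.
DICTIONARY = {"password", "welcome", "dragon", "summer", "letmein", "qwerty", "monkey"}

# Substitutions attackers try when mangling dictionary words ("p@55w0rd").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed personal details for the sample user: pet name, birth year, family name.
PERSONAL = ["Fluffy", "1998", "Smith"]


def normalize(word: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols, then undo leetspeak.

    "Dr4g0n2024!" -> "dragon", which is what a cracker's mangling rules reverse.
    """
    core = word.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def character_classes(pw: str) -> int:
    """Number of classes present out of lower, upper, digit, symbol."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def assess_password(pw: str, personal: list[str], min_len: int = 12) -> list[str]:
    """Return the weaknesses found; an empty list means none of the checks fired."""
    findings = []
    if len(pw) < min_len:
        findings.append(f"short: {len(pw)} characters, minimum {min_len}")
    if character_classes(pw) < 3:
        findings.append("low complexity: fewer than three character classes")
    base = normalize(pw)
    if base in DICTIONARY:
        findings.append(f"dictionary word: {base!r}")
    low = pw.lower()
    for item in personal:
        raw, token = item.lower(), normalize(item)
        # Match either the literal detail (a birth year) or its mangled form (a pet name).
        if (len(raw) >= 3 and raw in low) or (len(token) >= 3 and token in base):
            findings.append(f"personal information: contains {item!r}")
    return findings


if __name__ == "__main__":
    for candidate in ["Fluffy1998", "Dr4g0n!", "P@55w0rd2024", "correct-Horse-battery-9"]:
        print(f"{candidate:25} {assess_password(candidate, PERSONAL) or 'no findings'}")
```

The normalization step matters more than the character-class count: "P@55w0rd2024" passes a naive complexity rule but is a dictionary word to any cracker that applies substitution rules.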

Objective 2.6: Explain the vulnerabilities and mitigations associated with various transmission media.

1. Answer: C. Data traffic over coaxial network cabling can be intercepted and inspected by an attacker through the use of a vampire tap, which pierces the cable at an arbitrary point and allows direct connection to the data transport wiring. Similar technologies can be applied to modern fiber optic media, allowing interception of data traffic without a detectable presence on the network. Physical access control to areas where network media is exposed is critical to protecting against unauthorized taps. Vampire taps are physical in nature. Answers A, B, and D are incorrect because they are controls that are configured in software and are not physical in nature.

2. Answer: C. Physical access control to the networking closet is critical to protect switched networks against any exposed supervisory ports that can be exploited by an attacker. Although answers A, B, and D are possible methods to control access, if physical access is not secured, the controls will not do any good. Therefore, these answers are incorrect.

3. Answer: A. Before the development of network switches, hubs were commonly used to distribute data packets to endpoint ports. Hubs do not provide data isolation between endpoint ports, allowing any node to observe data traffic to and from all other nodes on the same device. Answer B is incorrect because switches provide data isolation between endpoint ports, not hubs. Answer C is incorrect because routers provide packet forwarding for routable addresses, not hubs. Answer D is incorrect because in port mirroring the switch sends a copy of network packets to a monitoring network connection.

4. Answer: B. Certain types of networking equipment provide attackers with access to inspect network traffic for interception of user credentials, encryption-related traffic, and other forms of sensitive transmitted data. Hubs do not provide data isolation between endpoint ports, allowing any node to observe data traffic to and from all other nodes on the same device. Answer A is incorrect because a network hub is a fairly unsophisticated broadcast device that does not manage any of the traffic that passes through it; a BIOS holds the information necessary to boot a computer, not a hub. Answers C and D are incorrect; hubs operate at Layer 1 (the physical layer) of the OSI model, repeating bits to every port, and know nothing about encryption.

5. Answer: D. Data traffic over coaxial network cabling can be intercepted and inspected by an attacker through the use of a vampire tap, which pierces the cable at an arbitrary point and allows direct connection to the data transport wiring. Similar technologies can be applied to modern fiber-optic media, allowing interception of data traffic without a detectable presence on the network. Answer A is incorrect; good antivirus software will find commercial keyloggers. Answer B is incorrect; there are applications available to find back doors, especially those created by malware. Answer C is incorrect; checks for unauthorized modification of code would prevent logic bombs.

Objective 2.7: Explain the vulnerabilities and implement mitigations associated with wireless networking.

1. Answer: B. Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available Wireless Access Points (WAPs). Turning off this broadcast can reduce the vulnerability of a wireless packet sniffer detecting broadcasts that readily identify a WAP. In this particular instance, the WAP is still not secure, because the SSID is transmitted in plain text in the probe and association frames exchanged whenever a client connects to the network, so hiding it only defeats casual discovery. Answer A is incorrect because WAPs by default do not have encryption enabled. Answer C is incorrect because if physical access is limited, the risk is mitigated. Answer D is incorrect because it describes the characteristics of a hub.

2. Answer: D. 802.11 transmissions generate detectable radio-frequency signals in all directions. Persons wanting to “sniff” the data transmitted over the network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides. Answer A is incorrect because the radio-frequency signals are generated in all directions, not in one direction. Answers B and C are incorrect because data emanation is what allows for the sniffing of the data, not why data emanation is a risk.

3. Answer: C. Without the use of a mandated encryption standard, data transmitted over an 802.11 wireless link may be passed in clear form. Encryption may be layered on top of the link, such as Wired Equivalent Privacy (WEP) or the Advanced Encryption Standard (AES) used by WPA2, but a weak transport cipher such as WEP suffers from the fact that a determined listener can collect enough traffic to recover the key in use. Answers A, B, and D are incorrect because authorization, authentication, and identification are access control methods, not methods to mitigate the exposure of data transmissions.

4. Answer: A, B, C. Wireless communications are susceptible to data emanation, weak encryption, session hijacking, man-in-the-middle attacks, and war-driving. Answer D is incorrect because spam relaying is associated with open SMTP relays in email servers.

5. Answer: C. Because the authentication mechanism is one-way, it is easy for a hijacker to wait until the authentication cycle is completed and then send a forged disconnect signal (a deauthentication or disassociation frame, which carries no authentication of its own unless 802.11w management frame protection is in use) that causes the client to think it has been disconnected from the access point, while at the same time beginning to transmit data traffic pretending to be from the original client. Answers A and D are incorrect; both of those answers deal with authorization, whereas session hijacking exploits authentication. Answer B is incorrect because it is not true that no authentication mechanism exists; it exists but is one-way.

6. Answer: D. The request for connection by the client is an omnidirectional open broadcast. It is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. Answer A is incorrect because the request for connection by the client is an omnidirectional open broadcast. Answers B and C are incorrect; the connection request is made by the client, not the access point.

7. Answer: A. A popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving. Answer B is incorrect because it describes war dialing. Answer C is incorrect because it describes war-chalking. Answer D is incorrect because it describes a hotspot.

8. Answer: C. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details. Answer A is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving. Answer B is incorrect because it describes war dialing. Answer D is incorrect because it describes a hotspot.

9. Answer: B. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer A is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving. Answer C is incorrect because it describes bluesnarfing. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.

10. Answer: C. Although typically benign, attackers use bluejacking to generate messages that appear to be from the device itself. This leads users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is an attack referred to as bluesnarfing. Answer B is incorrect. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer A is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.

11. Answer: B. The 802.11b WLAN specification allows up to 11Mbps wireless connectivity. Answer A is incorrect because 1.5Mbps is a common speed for cable modem and T1 connectivity. Answer C is incorrect because 100Mbps is a common wired LAN data transfer rate. Answer D is incorrect because 19.2Kbps specifies a common modem bandwidth limit.

12. Answer: A. The 802.11b (Wi-Fi) standard uses CSMA/CA (collision avoidance), a variant of the CSMA/CD medium access method used by wired Ethernet; because a radio cannot detect a collision while it is transmitting, wireless stations avoid collisions rather than detect them. Answers B and D are incorrect because both WAP and i-Mode are standards used by mobile devices such as cell phones, pagers, and PDAs and are not used to specify WLAN standards. Answer C is incorrect because Bluetooth is based on a different transmission protocol.

13. Answer: B. The WPA2 standard implements the 802.11i-2004 protocols, and is currently the highest standard for Wi-Fi communication security. Answer A is incorrect because a WAP refers to both handheld devices as well as wireless access points. Answer C is incorrect because WEP2 is a stopgap enhancement to WEP present in some of the early 802.11i drafts. Answer D is incorrect because the WEP standard was proven to be insecure and has been replaced by the newer WPA standards.

14. Answer: D. Data emanation happens because 802.11 transmissions generate detectable radio-frequency signals in all directions. Persons wanting to sniff the data transmitted over the network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringles can) and flying devices overhead to increase detection range without interference from building structures. Answer A is incorrect because without the use of a mandated encryption standard, data transacted over an 802.11 wireless link may be passed in clear form and attackers can take advantage of this weak or nonexistent encryption. Answer B is incorrect because the wireless authentication mechanism is one-way, allowing session hijacking. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving.

15. Answer: B. Because the authentication mechanism is one-way, it is easy for a hijacker to wait until the authentication cycle is completed and then generate a signal to the client that causes the client to think it has been disconnected from the access point, while at the same time beginning to transact data traffic pretending to be the original client. Answer A is incorrect because without the use of a mandated encryption standard, data transacted over an 802.11 wireless link may be passed in clear form, and attackers can take advantage of this weak or nonexistent encryption. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringles can) and flying devices overhead to increase detection range without interference from building structures.

16. Answer: A. Without the use of a mandated encryption standard, data transacted over an 802.11 wireless link may be passed in clear form and attackers can take advantage of this weak or nonexistent encryption. Answer B is incorrect because the wireless authentication mechanism is one-way, allowing session hijacking. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringles can) and flying devices overhead to increase detection range without interference from building structures.

17. Answer: B. Although typically benign, attackers can use bluejacking to generate messages that appear to be from the device itself, leading users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is a more aggressive attack referred to as bluesnarfing. Answer A is incorrect. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer C is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.

18. Answer: C. War-driving is aimed at identification of existing wireless networks, the service set identifier (SSID) used to identify the wireless network, and any known WEP keys. Answer A is incorrect because without the use of a mandated encryption standard, data transacted over an 802.11 wireless link may be passed in clear form and attackers can take advantage of this weak or nonexistent encryption. Answer B is incorrect because the wireless authentication mechanism is one-way, allowing session hijacking. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringles can) and flying devices overhead to increase detection range without interference from building structures.

19. Answer: A. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer B is incorrect. Although typically benign, attackers can use bluejacking to generate messages that appear to be from the device itself, leading users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is a more aggressive attack referred to as bluesnarfing. Answer C is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.

20. Answer: B. Because the request for connection by the client is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. By implementing a rogue AP with stronger signal strength than more remote permanent installations, the attacker can cause a wireless client to preferentially connect to their own stronger nearby connection using the wireless device’s standard roaming handoff mechanism. Answer A is incorrect. Without the use of a mandated encryption standard, data transacted over an 802.11 wireless link may be passed in clear form and attackers can take advantage of this weak or nonexistent encryption. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringles can) and flying devices overhead to increase detection range without interference from building structures.

21. Answer: C. When a client attempts to make an 802.11 connection, the client contacts a wireless access point (AP). The AP authenticates the client through a basic challenge-response exchange (with 802.1X, the AP relays this exchange to a back-end authentication server), and then provides connectivity to a wired network or serves as a bridge to a secondary wireless AP. Answers A and D are incorrect because there is no user interaction in the authentication process. Answer B is incorrect because a hardware token is a security token that is used in multifactor authentication. It has nothing to do with how a client authenticates to a WAP.

22. Answer: A. Newer standards that rotate encryption keys over time, such as the Temporal Key Integrity Protocol (TKIP) and the Wi-Fi Protected Access (WPA/WPA2) standards, help with weak key encryption. Answer B is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringles can) and flying devices overhead to increase detection range without interference from building structures. Answer C is incorrect. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer D is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.11 access points announcing their SSID broadcasts, which is known as war-driving.

23. Answer: A. Wireless Application Environment (WAE) specifies the framework used to develop applications for mobile devices, including cell phones, data pagers, and PDAs. Answers B and C are incorrect. Wireless Session Layer (WSL), Wireless Transport Layer (WTL), and Wireless Transport Layer Security (WTLS) are the specifications that are included in the WAP standard. Answer D is incorrect because specifications for the Wired Equivalent Privacy (WEP) standard are detailed within the original 802.11 (Wi-Fi) specification. This specification details a method of data encryption and authentication that may be used to establish a more secured wireless connection.

24. Answer: D. The Wi-Fi Protected Access (WPA and later WPA2) standards were developed by the Wi-Fi Alliance to replace the WEP protocol while the 802.11i standard was being developed. WPA includes many of the functions of the 802.11i protocol but still relies on the Rivest Cipher 4 (RC4) stream cipher (wrapped in TKIP), which is considered vulnerable to keystream attacks. The later WPA2 standard was certified to include the full 802.11i standard after its final approval. Answers A and B are incorrect because they are encryption standards that are not associated with the Wi-Fi Alliance. Answer C is incorrect because a WAP refers to both handheld devices as well as wireless access points.
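Answers 3, 13, and 24 all state that WEP, and WPA's RC4-based TKIP to a lesser degree, let a listener recover key material from enough captured traffic. The following Python is an added example, not code from the book, showing the simplest form of that weakness: WEP's 24-bit IV is sent in the clear and simply prefixed to the shared key, so two packets under the same IV share one RC4 keystream, and knowing one packet's plaintext (for instance a packet the attacker caused to be sent, or at minimum the fixed LLC/SNAP header of every IP frame) decrypts the other without ever learning the key. The 40-bit key, the IV, and both packet payloads are constructed sample values.

```python
import math
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling plus keystream generation); WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) over plaintext || CRC-32 ICV."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(data, rc4_keystream(iv + shared_key, len(data)))


def wep_decrypt(shared_key: bytes, body: bytes) -> bytes:
    """Legitimate receiver: strip the IV, regenerate the keystream, verify the ICV."""
    iv, ct = body[:3], body[3:]
    data = xor(ct, rc4_keystream(iv + shared_key, len(ct)))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_with_known_prefix(body_a: bytes, body_b: bytes, known_a: bytes) -> bytes:
    """Attacker with no key: two bodies under the same IV share a keystream, so
    C_a XOR P_a over the known bytes yields the keystream, which then strips body_b."""
    if body_a[:3] != body_b[:3]:
        raise ValueError("different IVs, keystreams differ")
    keystream = xor(body_a[3:3 + len(known_a)], known_a)
    return xor(body_b[3:3 + len(keystream)], keystream)


def expected_packets_until_iv_reuse(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * N) random draws before the first repeat among N values."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed sample: a 40-bit key, one IV reused for two packets, and the LLC/SNAP
# header (AA AA 03 00 00 00 08 00) that prefixes every IP frame and is therefore known.
KEY = bytes.fromhex("0102030405")
IV = b"\x00\x00\x01"
SNAP = bytes.fromhex("aaaa030000000800")
PKT_A = wep_encrypt(KEY, IV, SNAP + b"GET /login HTTP/1.0")
PKT_B = wep_encrypt(KEY, IV, SNAP + b"password=hunter2")

if __name__ == "__main__":
    recovered = recover_with_known_prefix(PKT_A, PKT_B, SNAP + b"GET /login HTTP/1.0")
    print("recovered from packet B without the key:", recovered[8:24])
    print("expected packets before an IV repeats: %.0f" % expected_packets_until_iv_reuse())
```

Even with only the eight SNAP bytes known, every observed IV gives the attacker eight bytes of keystream for that IV, and with a 24-bit IV space a busy access point repeats an IV after roughly five thousand packets, which is why the book describes WEP as recoverable from "enough traffic". AES-CCMP in WPA2 has no equivalent shortcut because it never derives the per-packet keystream from a short public value concatenated with the key.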

25. Answer: A. Wireless Session Layer (WSL) is equivalent to the session layer of the Open Systems Interconnection (OSI) model. Based on this information, answers B, C, and D are incorrect.
