Practice Exam 2: CompTIA Security+ SY0-201

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam, and which topics you need to review further. Write down your answers on a separate sheet of paper so that you can take this exam again if necessary. Compare your answers against the answer key that follows this exam.

1. A customer’s computer is using FAT16 as its file system. What file system can you upgrade it to when using the convert command?

A. NTFS

B. HPFS

C. FAT32

D. NFS

2. Which of the following is a benign list of entries?

A. Access control list

B. Blacklist

C. Whitelist

D. Spam list

3. Which of these is an example of social engineering?

A. Asking for a username and password over the phone

B. Using someone else’s unsecured wireless network

C. Hacking into a router

D. Virus

4. Robert needs to access a resource. In the DAC model, what is used to identify him or other users?

A. Roles

B. ACLs

C. MAC

D. Rules

5. To prevent damage to a computer and its peripherals, the computer should be connected to what?

A. Power strip

B. Power inverter

C. AC to DC converter

D. UPS

6. Which device’s log file can show access control lists and who was allowed access and who wasn’t?

A. Firewall

B. PDA

C. Performance Monitor

D. IP proxy

7. Russ is using only documentation to test the security of a system. What type of testing methodology is this known as?

A. Active security analysis

B. Passive security analysis

C. Hybrid security analysis

D. Hands-on security analysis

8. Which of the following is not an advantage of NTFS over FAT32?

A. NTFS supports file encryption.

B. NTFS supports larger file sizes.

C. NTFS supports larger volumes.

D. NTFS supports more file formats.

9. John needs to install a web server that can offer SSL-based encryption. Which of the following ports is required for SSL transactions?

A. Port 80 inbound

B. Port 80 outbound

C. Port 443 inbound

D. Port 443 outbound

10. What is the most common reason that social engineering succeeds?

A. Lack of vulnerability testing

B. People share passwords

C. Lack of auditing

D. Lack of user awareness

11. Where are software firewalls usually located?

A. On routers

B. On servers

C. On clients

D. On every computer

12. Which of the following would not be considered part of a disaster recovery plan?

A. Hot site

B. Patch management software

C. Backing up computers

D. Tape backup

13. Where is the optimal place to have a proxy server?

A. In between two private networks

B. In between a private and a public network

C. In between two public networks

D. On all the servers

14. If a person takes control of a session between a server and a client, it is known as what type of attack?

A. DDoS

B. Smurf

C. Session hijacking

D. Malicious software

15. Rick has a local computer that uses software to generate and store key pairs. What type of PKI implementation is this?

A. Distributed key

B. Centralized

C. Hub and Spoke

D. Decentralized

16. You administer a bulletin board system for a rock and roll band. While reviewing logs for the board, you see one particular IP address posting spam multiple times per day. What is the best way to prevent this type of problem?

A. Block the IP address of the user.

B. Ban the user.

C. Disable ActiveX.

D. Implement CAPTCHA.

17. Making data appear as if it is coming from somewhere other than its original source is known as what?

A. Hacking

B. Phishing

C. Cracking

D. Spoofing

18. Which of the following tools uses ICMP?

A. Ping scanner

B. Port scanner

C. Image scanner

D. Barcode scanner

19. Which of the following types of scanners can locate a rootkit on a computer?

A. Image scanner

B. Barcode scanner

C. Malware scanner

D. Adware scanner

20. Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this?

A. Anomaly-based IDS

B. Signature-based IDS

C. Behavior-based IDS

D. Heuristic-based IDS

21. You are setting up auditing on a Windows XP Professional computer. If set up properly, which log should have entries?

A. Application log

B. System log

C. Security log

D. Maintenance log

22. Which type of malware does not require a user to execute a program to distribute the software?

A. Worm

B. Virus

C. Trojan horse

D. Stealth

23. A company has a high staff attrition rate. What should you as the network administrator do first? (Select the best answer.)

A. Review user permissions and access control lists.

B. Review group policies.

C. Review Performance logs.

D. Review the Application log.

24. Which of the following is not one of the steps of the incident response process?

A. Eradication

B. Recovery

C. Containment

D. Nonrepudiation

25. In which two environments would social engineering attacks be most effective? (Select the two best answers.)

A. Public building with shared office space

B. Company with a dedicated IT staff

C. Locked building

D. Military facility

E. Organization that has IT personnel with little training

26. Two items are needed before a user can be given access to the network. What are these two items? (Select the two best answers.)

A. Authentication and authorization

B. Authorization and identification

C. Identification and authentication

D. Password and authentication

27. Of the following, which is the best way for a person to find out what security holes exist on the network?

A. Run a port scan.

B. Use a network sniffer.

C. Perform a vulnerability assessment.

D. Use an IDS solution.

28. The IT director wants you to use a cryptographic algorithm that cannot be decoded by being reversed. Which of the following would be the best option?

A. Asymmetric

B. Symmetric

C. PKI

D. One-way function

29. Of the following definitions, which would be an example of eavesdropping?

A. Overhearing parts of a conversation

B. Monitoring network traffic

C. Another person looking through your files

D. A computer capturing information from a sender

30. Which of the following concepts does the Diffie-Hellman algorithm rely on?

A. Usernames and passwords

B. VPN tunneling

C. Biometrics

D. Key exchange

31. Which of the following is usually used with L2TP?

A. IPSec

B. SSH

C. PHP

D. SHA

32. Of the following, which best describes the difference between RADIUS and TACACS?

A. RADIUS is a remote access authentication service.

B. RADIUS separates authentication, authorization, and auditing capabilities.

C. TACACS is a remote access authentication service.

D. TACACS separates authentication, authorization, and auditing capabilities.

33. What is the most commonly seen security risk of using coaxial cable?

A. Data that emanates from the core of the cable

B. Crosstalk between the different wires

C. Chromatic dispersion

D. Time domain reflection

34. Heaps and stacks can be affected by which of the following attacks?

A. Buffer overflows

B. Rootkits

C. SQL injection

D. Cross-site scripting

35. As part of your user awareness training, you recommend that users remove which of the following when they are done accessing the Internet?

A. Instant messaging

B. Cookies

C. Group policies

D. Temporary files

36. Which of these is not considered to be an in-line device?

A. Firewall

B. Router

C. CSU/DSU

D. HIDS

37. Your company expects its employees to behave in a certain way. How could a description of this behavior be documented?

A. Code of ethics

B. Chain of custody

C. Separation of duties

D. Acceptable use policy

38. What is the main purpose of a physical access log?

A. To enable authorized employee access

B. To show who exited the facility

C. To show who entered the facility

D. To prevent unauthorized employee access

39. After using NMAP to do a port scan of your server, you find that several ports are open. Which of the following should you do next?

A. Leave the ports open and monitor them for malicious attacks.

B. Run the port scan again.

C. Close all ports.

D. Examine the services and/or processes that use those ports.

40. You have established a baseline for your server. Which of the following is the best tool to use to monitor any changes to that baseline?

A. Performance monitor

B. Antispyware

C. Antivirus software

D. Vulnerability assessment software

41. Which of the following factors should you consider when evaluating an asset of a company? (Select the two best answers.)

A. Its value to the company

B. Its replacement cost

C. Where it was purchased

D. Its salvage value

42. What ensures that a CRL is authentic and has not been modified?

A. The CRL can be accessed by anyone.

B. The CRL is digitally signed by the CA.

C. The CRL is always authentic.

D. The CRL is encrypted by the CA.

43. Your company has 1,000 users. Which of the following password management systems will work best for your company?

A. Multiple access methods

B. Synchronize passwords

C. Historical passwords

D. Self-service password resetting

44. You are using the following backup scheme. A full backup is made every Friday night at 6 P.M. Differential backups are made every other night at 6 P.M. Your database server fails on Thursday afternoon at 4 P.M. How many tapes will you need to restore the database server?

A. One

B. Two

C. Three

D. Four

45. What is the most common problem with UTP cable?

A. Crosstalk

B. Data emanation

C. Chromatic dispersion

D. Vampire tapping

46. What two security precautions can best help to protect against wireless network attacks?

A. Authentication and WEP

B. Access control lists and WEP

C. Identification and WPA2

D. Authentication and WPA

47. In what way can you gather information from a remote printer?

A. HTTP

B. SNMP

C. CA

D. SMTP

48. Which of the following will an Internet filtering appliance analyze? (Select the three best answers.)

A. Content

B. Certificates

C. Certificate revocation lists

D. URLs

49. You are a forensics investigator. What is the most important reason for you to verify the integrity of acquired data?

A. To ensure that the data has not been tampered with

B. To ensure that a virus cannot be copied to the target media

C. To ensure that the acquired data is up-to-date

D. To ensure that the source data will fit on the target media

50. Which of the following is the proper order of functions for asymmetric keys?

A. Decrypt, validate, and code and verify

B. Sign, encrypt, decrypt, and verify

C. Encrypt, sign, decrypt, and verify

D. Decrypt, decipher, and code and encrypt

51. Which of the following is not a common criterion when authenticating users?

A. Something you do

B. Something you are

C. Something you know

D. Something you like

52. What does steganography replace in graphic files?

A. The least significant bit of each byte

B. The most significant bit of each byte

C. The least significant byte of each bit

D. The most significant byte of each bit

53. Of the following, what is the worst place to store a backup tape?

A. Near a bundle of fiber-optic cables

B. Near a power line

C. Near a server

D. Near an LCD screen

54. Critical equipment should always be able to get power. What is the correct order of devices that your critical equipment should draw power from?

A. Generator, line conditioner, UPS battery

B. Line conditioner, UPS battery, generator

C. Generator, UPS battery, line conditioner

D. Line conditioner, generator, UPS battery

55. In a discretionary access control model, who is in charge of setting permissions to a resource?

A. Owner of the resource

B. Administrator

C. Any user of the computer

D. Administrator and the owner

56. Jason needs to add several users to a group. Which of the following can help him to get the job done faster?

A. Propagation

B. Inheritance

C. Template

D. Access control lists

57. Michael has just completed monitoring and analyzing a web server. Which of the following indicates that the server might have been compromised?

A. The web server is sending hundreds of UDP packets.

B. The web server has a dozen connections to inbound port 80.

C. The web server has a dozen connections to inbound port 443.

D. The web server is showing a drop in CPU access speed and hard disk access speed.

58. Which of the following is a vulnerability assessment tool?

A. John the Ripper

B. AirSnort

C. Nessus

D. Cain & Abel

59. Which of the following can determine which flags are set in a TCP/IP handshake?

A. Protocol analyzer

B. Port scanner

C. SYN/ACK

D. Performance monitor

60. You are a consultant for an IT company. Your boss asks you to determine the topology of the network. What is the best device to use in this circumstance?

A. Network mapper

B. Protocol analyzer

C. Port scanner

D. Vulnerability scanner

61. Whitelisting, blacklisting, and closing open relays are all mitigation techniques addressing what kind of threat?

A. Spyware

B. Spam

C. Viruses

D. Botnets

62. Which of the following enables a hacker to float a domain registration for a maximum of 5 days?

A. Kiting

B. DNS poisoning

C. Domain hijacking

D. Spoofing

63. From the following, select the best definition for ARP.

A. Resolves IP addresses to DNS names

B. Resolves IP addresses to hostnames

C. Resolves IP addresses to MAC addresses

D. Resolves IP addresses to DNS addresses

64. How are permissions defined in the mandatory access control model?

A. Access control lists

B. User roles

C. Defined by the user

D. Predefined access privileges

65. Which of the following cables suffers from chromatic dispersion if the cable is too long?

A. Twisted-pair cable

B. Fiber optic cable

C. Coaxial cable

D. USB cables

66. Which of the following is the most basic form of IDS?

A. Anomaly based

B. Behavioral-based

C. Signature-based

D. Statistical-based

67. Which of the following encryption concepts is PKI based on?

A. Asymmetric

B. Symmetric

C. Elliptical curve

D. Quantum

68. Of the following, which type of fire suppression can prevent damage to computers and servers?

A. Class A

B. Water

C. CO2

D. Halon

69. You are in charge of PKI certificates. What should you implement so that stolen certificates cannot be used?

A. CRL

B. CAD

C. CA

D. CRT

70. You are the security administrator for your organization. You have just identified a malware incident. What should be your first response?

A. Containment

B. Removal

C. Recovery

D. Monitoring

71. Which of the following deals with the standard load for a server?

A. Patch management

B. Group policy

C. Port scanning

D. Configuration baseline

72. Which of the following cable media is the least susceptible to a tap?

A. Coaxial cable

B. Twisted-pair cable

C. Fiber-optic cable

D. CATV cable

73. Which of the following would lower the level of password security?

A. After a set number of failed attempts, the server will lock the user out, forcing them to call the administrator to reenable their account.

B. Passwords must be greater than eight characters and contain at least one special character.

C. All passwords are set to expire after 30 days.

D. Complex passwords that users cannot change are randomly generated by the administrator.

74. Which of the following are certificate-based authentication mapping schemes? (Select the two best answers.)

A. One-to-many mapping

B. One-to-one mapping

C. Many-to-many mapping

D. Many-to-one mapping

75. Of the following access control models, which use object labels?

A. Discretionary access control

B. Role-based access control

C. Rule-based access control

D. Mandatory access control

76. What is the best way to test the integrity of a company’s backed up data?

A. Conduct another backup.

B. Use software to recover deleted files.

C. Review written procedures.

D. Restore part of the backup.

77. Which of the following should be placed between the LAN and the Internet?

A. DMZ

B. HIDS

C. Domain controller

D. Extranet

78. Which of the following, when removed, will increase the security of a wireless access point?

A. MAC filtering

B. SSID

C. WPA

D. Firewall

79. Of the following, what two authentication mechanisms require something you physically possess? (Select the two best answers.)

A. Smart card

B. Certificate

C. USB flash drive

D. Username and password

80. Which of the following network protocols sends data between two computers while utilizing a secure channel?

A. SSH

B. SMTP

C. SNMP

D. P2P

81. What is the greatest risk of a virtual computer?

A. If a virtual computer fails, all other virtual computers immediately go offline.

B. If a virtual computer fails, the physical server goes offline.

C. If the physical server fails, all other physical servers immediately go offline.

D. If the physical server fails, all the virtual computers immediately go offline.

82. Of the following, which is a collection of servers that was set up to attract hackers?

A. DMZ

B. Honeypot

C. Honeynet

D. VLAN

83. Which of the following is the final step a user needs to take before that user can access domain resources?

A. Verification

B. Validation

C. Authorization

D. Authentication

84. Your company has six web servers. You are implementing load-balancing. What is this an example of?

A. UPS

B. Redundant servers

C. RAID

D. A warm site

85. The term Java Applet is best described by which of the following?

A. It increases the usability of web-enabled systems.

B. It is a programming language.

C. A web browser must have the capability to run Java applets.

D. It uses digital signatures for authentication.

86. You have three e-mail servers. What is it called when one server forwards e-mail to another?

A. SMTP relay

B. Buffer overflows

C. POP3

D. Cookies

87. How do most network-based viruses spread?

A. By CD and DVD

B. Through e-mail

C. By USB flash drive

D. By floppy disk

88. To gain access to your network, users must provide a thumbprint, username, and password. What type of authentication model is this?

A. Biometrics

B. Domain logon

C. Multifactor

D. Single sign-on

89. The IT director has asked you to set up an authentication model where users can enter their credentials one time, yet still access multiple server resources. What type of authentication model should you implement?

A. Smart card and biometrics

B. Three-factor authentication

C. SSO

D. VPN

90. A man pretending to be a data communications repair technician enters your building and states that there is networking trouble and he needs access to the server room. What is this an example of?

A. A man-in-the-middle attack

B. A virus

C. Social engineering

D. Chain of custody

91. Which of the following about authentication is false?

A. RADIUS is a client/server system that provides authentication, authorization, and accounting services.

B. PAP is insecure because usernames and passwords are sent as clear text.

C. MS-CHAPv1 is capable of mutual authentication of the client and server.

D. CHAP is more secure than PAP because it encrypts usernames and passwords.

92. Which of the following methods could identify when an unauthorized access has occurred?

A. Two factor authentication

B. Session termination

C. Previous logon notification

D. Session lock

93. Your boss wants you to properly log what happens on a database server. What are the most important concepts to think about while you do so? (Select the two best answers.)

A. The amount of virtual memory that you will allocate for this task

B. The amount of disk space you will require

C. The information that will be needed to reconstruct events later

D. Group policy information

94. Which of the following can enable you to find all the open ports on an entire network?

A. Protocol analyzer

B. Network scanner

C. Firewall

D. Performance monitor

95. Which of the following is the best practice to implement when securing log files?

A. Log all failed and successful login attempts.

B. Deny administrators access to log files.

C. Copy the logs to a remote log server.

D. Increase security settings for administrators.

96. What do hackers use malicious port scanning to accomplish?

A. The “fingerprint” of the operating system

B. The topology of the network

C. All the computer names on the network

D. All the usernames and passwords

97. Many companies send passwords via clear text. Which of the following can be used to view these passwords?

A. Rainbow table

B. Port scanner

C. John the Ripper

D. Protocol analyzer

98. What does it mean if a hashing algorithm creates the same hash for two different downloads?

A. A hash is not encrypted.

B. A hashing chain has occurred.

C. A one-way hash has occurred.

D. A collision has occurred.

99. What would you use to control the traffic allowed in or out of a network? (Select the best answer.)

A. Access control lists

B. Firewall

C. Address resolution protocol

D. Discretionary access control

100. Which one of the following, originally used for ease of administration, can be the victim of a malicious attack?

A. Zombies

B. Backdoors

C. Buffer overflow

D. Group policy

Answers to Practice Exam 2

Answers at a Glance

1. A

2. C

3. A

4. B

5. D

6. A

7. B

8. D

9. C

10. D

11. C

12. B

13. B

14. C

15. D

16. D

17. D

18. A

19. C

20. B

21. C

22. A

23. A

24. D

25. A and E

26. C

27. C

28. D

29. A

30. D

31. A

32. D

33. A

34. A

35. B

36. D

37. A

38. C

39. D

40. A

41. A and B

42. B

43. D

44. B

45. A

46. D

47. B

48. A, B, and D

49. A

50. C

51. D

52. A

53. B

54. B

55. A

56. C

57. D

58. C

59. A

60. A

61. B

62. A

63. C

64. D

65. B

66. C

67. A

68. C

69. A

70. A

71. D

72. C

73. D

74. B and D

75. D

76. D

77. A

78. B

79. A and C

80. A

81. D

82. C

83. C

84. B

85. C

86. A

87. B

88. C

89. C

90. C

91. C

92. C

93. B and C

94. B

95. C

96. A

97. D

98. D

99. A

100. B

Answers with Explanations

  1. Answer: A. The convert command is used to upgrade FAT and FAT32 volumes to the more secure NTFS without loss of data. HPFS is the High Performance File System developed by IBM, and not used by Windows. NFS is the Network File System, something you would see in a storage area network. See the section titled “Hardening Operating Systems” in Chapter 3, “OS Hardening and Virtualization,” for more information.
  2. Answer: C. A whitelist is a trusted list, usually concerning e-mail addresses. A blacklist is a list of entries that are denied access. An access control list (ACL) defines what levels of access particular users and groups have. A spam list could be considered a blacklist as well. See the section titled “Rights, Permissions and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
  3. Answer: A. Social engineering is the practice of obtaining confidential information by manipulating people. Using someone else’s network is just theft. Hacking into a router is just that, hacking. And a virus is a self-spreading program that may or may not cause damage to files and applications. See the section titled “Social Engineering” within Chapter 15, “Policies, Procedures, and People,” for more information.
  4. Answer: B. Access control lists (ACL) are used in the Discretionary Access Control model. This is different from role-based, rule-based, and MAC (Mandatory Access Control) models. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
  5. Answer: D. A UPS (uninterruptible power supply) protects computer equipment against surges, spikes, sags, brownouts, and blackouts. Power strips, unlike surge protectors, do not protect against surges. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
  6. Answer: A. A firewall contains one or more access control lists (ACL) defining who is allowed access to the network. The firewall also shows attempts at access and whether they succeeded or failed. A personal digital assistant (PDA) might list who called or e-mailed, but as of the writing of this book does not use ACLs. Performance Monitor analyzes the performance of a computer, and an IP proxy deals with network address translation, hiding many private IP addresses behind one public address. Although the function of an IP proxy is often built into a firewall, the best answer would be firewall. See the section titled “Firewalls and Network Security” in Chapter 6, “Network Perimeter Security,” for more information.
  7. Answer: B. Passive security analysis or passive security testing would be one that possibly does not include a hands-on test. It is less tangible and often includes the use of documentation only. To better protect a system or network, you should also use active security analysis. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
  8. Answer: D. NTFS and FAT32 support the same number of file formats. See the section titled “Hardening Operating Systems” within Chapter 3, “OS Hardening and Virtualization,” for more information.
  9. Answer: C. For clients to connect to the server via SSL, the server must have inbound port 443 open. The outbound ports on the server are of little consequence for this concept, and inbound port 80 is used by HTTP. See the section titled “Ports, Protocols, and Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
  10. Answer: D. User awareness is extremely important when attempting to defend against social engineering attacks. Vulnerability testing and auditing are definitely important as part of a complete security plan, but will not necessarily help defend against social engineering, and definitely not as much as user awareness training. People should not share passwords. See the section titled “Social Engineering” in Chapter 15, “Policies, Procedures, and People,” for more information.
  11. Answer: C. Software-based firewalls, such as the Windows Firewall, are normally running on the client computers. Though a software-based firewall could also be run on a server, it is not as common. Also, a SOHO router might have a built-in firewall, but not all routers will have firewalls. See the section titled “Firewalls and Network Security” within Chapter 6, “Network Perimeter Security,” for more information.
  12. Answer: B. Patching a system is part of the normal maintenance of a computer. In the case of a disaster to a particular computer, the computer’s OS and latest service pack would have to be reinstalled. The same would be true in the case of a disaster to a larger area, such as the building. Hot sites, backing up computers, and tape backup are all components of a disaster recovery plan. See the section titled “Disaster Recovery Planning and Procedures” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
  13. Answer: B. Proxy servers should normally be between the private and the public network. This way, they can act as a go-between for all the computers located on the private network. This applies especially to IP proxy servers but might also include HTTP proxy servers. See the section titled “Firewalls and Network Security” in Chapter 6, “Network Perimeter Security,” for more information.
  14. Answer: C. Session hijacking (or TCP/IP hijacking) is when an unwanted mediator takes control of the session between a client and a server (for example, an FTP or HTTP session). See the section titled “Ports, Protocols, and Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
  15. Answer: D. When creating key pairs, PKI has two methods: centralized and decentralized. Centralized is when keys are generated at a central server and are transmitted to hosts. Decentralized is when keys are generated and stored on a local computer system for use by that system. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
  16. Answer: D. By implementing CAPTCHA, another level of security is added that users have to complete before they can register to and/or post to a bulletin board. Although banning a user or the user’s IP address can help to eliminate that particular person from spamming the site, the best way is to add another level of security such as CAPTCHA. This applies to all persons who attempt to attack the bulletin board. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
  17. Answer: D. Spoofing is when a malicious user makes data or e-mail appear to be coming from somewhere else. See the section titled “Ports, Protocols, and Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
  18. Answer: A. A ping scanner uses the Internet Control Message Protocol (ICMP) to conduct its scans. Ping uses ICMP as its underlying protocol, along with IP and ARP. Image scanners are found in printers and as standalone items that scan images, photos, and text into a computer. Barcode scanners scan barcodes, for example at the supermarket. See the section titled “Firewalls and Network Security” in Chapter 6, “Network Perimeter Security,” for more information.
  19. Answer: C. Malware scanners can locate rootkits and other types of malware. These types of scanners are often found in antimalware software from manufacturers such as McAfee, Norton, Viper, and so on. Adware scanners (quite often free) only scan for adware. Always have some kind of antimalware software running on live client computers! See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
  20. Answer: B. When using an IDS, matching particular types of traffic patterns refers to a signature-based IDS. See the section titled “NIDS Versus NIPS” in Chapter 6, “Network Perimeter Security,” and “Monitoring Methodologies” in Chapter 11, “Monitoring and Auditing,” for more information.
  21. Answer: C. After Auditing is turned on and specific resources are configured for auditing, you need to check the Event Viewer’s Security log for the entries. These could be successful logons or misfired attempts at deleting files; there are literally hundreds of options. The Application log contains errors, warnings, and informational entries about applications. The System log deals with drivers, system files, and so on. A maintenance log can be used to record routine maintenance procedures. See the section titled “Conducting Audits” in Chapter 11, “Monitoring and Auditing,” for more information.
  22. Answer: A. Worms self-replicate and do not require a user to execute a program to distribute the software across networks. All the other answers do require user intervention. Stealth refers to a type of virus. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
  23. Answer: A. The first thing an administrator should do when he notices that the company has a high attrition rate is to conduct a thorough review of user permissions, rights, and access control lists. A review of group policies might also be necessary but is not as imperative. Performance logs and the Application log will probably not pertain to the fact that the company has a lot of employees being hired and leaving the company. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
  24. Answer: D. Nonrepudiation, although an important part of security, is not part of the incident response process. Eradication, containment, and recovery are all parts of the incident response process. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
  25. Answer: A and E. Public buildings, shared office space, and companies with employees that have little training are all environments where social engineering attacks are common and would be most successful. See the section titled “Social Engineering” in Chapter 15, “Policies, Procedures, and People,” for more information.
  26. Answer: C. Before a user can be given access to the network, the network needs to identify them and authenticate them. Later users may be authorized to use particular resources on the network. Part of the authentication scheme may include a username and password. This would be known as an access control method. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
  27. Answer: C. The best way to find all the security holes that exist on a network is to perform a vulnerability assessment. This may include using a port scanner and a network sniffer and perhaps using some sort of IDS. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
  28. Answer: D. In cryptography, the one-way function is one option of an algorithm that cannot be reversed in an attempt to decode data. See the section titled “Cryptography Concepts” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
  29. Answer: A. Eavesdropping is when someone is listening to a conversation that she is not part of. A security administrator should keep in mind that someone could always be listening and try to protect against this. See the section titled “Social Engineering” in Chapter 15, “Policies, Procedures, and People,” for more information.
  30. Answer: D. The Diffie-Hellman algorithm relies on key exchange before data can be sent. Usernames and passwords are considered a type of authentication. VPN tunneling is done to connect a remote client to a network. Biometrics is the science of identifying a person by one of his physical attributes. See the section titled “Encryption Algorithms” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
  31. Answer: A. IPSec is usually used with L2TP. SSH is a more secure way of connecting to remote computers. PHP is a type of language commonly used on the web. SHA is a type of hashing algorithm. See the section titled “Security Protocols” in Chapter 13, “PKI and Encryption Protocols,” for more information.
  32. Answer: D. Unlike RADIUS, TACACS separates authentication, authorization, and auditing capabilities. The other three answers are incorrect and are not differences between RADIUS and TACACS. See the section titled “Security Protocols” in Chapter 13, “PKI and Encryption Protocols,” for more information.
  33. Answer: A. Coaxial cable suffers from the emanation of data from the core of the cable, which can be accessed. Crosstalk occurs on twisted-pair cable. Chromatic dispersion occurs on fiber optic cable. Time domain reflection is a concept used by a TDR. See the section titled “Securing Wired Networks and Devices” in Chapter 7, “Securing Network Media and Devices,” for more information.
  34. Answer: A. Stacks and heaps are data structures that can be affected by buffer overflows. Value types are stored in a stack, whereas reference types are stored in a heap. A good coder will try to keep these running efficiently. See the section titled “Securing Other Applications” in Chapter 4, “Application Security,” for more information.
  35. Answer: B. The best answer is cookies. Cookies can be used for authentication and session tracking and can be read as plain text. They can be used by spyware and can track people without their permission. It is also wise to delete temporary Internet files as opposed to temporary files. See the section titled “Securing the Browser” in Chapter 4, “Application Security,” for more information.
  36. Answer: D. HIDS, or host-based intrusion detection systems, are not considered to be an inline device. This is because they run on an individual computer. Firewalls, routers, and CSU/DSUs are inline devices. See the section titled “Implementing Security Applications” in Chapter 2, “Computer Systems Security,” for more information.
  37. Answer: A. The code of ethics describes how a company wants its employees to behave. A chain of custody is a legal and chronological paper trail. Separation of duties means that more than one person is required to complete a job. Acceptable use policy is a set of rules that restrict how a network or a computer system may be used. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
  38. Answer: C. A physical access log’s main purpose is to show who entered the facility and when. Different access control and authentication models will be used to enable or prevent employee access. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
  39. Answer: D. If you find ports open that you don’t expect, be sure to examine the services and/or processes that use those ports. You may have to close some or all of those ports. When you finish with your examination, and after you have taken action, run the port scan again to verify that those ports are closed. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
  40. Answer: A. Performance monitoring software can be used to create a baseline and monitor for any changes to that baseline. An example of this would be the Performance console within Windows Server 2003. See the section titled “Using Tools to Monitor Systems and Networks” in Chapter 11, “Monitoring and Auditing,” for more information.
  41. Answer: A and B. When evaluating assets of a company, it is important to know the replacement cost of those assets and the value of the assets to the company. If the assets were lost or stolen, the salvage value is not important, and although you may want to know where the assets were purchased from, it is not one of the best answers. See the section titled “Disaster Recovery Planning and Procedures” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
  42. Answer: B. Certificate revocation lists or CRLs are digitally signed by the certificate authority for security purposes. If a certificate is compromised, it will be revoked and placed on the CRL. CRLs are later generated and published periodically. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
  43. Answer: D. It would be difficult for administrators to deal with thousands of users’ passwords; therefore, the best management system for a company with 1,000 users would be self-service password resetting. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
  44. Answer: B. You need two tapes to restore the database server, the full backup tape made on Friday and the differential backup tape made on Wednesday. Only the last differential tape is needed. When restoring the database server, the technician must remember to start with the full backup tape. See the section titled “Disaster Recovery Planning and Procedures” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
  45. Answer: A. Of the listed answers, crosstalk is the most common problem with UTP cable. Although data emanation can be a problem with UTP cable, it is more common with coaxial cable, as is vampire tapping. Chromatic dispersion is a problem with fiber optic cable. See the section titled “Securing Wired Networks and Devices” in Chapter 7, “Securing Network Media and Devices,” for more information.
  46. Answer: D. The best two security precautions are authentication and WPA. Although WPA2 is more secure than WPA, the term identification is not correct. WEP is a deprecated wireless encryption protocol and should be avoided. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
  47. Answer: B. SNMP (Simple Network Management Protocol) enables you to gather information from a remote printer. HTTP is the hypertext transfer protocol that deals with the transfer of web pages. A CA is a certificate authority, and SMTP is the Simple Mail Transfer Protocol. See the section titled “Using Tools to Monitor Systems and Networks” in Chapter 11, “Monitoring and Auditing,” for more information.
  48. Answer: A, B, and D. Internet filtering appliances will analyze just about all the data that comes through. However, certificate revocation lists will most likely not be analyzed. Remember that CRLs are published only periodically. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
  49. Answer: A. Before analyzing any acquired data, you want to make sure that the data has not been tampered with, so you should verify the integrity of the acquired data before analysis. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
  50. Answer: C. The proper order of functions for asymmetric keys is as follows: encrypt, sign, decrypt, and verify. See the section titled “Cryptography Concepts” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
  51. Answer: D. Common criteria when authenticating users includes something you do, something you are, something you know, and something you have. A person’s likes and dislikes are not common criteria, although they may be asked as secondary questions when logging into a system. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
  52. Answer: A. Steganography replaces the least significant bit of each byte. It would be impossible to replace a byte of each bit, because a byte is larger than a bit; a byte is eight bits. See the section titled “Cryptography Concepts” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
  53. Answer: B. Backup tapes should be kept away from power sources including power lines, CRT monitors, speakers, and so on. An admin should keep backup tapes away from sources that might emit EMI. LCD screens, servers, and fiber optic cables have low EMI emissions. See the section titled “Disaster Recovery Planning and Procedures” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
  54. Answer: B. The line conditioner is constantly serving critical equipment with clean power. It should be first and should always be on. The UPS battery should kick in only if there is a power outage. Finally, the generator should kick in only when the UPS battery is about to run out of power. Quite often, the line conditioner and UPS battery will be the same device. However, the line conditioner function will always be used, but the battery comes into play only when there is a power outage, or brownout. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
  55. Answer: A. In the discretionary access control model (DAC), the owner of the resource is in charge of setting permissions. In a mandatory access control (MAC) model, the administrator is in charge. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
  56. Answer: C. By using a template, you can add many users to a group at one time simply by applying the template to the users. Propagation and inheritance deal with how permissions are exchanged between parent folders and subfolders. Access control lists show who was allowed access to a particular resource. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
  57. Answer: D. If the web server is showing a drop in processor and hard disk access speed, it might have been compromised. Further analysis and comparison to a pre-existing baseline would be necessary. All the other answers are common for a web server. See the section titled “Using Tools to Monitor Systems and Networks” in Chapter 11, “Monitoring and Auditing,” for more information.
  58. Answer: C. Nessus is a vulnerability assessment tool. AirSnort is used to crack wireless encryption codes. John the Ripper and Cain & Abel are password cracking programs. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
  59. Answer: A. A protocol analyzer can look inside of the packets that make up a TCP/IP handshake. Information that can be viewed includes SYN, which is synchronize sequence numbers, and ACK, which is acknowledgment field significant. Port scanners and performance monitor do not have the capability to view flags set in a TCP/IP handshake, nor can they look inside of packets in general. See the section titled “Using Tools to Monitor Systems and Networks” in Chapter 11, “Monitoring and Auditing,” for more information.
  60. Answer: A. A network mapper is the best tool to use to determine the topology of the network and to find out what devices and computers reside on that network. An example of this would be LAN Surveyor. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
  61. Answer: B. Closing open relays, whitelisting, and blacklisting are all mitigation techniques that address spam. Spam e-mail is a serious problem for all companies and must be filtered as much as possible. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.
  62. Answer: A. Kiting is the practice of monopolizing domain names without paying for them. Newly registered domain names can be canceled with a full refund during an initial 5-day window, which is known as an AGP, or add grace period. See the section titled “Ports, Protocols, and Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
  63. Answer: C. The address resolution protocol, or ARP, resolves IP addresses to MAC addresses. DNS resolves from IP addresses to hostnames or domain names, and vice versa. RARP resolves MAC addresses to IP addresses. See the section titled “Ports, Protocols, and Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
  64. Answer: D. The mandatory access control model uses predefined access privileges to define which users have permission to resources. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
  65. Answer: B. Fiber optic cable is the only one listed that might suffer from chromatic dispersion because it is the only cable based on light. All the other answers are based on electricity. See the section titled “Securing Wired Networks and Devices” in Chapter 7, “Securing Network Media and Devices,” for more information.
  66. Answer: C. Signature-based IDS is the most basic form of intrusion detection system (IDS). This monitors packets on the network and compares them against a database of signatures. Anomaly-based, behavioral-based, and statistical-based are all more complex forms of IDS. See the section titled “Monitoring Methodologies” in Chapter 11, “Monitoring and Auditing,” for more information.
  67. Answer: A. The public key infrastructure, or PKI, is based on the asymmetric encryption concept. Symmetric, elliptical curve, and quantum are all different encryption schemes that PKI does not use. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
  68. Answer: C. CO2 is the best answer because it displaces oxygen; fire needs oxygen; without it the fire will go out. CO2 is the only answer that will not damage computers because it is a gas. All the others have substances that can damage computers. See the section titled “Environmental Controls” in Chapter 15, “Policies, Procedures, and People,” for more information.
  69. Answer: A. You should implement a certificate revocation list or CRL so that stolen certificates cannot be used. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
  70. Answer: A. Most organizations’ incident response procedures specify that containment of the malware incident should be first. Next would be the removal, then recovery of any damaged systems, and finally monitoring, which should be going on at all times. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
  71. Answer: D. A configuration baseline deals with the standard load of a server. By measuring the traffic that passes through the server’s network adapter, you can create a configuration baseline over time. See the section titled “Using Tools to Monitor Systems and Networks” in Chapter 11, “Monitoring and Auditing,” for more information.
  72. Answer: C. Fiber-optic cable is the least susceptible to a tap because it operates on the principle of light as opposed to electricity. All the other answers suffer from data emanation because they are all copper-based. See the section titled “Securing Wired Networks and Devices” in Chapter 7, “Securing Network Media and Devices,” for more information.
  73. Answer: D. To have a secure password scheme, passwords should be changed by the user. They should not be generated by the administrator. All the other answers would increase the level of password security. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
  74. Answer: B and D. When dealing with certificate authentication, asymmetric systems use one-to-one mappings and many-to-one mappings. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
  75. Answer: D. The mandatory access control (MAC) model uses object and subject labels; DAC and RBAC do not. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
  76. Answer: D. The best way to test the integrity of backed up data is to restore part of that backup. Conducting another backup will tell you whether the backup procedure is working properly; if necessary after testing the integrity of the backup and after the restore, a person might need to use software to recover deleted files. It’s always important to review written procedures and amend them if needed. See the section titled “Disaster Recovery Planning and Procedures” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
  77. Answer: A. A demilitarized zone, or DMZ, should be placed between the LAN and the Internet. In many cases it will be part of a three-leg firewall scheme. Host-based intrusion detection systems are placed on an individual computer, usually within the LAN. Domain controllers should be protected and are normally on the LAN as well. An extranet can include parts of the Internet and parts of one or more LANs; normally it connects two companies utilizing the power of the Internet. See the section titled “Network Design” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
  78. Answer: B. By removing the security set identifier, or SSID, the wireless access point will be more secure and it will be tougher for wardrivers to access that network. Of course, no new clients can connect to the wireless access point. MAC filtering, WPA, and firewalls are all components that increase the security of a wireless access point. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
  79. Answer: A and C. Two of the authentication mechanisms that require something you physically possess include smart cards and USB flash drives. Key fobs and card keys would also be part of this category. Certificates are granted from a server and are stored on a computer as software. The username/password mechanism is a common authentication scheme, but they are something that you type and not something that you physically possess. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
  80. Answer: A. SSH, or Secure Shell, enables two computers to send data via a secure channel. SMTP is the Simple Mail Transfer Protocol, which deals with e-mail. SNMP is the Simple Network Management Protocol, which enables the monitoring of remote systems. P2P is the abbreviated version of peer-to-peer network. See the section titled “Security Protocols” in Chapter 13, “PKI and Encryption Protocols,” for more information.
  81. Answer: D. The biggest risk of running a virtual computer is that it will go offline immediately if the server that it is housed on fails. All other virtual computers on that particular server will also go offline immediately. See the section titled “Virtualization Technology” in Chapter 3, “OS Hardening and Virtualization,” for more information.
  82. Answer: C. A honeynet is a collection of servers that is set up to attract hackers. A honeypot is usually one computer or one server that has the same purpose. A DMZ is the demilitarized zone, which is in between the LAN and the Internet. A VLAN is a virtual LAN. See the section titled “Network Design” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
  83. Answer: C. Before a user can gain access to domain resources, the final step is to be authorized to those resources. Previously the user should have provided identification to be authenticated. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
  84. Answer: B. Load balancing is a method used when you have redundant servers. In this case, the six web servers will serve data equally to users. The UPS is an uninterruptible power supply, and RAID is a redundant array of inexpensive disks. A warm site is a secondary site that a company can use in the case of a disaster that can be up and running within a few hours or a day. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
  85. Answer: C. To run Java applets, a web browser must have that option enabled. Java itself is what increases the usability of web-enabled systems, and Java is a programming language. It does not use digital signatures for authentication. See the section titled “Securing the Browser” in Chapter 4, “Application Security,” for more information.
  86. Answer: A. The SMTP relay is when one server forwards e-mail to other e-mail servers. Buffer overflows are attacks that can be perpetrated on web pages. POP3 is another type of e-mail protocol, and cookies are small text files stored on the client computer that remember information about the computer’s session with a website. See the section titled “Network Design” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
  87. Answer: B. E-mail is the number one reason why network-based viruses spread. All a person needs to do is double-click the attachment within the e-mail and the virus will do its thing, which is most likely to spread through the user’s address book. Removable media such as CDs, DVDs, USB flash drives, and floppy disks can spread viruses, but they are not nearly as common as e-mail. See the sections titled “Computer Systems Security Threats” and “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
  88. Answer: C. Multifactor authentication means that the user must provide two different types of identification. The thumbprint is an example of biometrics. Username and password are an example of a domain logon. Single sign-on would be only one type of authentication that enables the user access to multiple resources. See the sections titled “Authentication Models and Components” and “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
  89. Answer: C. Single sign-on or SSO enables users to access multiple servers and multiple resources while entering their credentials only one time. The type of authentication can vary but will generally be a user name and password. Smart cards and biometrics are examples of two-factor authentication. VPN is short for virtual private network. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
  90. Answer: C. Any person pretending to be a data communications repair person would be attempting a social engineering attack. See the section titled “Social Engineering” in Chapter 15, “Policies, Procedures, and People,” for more information.
  91. Answer: C. MS-CHAPv1 is not capable of mutual authentication of the client and server. All the other statements are true. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
  92. Answer: C. Previous logon notification can identify if unauthorized access has occurred. Two-factor authentication means that a person will supply two forms of identity before being authenticated to a network or system. Session termination is a mechanism that can be implemented to end an unauthorized access. Session lock mechanisms can be employed to lock a particular user or IP address out of the system. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
  93. Answer: B and C. It is important to calculate how much disk space you will require for the logs of your database server and verify that you have that much disk space available on the hard drive. It is also important to plan what information will be needed in the case that you need to reconstruct events later. Group policy information and virtual memory are not important for this particular task. See the section titled “Monitoring Methodologies” in Chapter 11, “Monitoring and Auditing,” for more information.
  94. Answer: B. A network scanner is a port scanner used to find open ports on multiple computers on the network. A protocol analyzer is used to delve into packets. A firewall protects a network, and a performance monitor is used to create baselines for and monitor a computer. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
  95. Answer: C. It is important to copy the logs to a secondary server in case something happens to the primary log server; this way you have another copy of any possible security breaches. Blocking all failed and successful login attempts might not be wise, because it will create many entries. The rest of the answers are not necessarily good ideas when working with log files. See the section titled “Using Tools to Monitor Systems and Networks” in Chapter 11, “Monitoring and Auditing,” for more information.
  96. Answer: A. Port scanning can be used in a malicious way to find out all the openings to a computer’s operating system; this is known as the “fingerprint” of the operating system. Port scanning cannot find out the topology of the network, computer names, usernames, or passwords. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
  97. Answer: D. A protocol analyzer can delve into the packets that were sent across the network that contain the clear text passwords. Rainbow tables and John the Ripper deal with cracking passwords that were previously encrypted; they aren’t necessary if the password was sent via clear text. Port scanners scan computers for any open ports. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
  98. Answer: D. If a hashing algorithm generates the same hash for two different messages within two different downloads, a collision has occurred, and the implementation of the hashing algorithm should be investigated. See the section titled “Hashing Basics” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
  99. Answer: A. Access control lists can be used to control the traffic allowed in or out of a network. They are usually included as part of a firewall and are the better answer because they specifically will control the traffic. Address resolution protocol, or ARP, resolves IP addresses to MAC addresses. In the discretionary access control model, the owner controls permissions of resources. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
  100. Answer: B. Backdoors were originally created to ease administration. However, hackers quickly found that they could use these backdoors for a malicious attack. See the section titled “Securing Other Applications” in Chapter 4, “Application Security,” for more information.