Flashcards in Topic 3: Network Security Deck (29)
Which of the following concepts are MOST important for a company's long term health in the event of a disaster? (Select TWO).
B. Implementing acceptable use policy
C. Offsite backups
D. Uninterruptable power supplies
E. Vulnerability scanning
Explanation: In case of disaster you must protect your data. Some of the most common strategies for data protection include: backups made to tape and sent off-site at regular intervals backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk the use of high availability systems which keep both the data and system replicated off-site (making the main site redundant), enabling continuous access to systems and data, even after a disaster.
An organization notices a large amount of malware and virus incidents at one satellite office, but hardly any at another. All users at both sites are running the same company image and receive the same group policies. Which of the following has MOST likely been implemented at the site with the fewest security issues?
A. Consent to monitoring
B. Business continuity measures
C. Vulnerability scanning
D. End-user awareness training
Explanation: Users should have security awareness training and should have all accepted and signed acceptable use policy (AUP) agreements. User awareness training is one of the most significant countermeasures the company can implement.
Which of the following technologies is designed to keep systems uptime running in the event of a disaster?
A. High availability
B. Load balancing
C. Quality of service
D. Caching engines
Explanation: If a network switch or router stops operating correctly (meaning that a network fault occurs), communication through the network could be disrupted, resulting in a network becoming unavailable to its users. Therefore, network availability, called uptime, is a major design consideration.
A network technician is assisting the company with developing a new business continuity plan.
Which of the following would be an appropriate suggestion to add to the plan?
A. Build redundant links between core devices
B. Physically secure all network equipment
C. Maintain up-to-date configuration backups
D. Perform reoccurring vulnerability scans
Explanation: The business continuity plan focuses on the tasks carried out by an organization to ensure that critical business functions continue to operate during and after a disaster. By keeping redundant links between core devices critical business services can be kept running if one link is unavailable during a disaster.
Which of the following describes a smurf attack?
A. Attack on a target using spoofed ICMP packets to flood it
B. Intercepting traffic intended for a target and redirecting it to another
C. Spoofed VLAN tags used to bypass authentication
D. Forging tags to bypass QoS policies in order to steal bandwidth
Explanation: The Smurf Attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.
A malicious user floods a switch with frames hoping to redirect traffic to the user's server. Which of the following attacks is the user MOST likely using?
A. DNS poisoning
B. ARP poisoning
D. SYN attack
Explanation: Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer's ARP cache with a forged ARP request and reply packets. This modifies the layer -Ethernet MAC address into the hacker's known MAC address to monitor it. Because the ARP replies are forged, the target computer unintentionally sends the frames to the hacker's computer first instead of sending it to the original destination. As a result, both the user's data and privacy are compromised.
An attacker has connected to an unused VoIP phone port to gain unauthorized access to a network. This is an example of which of the following attacks?
A. Smurf attack
B. VLAN hopping
C. Blue snarfing
D. Spear phishing
Explanation: The VoIP phone port can be used to attack a VLAN on the local network. VLAN hopping is a computer security exploit, a method of attacking networked resources on a Virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible.
Packet analysis reveals multiple GET and POST requests from an internal host to a URL without any response from the server. Which of the following is the BEST explanation that describes this scenario?
A. Compromised system
B. Smurf attack
C. SQL injection attack
Explanation: As the extra unexplainable traffic comes from an internal host on your network we can assume that this host has been compromised. If your system has been compromised, somebody is probably using your machine--possibly to scan and find other machines to compromise
A technician needs to ensure that new systems are protected from electronic snooping of Radio Frequency emanations. Which of the following standards should be consulted?
Explanation: Tempest was the name of a government project to study the ability to understand the data over a network by listening to the emanations. Tempest rooms are designed to keep emanations contained in that room to increase security of data communications happening there.
A company has decided to update their usage policy to allow employees to surf the web unrestricted from their work computers. Which of the following actions should the IT security team implement to help protect the network from attack as a result of this new policy?
A. Install host-based anti-malware software
B. Implement MAC filtering on all wireless access points
C. Add an implicit deny to the core router ACL
D. Block port 80 outbound on the company firewall
E. Require users to utilize two-factor authentication
Explanation: To protect the computers from employees installing malicious software they download on the internet, antimalware should be run on all systems. After a single machine in a company is compromised and is running malicious software (malware), the attacker can then use that single computer to proceed further into the internal network using the compromised host as a pivot point. The malware may have been implemented by an outside attacker or by an inside disgruntled employee.
Which of the following would be the result of a user physically unplugging a VoIP phone and connecting it into another interface with switch port security enabled as the default setting?
A. The VoIP phone would request a new phone number from the unified communications server.
B. The VoIP phone would cause the switch interface, that the user plugged into, to shutdown.
C. The VoIP phone would be able to receive incoming calls but will not be able to make outgoing calls.
D. The VoIP phone would request a different configuration from the unified communications server.
Explanation: Without configuring any other specific parameters, the switchport security feature will only permit one MAC address to be learned per switchport (dynamically) and use the shutdown violation mode; this means that if a second MAC address is seen on the switchport the port will be shutdown and put into the err-disabled state.
A network technician has been tasked to configure a new network monitoring tool that will examine interface settings throughout various network devices. Which of the following would need to be configured on each network device to provide that information in a secure manner?
Explanation: The network monitoring need to use a network management protocol. SNMP has become the de facto standard of network management protocols. The security weaknesses of SNMPv1 and SNMPv2c are addressed in SNMPv3.
A technician wants to securely manage several remote network devices. Which of the following should be implemented to securely manage the devices?
Explanation: To manage the remote network devices, we need to use a network management protocol. SNMP has become the de facto standard of network management protocols. The security weaknesses of SNMPv1 and SNMPv2c are addressed inSNMPv3.
A technician needs to secure web traffic for a new e-commerce website. Which of the following will secure traffic between a web browser and a website?
Explanation: Secure SocketsLayer (SSL) provides cryptography and reliability for upper layers (Layers 5–7) of the OSI model. SSL (and TLS) provide secure web browsing (web traffic) via Hypertext Transfer Protocol Secure (HTTPS).
A company has seen an increase in ransomware across the enterprise. Which of the following should be implemented to reduce the occurrences?
A. ARP inspection
B. Intrusion detection system
C. Web content filtering
D. Port filtering
Explanation: Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. The best way to avoid ransomware include proactive measures like the following: Don’t click on any URL or open an attachment you are not expecting. Implement an email content filtering service Install a web content filtering service Invest in leading end point security software solutions
A company wants to make sure that users are required to authenticate prior to being allowed on the network. Which of the following is the BEST way to accomplish this?
C. Single sign-on
Explanation: For security purposes, some switches require users to authenticate themselves (that is, provide credentials, such as a username and password, to prove who they are) before gaining access to the rest of the network. A standards-based method of enforcing user authentication is IEEE 802.1X.
A wireless network technician for a local retail store is installing encrypted access points within the store for real-time inventory verification, as well as remote price checking capabilities, while employees are away from the registers. The store is in a fully occupied strip mall that has multiple neighbors allowing guest access to the wireless networks. There is a finite known number of approved handheld devices needing to access the store's wireless network. Which of the following is the BEST security method to implement on the access points?
A. Port forwarding
B. MAC filtering
D. IP ACL
Explanation: MAC filtering allows traffic to be permitted or denied based on a device’s MAC address. We make a MAC filtering which contains the MAC addresses of all approved devices that need to access the wireless network. This ensures that only approved devices are given access to the network.
A network technician has set up an FTP server for the company to distribute software updates for their products. Each vendor is provided with a unique username and password for security. Several vendors have discovered a virus in one of the security updates. The company tested all files before uploading them but retested the file and found the virus. Which of the following could the technician do for vendors to validate the proper security patch?
A. Use TFTP for tested and secure downloads
B. Require biometric authentication for patch updates
C. Provide an MD5 hash for each file
D. Implement a RADIUS authentication
Explanation: If we put an MD5 has for each file, we can see if the file has been changed or not. MD5 is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from data input (which may be a message of any length) that is claimed to be as unique to that specific data as a fingerprint is to the specific individual.
During a check of the security control measures of the company network assets, a network administrator is explaining the difference between the security controls at the company. Which of the following would be identified as physical security controls? (Select THREE).
C. Man traps
E. Cipher locks
Explanation: Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism. C: A mantrap is a mechanical physical security devices for catching poachers and trespassers. They have taken many forms, the most usual being like a large foothold trap, the steel springs being armed with teeth which met in the victim's leg. D: Biometric authentication is a type of system that relies on the unique biological characteristics of individuals to verify identity for secure access to electronic systems. Biometric authentication is a physical security device. E: Cipher locks are used to control access to areas such as airport control towers, computer rooms, corporate offices, embassies, areas within financial institutions, research and development laboratories, and storage areas holding weapons, controlled substances, etc. Cipher locks are physical security devices.
Which of the following physical security controls prevents an attacker from gaining access to a network closet?
B. Proximity readers
C. Motion sensors
D. IP cameras
Explanation: A proximity card is a physical card which used to get access to a physical area such as a network closet. It is a "contactless" smart card which can be read without inserting it into a reader device, as required by earlier magnetic stripe cards such as credit cards and "contact" type smart cards. The proximity cards are part of the Contactless card technologies. Held near an electronic reader for a moment they enable the identification of an encoded number. Note: Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.
A technician needs to install software onto company laptops to protect local running services, from external threats. Which of the following should the technician install and configure on the laptops if the threat is network based?
A. A cloud-based antivirus system with a heuristic and signature based engine
B. A network based firewall which blocks all inbound communication
C. A host-based firewall which allows all outbound communication
D. A HIDS to inspect both inbound and outbound network communication
Explanation: A host-based firewall is a computer running firewall software that can protect the computer itself. For example, it can prevent incoming connections to the computer and allow outbound communication only.
A technician is setting up a computer lab. Computers on the same subnet need to communicate with each other using peer to peer communication. Which of the following would the technician MOST likely configure?
A. Hardware firewall
B. Proxy server
C. Software firewall
D. GRE tunneling
Explanation: A host-based firewall is a computer running firewall software that can protect the computer itself. A software firewall would be the most cost effective in a lab scenario.
A firewall ACL is configured as follows:
10. Deny Any Trust to Any DMZ eq to TCP port 22
11. Allow 10.200.0.0/16 to Any DMZ eq to Any
12. Allow 10.0.0.0/8 to Any DMZ eq to TCP ports 80, 443
13. Deny Any Trust to Any DMZ eq to Any
A technician notices that users in the 10.200.0.0/16 network are unable to SSH into servers in the DMZ. The company wants 10.200.0.0/16 to be able to use any protocol, but restrict the rest of the 10.0.0.0/8 subnet to web browsing only. Reordering the ACL in which of the following manners would meet the company's objectives?
A. 11, 10, 12, 13
B. 12, 10, 11, 13
C. 13, 10, 12, 11
D. 13, 12, 11, 10
Explanation: ACL are processed in TOP DOWN process in routers or switches. This means that when a condition in the ACL is met, all processing is stopped. We start by allowing any protocol on the 10.200.0.0/16 subnet:11. Allow 10.200.0.0/16 to AnyDMZ eq to Any We then deny any traffic on TCP port 22:10. Deny Any Trust to Any DMZ eq to TCP port 22 We allow browsing (port 80 and 443) on the 10.0.0.0/8 subnet: Allow 10.0.0.0/8 to Any DMZ eq to TCP ports 80, 443 Finally, we deny all other traffic:13. Deny Any Trust to Any DMZ eq to Any
A technician is installing a surveillance system for a home network. The technician is unsure which ports need to be opened to allow remote access to the system. Which of the following should the technician perform?
A. Disable the network based firewall
B. Implicit deny all traffic on network
C. Configure a VLAN on Layer 2 switch
D. Add the system to the DMZ
Explanation: By putting the system in the DMZ (demilitarized zone) we increase the security, as the system should be opened for remote access. A DMZ is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. A DMZ often contains servers that should be accessible from the public Internet.
The ability to make access decisions based on an examination of Windows registry settings, antivirus software, and AD membership status is an example of which of the following NAC features?
A. Quarantine network
B. Persistent agents
C. Posture assessment
D. Non-persistent agents
Explanation: Network Admission Control (NAC) can permit or deny access to a network based on characteristics of the device seeking admission, rather than just checking user credentials. For example, a client’s OS, Windows Registry settings, AD membership status, and version of antivirus software could be checked against a set of requirements before allowing the client to access a network. This process of checking a client’s characteristics is called posture assessment.
Which of the following types of network would be set up in an office so that customers could access the Internet but not be given access to internal resources such as printers and servers?
A. Quarantine network
B. Core network
C. Guest network
D. Wireless network
Explanation: A wireless guest network could be set up so that it has limited access (no access to local resources) but does provide Internet access for guest users.
Which of the following is a security benefit gained from setting up a guest wireless network?
A. Optimized device bandwidth
B. Isolated corporate resources
C. Smaller ACL changes
D. Reduced password resets
Explanation: A wireless guest network could be set up so that it has limited access (no access to local resources) but does provide Internet access for guest users. The corporate resources would be inaccessible (isolated) from the guest network.
Ann, a network technician, was asked to remove a virus. Issues were found several levels deep within the directory structure. To ensure the virus has not infected the .mp4 files in the directory, she views one of the files and believes it contains illegal material. Which of the following forensics actions should Ann perform?
A. Erase the files created by the virus
B. Stop and escalate to the proper authorities
C. Check the remaining directories for more .mp4 files
D. Copy the information to a network drive to preserve the evidence
Explanation: Computer forensics is about legal evidence found in computers and digital storage. A plan should include first responders securing the area and then escalating to senior management and authorities when required by policy or law.