271 terms

Sec+ Review Questions


Which type of audit can be used to determine whether accounts have been established properly and verify that privilege creep isn't occurring?
A. Privilege audit
B. Usage audit
C. Escalation audit
D. Report audit
A. A privilege audit is used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of an organization.
What kind of physical access device restricts access to a small number of individuals at one time?
A. Checkpoint
B. Perimeter security
C. Security zones
D. Mantrap
D. A mantrap limits access to a small number of individuals. It could be, for example, a small room. Mantraps typically use electronic locks and other methods to control access.
Which of the following is a set of voluntary standards governing encryption?
A. PKI
B. PKCS
C. ISA
D. SSL
B. Public-Key Cryptography Standards is a set of voluntary standards for public-key cryptography. This set of standards is coordinated by RSA.
Which protocol is used to create a secure environment in a wireless network?
A. WAP
B. WEP
C. WTLS
D. WML
B. Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network. WEP has vulnerabilities and isn't considered highly secure.
An Internet server interfaces with TCP/IP at which layer of the DOD model?
A. Transport layer
B. Network layer
C. Process layer
D. Internet layer
C. The Process layer interfaces with applications and encapsulates traffic through the Host-to-Host or Transport layer, the Internet layer, and the Network Access layer.
You want to establish a network connection between two LANs using the Internet. Which technology would best accomplish that for you?
A. IPSec
B. L2TP
C. PPP
D. SLIP
B. L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol that can be used between LANs. L2TP isn't secure, and you should use IPSec with it to provide data security.
Which design concept limits access to systems from outside users while protecting users and systems inside the LAN?
A. DMZ
B. VLAN
C. I&A
D. Router
A. A DMZ (demilitarized zone) is an area in a network that allows restrictive access to untrusted users and isolates the internal network from access by external users and systems. It does so by using routers and firewalls to limit access to sensitive network resources.
In the key recovery process, which key must be recoverable?
A. Rollover key
B. Secret key
C. Previous key
D. Escrow key
C. A key recovery process must be able to recover a previous key. If the previous key can't be recovered, then all the information for which the key was used will be irrecoverably lost.
Which kind of attack is designed to overload a particular protocol or service?
A. Spoofing
B. Back door
C. Man in the middle
D. Flood
D. A flood attack is designed to overload a protocol or service by repeatedly initiating a request for service. This type of attack usually results in a DoS (denial of service) situation occurring because the protocol freezes or excessive bandwidth is used in the network as a result of the requests.
Which component of an IDS collects data?
A. Data source
B. Sensor
C. Event
D. Analyzer
B. A sensor collects data from the data source and passes it on to the analyzer. If the analyzer determines that unusual activity has occurred, an alert may be generated.
What is the process of making an operating system secure from attack called?
A. Hardening
B. Tuning
C. Sealing
D. Locking down
A. Hardening is the term used to describe the process of securing a system. This is accomplished in many ways, including disabling unneeded protocols.
The integrity objective addresses which characteristic of information security?
A. Verification that information is accurate
B. Verification that ethics are properly maintained
C. Establishment of clear access control of data
D. Verification that data is kept private and secure
A. To meet the goal of integrity, you must verify that information being used is accurate and hasn't been tampered with. Integrity is coupled with accountability to ensure that data is accurate and that a final authority exists to verify this, if needed.
Which mechanism is used by PKI to allow immediate verification of a certificate's validity?
A. CRL
B. MD5
C. SSHA
D. OCSP
D. Online Certificate Status Protocol (OCSP) is the mechanism used to immediately verify whether a certificate is valid. The Certificate Revocation List (CRL) is published on a regular basis, but it isn't current once it's published.
Which of the following is the equivalent of a VLAN from a physical security perspective?
A. Perimeter security
B. Partitioning
C. Security zones
D. Physical barrier
B. Partitioning is the process of breaking a network into smaller components that can each be individually protected. The concept is the same as building walls in an office building.
A user has just reported that he downloaded a file from a prospective client using IM. The user indicates that the file was called account.doc. The system has been behaving unusually since he downloaded the file. What is the most likely event that occurred?
A. Your user inadvertently downloaded a virus using IM.
B. Your user may have a defective hard drive.
C. Your user is hallucinating and should increase his medication.
D. The system is suffering from power surges.
A. IM and other systems allow unsuspecting users to download files that may contain viruses. Due to a weakness in the file extension naming conventions, a file that appears to have one extension may actually have another extension. For example, the file account.doc.vbs would appear in many applications as account.doc, but it's actually a Visual Basic script and could contain malicious code.
Which mechanism or process is used to enable or disable access to a network resource based on an IP address?
A. NDS
B. ACL
C. Hardening
D. Port blocking
B. Access control lists (ACLs) are used to allow or deny an IP address access to a network. ACL mechanisms are implemented in many routers, firewalls, and other network devices.
Which of the following would provide additional security to an Internet web server?
A. Changing the port address to 80.
B. Changing the port address to 1019.
C. Adding a firewall to block port 80.
D. Web servers can't be secured.
B. The default port for a web server is port 80. By changing the port to 1019, you force users to specify this port when they are using a browser. This action provides a little additional security for your website. Adding a firewall to block port 80 would secure your website so much that no one would be able to access it.
What type of program exists primarily to propagate and spread itself to other systems?
A. Virus
B. Trojan horse
C. Logic bomb
D. Worm
D. A worm is designed to multiply and propagate. Worms may carry viruses that cause system destruction, but that isn't their primary mission.
An individual presents herself at your office claiming to be a service technician. She wants to discuss your current server configuration. This may be an example of what type of attack?
A. Social engineering
B. Access control
C. Perimeter screening
D. Behavioral engineering
A. Social engineering is using human intelligence methods to gain access or information about your organization.
Which of the following is a major security problem with FTP servers?
A. Password files are stored in an unsecure area on disk.
B. Memory traces can corrupt file access.
C. User IDs and passwords are unencrypted.
D. FTP sites are unregistered.
C. In most environments, FTP sends account and password information unencrypted. This makes these accounts vulnerable to network sniffing.
Which system would you install to provide active protection and notification of security problems in a network connected to the Internet?
A. IDS
B. Network monitoring
C. Router
D. VPN
A. An intrusion detection system (IDS) provides active monitoring and rule-based responses to unusual activities on a network. A firewall provides passive security by preventing access from unauthorized traffic. If the firewall were compromised, the IDS would notify you based on rules it's designed to implement.
The process of verifying the steps taken to maintain the integrity of evidence is called what?
A. Security investigation
B. Chain of custody
C. Three A's of investigation
D. Security policy
B. The chain of custody ensures that each step taken with evidence is documented and accounted for from the point of collection. Chain of custody is the Who, What, When, Where, and Why of evidence storage.
What encryption process uses one message to hide another?
A. Steganography
B. Hashing
C. MDA
D. Cryptointelligence
A. Steganography is the process of hiding one message in another. Steganography may also be referred to as electronic watermarking.
Which policy dictates how computers are used in an organization?
A. Security policy
B. User policy
C. Use policy
D. Enforcement policy
C. The use policy is also referred to as the usage policy. It should state acceptable uses of computer and organizational resources by employees. This policy should outline consequences of noncompliance.
Which algorithm is used to create a temporary secure session for the exchange of key information?
A. KDC
B. KEA
C. SSL
D. RSA
B. The Key Exchange Algorithm (KEA) is used to create a temporary session to exchange key information. This session creates a secret key. When the key has been exchanged, the regular session begins.
You've been hired as a security consultant for a company that's beginning to implement handheld devices, such as PDAs. You're told that the company must use an asymmetric system. Which security standard would you recommend it implement?
A. ECC
B. PKI
C. SHA
D. MD
A. Elliptic Curve Cryptography (ECC) would probably be your best choice for a PDA. ECC is designed to work with smaller processors. The other systems may be options, but they require more computing power than ECC.
Which of the following backup methods will generally provide the fastest backup times?
A. Full backup
B. Incremental backup
C. Differential backup
D. Archival backup
B. An incremental backup will generally be the fastest of the backup methods because it backs up only the files that have changed since the last incremental or full backup.
You want to grant access to network resources based on authenticating an individual's retina during a scan. Which security method uses a physical characteristic as a method of determining identity?
A. Smart card
B. I&A
C. Biometrics
D. CHAP
C. Biometrics is the authentication process that uses physical characteristics, such as a palm print or retinal pattern, to establish identification.
Which access control method is primarily concerned with the role that individuals have in the organization?
A. MAC
B. DAC
C. RBAC
D. STAC
C. Role-Based Access Control (RBAC) is primarily concerned with providing access to systems that a user needs based on the user's role in the organization.
The process of investigating a computer system for clues into an event is called what?
A. Computer forensics
B. Virus scanning
C. Security policy
D. Evidence gathering
A. Computer forensics is the process of investigating a computer system to determine the cause of an incident. Part of this process would be gathering evidence.
Of the following types of security, which would be primarily concerned with someone stealing the server from the premises?
A. Physical security
B. Operational security
C. Management and policy
D. Authentication
A. Physical security is primarily concerned with the loss or theft of physical assets. This would include theft, fire, and other acts that physically deny a service or information to the organization.
Upper management has suddenly become concerned about security. As the senior network administrator, you are asked to suggest changes that should be implemented. Which of the following access methods should you recommend if the method is to be one that is primarily based on preestablished access and can't be changed by users?
A. MAC
B. DAC
C. RBAC
D. Kerberos
A. Mandatory Access Control (MAC) is oriented toward preestablished access. This access is typically established by network administrators and can't be changed by users.
Your office administrator is being trained to perform server backups. Which authentication method would be ideal for this situation?
A. MAC
B. DAC
C. RBAC
D. Security tokens
C. Role-Based Access Control (RBAC) allows specific people to be assigned to specific roles with specific privileges. A backup operator would need administrative privileges to back up a server. This privilege would be limited to the role and wouldn't be present during the employee's normal job functions.
You've been assigned to mentor a junior administrator and bring him up to speed quickly. The topic you're currently explaining is authentication. Which method uses a KDC to accomplish authentication for users, programs, or systems?
A. CHAP
B. Kerberos
C. Biometrics
D. Smart cards
B. Kerberos uses a Key Distribution Center (KDC) to authenticate a principal. The KDC provides a credential that can be used by all Kerberos-enabled servers and applications.
Which authentication method sends a challenge to the client that is encrypted and then sent back to the server?
A. Kerberos
B. PAP
C. DAC
D. CHAP
D. Challenge Handshake Authentication Protocol (CHAP) sends a challenge to the originating client. This challenge is sent back to the server, and the encryption results are compared. If the challenge is successful, the client is logged on.
After a careful risk analysis, the value of your company's data has been increased. Accordingly, you're expected to implement authentication solutions that reflect the increased value of the data. Which of the following authentication methods uses more than one authentication process for a logon?
A. Multi-factor
B. Biometrics
C. Smart card
D. Kerberos
A. A multi-factor authentication method uses two or more processes for logon. A two-factor method might use smart cards and biometrics for logon.
Which of the following IP addresses is within the private address range?
A. 192.1.1.5
B. 192.168.0.10
C. 192.225.5.1
D. 192.255.255.255
B. The private address range includes IP addresses between 192.168.0.0 and 192.168.255.255.
After acquiring another company, your organization is in a unique position to create a new—much larger—network from scratch. You want to take advantage of this reorganization to implement the most secure environment that users, and managers, can live with. You've already decided that the only way this will be possible is to implement security zones. Which of the following isn't an example of a type of security zone?
A. Internet
B. Intranet
C. Extranet
D. NAT
D. Network Address Translation (NAT) is a method of hiding TCP/IP addresses from other networks. The Internet, intranets, and extranets are the three most common security zones in use.
Which of the following protocols allows an organization to present a single TCP/IP address to the Internet while utilizing private IP addressing across the LAN?
A. NAT
B. VLAN
C. DMZ
D. Extranet
A. Network Address Translation (NAT) allows an organization to present a single address to the Internet. Typically, the router or NAT server accomplishes this. The router or NAT server maps all inbound and outbound requests and maintains a table for returned messages.
You're the administrator for Mercury Technical. Due to several expansions, the network has grown exponentially in size within the past two years. Which of the following is a popular method for breaking a network into smaller private networks that can coexist on the same wiring and yet be unaware of each other?
A. VLAN
B. NAT
C. MAC
D. Security zone
A. Virtual local area networks (VLANs) break a large network into smaller networks. These networks can coexist on the same wiring and be unaware of each other. A router or other routing-type device would be needed to connect these VLANs.
Of the following services, which one would be most likely to utilize a retinal scan?
A. Auditing
B. Authentication
C. Access control
D. Data confidentiality
B. Authentication is a service that requests the principal user to provide proof of their identity. A retinal scan is a very secure form of evidence used in high-security companies and government agencies.
One of the vice presidents of the company calls a meeting with information technology after a recent trip to competitors' sites. She reports that many of the companies she visited granted access to their buildings only after fingerprint scans, and she wants similar technology employed at this company. Of the following, which technology relies on a physical attribute of the user for authentication?
A. Smart card
B. Biometrics
C. Mutual authentication
D. Tokens
B. Biometric technologies rely on a physical characteristic of the user to verify identity. Biometric devices typically use either a hand pattern or a retinal scan to accomplish this.
Which technology allows a connection to be made between two networks using a secure protocol?
A. Tunneling
B. VLAN
C. Internet
D. Extranet
A. Tunneling allows a network to make a secure connection to another network through the Internet or other network. Tunnels are usually secure and present themselves as extensions of both networks.
A new director of information technology has been hired, and you report directly to him. At the first meeting, he assigns you the task of identifying all the company resources that IT is responsible for and assigning a value to each. The process of determining the value of information or equipment in an organization is referred to as which of the following?
A. Asset identification
B. Risk assessment
C. Threat identification
D. Vulnerabilities scan
A. Asset identification is the process of identifying the types and values of assets in an organization.
You have been asked to address a management meeting and present the types of threats your organization could face from hackers. Which of the following would best categorize this type of information?
A. Asset identification
B. Risk assessment
C. Threat identification
D. Vulnerabilities
C. A threat assessment examines the potential for internal and external threats to your systems and information.
Over the years, your company has upgraded its operating systems and networks as it has grown. A recent survey shows that numerous databases on the network haven't been accessed in more than a year. Unfortunately, the survey doesn't identify who created or last accessed those databases. Which aspect of design goals would involve determining who owns a particular database file?
A. Auditing
B. Access control
C. Threat analysis
D. Accountability
D. Accountability involves identifying who owns or is responsible for the accuracy of certain information in an organization. The department or individual that is accountable for certain information would also be responsible for verifying accuracy in the event of a data tampering incident.
A user just complained to you that his system has been infected with a new virus. Which of the following would be a first step to take in addressing and correcting this problem?
A. Verifying that the most current virus definition file is installed
B. Reformatting the hard disk
C. Reinstalling the operating system
D. Disabling the user's e‑mail account
A. Your first step would be to verify that the user's antivirus software is the most current version. This includes checking the virus definition files.
You're awakened in the middle of the night by a frantic junior administrator. The caller reports that the guest account—which you have forbidden anyone to use—suddenly logged in and out of the network, and the administrator believes an attack occurred. Which of the following would be the most useful in determining what was accessed during an external attack?
A. System logs
B. Antivirus software
C. Kerberos
D. Biometrics
A. System logs will frequently tell you what was accessed and in what manner. These logs are usually explicit in describing the events that occurred during a security violation.
You want to install a server in the network area that provides web services to Internet clients. You don't want to expose your internal network to additional risks. Which method should you implement to accomplish this?
A. Install the server in an intranet.
B. Install the server in a DMZ.
C. Install the server in a VLAN.
D. Install the server in an extranet.
B. A DMZ is an area in a network that allows access to outside users while not exposing your internal users to additional threats.
Your company provides medical data to doctors from a worldwide database. Because of the sensitive nature of the data you work with, it's imperative that authentication be established on each session and be valid only for that session. Which of the following authentication methods provides credentials that are valid only during a single session?
A. Tokens
B. Certificate
C. Smart card
D. Kerberos
A. Tokens are created when a user or system successfully authenticates. The token is destroyed when the session is over.
Which type of attack denies authorized users access to network resources?
A. DoS
B. Worm
C. Logic bomb
D. Social engineering
A. A DoS attack is intended to prevent access to network resources by overwhelming or flooding a service or network.
As the security administrator for your organization, you must be aware of all types of attacks that can occur and plan for them. Which type of attack uses more than one computer to attack the victim?
A. DoS
B. DDoS
C. Worm
D. UDP attack
B. A DDoS attack uses multiple computer systems to attack a server or host in the network.
A server in your network has a program running on it that bypasses authorization. Which type of attack has occurred?
A. DoS
B. DDoS
C. Back door
D. Social engineering
C. In a back door attack, a program or service is placed on a server to bypass normal security procedures.
An administrator at a sister company calls to report a new threat that is making the rounds. According to him, the latest danger is an attack that attempts to intervene in a communications session by inserting a computer between the two systems that are communicating. Which of the following types of attacks does this constitute?
A. Man-in-the-middle attack
B. Back door attack
C. Worm
D. TCP/IP hijacking
A. A man-in-the-middle attack attempts to fool both ends of a communications session into believing the system in the middle is the other end.
You've discovered that an expired certificate is being used repeatedly to gain logon privileges. Which type of attack is this most likely to be?
A. Man-in-the-middle attack
B. Back door attack
C. Replay attack
D. TCP/IP hijacking
C. A replay attack attempts to replay the results of a previously successful session to gain access.
A junior administrator comes to you in a panic. After looking at the log files, he has become convinced that an attacker is attempting to use an IP address to replace another system in the network to gain access. Which type of attack is this?
A. Man-in-the-middle attack
B. Back door attack
C. Worm
D. TCP/IP hijacking
D. TCP/IP hijacking is an attempt to steal a valid IP address and use it to gain authorization or information from a network.
A server on your network will no longer accept connections using the TCP protocol. The server indicates that it has exceeded its session limit. Which type of attack is probably occurring?
A. TCP ACK attack
B. Smurf attack
C. Virus attack
D. TCP/IP hijacking
A. A TCP ACK attack creates multiple incomplete sessions. Eventually, the TCP protocol hits a limit and refuses additional connections.
A smurf attack attempts to use a broadcast ping on a network; the return address of the ping may be a valid system in your network. Which protocol does a smurf attack use to conduct the attack?
A. TCP
B. IP
C. UDP
D. ICMP
D. A smurf attack attempts to use a broadcast ping (ICMP) on a network. The return address of the ping may be a valid system in your network. This system will be flooded with responses in a large network.
Your help desk has informed you that it received an urgent call from the vice president last night requesting his logon ID and password. What type of attack is this?
A. Spoofing
B. Replay attack
C. Social engineering
D. Trojan horse
C. Someone trying to con your organization into revealing account and password information is launching a social engineering attack.
A user calls you in a panic. He is receiving e‑mails from people indicating that he is inadvertently sending viruses to them. Over 200 such e‑mails have arrived today. Which type of attack has most likely occurred?
A. SAINT
B. Back door attack
C. Worm
D. TCP/IP hijacking
C. A worm is a type of malicious code that attempts to replicate using whatever means are available. The worm may not have come from the user's system; rather, a system with the user's name in the address book has attacked these people.
Your system has just stopped responding to keyboard commands. You noticed that this occurred when a spreadsheet was open and you dialed in to the Internet. Which kind of attack has probably occurred?
A. Logic bomb
B. Worm
C. Virus
D. ACK attack
A. A logic bomb notifies an attacker when a certain set of circumstances has occurred. This may in turn trigger an attack on your system.
You're explaining the basics of security to upper management in an attempt to obtain an increase in the networking budget. One of the members of the management team mentions that they've heard of a threat from a virus that attempts to mask itself by hiding code from antivirus software. What type of virus is he referring to?
A. Armored virus
B. Polymorphic virus
C. Worm
D. Stealth virus
A. An armored virus is designed to hide the signature of the virus behind code that confuses the antivirus software or blocks it from detecting the virus.
What kind of virus could attach itself to the boot sector of your disk to avoid detection and report false information about file sizes?
A. Trojan horse virus
B. Stealth virus
C. Worm
D. Polymorphic virus
B. A stealth virus reports false information to hide itself from antivirus software. Stealth viruses often attach themselves to the boot sector of an operating system.
A mobile user calls you from the road and informs you that his laptop is exhibiting erratic behavior. He reports that there were no problems until he downloaded a tic-tac-toe program from a site that he had never visited before. Which of the following terms describes a program that enters a system disguised in another program?
A. Trojan horse virus
B. Polymorphic virus
C. Worm
D. Armored virus
A. A Trojan horse enters with a legitimate program to accomplish its nefarious deeds.
Your system has been acting strangely since you downloaded a file from a colleague. Upon examining your antivirus software, you notice that the virus definition file is missing. Which type of virus probably infected your system?
A. Polymorphic virus
B. Retrovirus
C. Worm
D. Armored virus
B. Retroviruses are often referred to as anti-antiviruses. They can render your antivirus software unusable and leave you exposed to other, less-formidable viruses.
Internal users are reporting repeated attempts to infect their systems as reported to them by pop-up messages from their virus scanning software. According to the pop-up messages, the virus seems to be the same in every case. What is the most likely culprit?
A. A server is acting as a carrier for a virus.
B. You have a worm virus.
C. Your antivirus software has malfunctioned.
D. A DoS attack is under way.
A. Some viruses won't damage a system in an attempt to spread into all the other systems in a network. These viruses use that system as the carrier of the virus.
Your system log files report an ongoing attempt to gain access to a single account. This attempt has been unsuccessful to this point. What type of attack are you most likely experiencing?
A. Password guessing attack
B. Back door attack
C. Worm attack
D. TCP/IP hijacking
A. A password guessing attack occurs when a user account is repeatedly attacked using a variety of different passwords.
A user reports that he is receiving an error indicating that his TCP/IP address is already in use when he turns on his computer. A static IP address has been assigned to this user's computer, and you're certain this address was not inadvertently assigned to another computer. Which type of attack is most likely underway?
A. Man-in-the-middle attack
B. Back door attack
C. Worm
D. TCP/IP hijacking
D. One of the symptoms of a TCP/IP hijacking attack may be the unavailability of a TCP/IP address when the system is started.
You're working late one night, and you notice that the hard disk on your new computer is very active even though you aren't doing anything on the computer and it isn't connected to the Internet. What is the most likely suspect?
A. A disk failure is imminent.
B. A virus is spreading in your system.
C. Your system is under a DoS attack.
D. TCP/IP hijacking is being attempted.
B. A symptom of many viruses is unusual activity on the system disk. This is caused by the virus spreading to other files on your system.
You're the administrator for a large bottling company. At the end of each month, you routinely view all logs and look for discrepancies. This month, your e‑mail system error log reports a large number of unsuccessful attempts to log on. It's apparent that the e‑mail server is being targeted. Which type of attack is most likely occurring?
A. Software exploitation attack
B. Back door attack
C. Worm
D. TCP/IP hijacking
A. A software exploitation attack attempts to exploit weaknesses in software. A common attack attempts to communicate with an established port to gain unauthorized access. Most e‑mail servers use port 25 for e‑mail connections using SMTP.
Which of the following devices is the most capable of providing infrastructure security?
A. Hub
B. Switch
C. Router
D. Modem
C. Routers can be configured in many instances to act as packet-filtering firewalls. When configured properly, they can prevent unauthorized ports from being opened.
Upper management has decreed that a firewall must be put in place immediately, before your site suffers an attack similar to one that struck a sister company. Responding to this order, your boss instructs you to implement a packet filter by the end of the week. A packet filter performs which function?
A. Prevents unauthorized packets from entering the network
B. Allows all packets to leave the network
C. Allows all packets to enter the network
D. Eliminates collisions in the network
A. Packet filters prevent unauthorized packets from entering or leaving a network. Packet filters are a type of firewall that block specified port traffic.
Which device stores information about destinations in a network?
A. Hub
B. Modem
C. Firewall
D. Router
D. Routers store information about network destinations in routing tables. Routing tables contain information about known hosts on both sides of the router.
As more and more clients have been added to your network, the efficiency of the network has decreased significantly. You're preparing a budget for next year, and you specifically want to address this problem. Which of the following devices acts primarily as a tool to improve network efficiency?
A. Hub
B. Switch
C. Router
D. PBX
B. Switches create virtual circuits between systems in a network. These virtual circuits are somewhat private and reduce network traffic when used.
Which device is used to connect voice, data, pagers, networks, and almost any other conceivable application into a single telecommunications system?
A. Router
B. PBX
C. Hub
D. Server
B. Many modern PBX (private branch exchange) systems integrate voice and data onto a single data connection to your phone service provider. In some cases, this allows an overall reduction in cost of operations. These connections are made using existing network connections such as a T1 or T3 network.
Most of the sales force have been told that they should no longer report to the office on a daily basis. From now on, they're to spend the majority of their time on the road calling on customers. Each member of the sales force has been issued a laptop computer and told to connect to the network nightly through a dial-up connection. Which of the following protocols is widely used today as a transport protocol for Internet dial-up connections?
A. SMTP
B. PPP
C. PPTP
D. L2TP
B. PPP can pass multiple protocols and is widely used today as a transport protocol for dial-up connections.
Which protocol is unsuitable for WAN VPN connections?
A. PPP
B. PPTP
C. L2TP
D. IPSec
A. PPP provides no security, and all activities are insecure. PPP is primarily intended for dial-up connections and should never be used for VPN connections.
You've been given notice that you'll soon be transferred to another site. Before you leave, you're to audit the network and document everything in use and the reason why it's in use. The next administrator will use this documentation to keep the network running. Which of the following protocols isn't a tunneling protocol but is probably used at your site by tunneling protocols for network security?
A. IPSec
B. PPTP
C. L2TP
D. L2F
A. IPSec provides network security for tunneling protocols. IPSec can be used with many different protocols besides TCP/IP, and it has two modes of security.
A socket is a combination of which components?
A. TCP and port number
B. UDP and port number
C. IP and session number
D. IP and port number
D. A socket is a combination of IP address and port number. The socket identifies which application will respond to the network request.
You're explaining protocols to a junior administrator shortly before you leave for vacation. The topic of Internet mail applications comes up, and you explain how communications are done now as well as how you expect them to be done in the future. Which of the following protocols is becoming the newest standard for Internet mail applications?
A. SMTP
B. POP
C. IMAP
D. IGMP
C. IMAP is becoming the most popular standard for e‑mail clients and is replacing POP protocols for mail systems. IMAP allows mail to be forwarded and stored in information areas called stores.
Which protocol is primarily used for network maintenance and destination information?
A. ICMP
B. SMTP
C. IGMP
D. Router
A. ICMP is used for destination and error reporting functions in TCP/IP. ICMP is routable and is used by programs such as Ping and Traceroute.
You're the administrator for Mercury Technical. A check of protocols in use on your server brings up one that you weren't aware was in use; you suspect that someone in HR is using it to send messages to multiple recipients. Which of the following protocols is used for group messages or multicast messaging?
A. SMTP
B. SNMP
C. IGMP
D. L2TP
C. IGMP is used for group messaging and multicasting. IGMP maintains a list of systems that belong to a message group. When a message is sent to a particular group, each system receives an individual copy.
Which device monitors network traffic in a passive manner?
A. Sniffer
B. IDS
C. Firewall
D. Web browser
A. Sniffers monitor network traffic and display traffic in real time. Sniffers, also called network monitors, were originally designed for network maintenance and troubleshooting.
Security has become the utmost priority at your organization. You're no longer content to act reactively to incidents when they occur—you want to start acting more proactively. Which system performs active network monitoring and analysis and can take proactive steps to protect a network?
A. IDS
B. Sniffer
C. Router
D. Switch
A. An IDS is used to protect and report network abnormalities to a network administrator or system. It works with audit files and rule-based processing to determine how to act in the event of an unusual situation on the network.
Which media is broken down into seven categories depending on capability?
A. Coax
B. UTP
C. Infrared
D. Fiber-optic cable
B. UTP is broken down into seven categories that define bandwidth and performance. The most common category is CAT 5, which allows 1000Mbps bandwidth. CAT 5 cabling is most frequently used with 100Base-T networks.
You're the network administrator for MTS. Within five months, your company will leave its rented office space and move into a larger facility. As the company has grown, so too has the value of its data. You're in a unique position to create a network layout at the new facility from scratch and incorporate needed security precautions. Which media is the least susceptible to interception or tapping?
A. Coax
B. UTP
C. STP
D. Fiber
D. Fiber networks are considered the most secure, although they can be tapped. Fiber networks use a plastic or glass conductor and pass light waves generated by a laser.
Which media offers line-of-sight broadband and baseband capabilities?
A. Coax
B. Infrared
C. Microwave
D. UTP
C. Microwave communications systems can offer huge bandwidth and operate with either baseband or broadband capabilities. Baseband communication uses a single channel, whereas broadband is a multichannel environment.
An evaluation is under way of the current forms of removable media allowed within the company. Once the evaluation has been completed, the policies and procedures for network and computer usage will be updated. Which of the following media should the policies dictate be used primarily for backup and archiving purposes?
A. Tape
B. CD-R
C. Memory stick
D. Removable hard drives
A. The most common backup and archiving media in large systems is tape. Of the choices given, tape provides the highest-density storage in the smallest package. CD-Rs and removable hard drives may also be used, but they generally don't have the storage capacity of equivalent tape cartridges.
Which media is susceptible to viruses?
A. Tape
B. Memory stick
C. CD-R
D. All of the above
D. All of these devices can store and pass viruses to uninfected systems. Make sure that all files are scanned for viruses before they're copied to these media.
You want to begin using a media format that can store personal information and is difficult to copy or counterfeit. Which of the following devices should be used for this purpose?
A. CD-R
B. Smart card
C. Flash card
D. Tape
B. Smart cards are used for access control, and they can contain a small amount of information. Smart cards are replacing magnetic cards, in many instances because they can store additional personal information and are harder to copy or counterfeit.
Which of the following can be used to monitor a network for unauthorized activity? (Choose two.)
A. Network sniffer
B. NIDS
C. HIDS
D. VPN
A, B. Network sniffers and NIDSs are used to monitor network traffic. Network sniffers are manually oriented, whereas an NIDS can be automated.
You're the administrator for Acme Widgets. After attending a conference on buzzwords for management, your boss informs you that an IDS should be up and running on the network by the end of the week. Which of the following systems should be installed on a host to provide IDS capabilities?
A. Network sniffer
B. NIDS
C. HIDS
D. VPN
C. A host-based IDS (HIDS) is installed on each host that needs IDS capabilities.
Which of the following is an active response in an IDS?
A. Sending an alert to a console
B. Shunning
C. Reconfiguring a router to block an IP address
D. Making an entry in the security audit file
C. Dynamically changing the system's configuration to protect the network or a system is an active response.
A junior administrator bursts into your office with a report in his hand. He claims that he has found documentation proving that an intruder has been entering the network on a regular basis. Which of the following implementations of IDS detects intrusions based on previously established rules that are in place on your network?
A. MD-IDS
B. AD-IDS
C. HIDS
D. NIDS
A. By comparing attack signatures and audit trails, a misuse-detection IDS determines whether an attack is occurring.
Which IDS function evaluates data collected from sensors?
A. Operator
B. Manager
C. Alert
D. Analyzer
D. The analyzer function uses data sources from sensors to analyze and determine whether an attack is under way.
During the creation of a new set of policies and procedures for network usage, your attention turns to role definition. By default, which of the following roles is responsible for reporting the results of an attack to a system operator or administrator?
A. Alert
B. Manager
C. Analyzer
D. Data source
B. The manager is the component that the operator uses to manage the IDS. The manager may be a graphical interface, a real-time traffic screen, or a command-line-driven environment.
What is a system that is intended or designed to be broken into by an attacker called?
A. Honeypot
B. Honeybucket
C. Decoy
D. Spoofing system
A. A honeypot is a system that is intended to be sacrificed in the name of knowledge. Honeypot systems allow investigators to evaluate and analyze the attack strategies used. Law enforcement agencies use honeypots to gather evidence for prosecution.
An emergency meeting of all administrators has been called at MTS. It appears that an unauthorized user has been routinely entering the network after hours. A response to this intrusion must be formulated by those assembled. What is the process of formulating a reaction to a computer attack officially called?
A. Incident response
B. Evidence gathering
C. Entrapment
D. Enticement
A. Incident response is the process of determining the best method of dealing with a computer security incident.
Which of the following is not a part of an incident response?
A. Identification
B. Investigating
C. Entrapment
D. Repairing
C. Entrapment is the process of encouraging an individual to perform an unlawful act that they wouldn't normally have performed.
Which protocol is mainly used to enable access to the Internet from a mobile phone or PDA?
A. WEP
B. WTLS
C. WAP
D. WOP
C. Wireless Application Protocol (WAP) is an open international standard for applications that use wireless communication.
Which protocol operates on 2.4GHz and has a bandwidth of 1Mbps or 2Mbps?
A. 802.11
B. 802.11a
C. 802.11b
D. 802.11g
A. 802.11 operates on 2.4GHz. This standard allows for bandwidths of 1Mbps or 2Mbps.
You're outlining your plans for implementing a wireless network to upper management. Suddenly, a paranoid vice president brings up the question of security. Which protocol was designed to provide security to a wireless network and can be considered equivalent to the security of a wired network?
A. WAP
B. WTLS
C. WPA2
D. IR
C. Wi-Fi Protected Access 2 (WPA2) was intended to provide security that's equivalent to the security on a wired network and implements elements of the 802.11i standard.
Which of the following is a primary vulnerability of a wireless environment?
A. Decryption software
B. IP spoofing
C. A gap in the WAP
D. Site survey
D. A site survey is the process of monitoring a wireless network using a computer, wireless controller, and analysis software. Site surveys are easily accomplished and hard to detect.
As the administrator for MTS, you want to create a policy banning the use of instant messaging, but you're receiving considerable opposition from users. To lessen their resistance, you decide to educate them about the dangers inherent in IM. To which of the following types of attacks is IM vulnerable?
A. Malicious code
B. IP spoofing
C. Man-in-the-middle attacks
D. Replay attacks
A. IM users are highly susceptible to malicious code attacks such as worms, viruses, and Trojan horses. Ensure that IM users have up-to-date antivirus software installed.
What is the process of identifying the configuration of your network called?
A. Footprinting
B. Scanning
C. Jamming
D. Enumeration
B. Scanning is the process of gathering data about your network configuration and determining which systems are live.
During the annual performance review, you explain to your manager that this year you want to focus on looking at multiple sources of information and determining what systems your users may be using. You think this is a necessary procedure for creating a secure environment. What is the process of identifying your network and its security posture called?
A. Footprinting
B. Scanning
C. Jamming
D. Enumeration
A. Footprinting involves identifying your network and its security posture. Footprinting is done using multiple sources of information to determine what systems you may be using.
When an event is detected when it is happening, it is being detected in:
A. Present time
B. Here-and-now
C. Active time
D. Real time
D. When an event is detected while it is happening, it is said to be detected in real time.
A user calls with a problem. Even though she has been told not to use instant messaging, she has been doing so. For some reason, she is now experiencing frequent interrupted sessions. You suspect an attack and inform her of this. What is the process of disrupting an IM session called?
A. Jamming
B. Broadcasting
C. Incident response
D. Site survey
A. Jamming is the process of intentionally disrupting communications in an IM session. Jamming is a loosely defined term, and it refers to any intentional disruption that isn't a DoS attack.
You've just received a call from an IM user in your office who visited an advertised website. The user is complaining that his system is unresponsive and about a million web browser windows have opened on his screen. What type of attack has your user experienced?
A. DoS
B. Malicious code
C. IP spoofing
D. Site survey
A. Your user has just encountered an application-level DoS attack. This type of attack is common and isn't usually fatal, but it's very annoying. Your user should restart his system, verify that the website didn't transmit a virus, and stay away from broadcasted websites.
A fellow administrator is reviewing the log files for the month when he calls you over. A number of IDS entries don't look right to him, and he wants to focus on those incidents. Which of the following terms best describes an occurrence of suspicious activity within a network?
A. Event
B. Occurrence
C. Episode
D. Enumeration
A. An IDS will announce an event through an alert when suspicious activity is encountered.
Which of the following terms refers to the process of establishing a standard for security?
A. Baselining
B. Security evaluation
C. Hardening
D. Methods research
A. Baselining is the process of establishing a standard for security.
You've been chosen to lead a team of administrators in an attempt to increase security. You're currently creating an outline of all the aspects of security that will need to be examined and acted upon. Which of the following terms describes the process of improving security in an NOS?
A. Common Criteria
B. Hardening
C. Encryption
D. Networking
B. Hardening is the process of improving the security of an operating system or application. One of the primary methods of hardening an OS is to eliminate unneeded protocols.
What is the method of establishing a protocol connection to a controller called?
A. Linkage
B. Networking
C. Binding
D. Access control
C. Binding is the process of associating one protocol with another protocol or to a network card.
You're evaluating the protocols in use on your network. After evaluation, you'll make a recommendation to the vice president of IT on protocols that should be removed from the systems. Which of the following protocols shouldn't be bound to TCP/IP, if at all possible, because it's a well-established target of attackers?
A. IPX/SPX
B. SMTP
C. NetBIOS
D. LDAP
C. NetBIOS shouldn't be bound to TCP/IP if at all possible. NetBIOS is a well-established target of attackers.
What tool is used in Windows Vista to encrypt an entire volume?
A. Bitlocker
B. Syslock
C. Drive Defender
D. NLock
A. Bitlocker provides drive encryption and is available with Windows Vista.
Your organization has created a new overseer position, and licensing has suddenly become an issue. Licenses need to be in existence and able to be readily produced for all proprietary software. Which of the following operating systems is an open-source product and not considered proprietary?
A. Windows 2000
B. Novell NetWare
C. Linux
D. Mac OS
C. The open-source movement makes system source code available to developers and programmers. Linux is the operating system at the forefront of the open-source movement.
Which filesystem was primarily intended for desktop system use and offers limited security?
A. NTFS
B. NFS
C. FAT
D. AFS
C. FAT technology offers limited security options.
Your company has acquired a competitor's business. You've been assigned the role of formulating a strategy by which the servers on your existing network will communicate with those on the newly acquired network. All you know about the competitor is that it's using Novell's newest filesystem and it's a proprietary environment for servers. Which filesystem is used in NetWare servers?
A. NSS
B. NTFS
C. AFS
D. FAT
A. NSS is Novell's newest filesystem. It's a proprietary environment for servers.
Which filesystem allows remote mounting of filesystems?
A. NTFS
B. FAT
C. AFS
D. NFS
D. Network File System (NFS) is the Unix standard for remote filesystems.
The administrator at MTS was recently fired, and it has come to light that he didn't install updates and fixes as they were released. As the newly hired administrator, your first priority is to bring all networked clients and servers up-to-date. What is a bundle of one or more system fixes in a single product called?
A. Service pack
B. Hotfix
C. Patch
D. System install
A. A service pack is one or more repairs to system problems bundled into a single process or function.
Which of the following statements is not true?
A. You should never share the root directory of a disk.
B. You should share the root directory of a disk.
C. You should apply the most restrictive access necessary for a shared directory.
D. Filesystems are frequently based on hierarchical models.
B. Never share the root directory of a disk if at all possible. Doing so opens the entire disk to potential exploitation.
Your company does electronic monitoring of individuals under house arrest around the world. Because of the sensitive nature of the business, you can't afford any unnecessary downtime. What is the process of applying a repair to an operating system while the system stays in operation called?
A. Upgrading
B. Service pack installation
C. Hotfix
D. File update
C. A hotfix is done while a system is operating. This reduces the necessity of taking a system out of service to fix a problem.
What is the process of applying manual changes to a program called?
A. Hotfix
B. Service pack
C. Patching
D. Replacement
C. A patch is a temporary workaround of a bug or problem in code that is applied manually. Complete programs usually replace patches at a later date.
A newly hired junior administrator will assume your position temporarily while you attend a conference. You're trying to explain the basics of security to her in as short a period of time as possible. Which of the following best describes an ACL?
A. ACLs provide individual access control to resources.
B. ACLs aren't used in modern systems.
C. The ACL process is dynamic in nature.
D. ACLs are used to authenticate users.
A. Access control lists allow individual and highly controllable access to resources in a network. An ACL can also be used to exclude a particular system, IP address, or user.
What product verifies that files being received by an SMTP server contain no suspicious code?
A. E‑mail virus filter
B. Web virus filter
C. Packet filter firewall
D. IDS
A. SMTP is the primary protocol used in e‑mail. An SMTP virus filter checks all incoming and outgoing e‑mails for suspicious code. If a file is potentially infected, the scanner notifies the originator and quarantines the file.
Users are complaining about name resolution problems suddenly occurring that were never an issue before. You suspect that an intruder has compromised the integrity of the DNS server on your network. What is one of the primary ways in which an attacker uses DNS?
A. Network footprinting
B. Network sniffing
C. Database server lookup
D. Registration counterfeiting
A. DNS records in a DNS server provide insights into the nature and structure of a network. DNS records should be kept to a minimum in public DNS servers. Network footprinting involves the attacker collecting data about the network to devise methods of intrusion.
LDAP is an example of which of the following?
A. Directory access protocol
B. IDS
C. Tiered model application development environment
D. File server
A. Lightweight Directory Access Protocol (LDAP) is a directory access protocol used to publish information about users. This is the computer equivalent of a phone book.
Your company is growing at a tremendous rate, and the need to hire specialists in various areas of IT is becoming apparent. You're helping to write the newspaper ads that will be used to recruit new employees, and you want to make certain that applicants possess the skills you need. One knowledge area in which your organization is weak is database intelligence. What is the primary type of database used in applications today that you can mention in the ads?
A. Hierarchical
B. Relational
C. Network
D. Archival
B. Relational database systems are the most frequently installed database environments in use today.
The flexibility of relational databases in use today is a result of which of the following?
A. SQL
B. Hard-coded queries
C. Forward projection
D. Mixed model access
A. SQL is a powerful database access language used by most relational database systems.
You're redesigning your network in preparation for putting the company up for sale. The network, like all aspects of the company, needs to perform the best that it possibly can in order to be an asset to the sale. Which model is used to provide an intermediary server between the end user and the database?
A. One-tiered
B. Two-tiered
C. Three-tiered
D. Relational database
C. A three-tiered model puts a server between the client and the database.
What is the process of deriving an encrypted value from a mathematical process called?
A. Hashing
B. Asymmetric
C. Symmetric
D. Social engineering
A. Hashing algorithms are used to derive an encrypted value from a message or word.
During a training session, you want to impress upon users how serious security and, in particular, cryptography is. To accomplish this, you want to give them as much of an overview about the topic as possible. Which government agency should you mention is primarily responsible for establishing government standards involving cryptography for general-purpose government use?
A. NSA
B. NIST
C. IEEE
D. ITU
B. NIST is responsible for establishing the standards for general-purpose government encryption. NIST is also becoming involved in private-sector cryptography.
Assuming asymmetric encryption, if data is encoded with a value of 5, what would be used to decode it?
A. 5
B. 1
C. 1/5
D. 0
C. With asymmetric encryption, two keys are used—one to encode and the other to decode. The two keys are mathematical reciprocals of each other.
You're a member of a consortium wanting to create a new standard that will effectively end all spam. After years of meeting, the group has finally come across a solution and now wants to propose it. The process of proposing a new standard or method on the Internet is referred to by which acronym?
A. WBS
B. X.509
C. RFC
D. IEEE
C. The Request for Comments (RFC) process allows all users and interested parties to comment on proposed standards for the Internet. The RFC editor manages the RFC process. The editor is responsible for cataloging, updating, and tracking RFCs through the process.
Mary claims that she didn't make a phone call from her office to a competitor and tell them about developments her company is working on. Telephone logs, however, show that such a call was placed from her phone, and time clock records show she was the only person working at the time. What do these records provide?
A. Integrity
B. Confidentiality
C. Authentication
D. Nonrepudiation
D. Nonrepudiation offers undisputable proof that a party was involved in an action.
Mercury Technical Solutions has been using SSL in a business-to-business environment for a number of years. Despite the fact that there have been no compromises in security, the new IT manager wants to use stronger security than SSL can offer. Which of the following protocols is similar to SSL but offers the ability to use additional security protocols?
A. TLS
B. SSH
C. RSH
D. X.509
A. TLS is a security protocol that uses SSL, and it allows the use of other security protocols.
MAC is an acronym for what as it relates to cryptography?
A. Media access control
B. Mandatory access control
C. Message authentication code
D. Multiple advisory committees
C. A MAC as it relates to cryptography is a method of verifying the integrity of an encrypted message. The MAC is derived from the message and the key.
You've been brought in as a security consultant for a small bicycle manufacturing firm. Immediately you notice that it's using a centralized key-generating process, and you make a note to dissuade them from that without delay. What problem is created by using a centralized key-generating process?
A. Network security
B. Key transmission
C. Certificate revocation
D. Private key security
B. Key transmission is the largest problem from among the choices given. Transmitting private keys is a major concern. Private keys are typically transported using out-of-band methods to ensure security.
Which of the following terms refers to the prevention of unauthorized disclosure of keys?
A. Authentication
B. Integrity
C. Access control
D. Nonrepudiation
C. Access control refers to the process of ensuring that sensitive keys aren't divulged to unauthorized personnel.
As the head of IT for MTS, you're explaining some security concerns to a junior administrator who has just been hired. You're trying to emphasize the need to know what is important and what isn't. Which of the following is not a consideration in key storage?
A. Environmental controls
B. Physical security
C. Hardened servers
D. Administrative controls
A. Proper key storage requires that the keys be physically stored in a secure environment. This may include using locked cabinets, hardened servers, and effective physical and administrative controls.
What is the primary organization for maintaining certificates called?
A. CA
B. RA
C. LRA
D. CRL
A. A certificate authority (CA) is responsible for maintaining certificates in the PKI environment.
Due to a breach, a certificate must be permanently revoked, and you don't want it to ever be used again. What is often used to revoke a certificate?
A. CRA
B. CYA
C. CRL
D. PKI
C. A Certificate Revocation List (CRL) is created and distributed to all CAs to revoke a certificate or key.
Which organization can be used to identify an individual for certificate issue in a PKI environment?
A. RA
B. LRA
C. PKE
D. SHA
B. A local registration authority (LRA) can establish an applicant's identity and verify that the applicant for a certificate is valid. The LRA sends verification to the CA that issues the certificate.
Kristin, from Payroll, has left the office on maternity leave and won't return for at least six weeks. You've been instructed to suspend her key. Which of the following statements is true?
A. In order to be used, suspended keys must be revoked.
B. Suspended keys don't expire.
C. Suspended keys can be reactivated.
D. Suspending keys is a bad practice.
C. Suspending keys is a good practice: It disables a key, making it unusable for a certain period of time. This can prevent the key from being used while someone is gone. The key can be reactivated when that person returns.
What document describes how a CA issues certificates and what they are used for?
A. Certificate policies
B. Certificate practices
C. Revocation authority
D. CRL
A. The certificate policies document defines what certificates can be used for.
After returning from a conference in Jamaica, your manager informs you that he has learned that law enforcement has the right, under subpoena, to conduct investigations using keys. He wants you to implement measures to make such an event run smoothly should it ever happen. What is the process of storing keys for use by law enforcement called?
A. Key escrow
B. Key archival
C. Key renewal
D. Certificate rollover
A. Key escrow is the process of storing keys or certificates for use by law enforcement. Law enforcement has the right, under subpoena, to conduct investigations using these keys.
The CRL takes time to be fully disseminated. Which protocol allows a certificate's authenticity to be immediately verified?
A. CA
B. CP
C. CRC
D. OCSP
D. Online Certificate Status Protocol (OCSP) can be used to immediately verify a certificate's authenticity.
Which set of specifications is designed to allow XML-based programs access to PKI services?
A. XKMS
B. XMLS
C. PKXMS
D. PKIXMLS
A. XML Key Management Specification (XKMS) is designed to allow XML-based programs access to PKI services.
An attack that is based on the statistical probability of a match in a key base is referred to as what?
A. Birthday attack
B. DoS attack
C. Weak key attack
D. Smurf attack
A. Birthday attacks are based on the statistical likelihood of a match. As the key length grows, the probability of a match decreases.
A brainstorming session has been called. The moderator tells you to pull out a sheet of paper and write down your security concerns based on the technologies that your company uses. If your company uses public keys, what should you write as the primary security concern?
A. Privacy
B. Authenticity
C. Access control
D. Integrity
D. Public keys are created to be distributed to a wide audience. The biggest security concern regarding their use is ensuring that the public keys maintain their integrity. This can be accomplished by using a thumbprint or a second encryption scheme in the certificate or key.
Which plan or policy helps an organization determine how to relocate to an emergency site?
A. Disaster-recovery plan
B. Backup site plan
C. Privilege management policy
D. Privacy plan
A. The disaster-recovery plan deals with site relocation in the event of an emergency, natural disaster, or service outage.
Although you're talking to her on the phone, the sound of the administrative assistant's screams of despair can be heard down the hallway. She has inadvertently deleted a file that the boss desperately needs. Which type of backup is used for the immediate recovery of a lost file?
A. Onsite storage
B. Working copies
C. Incremental backup
D. Differential backup
B. Working copies are backups that are usually kept in the computer room for immediate use in recovering a system or lost file.
Which system frequently has audit files/transaction logs that can be used for recovery?
A. Database system
B. Application server
C. Backup server
D. User system
A. Large-scale database systems usually provide an audit file process that allows transactions to be recovered in the event of a data loss.
You're trying to rearrange your backup procedures to reduce the amount of time they take each evening. You want the backups to finish as quickly as possible during the week. Which backup system backs up only the files that have changed since the last backup?
A. Full backup
B. Incremental backup
C. Differential backup
D. Backup server
B. An incremental backup backs up files that have changed since the last full or partial backup.
Which backup system backs up all the files that have changed since the last full backup?
A. Full backup
B. Incremental backup
C. Differential backup
D. Archival backup
C. A differential backup backs up all the files that have changed since the last full backup.
You're a consultant brought in to advise MTS on its backup procedures. One of the first problems you notice is that the company doesn't utilize a good tape-rotation scheme. Which backup method uses a rotating schedule of backup media to ensure long-term information storage?
A. Grandfather, Father, Son method
B. Full Archival method
C. Backup Server method
D. Differential Backup method
A. The Grandfather, Father, Son method rotates media on a daily (son), weekly (father) and monthly (grandfather) schedule. It keeps the number of media sets in use small while still holding back the weekly and monthly sets for long-term archiving.
Which site best provides limited capabilities for the restoration of services in a disaster?
A. Hot site
B. Warm site
C. Cold site
D. Backup site
B. Warm sites provide some capabilities in the event of a recovery. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that may already exist at the warm site.
You're the head of information technology for MTS and have a brother in a similar position for ABC. Both companies are approximately the same size and are located several hundred miles apart. As a benefit to both companies, you want to implement an agreement that would allow either company to use resources at the other site should a disaster make a building unusable. What type of agreement between two organizations provides mutual use of their sites in the event of an emergency?
A. Backup-site agreement
B. Warm-site agreement
C. Hot-site agreement
D. Reciprocal agreement
D. A reciprocal agreement is between two organizations and allows one to use the other's site in an emergency.
The process of automatically switching from a malfunctioning system to another system is called what?
A. Fail safe
B. Redundancy
C. Fail-over
D. Hot site
C. Fail-over occurs when a system that is developing a malfunction automatically switches processes to another system to continue operations.
You've been brought in as a temporary for FRS, Inc. The head of IT assigns you the task of evaluating all servers and their disks and making a list of any data not stored redundantly. Which disk technology isn't fault tolerant?
A. RAID 0
B. RAID 1
C. RAID 3
D. RAID 5
A. RAID 0 stripes data across two or more drives with no parity and no mirroring. It is used purely for performance, and the failure of any single drive loses the whole array. RAID 1 mirrors, and RAID 3 and RAID 5 keep parity, so each of those survives the loss of one drive.
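To make the difference concrete, here is an added example (written for this review set, not from the original material) that builds RAID 0 and RAID 5 layouts out of in-memory lists of blocks, fails one member, and tries to read the data back. The block size, the four-disk arrays and the data string are constructed; the rotating XOR parity is the real RAID 5 principle, only simplified to a single block per stripe position.

```python
"""RAID 0 striping versus RAID 5 striping with parity, on in-memory 'disks'.

Added example for this question set, not from the original material. Disks
are Python lists of blocks, the data is constructed, and the block size and
rotating-parity layout are simplified, but the principle is the real one:
RAID 5 keeps one XOR parity block per stripe, so any single lost member can
be rebuilt from the rest; RAID 0 keeps no parity, so a lost member takes its
blocks (and the whole array) with it.
"""
from __future__ import annotations

BLOCK = 4  # bytes per block, tiny so the layout is easy to follow


def chunks(data: bytes, size: int) -> list[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]


def xor(*blocks: bytes) -> bytes:
    """Bytewise XOR of any number of blocks (parity calculation and rebuild)."""
    out = bytearray(max(len(b) for b in blocks))
    for b in blocks:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def raid0_write(data: bytes, n_disks: int) -> list[list]:
    """Stripe blocks round-robin across disks: block i goes to disk i % n."""
    disks = [[] for _ in range(n_disks)]
    for i, blk in enumerate(chunks(data, BLOCK)):
        disks[i % n_disks].append(blk)
    return disks


def raid0_read(disks: list[list], length: int) -> bytes:
    n, out = len(disks), []
    for i in range(-(-length // BLOCK)):      # ceil(length / BLOCK) blocks
        blk = disks[i % n][i // n]
        if blk is None:
            raise IOError(f"block {i} is on a failed disk; RAID 0 has no redundancy")
        out.append(blk)
    return b"".join(out)[:length]


def raid5_write(data: bytes, n_disks: int) -> list[list]:
    """Each stripe holds n_disks-1 data blocks plus one parity block; the
    parity position rotates from stripe to stripe, as in real RAID 5."""
    per_stripe = n_disks - 1
    disks = [[] for _ in range(n_disks)]
    data_blocks = chunks(data, BLOCK)
    for s in range(0, len(data_blocks), per_stripe):
        stripe = data_blocks[s:s + per_stripe]
        stripe += [bytes(BLOCK)] * (per_stripe - len(stripe))   # zero-pad last stripe
        parity_disk = (s // per_stripe) % n_disks
        it = iter(stripe)
        for d in range(n_disks):
            disks[d].append(xor(*stripe) if d == parity_disk else next(it))
    return disks


def raid5_read(disks: list[list], length: int) -> bytes:
    n, out = len(disks), []
    for si in range(len(disks[0])):
        parity_disk = si % n
        blocks = [disks[d][si] for d in range(n)]
        missing = [d for d, b in enumerate(blocks) if b is None]
        if len(missing) > 1:
            raise IOError("two members lost; RAID 5 tolerates only one")
        if missing:                                    # rebuild from the others
            d = missing[0]
            blocks[d] = xor(*[b for i, b in enumerate(blocks) if i != d])
        out.extend(b for d, b in enumerate(blocks) if d != parity_disk)
    return b"".join(out)[:length]


def fail_disk(disks: list[list], which: int) -> None:
    """Simulate a dead member: every block on that disk becomes unreadable."""
    disks[which] = [None] * len(disks[which])


def survives_disk_loss(level: int, data: bytes, n_disks: int = 4, lost: int = 1) -> bool:
    """True if the data reads back intact after one member disk fails."""
    write, read = (raid0_write, raid0_read) if level == 0 else (raid5_write, raid5_read)
    disks = write(data, n_disks)
    fail_disk(disks, lost)
    try:
        return read(disks, len(data)) == data
    except IOError:
        return False


DATA = b"RAID5 parity rebuilds a lost member."   # constructed, 36 bytes = 9 blocks

if __name__ == "__main__":
    print("RAID 0 survives one disk failure:", survives_disk_loss(0, DATA))
    print("RAID 5 survives one disk failure:", survives_disk_loss(5, DATA))
```

The rebuild step in raid5_read is the whole point: because parity is the XOR of the other blocks in the stripe, any one missing block, data or parity, is the XOR of what remains. Lose a second member and the same function raises, which is why a RAID 5 array with one failed drive should be treated as an outage waiting to happen, not as still redundant.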
Which agreement outlines performance requirements for a vendor?
A. MTBF
B. MTTR
C. SLA
D. BCP
C. A service-level agreement (SLA) specifies performance requirements for a vendor, such as uptime and response times. It may use MTBF (mean time between failures) and MTTR (mean time to repair) as the measurable targets.
Your company is about to invest heavily in an application written by a new startup. Because it is such a sizable investment, you express your concerns about the longevity of the new company and the risk this organization is taking. You propose that the new company agree to store its source code for use by customers in the event that it ceases business. What is this model called?
A. Code escrow
B. SLA
C. BCP
D. CA
A. Code escrow allows customers to access the source code of installed systems under specific conditions, such as the bankruptcy of a vendor.
Which policy describes how computer systems may be used within an organization?
A. Due care policy
B. Acceptable-use policy
C. Need-to-know policy
D. Privacy policy
B. The acceptable-use policy dictates how computers can be used within an organization. This policy should also outline the consequences of misuse.
You're the administrator for STM and have been summoned to an unannounced audit. The auditor states that he is unable to find anything in writing regarding confidentiality of customer records. Which policy should you produce?
A. Separation-of-duties policy
B. Due care policy
C. Physical access policy
D. Document destruction policy
B. Due-care policies dictate the expected precautions to be used to safeguard client records.
Which policy dictates how an organization manages certificates and certificate acceptance?
A. Certificate policy
B. Certificate access list
C. CA accreditation
D. CRL rule
A. A certificate policy dictates how an organization uses, manages, and validates certificates.
You're giving hypothetical examples during a required security training session when the subject of certificates comes up. A member of the audience wants to know how a party is verified as genuine. Which party in a transaction is responsible for verifying the identity of a certificate holder?
A. Subscriber
B. Relying party
C. Third party
D. Omni registrar
C. The third party, the certificate authority (CA), verifies the subscriber's identity before issuing the certificate and signs it; the relying party then trusts the CA's signature rather than verifying the subscriber itself.
Which of the following would normally not be part of an incident-response policy?
A. Outside agencies (that require status)
B. Outside experts (to resolve the incident)
C. Contingency plans
D. Evidence collection procedures
C. A contingency plan wouldn't normally be part of an incident-response policy. It would be part of a disaster-recovery plan.
MTS is in the process of increasing all security for all resources. No longer will the legacy method of assigning rights to users as they're needed be accepted. From now on, all rights must be obtained for the network or system through group membership. Which of the following groups is used to manage access in a network?
A. Security group
B. Single sign-on group
C. Resource sharing group
D. AD group
A. A security group is used to manage user access to a network or system.
Which process inspects procedures and verifies that they're working?
A. Audit
B. Business continuity plan
C. Security review
D. Group privilege management
A. An audit is used to inspect and test procedures within an organization to verify that those procedures are working and up-to-date. The result of an audit is a report to management.
The present method of requiring access to be strictly defined on every object is proving too cumbersome for your environment. The edict has come down from upper management that access requirements should be reduced slightly. Which access model allows users some flexibility for information-sharing purposes?
A. DAC
B. MAC
C. RBAC
D. MLAC
A. Discretionary access control (DAC) lets the owner of an object decide who may access it, which gives users some flexibility to share information. MAC fixes access through classification labels that users cannot change, and RBAC ties it to job roles.
Which policy includes all aspects of an organization's security?
A. Security management policy
B. Information security policy
C. Physical security policy
D. Information classification policy
A. All aspects of security in the organization are included in the security management policy, including the policies in options B, C, and D.
You're assisting with a policy review to make certain your company has in place all the policies it should. One of your fellow administrators mentions that he has never seen anything detailing information sensitivity and usage. Which policy would cover this topic?
A. Security policy
B. Information classification policy
C. Use policy
D. Configuration management policy
B. The information classification policy discusses information sensitivity and access to information.
Which policy identifies the software and hardware components that can be used in an organization?
A. Backup policy
B. Configuration management policy
C. Inventory policy
D. Use policy
B. The configuration management policy is concerned with how systems are configured and what software and hardware can be installed.
Which of the following involves keeping records about how your network or organization changes over time?
A. Change documentation
B. Use policy
C. Systems architecture
D. BIA
A. Change documentation involves keeping records about how your network or organization changes over time.
The process of ensuring that all policies, procedures, and standards are met is a function of which process?
A. Education
B. Enforcement
C. Responsibility
D. Change management
B. Enforcement of policies, procedures, and standards is essential for effective sustainability of security efforts. The saying "Inspect what you expect" is relevant in this situation.
Mercury Technical Services is formulating a set of guidelines that outline the components of effective security management. After these have been tried and tested at the Anderson branch, they will be rolled out to all other divisions. What is this set of guidelines called?
A. Best practices
B. Forensics
C. Chain of evidence
D. Use policy
A. The term best practices refers to the essential elements of an effective security management effort.
Which policy identifies the files and data that must be archived?
A. Information classification policy
B. Use policy
C. Logs and inventories policy
D. Information retention policy
D. Information retention policies dictate what information must be archived and how long those archives must be kept.
Which policy defines upgrade and systems requirements?
A. Configuration management policy
B. Use policy
C. Logs and inventory policy
D. Backup policy
A. Configuration management policy dictates the configurations and upgrades of systems in an organization.
A policy review is under way. The new head of HR wants to show that a formal policy exists for every aspect of IT. You've been assigned the role of producing whatever information he asks for. Which policy dictates the processes used to create archival copies of records?
A. Backup policy
B. Security policy
C. Use policy
D. User management policy
A. The backup policy identifies the methods used to archive electronic and paper file systems. This policy works in conjunction with the information retention and storage policies.
Which topic would not normally be covered in a user-oriented security-awareness program?
A. Security management policy
B. Use policy
C. Network technology and administration
D. Account and password criteria
C. Network technology and administration would not be covered in a user security awareness program. Issues of policy, responsibilities, and importance of security would be key aspects of this program.
You're a new hire at SMT. One of your job responsibilities is to provide monthly training sessions on security topics over lunch. You want to prioritize the presentations and first give those that are the most important. Which group would most benefit from an overall briefing on security threats and issues?
A. Management
B. Users
C. Developers
D. Network administrators
A. Managers would derive the most benefit from a high-level explanation of security threats and issues. Users need to know how to follow the policies and why they are important. Developers and network administrators need specific and focused information on how to better secure networks and applications.
Thanks to the awarding of a grant, you'll now be able to replace all the outdated workstations with newer models. Many of those workstations will be coming from the business office. Which of the following should occur when a computer system becomes surplus?
A. All files should be erased.
B. Disk drives should be initialized.
C. Disk drives should be formatted.
D. Computer screens should be degaussed.
B. Erasing files or formatting a drive only removes the directory entries; the data blocks stay on the disk until something overwrites them and can be recovered with carving tools. The only way to guarantee that data and applications on a disk drive are unreadable is to perform a low-level initialization of the storage media, overwriting every storage location, a process also referred to as disk wiping. Degaussing is for magnetic media, not screens. One caveat for current hardware: on SSDs and USB flash drives an overwrite pass cannot be trusted to reach every cell because of wear levelling, so use the drive's built-in secure erase (ATA Secure Erase or NVMe Sanitize), cryptographic erase, or physical destruction instead.
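The answer above says that erasing and formatting leave the data in place while wiping does not. The added example below (written for this review set, not from the original material) shows that on a toy 512-byte disk image: a constructed directory table and budget file, a delete that clears the entry, a quick format that clears the table, a wipe that overwrites every byte, and a file carver that ignores the table entirely and searches the raw bytes. The layout, the file and the signature are all made up for the example.

```python
"""Why deleting or formatting is not wiping: a toy disk image you can carve.

Added example for this question set, not from the original material. The
512-byte 'disk', its four-slot directory table and the budget file are all
constructed. Deleting a file clears its directory entry, a quick format
clears the whole table, and neither touches the data blocks, so a raw search
(file carving) still finds the content. Only overwriting every location,
which is what the question calls initializing or wiping, removes it.
"""
import os

DISK_SIZE = 512
TABLE_SIZE = 64        # directory table: 4 entries of 16 bytes
ENTRY = 16             # 12-byte name, 2-byte start offset, 2-byte length
SLOTS = TABLE_SIZE // ENTRY


class ToyDisk:
    def __init__(self) -> None:
        self.raw = bytearray(DISK_SIZE)
        self.next_free = TABLE_SIZE

    def write_file(self, name: str, content: bytes) -> None:
        start, length = self.next_free, len(content)
        self.raw[start:start + length] = content
        self.next_free += length
        slot = next(i for i in range(SLOTS) if self.raw[i * ENTRY] == 0)
        entry = (name.encode().ljust(12, b"\0")[:12]
                 + start.to_bytes(2, "big") + length.to_bytes(2, "big"))
        self.raw[slot * ENTRY:(slot + 1) * ENTRY] = entry

    def list_files(self) -> list:
        """What the operating system would show: names from the table only."""
        names = []
        for i in range(SLOTS):
            entry = self.raw[i * ENTRY:(i + 1) * ENTRY]
            if entry[0]:
                names.append(entry[:12].rstrip(b"\0").decode())
        return names

    def delete(self, name: str) -> None:
        """Like an OS delete: drop the directory entry, leave the data blocks."""
        for i in range(SLOTS):
            entry = self.raw[i * ENTRY:(i + 1) * ENTRY]
            if entry[:12].rstrip(b"\0").decode() == name:
                self.raw[i * ENTRY:(i + 1) * ENTRY] = bytes(ENTRY)

    def quick_format(self) -> None:
        """Like a quick format: new empty table, data blocks untouched."""
        self.raw[:TABLE_SIZE] = bytes(TABLE_SIZE)
        self.next_free = TABLE_SIZE

    def wipe(self) -> None:
        """Overwrite every location: one random pass, then zeros."""
        self.raw[:] = os.urandom(DISK_SIZE)
        self.raw[:] = bytes(DISK_SIZE)
        self.next_free = TABLE_SIZE


def carve(raw: bytes, signature: bytes):
    """File carving: ignore the table and look for known content directly."""
    start = raw.find(signature)
    if start < 0:
        return None
    end = raw.find(b"\0", start)
    return bytes(raw[start:end if end >= 0 else len(raw)])


SAMPLE = b"SALARY,alice,90000\nSALARY,bob,85000\n"   # constructed file content


def recoverable_after(action: str):
    """(files the OS still lists, content a carver recovers) after `action`."""
    disk = ToyDisk()
    disk.write_file("budget.csv", SAMPLE)
    if action == "delete":
        disk.delete("budget.csv")
    elif action == "format":
        disk.quick_format()
    elif action == "wipe":
        disk.wipe()
    return disk.list_files(), carve(disk.raw, b"SALARY,")


if __name__ == "__main__":
    for action in ("delete", "format", "wipe"):
        listed, carved = recoverable_after(action)
        print(f"after {action:6s}: listed={listed}, carved={carved!r}")
```

After "delete" and "format" the directory is empty but the carver returns the complete salary file; only "wipe" leaves nothing to find. Real carving tools work the same way against real filesystems, keyed on file headers (magic numbers) rather than a CSV column name, which is why surplus drives need a wipe or a secure erase before they leave the building.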
BIOS-based passwords are typically lost when what occurs on a workstation?
A. Electrical power is removed.
B. The cover is removed.
C. The computer's battery is removed and replaced.
D. The hard drive is changed.
C. BIOS settings, including the BIOS password, are held in CMOS memory kept alive by a small battery on the motherboard. Removing and replacing that battery (or shorting the clear-CMOS jumper) resets those values, which is why a BIOS password only protects against someone who cannot open the case.
Which type of policy should define the use of USB devices?
A. Information retention policy
B. Configuration management policy
C. Change documentation
D. Acceptable use policy
D. The acceptable use policy should clearly define the use of USB devices within an organization.
You are interested in simplifying security management at your site. The simplest way to manage users is by assigning them to which of the following entities?
A. Groups
B. Pools
C. Units
D. Categories
A. Users should be placed in groups and managed by membership in those groups.
Which of the following hold permissions for users and groups, such as Read-Only, Full Control, or Change?
A. Group policies
B. Access control lists
C. SIDs
D. DNS
B. Access control lists (ACLs) hold permissions for users and groups.
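The ACL question above and the earlier DAC question both describe access decisions in one sentence each; the added example below (written for this review set, not from the original material) shows the two decisions as code. The users, groups, ACL entries and classification levels are constructed. The DAC evaluator follows the Windows convention that rights accumulate from every entry naming the user or one of the user's groups and that an explicit Deny beats any Allow; the MAC check is the "no read up" rule of a label lattice, which no owner can override.

```python
"""Resolving access: DAC via an ACL with group membership, and MAC via labels.

Added example for this question set, not from the original material. The
users, groups, ACL entries and classification labels are constructed. The
DAC rules follow the Windows convention: rights accumulate from every entry
that names the user or one of the user's groups, and an explicit Deny beats
any Allow. The MAC rule is the 'no read up' check of a lattice model: a
subject may read an object only if its clearance dominates the object's
label, and no owner can override that.
"""
from __future__ import annotations

from dataclasses import dataclass

READ, WRITE, CHANGE_PERMS = "read", "write", "change_permissions"
CHANGE = frozenset({READ, WRITE})            # "Change" = read plus write
FULL_CONTROL = CHANGE | {CHANGE_PERMS}


@dataclass(frozen=True)
class ACE:
    """One access control entry: who, which rights, allow or deny."""
    principal: str
    rights: frozenset
    allow: bool = True


# Constructed group memberships; a user belongs to any number of groups.
GROUPS = {
    "payroll": {"alice", "bob"},
    "contractors": {"bob"},
    "admins": {"carol"},
}


def principals_for(user: str) -> set[str]:
    """The user's own name plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def dac_check(user: str, acl: list[ACE], right: str) -> bool:
    """Discretionary check: explicit deny wins, otherwise any matching allow."""
    who = principals_for(user)
    applicable = [ace for ace in acl if ace.principal in who]
    if any(not ace.allow and right in ace.rights for ace in applicable):
        return False
    return any(ace.allow and right in ace.rights for ace in applicable)


LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_check(clearance: str, label: str) -> bool:
    """Mandatory check: read allowed only if clearance dominates the label."""
    return LEVELS[clearance] >= LEVELS[label]


# Constructed ACL on a payroll share: payroll staff get Change, admins get
# Full Control, and contractors are explicitly denied write.
PAYROLL_ACL = [
    ACE("payroll", CHANGE),
    ACE("admins", FULL_CONTROL),
    ACE("contractors", frozenset({WRITE}), allow=False),
]


def effective_rights(user: str, acl: list[ACE]) -> set[str]:
    """Every right the user ends up with once denies are applied."""
    return {r for r in FULL_CONTROL if dac_check(user, acl, r)}


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave"):
        print(f"{u:6s} -> {sorted(effective_rights(u, PAYROLL_ACL))}")
    print("internal-cleared reading secret:", mac_check("internal", "secret"))
    print("secret-cleared reading internal:", mac_check("secret", "internal"))
```

Bob is the instructive case: payroll membership grants him Change, but his contractor membership carries an explicit Deny on write, so he ends up read-only. This is why auditing effective permissions has to expand group membership and apply deny ordering rather than reading a single entry, and why the privilege audits mentioned earlier in this set look at group membership first.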
If you want to carefully govern who can reset the password of a user object, which of the following permissions should you focus on?
A. Logical token
B. Landlord
C. Domain password
D. Change
C. The domain password permission identifies who can reset the password of a user object. In Active Directory this is the Reset Password extended right on the user object; delegate it to a help-desk group rather than granting it to individuals.
Which of the following are most similar in content to certificates?
A. Password policies
B. Device access policies
C. Datagrams
D. Logical tokens
D. Logical tokens are similar in content to certificates. They contain the rights and access privileges of the token bearer.
Which of the following allow you to automatically implement restrictions on operating system components?
A. Group policies
B. Access control lists
C. SIDs
D. DNS
A. Group policies allow you to automatically implement restrictions on operating system components.
Which type of policy should define the use of cell phones within an organization?
A. Information retention policy
B. Configuration management policy
C. Change documentation
D. Acceptable use policy
D. The acceptable use policy should clearly define the use of cell phones within an organization.
In information security, what are the three main goals? (Select the three best answers.)
A. Auditing
B. Integrity
C. Nonrepudiation
D. Confidentiality
E. Risk Assessment
F. Availability
B, D, and F. Confidentiality, integrity, and availability (known as CIA or the CIA triad) are the three main goals when it comes to information security. Another goal within information security is accountability.
To protect against malicious attacks, what should you think like?
A. Hacker
B. Network admin
C. Spoofer
D. Auditor
A. To protect against malicious attacks, think like a hacker. Then, protect and secure like a network security administrator.
Tom sends out many e-mails containing secure information to other companies. What concept should be implemented to prove that Tom did indeed send the e-mails?
A. Authenticity
B. Nonrepudiation
C. Confidentiality
D. Integrity
B. You should use nonrepudiation, normally provided by a digital signature made with a private key that only Tom holds, so that Tom cannot later deny having sent the e-mails. A shared-secret MAC would not do: the recipient holds the same key and could have produced the message.
Which of the following does the A in CIA stand for when it comes to IT security? Select the best answer.
A. Accountability
B. Assessment
C. Availability
D. Auditing
C. Availability is what the "A" in "CIA" stands for, as in "the availability of data." Together the acronym stands for confidentiality, integrity, and availability. Although accountability is important and is often named as a fourth goal alongside the triad, it is not the best answer. Assessment and auditing are both important concepts when checking for vulnerabilities and reviewing and logging, but they are not considered to be part of the CIA triad.
Which of the following is the greatest risk when it comes to removable storage?
A. Integrity of data
B. Availability of data
C. Confidentiality of data
D. Accountability of data
C. For removable storage, the confidentiality of data is the greatest risk because removable storage can easily be removed from the building and shared with others. Although the other factors of the CIA triad are important, any theft of removable storage can destroy the confidentiality of data, and that makes it the greatest risk.
When it comes to information security, what is the I in CIA?
A. Insurrection
B. Information
C. Indigestion
D. Integrity
D. The I in CIA stands for integrity. Together CIA stands for confidentiality, integrity, and availability. Accountability is also a core principle of information security.
You are developing a security plan for your organization. Which of the following is an example of a physical control?
A. Password
B. DRP
C. ID card
D. Encryption
C. An ID card is an example of a physical security control. Passwords and encryption are examples of technical controls. A disaster recovery plan (DRP) is an example of an administrative control.
When is a system completely secure?
A. When it is updated
B. When it is assessed for vulnerabilities
C. When all anomalies have been removed
D. Never
D. A system can never truly be completely secure. The scales are always tipping back and forth; a hacker develops a way to break into a system, then an administrator finds a way to block that attack, and then the hacker looks for an alternative method. It goes on and on; be ready to wage the eternal battle!
A group of compromised computers that have software installed by a worm is known as which of the following?
A. Botnet
B. Virus
C. Honeypot
D. Zombie
A. A botnet is a group of compromised computers, usually working together, with malware that was installed by a worm or a Trojan horse.
What are some of the drawbacks to using HIDS instead of NIDS on a server? (Select the two best answers.)
A. A HIDS may use a lot of resources that can slow server performance.
B. A HIDS cannot detect operating system attacks.
C. A HIDS has a low level of detection of operating system attacks.
D. A HIDS cannot detect network attacks.
A and D. Host-based intrusion detection systems (HIDS) run within the operating system of a computer, so they consume that computer's CPU, memory, and disk and can slow its performance. Most HIDS do not detect network attacks well (if at all); that is the job of a NIDS. A HIDS can, however, detect operating system attacks and usually has a high level of detection for them, so B and C are wrong.
Which of the following computer security threats can be updated automatically and remotely? (Select the best answer.)
A. Virus
B. Worm
C. Zombie
D. Malware
C. Zombies (also known as zombie computers) are systems that have been compromised without the knowledge of the owner. A prerequisite is the computer must be connected to the Internet so that the hacker or malicious attack can make its way to the computer and be controlled remotely. Multiple zombies working in concert often form a botnet. See the section "Computer Systems Security Threats" earlier in this chapter for more information.
Which of the following is the best mode to use when scanning for viruses?
A. Safe Mode
B. Last Known Good Configuration
C. Command Prompt only
D. Boot into Windows normally
A. Safe Mode should be used (if your AV software supports it) when scanning for viruses.
Which of the following is a common symptom of spyware?
A. Infected files
B. Computer shuts down
C. Applications freeze
D. Pop-up windows
D. Pop-up windows are common to spyware. The rest of the answers are more common symptoms of viruses.
What are two ways to secure the computer within the BIOS? (Select the two best answers.)
A. Configure a supervisor password.
B. Turn on BIOS shadowing.
C. Flash the BIOS.
D. Set the hard drive first in the boot order.
A and D. A supervisor (setup) password in the BIOS prevents anyone else from entering the BIOS and changing its settings. Placing the hard drive first in the boot order keeps the machine from being booted from any other device, including floppy drives, optical drives, and USB flash drives, so an attacker cannot bypass the installed operating system with a live disk. BIOS shadowing is a performance setting with no security effect, and although flashing the BIOS may bring security fixes, it is not the best answer. Both protections assume the case is locked: clearing CMOS resets the password and the boot order.
Dan is a network administrator. One day he notices that his DHCP server is flooded with information. He analyzes it and finds that the information is coming from more than 50 computers on the network. Which of the following is the most likely reason?
A. Virus
B. Worm
C. Zombie
D. PHP script
B. A worm is most likely the reason that the server is being bombarded with information by the clients; perhaps it is perpetuated by a botnet. Because worms self-replicate, the damage can quickly become critical.
Which of the following is not an example of malicious software?
A. Rootkits
B. Spyware
C. Viruses
D. Browser
D. A web browser (for example, Internet Explorer) is the only one listed that is not an example of malicious software. Although a browser can be compromised in a variety of ways by malicious software, the application itself is not the malware.
Which type of attack uses more than one computer?
A. Virus
B. DoS
C. Worm
D. DDoS
D. A DDoS, or distributed denial of service, attack uses multiple computers to make its attack, usually against a server. None of the other answers use multiple computers.
What are the two ways that you can stop employees from using USB flash drives? (Select the two best answers.)
A. Utilize RBAC.
B. Disable USB devices in the BIOS.
C. Disable the USB root hub.
D. Enable MAC filtering.
B and C. With USB devices disabled in the BIOS, a user cannot use a flash drive at all; disabling the USB root hub within the operating system has the same effect from the software side. In a Windows domain the same control can be pushed centrally with Group Policy's removable storage access settings, and a BIOS password is needed so that users cannot simply re-enable the ports.
Which of the following does not need updating?
A. HIDS
B. Antivirus software
C. Pop-up blockers
D. Antispyware
C. Pop-up blockers do not require updating to be accurate. However, host-based intrusion detection systems, antivirus software, and antispyware all need to be updated to be accurate.
Which of the following are Bluetooth threats? (Select the two best answers.)
A. Bluesnarfing
B. Blue bearding
C. Bluejacking
D. Distributed denial of service
A and C. Bluesnarfing and bluejacking are the names of two Bluetooth threats. Another attack could be aimed at a Bluetooth device's discovery mode. To date there is no such thing as blue bearding, and a distributed denial of service attack uses multiple computers attacking one host.
What is a malicious attack that executes at the same time every week?
A. Virus
B. Worm
C. Bluejacking
D. Logic bomb
D. A logic bomb is a malicious attack that executes at a specific time or when a specific condition is met. Viruses normally execute when a user inadvertently runs them. Worms can self-replicate at will. And bluejacking deals with Bluetooth devices.
Which of these is true for active inception?
A. When a computer is put between a sender and receiver
B. When a person overhears a conversation
C. When a person looks through files
D. When a person hardens an operating system
A. Active inception (aka active interception) normally includes a computer placed between the sender and the receiver to capture information.
Tim believes that his computer has a worm. What is the best tool to use to remove that worm?
A. Antivirus software
B. Antispyware software
C. HIDS
D. NIDS
A. Antivirus software is the best option when removing a worm. It may be necessary to boot into Safe Mode to remove this worm when using antivirus software.
Which of the following types of scanners can locate a rootkit on a computer?
A. Image scanner
B. Barcode scanner
C. Malware scanner
D. Adware scanner
C. Malware scanners can locate rootkits and other types of malware. These types of scanners are often found in anti-malware software from manufacturers such as McAfee, Norton, Vipre, and so on. Adware scanners (often free) can scan for only adware. Always have some kind of antimalware software running on live client computers!
Which type of malware does not require a user to execute a program to distribute the software?
A. Worm
B. Virus
C. Trojan horse
D. Stealth
A. Worms self-replicate and do not require a user to execute a program to distribute the software across networks. All the other answers do require user intervention. Stealth refers to a type of virus.
Which of these is not considered to be an inline device?
A. Firewall
B. Router
C. CSU/DSU
D. HIDS
D. HIDS or host-based intrusion detection systems are not considered to be an inline device. This is because they run on an individual computer. Firewalls, routers, and CSU/DSUs are inline devices.
Whitelisting, blacklisting, and closing open relays are all mitigation techniques addressing what kind of threat?
A. Spyware
B. Spam
C. Viruses
D. Botnets
B. Closing open relays, whitelisting, and blacklisting are all mitigation techniques that address spam. Spam e-mail is a serious problem for all companies and must be filtered as much as possible.
How do most network-based viruses spread?
A. By CD and DVD
B. Through e-mail
C. By USB flash drive
D. By floppy disk
B. E-mail is the number one reason why network-based viruses spread. All a person needs to do is double-click the attachment within the e-mail, and the virus will do its thing, which is most likely to spread through the user's address book. Removable media such as CDs, DVDs, USB flash drives, and floppy disks can spread viruses but are not nearly as common as e-mail.
Which of the following defines the difference between a Trojan horse and a worm? (Select the best answer.)
A. Worms self-replicate but Trojan horses do not.
B. The two are the same.
C. Worms are sent via e-mail; Trojan horses are not.
D. Trojan horses are malicious attacks; worms are not.
A. The primary difference between a Trojan horse and a worm is that worms will self-replicate without any user intervention; Trojan horses do not self-replicate.
Which of the following types of viruses hides its code to mask itself?
A. Stealth virus
B. Polymorphic virus
C. Worm
D. Armored virus
D. An armored virus attempts to make disassembly difficult for an antivirus software program. It thwarts attempts at code examination. Stealth viruses attempt to avoid detection by antivirus software altogether. Polymorphic viruses change every time they run. Worms are not viruses.
Which of the following types of malware appears to the user as legitimate but actually enables unauthorized access to the user's computer?
A. Worm
B. Virus
C. Trojan
D. Spam
C. A Trojan, or a Trojan horse, appears to be legitimate and looks like it'll perform desirable functions, but in reality it is designed to enable unauthorized access to the user's computer.
Which of the following would be considered detrimental effects of a virus hoax? (Select the two best answers.)
A. Technical support resources are consumed by increased user calls.
B. Users are at risk for identity theft.
C. Users are tricked into changing the system configuration.
D. The e-mail server capacity is consumed by message traffic.
A and C. Because a virus hoax can reach many users at once, technical support resources can be consumed by an increase in user phone calls and e-mails. This can be detrimental to the company because all companies have a limited amount of technical support personnel. Another detrimental effect is that unwitting users may be tricked into changing some of their computer system configurations (hoaxes often instruct them to delete a legitimate system file). The key term in the question is "virus hoax." If the e-mail server is consumed by message traffic, that would be a detrimental effect caused by the person who sent the virus and by the virus itself but not necessarily by the hoax. Although users may be at risk for identity theft, it is not one of the most detrimental effects of the virus hoax.
To mitigate risks when users access company e-mail with their cell phones, what security policy should be implemented on the cell phone?
A. Data connection capabilities should be disabled.
B. A password should be set on the phone.
C. Cell phone data should be encrypted.
D. Cell phone should be only for company use.
B. A password should be set on the phone, and the phone should lock after a set period of inactivity, prompting for the password when the user picks it up again. Disabling the data connection altogether would make access to e-mail impossible from the phone. Encrypting the phone's data is also worthwhile (current phones do it by default with little overhead), but a lock is what keeps someone who picks up the phone out of the mailbox. Whether the phone is used only for company business is up to the policies of the company.
Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this?
A. Anomaly-based IDS
B. Signature-based IDS
C. Behavior-based IDS
D. Heuristic-based IDS
B. An IDS that matches traffic against known patterns of known attacks (signatures) is signature-based. It detects only what it has a signature for, so the signature database needs regular updates, and novel or obfuscated traffic that matches no signature is left to anomaly-based or behavior-based detection.
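The following added example (written for this review set, not from the original material) shows what "matched to traffic patterns" means in practice: a handful of simplified Snort-style signatures (destination port plus a content pattern, written for this example), run over constructed packets. It also shows the practitioner's caveat: a request that percent-encodes "/etc/passwd" slips past a naive byte match, so the sensor must normalize HTTP before matching. Addresses, payloads and signature IDs are all made up.

```python
"""Signature-based detection over packet payloads, with the normalization
step that keeps trivial encoding tricks from evading it.

Added example for this question set, not from the original material. The
signatures are simplified, Snort-style rules (port plus content pattern)
written for this example, and the packets are constructed. A signature IDS
only fires on patterns it knows; the percent-encoded request below shows
why the sensor has to decode HTTP before matching, and why novel attacks
with no signature are left to anomaly-based detection.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_to_bytes


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sid: int
    msg: str
    dport: Optional[int]          # None = any destination port
    pattern: re.Pattern


SIGNATURES = [
    Signature(1001, "WEB-MISC /etc/passwd access", 80, re.compile(rb"/etc/passwd")),
    Signature(1002, "WEB-IIS cmd.exe access", 80, re.compile(rb"cmd\.exe", re.I)),
    Signature(1003, "SHELLCODE x86 NOOP sled", None, re.compile(rb"\x90{16,}")),
]


def normalize_http(payload: bytes) -> bytes:
    """Decode percent-encoding once so byte signatures see the real request."""
    return unquote_to_bytes(payload)


def inspect(packet: Packet, normalize: bool = True) -> list[int]:
    """Return the IDs of every signature the packet matches."""
    data = packet.payload
    if normalize and packet.dport in (80, 8080):
        data = normalize_http(data)
    return [s.sid for s in SIGNATURES
            if (s.dport is None or s.dport == packet.dport) and s.pattern.search(data)]


def scan(packets: list[Packet], normalize: bool = True) -> list[tuple[int, str, str]]:
    """Alerts as (sid, message, source address), one per matching signature."""
    by_sid = {s.sid: s.msg for s in SIGNATURES}
    return [(sid, by_sid[sid], p.src) for p in packets for sid in inspect(p, normalize)]


# Constructed traffic: one benign request, two plain attacks, one
# percent-encoded attack, and a NOP sled aimed at a mail server.
PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.80", 80,
           b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.80", 80,
           b"GET /scripts/..%5c..%5cwinnt/system32/CMD.EXE?/c+dir HTTP/1.1\r\n"),
    Packet("198.51.100.9", "10.0.0.80", 80,
           b"GET /cgi-bin/view?file=..%2f..%2fetc%2fpasswd HTTP/1.1\r\n"),
    Packet("203.0.113.4", "10.0.0.25", 25, b"HELO x\r\n" + b"\x90" * 32 + b"\xcc"),
]

if __name__ == "__main__":
    for alert in scan(PACKETS):
        print(alert)
    print("encoded attack, no normalization:", inspect(PACKETS[3], normalize=False))
```

With normalization off, the fourth packet produces no alert even though it requests the same file as the second; with it on, signature 1001 fires for both. Real sensors carry far more elaborate preprocessing (double decoding, chunked bodies, reassembly), and anything the preprocessor and signature set do not cover is exactly the gap the question's other three answers exist to fill.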
You are the security administrator for your organization. You want to ensure the confidentiality of data on mobile devices. What is the best solution?
A. Device encryption
B. Remote wipe
C. Screen locks
D. AV software
A. Device encryption is the best solution listed to protect the confidentiality of data. By encrypting the data, it makes it much more difficult for a malicious person to make use of the data. Screen locks are a good idea but are much easier to get past than encryption. Antivirus software will not stop an attacker from getting to the data once the mobile device has been stolen. Remote sanitization doesn't keep the data confidential, it removes it altogether! While this could be considered a type of confidentiality, it would only be so if a good backup plan was instituted. Regardless, the best answer with confidentiality in mind is encryption. For example, if the device was simply lost, and was later found, it could be reused (as long as it wasn't tampered with). But if the device was sanitized, it would have to be reloaded and reconfigured before being used again.
You are tasked with implementing a solution that encrypts the CEO's laptop. However, you are not allowed to purchase additional hardware or software. Which of the following solutions should you implement?
A. HSM
B. TPM
C. HIDS
D. USB encryption
B. A TPM (trusted platform module) is a chip on the laptop's motherboard. It generates and protects cryptographic keys and can seal the key used by full disk encryption (FDE), such as BitLocker, to the measured boot state, so the disk unlocks only on that machine with unmodified boot software. Hardware security modules (HSMs) and USB encryption require additional hardware, and a host-based intrusion detection system requires additional software or hardware and does not encrypt anything.
One of your co-workers complains of very slow system performance and says that a lot of antivirus messages are being displayed. The user admits to recently installing pirated software and downloading and installing an illegal keygen to activate the software. What type of malware has affected the user's computer?
A. Worm
B. Logic bomb
C. Spyware
D. Trojan
D. A Trojan was probably installed (unknown to the user) as part of the keygen package. Illegal downloads often contain malware of this nature. At this point, the computer is compromised. Not only is it infected, but malicious individuals might be able to remotely access it.
A smartphone has been lost. You need to ensure 100% that no data can be retrieved from it. What should you do?
A. Remote wipe
B. GPS tracking
C. Implement encryption
D. Turn on screen locks
A. If the device has been lost and you need to be 100% sure that data cannot be retrieved from it, then you should remotely sanitize (or remotely "wipe") the device. This removes all data to the point where it cannot be reconstructed by normal means. GPS tracking might find the device, but as time is spent tracking and acquiring the device, the data could be stolen. Encryption is a good idea, but it only protects the data for as long as the key or passcode holds up, and it does not remove the data; wiping does. Screen locks can be easily circumvented.
A user complains that they were browsing the Internet when the computer started acting erratically and crashed. You reboot the computer and notice that performance is very slow. In addition, after running a netstat command you notice literally hundreds of outbound connections to various websites, many of which are well-known sites. Which of the following has happened?
A. The computer is infected with spyware.
B. The computer is infected with a virus.
C. The computer is now part of a botnet.
D. The computer is now infected with a rootkit.
C. The computer is probably now part of a botnet. The reason the system is running slowly is probably the hundreds of outbound connections to various websites, which is a solid sign of a computer that has become part of a botnet and is being driven by its controller. Spyware, viruses, and rootkits might make the computer run slowly, but on their own they do not usually open hundreds of outbound connections.
Virtualization technology is often implemented as operating systems and applications that run in software. Often, it is implemented as a virtual machine. Of the following, which can be a security benefit when using virtualization?
A. Patching a computer will patch all virtual machines running on the computer.
B. If one virtual machine is compromised, none of the other virtual machines can be compromised.
C. If a virtual machine is compromised, the adverse effects can be compartmentalized.
D. Virtual machines cannot be affected by hacking techniques.
C. By using a virtual machine (which is one example of a virtual instance) any ill effects can be compartmentalized to that particular virtual machine, usually without any ill effects to the main operating system on the computer. Patching a computer does not automatically patch virtual machines existing on the computer. Other virtual machines can be compromised, especially if nothing is done about the problem. Finally, virtual machines can definitely be affected by hacking techniques. Be sure to secure them!
Eric wants to install an isolated operating system. What is the best tool to use?
A. Virtualization
B. UAC
C. HIDS
D. NIDS
A. Virtualization enables a person to install operating systems (or applications) in an isolated area of the computer's hard drive, separate from the computer's main operating system.
Where would you turn off file sharing in Windows Vista?
A. Control Panel
B. Local Area Connection
C. Network and Sharing Center
D. Firewall properties
C. The Network and Sharing Center is where you can disable file sharing in Windows Vista.
Which option enables you to hide ntldr?
A. Enable Hide Protected Operating System Files
B. Disable Show Hidden Files and Folders
C. Disable Hide Protected operating system Files
D. Remove the -R Attribute
A. To hide ntldr you need to enable the Hide Protected Operating System Files checkbox. Keep in mind that you should have already enabled the Show Hidden Files and Folders radio button.
Which of the following should be implemented to harden an operating system? (Select the two best answers.)
A. Install the latest service pack.
B. Install Windows Defender.
C. Install a virtual operating system.
D. Execute PHP scripts.
A and B. Two ways to harden an operating system include installing the latest service pack and installing Windows Defender. However, virtualization is a separate concept altogether, and PHP scripts will generally not be used to harden an operating system.
In Windows 7, Vista, and XP, what is the best file system to use?
A. FAT
B. NTFS
C. DFS
D. FAT32
B. NTFS is the most secure file system for use with Windows 7, Vista, and XP. FAT and FAT32 are older file systems, and DFS is the distributed file system used in more advanced networking.
A customer's computer uses FAT16 as its file system. What file system can you upgrade it to when using the convert command?
A. NTFS
B. HPFS
C. FAT32
D. NFS
A. The Convert command is used to upgrade FAT and FAT32 volumes to the more secure NTFS without loss of data. HPFS is the High Performance File System developed by IBM and not used by Windows. NFS is the Network File System, something you would see in a storage area network.
Which of the following is not an advantage of NTFS over FAT32?
A. NTFS supports file encryption.
B. NTFS supports larger file sizes.
C. NTFS supports larger volumes.
D. NTFS supports more file formats.
D. NTFS and FAT32 support the same number of file formats.
What is the deadliest risk of a virtual computer?
A. If a virtual computer fails, all other virtual computers immediately go offline.
B. If a virtual computer fails, the physical server goes offline.
C. If the physical server fails, all other physical servers immediately go offline.
D. If the physical server fails, all the virtual computers immediately go offline.
D. The biggest risk of running a virtual computer is that it will go offline immediately if the server that it is housed on fails. All other virtual computers on that particular server will also go offline immediately.
Virtualized browsers can protect the OS that they are installed within from which of the following?
A. DDoS attacks against the underlying OS
B. Phishing and spam attacks
C. Man-in-the-middle attacks
D. Malware installation from Internet websites
D. The beauty of a virtualized browser is that regardless of whether a virus or other malware damages it, the underlying operating system will remain unharmed. The virtual browser can be deleted and a new one can be created; or if the old virtual browser was backed up previous to the malware attack, it can be restored.
An administrator wants to reduce the size of the attack surface of Windows Server 2008. Which of the following is the best answer to accomplish this?
A. Update antivirus software.
B. Install service packs.
C. Disable unnecessary services.
D. Install network intrusion detection systems.
C. Often, operating system manufacturers such as Microsoft refer to the attack surface as all the services that run on the operating system. By conducting an analysis of which services are necessary and which are unnecessary, an administrator can find out which ones need to be disabled, thereby reducing the attack surface. Service packs, antivirus software, and network intrusion detection systems (NIDS) are good tools to use to secure an individual computer and the network but do not help to reduce the size of the attack surface of the operating system.
Which of the following is a security reason to implement virtualization in your network?
A. To isolate network services and roles
B. To analyze network traffic
C. To add network services at lower costs
D. To centralize patch management
A. Virtualization of computer servers enables a network administrator to isolate the various network services and roles that a server may play. Analyzing network traffic would have to do more with assessing risk and vulnerability and monitoring and auditing. Adding network services at lower costs deals more with budgeting than with virtualization, although, virtualization can be less expensive. Centralizing patch management has to do with hardening the operating systems on the network scale.
Which of the following needs to be backed up on a domain controller to recover Active Directory?
A. User data
B. System files
C. Operating system
D. System state
D. The system state needs to be backed up on a domain controller to recover the Active Directory database in the future. The system state includes user data and system files but does not include the entire operating system. If a server fails, the operating system would have to be reinstalled, and then the system state would need to be restored.
Which of the following should you implement to fix a single security issue on the computer?
A. Service pack
B. Support website
C. Patch
D. Baseline
C. A patch can fix a single security issue on a computer. A service pack addresses many issues and rewrites many files on a computer; it may be overkill to use a service pack when only a patch is necessary. You might obtain the patch from a support website. A baseline can measure a server or a network to obtain averages of usage.
You finished installing the operating system for a home user. What are three good methods to implement to secure that operating system? (Select the three best answers.)
A. Install the latest service pack.
B. Install a hardware- or software-based firewall.
C. Install the latest patches.
D. Install pcAnywhere.
A, B, and C. After installing an operating system, it's important to install the latest service pack, patches, and a firewall. These three methods can help to secure the operating system. However, pcAnywhere can actually make a computer less secure and should be installed only if the user requests it. pcAnywhere is just one of many examples of remote control software.
Which of the following is one example of verifying new software changes on a test system?
A. Application hardening
B. Virtualization
C. Patch management
D. HIDS
C. Patch management is an example of verifying any new changes in software on a test system (or live systems, for that matter). Verifying the changes (testing) is the second step of the standard patch management strategy. Application hardening might include updating systems, patching them, and so on, but to be accurate, this question is looking for that particular second step of patch management. Virtualization is the creation of logical OS images within a working operating system. HIDS stands for host-based intrusion detection system, which attempts to detect malicious activity on a computer.
You have been tasked with protecting an operating system from malicious software. What should you do? (Select the two best answers.)
A. Disable the DLP.
B. Update the HIPS signatures.
C. Install a perimeter firewall.
D. Disable unused services.
E. Update the NIDS signatures.
B and D. Updating the host-based intrusion prevention system is important. Without the latest signatures, the HIPS will not be at its best when it comes to protecting against malware. Also, disabling unused services will reduce the attack surface of the OS, which in turn makes it more difficult for attacks to access the system and run malicious code. Disabling the data leakage prevention device would not aid the situation, and it would probably cause data leakage from the computer. Installing a perimeter firewall won't block malicious software from entering the individual computer. A personal firewall would better reduce the attack surface of the computer, but it is still not meant as an antimalware tool. Updating the NIDS signatures will help the entire network, but might not help the individual computer. In this question we want to focus on the individual computer, not the network. In fact, given the scenario of the question, you do not even know if a network exists.
Which of the following is one way of preventing spyware from being downloaded?
A. Use firewall exceptions.
B. Adjust Internet Explorer security settings.
C. Adjust the Internet Explorer home page.
D. Remove the spyware from Add/Remove Programs.
B. Adjust the Internet Explorer security settings so that security is at a higher level, and add trusted and restricted websites.
What key combination should be used to close a pop-up window?
A. Windows+R
B. Ctrl+Shift+Esc
C. Ctrl+Alt+Del
D. Alt+F4
D. Alt+F4 is the key combination that is used to close an active window. Sometimes it is okay to click the X, but malware creators are getting smarter all the time; the X could be a ruse.
Which protocol can be used to secure the e-mail login from an Outlook client using POP3 and SMTP?
A. SMTP
B. SPA
C. SAP
D. Exchange
B. SPA (Secure Password Authentication) is a Microsoft protocol used to authenticate e-mail clients. S/MIME and PGP can be used to secure the actual e-mail transmissions.
What are two ways to secure Internet Explorer? (Select the two best answers.)
A. Set the Internet zone's security level to High.
B. Disable the pop-up blocker.
C. Disable ActiveX controls.
D. Add malicious sites to the Trusted Sites zone.
A and C. By increasing the Internet zone security level to high, you employ the maximum safeguards for that zone. ActiveX controls can be used for malicious purposes; disabling them makes it so that they do not show up in the browser. Disabling a pop-up blocker and adding malicious sites to the Trusted Sites zone would make Internet Explorer less secure.
Heaps and stacks can be affected by which of the following attacks?
A. Buffer overflows
B. Rootkits
C. SQL injection
D. Cross-site scripting
A. Stacks and heaps are data structures that can be affected by buffer overflows. Value types are stored in a stack, whereas reference types are stored in a heap. An ethical coder will try to keep these running efficiently. An unethical coder will attempt to use a buffer overflow to affect heaps and stacks that in turn could affect the application in question or the operating system. The buffer overflow might be initiated by certain inputs and can be prevented by bounds checking.
As part of your user awareness training, you recommend that users remove which of the following when they finish accessing the Internet?
A. Instant messaging
B. Cookies
C. Group policies
D. Temporary files
B. The best answer is cookies, which can be used for authentication and session tracking and can be read as plain text. They can be used by spyware and can track people without their permission. It is also wise to delete temporary Internet files as opposed to temporary files.
Which statement best applies to the term Java applet?
A. It decreases the usability of web-enabled systems.
B. It is a programming language.
C. A web browser must have the capability to run Java applets.
D. It uses digital signatures for authentication.
C. To run Java applets, a web browser must have that option enabled. Java increases the usability of web-enabled systems, and Java is a programming language. It does not use digital signatures for authentication.
Which of the following concepts can ease administration but can be the victim of malicious attack?
A. Zombies
B. Backdoors
C. Buffer overflow
D. Group policy
B. Backdoors were originally created to ease administration. However, hackers quickly found that they could use these backdoors for a malicious attack.
In an attempt to collect information about a user's activities, which of the following will be used by spyware?
A. Tracking cookie
B. Session cookie
C. Shopping cart
D. Persistent cookie
A. A tracking cookie will be used, or misused, by spyware in an attempt to access a user's activities. Tracking cookies are also known as browser cookies, HTTP cookies, or simply cookies. Shopping carts take advantage of cookies to keep the shopping cart reliable.
What is it known as when a web script runs in its own environment and does not interfere with other processes?
A. Quarantine
B. Honeynet
C. Sandbox
D. VPN
C. When a web script runs in its own environment for the express purpose of not interfering with other processes, it is known as running in a sandbox. Often, the sandbox will be used to create sample scripts before they are actually implemented. Quarantining is a method used to isolate viruses. A honeynet is a collection of servers used to attract hackers and isolate them in an area where they can do no damage. VPN is short for virtual private network, which enables the connection of two hosts from remote networks.
How can you train a user to easily determine whether a web page has a valid security certificate? (Select the best answer.)
A. Have the user contact the webmaster.
B. Have the user check for HTTPS://.
C. Have the user click the padlock in the browser and verify the certificate.
D. Have the user call the ISP.
C. In Internet Explorer, the user should click the padlock in the browser; this will show the certificate information. Often, the address bar will have different colors as the background; for example, blue or green means that the certificate is valid, whereas red or pink indicates a problem. In Firefox, click the name of the website listed in the address bar just before where it says HTTPS to find out the validity of the certificate. Contacting the webmaster and calling the ISP are time-consuming, not easily done, and not something that an end user should do. Although HTTPS:// can tell a person that the browser is now using the hypertext transfer protocol secure, it does not necessarily determine whether the certificate is valid.
To code applications in a secure manner, what is the best practice to use?
A. Cross-site scripting
B. Flash version 3
C. Input validation
D. HTML version 5
C. Input validation is the best practice to use when coding applications. This is important when creating web applications or web pages that require information to be inputted by the user.
An organization hires you to test an application that you have limited knowledge of. You are given a login to the application, but do not have access to source code. What type of test are you running?
A. White box
B. Gray box
C. Black box
D. SDLC
B. A gray box test is when you are given limited information about the system you are testing. Black box testers are not given logins, source code, or anything else, though they may know the functionality of the system. White box testers are given logins, source code, documentation, and more. SDLC stands for Systems Development Life Cycle, of which these types of tests are just a part.
You check the application log of your web server and see that someone attempted unsuccessfully to enter the text "test; etc/passwd" into an HTML form field. Which attack was attempted?
A. SQL injection
B. Code injection
C. Command injection
D. Buffer overflow
C. In this case a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. If the attacker tried to inject code, he would not use commands, but rather PHP, ASP, or another language. SQL injections are usually run on databases, not web servers' HTML forms. Buffer overflows have to do with memory and how applications utilize it.
An attacker takes advantage of a vulnerability in programming, which allows the attacker to copy more than 16 bytes to a standard 16-byte variable. Which attack is being initiated?
A. Directory traversal
B. Command injection
C. XSS
D. Buffer overflow
D. A buffer overflow can be initiated when a string variable is not programmed correctly—for example, if the variable allows for more than the standard amount of bytes. Directory traversal is when an attacker uses commands and code to access unauthorized parent directories. Command injection is when commands and command syntax are entered into an application or OS. XSS or cross-site scripting is when code is injected into a website form to obtain information and unauthorized access.
What's the best way to prevent SQL injection attacks on web applications?
A. Input validation
B. Host-based firewall
C. Add HTTPS pages
D. Update the web server
A. Input validation is the best way to prevent SQL injection attacks on web servers and database servers (or combinations of the two). Host-based firewalls aid in preventing network attacks but not necessarily coded attacks of this type. HTTPS pages initiate a secure transfer of data, but they don't necessarily lock out attackers that plan on using SQL injection. Updating the web server is a good idea, but will have little if any effect on the forms that are written by the web programmer.
Which of the following attacks uses a JavaScript image tag in an e-mail?
A. SQL injection
B. Cross-site scripting
C. Cross-site request forgery
D. Directory traversal
B. Cross-site scripting (XSS) can be initiated on web forms or through e-mail. It often uses JavaScript to accomplish its means. SQL injection is when code (SQL-based) is inserted into forms or databases. Cross-site request forgery (XSRF) is when a user's browser sends unauthorized commands to a website, without the user's consent. Directory traversal is when an attacker attempts to gain access to higher directories in an OS.
Which of the following should occur first when developing software?
A. Fuzzing
B. Penetration testing
C. Secure code review
D. Patch management
C. Of the listed answers, secure code review should happen first in the SDLC. It should be followed by fuzzing and penetration testing in that order. Patch management is a recurring theme until the software meets the end of its life cycle.
You are the security administrator for a multimedia development company. Users are constantly searching the Internet for media, information, graphics, and so on. You receive complaints from several users about unwanted windows appearing on their displays. What should you do?
A. Install antivirus software
B. Install pop-up blockers
C. Install screensavers
D. Install a host-based firewall
B. The windows that are being displayed are most likely pop-ups. Standard pop-up blockers will prevent most of these. Antivirus software of itself does not have pop-up blocking technology but might be combined in a suite of antimalware software that does have pop-up blocking capability. Screensavers won't affect the users' web sessions. Host-based firewalls are a good idea and will prevent attacks, but since a firewall will allow the connections that users make to websites, it cannot stop pop-ups.
You have analyzed what you expect to be malicious code. The results show that JavaScript is being utilized to send random data to a separate service on the same computer. What attack has occurred?
A. DoS
B. SQL injection
C. LDAP injection
D. Buffer overflow
D. Buffer overflows can be initiated by sending random data to other services on a computer. While JavaScript is commonly used in XSS attacks, it can also be used to create a buffer overflow. DoS stands for denial of service, which is when a computer sends many packets to a server or other important system in the hope of making that system fail. SQL and LDAP injection will not use JavaScript.