Security +


1. Your corporate network has been unavailable to outside users for several hours. Your internal users have not been able to access the Internet either during this time period. After some investigation, your firewall logs show millions of dropped packets. You determine that the packets are malformed. What type of attack are you being subjected to?

A. Denial of Service attack
B. Replay attack
C. Spoofing attack
D. Dictionary attack

>> !
Answer: A

A Denial of Service (DoS) attack is just that: one designed to deny authorized, legitimate users access to a network or network resource. An attacker has many ways to launch one. A common approach is to use worms or Trojans to plant "zombie bots" on hundreds or thousands of computers and then command them from a single controller to flood a target IP address simultaneously; when the flood comes from many sources at once it is a Distributed DoS (DDoS). Packets are often intentionally malformed or misaddressed so that infrastructure devices such as firewalls and routers exhaust CPU or state tracking them and, in the process, stop passing legitimate traffic. Millions of dropped, malformed packets coinciding with a loss of connectivity in both directions is the classic signature.

A Replay Attack is one in which packets are captured in transit between two parties and later retransmitted, with or without modification, so that one or both of the original parties unwittingly trusts the attacker and performs an action of the attacker's choice or sends information to the attacker.

A Spoofing attack is one in which a message appears to originate from one source when it in fact came from another. Email-borne Trojans and worms commonly use it for replication (Nimda, for example), and it is popular in attacks on wireless networks (MAC address spoofing to get past MAC filtering).

A Dictionary Attack is one in which a key or password is guessed by working through a wordlist pre-populated with commonly used words and phrases, such as "thequickbrownfox."


2. Your corporate Web servers in the DMZ are being saturated with TCP SYN packets. They are responding with the required TCP SYNACK packets, but the originating client is not completing the TCP connection process. What type of attack are you experiencing?

A. Denial of Service attack
B. Replay attack
C. Spoofing attack
D. SYN Flood attack

>> !
Answer: D

The SYN Flood is another form of Denial of Service (DoS) attack. Normally, when a client connects to a Web server, the server records a half-open connection (an entry in its listen backlog) for the pending connection and responds with a TCP SYN/ACK. If the client never sends the expected ACK, that entry stays allocated, with no valid traffic using it, until it times out. If an attacker sends thousands of SYNs in a short period, typically from spoofed source addresses so the SYN/ACKs go nowhere, the backlog fills and the server can no longer accept new connections. It stays unavailable until entries time out, and the TCP stack's timeout for half-open connections is far longer than the attacker needs to refill the backlog. Modern stacks mitigate this with SYN cookies, which encode the connection state in the SYN/ACK sequence number instead of allocating a backlog entry, and with shorter SYN-RECEIVED timeouts.

A Denial of Service (DoS) attack is just that: one designed to deny authorized, legitimate users access to a network or network resource. An attacker has many ways to launch one. A common approach is to use worms or Trojans to plant "zombie bots" on hundreds or thousands of computers and then command them from a single controller to flood a target IP address simultaneously; when the flood comes from many sources at once it is a Distributed DoS (DDoS). Packets are often intentionally malformed or misaddressed so that infrastructure devices such as firewalls and routers exhaust CPU or state tracking them and, in the process, stop passing legitimate traffic. A SYN Flood is a specific DoS technique, so D is the more precise answer here.

A Replay Attack is one in which packets are captured in transit between two parties and later retransmitted, with or without modification, so that one or both of the original parties unwittingly trusts the attacker and performs an action of the attacker's choice or sends information to the attacker.

A Spoofing attack is one in which a message appears to originate from one source when it in fact came from another. Email-borne Trojans and worms commonly use it for replication (Nimda, for example), and it is popular in attacks on wireless networks (MAC address spoofing to get past MAC filtering).


3. While examining the traffic logs from your firewall you notice a large amount of inbound traffic that appears to be coming from the 192.0.0.0/24 IP address range. Your internal network uses the 192.0.0.0/24 IP address range. You have determined that the source of the traffic is the Internet. What type of attack are you being subjected to?

A. Denial of Service attack
B. Replay attack
C. IP Spoofing attack
D. SYN Flood attack

>> !
Answer: C

An IP Spoofing attack forges the source IP address of packets so that they appear to come from an address the network trusts, in order to get past devices that would otherwise reject the traffic. Your own internal address block should never appear as a source on the Internet-facing interface of the firewall, so these packets must be forged. Fix the firewall rules to drop inbound traffic whose source is any of your internal ranges and, more generally, anything from the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), since those are not routable on the Internet. (Strictly, the 192.0.0.0/24 block in the question is not one of the RFC 1918 private ranges, but the reasoning holds regardless: the packets claim to come from inside your own network, which is impossible on the outside interface.) Ingress filtering of this kind is described in BCP 38 / RFC 2827.

A Denial of Service (DoS) attack is just that: one designed to deny authorized, legitimate users access to a network or network resource. An attacker has many ways to launch one. A common approach is to use worms or Trojans to plant "zombie bots" on hundreds or thousands of computers that can then be commanded from one controller to flood a target IP address; when the flood comes from many sources at once it is a Distributed DoS (DDoS). Packets are often intentionally malformed or misaddressed so that infrastructure devices such as firewalls and routers exhaust CPU or state tracking them and, in the process, stop passing legitimate traffic.

A Replay Attack is one in which packets are captured in transit between two parties and later retransmitted, with or without modification, so that one or both of the original parties unwittingly trusts the attacker and performs an action of the attacker's choice or sends information to the attacker.

The SYN Flood is another form of Denial of Service (DoS) attack. Normally, when a client connects to a Web server, the server records a half-open connection (an entry in its listen backlog) for the pending connection and responds with a TCP SYN/ACK. If the client never sends the expected ACK, that entry stays allocated, with no valid traffic using it, until it times out. If an attacker sends thousands of SYNs in a short period, typically from spoofed source addresses so the SYN/ACKs go nowhere, the backlog fills and the server can no longer accept new connections. It stays unavailable until entries time out, and the TCP stack's timeout for half-open connections is far longer than the attacker needs to refill the backlog. Modern stacks mitigate this with SYN cookies and shorter SYN-RECEIVED timeouts.
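As an added illustration (not part of the original question set), here is a small ingress-filter check in Python that applies the reasoning above to firewall log lines: any packet arriving on the Internet-facing interface whose source is one of your own internal prefixes, or any non-routable block, is flagged as spoofed. The log format, interface names and addresses are constructed for the example; real firewalls have their own log syntax.

```python
import ipaddress
import re

# Address blocks that should never arrive as a *source* on the Internet-facing
# interface: RFC 1918 private space plus loopback and link-local.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed log format for this example (not any vendor's real syntax):
#   <iface> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[0-9.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    try:
        d["src"] = ipaddress.ip_address(d["src"])
        d["dst"] = ipaddress.ip_address(d["dst"])
    except ValueError:
        return None
    return d

def is_spoofed_source(src, internal_nets, external_iface, iface):
    """Return a reason string if a packet entering on the external interface carries
    a source address that cannot legitimately come from the Internet, else None."""
    if iface != external_iface:
        return None                      # egress filtering is out of scope here
    for net in internal_nets:
        if src in net:
            return f"source {src} is in our own internal block {net}"
    for net in BOGON_SOURCES:
        if src in net:
            return f"source {src} is in non-routable block {net}"
    return None

def find_spoofed(lines, internal_nets, external_iface="outside"):
    """Run the ingress check over log lines; returns [(line, reason), ...]."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = is_spoofed_source(rec["src"], internal, external_iface, rec["iface"])
        if reason:
            hits.append((line.strip(), reason))
    return hits

# Constructed sample log: the second and third lines are spoofed, the fourth is
# legitimate internal traffic seen on the inside interface.
SAMPLE_LOG = """\
outside accept tcp 203.0.113.7:51234 -> 198.51.100.10:443
outside drop  tcp 192.0.0.25:40001 -> 198.51.100.10:80
outside accept udp 10.4.4.4:53 -> 198.51.100.10:53
inside  accept tcp 192.0.0.25:40002 -> 198.51.100.10:80
outside accept tcp 198.51.100.200:2222 -> 198.51.100.10:22
""".splitlines()

if __name__ == "__main__":
    for line, reason in find_spoofed(SAMPLE_LOG, ["192.0.0.0/24"]):
        print(f"SPOOFED: {line}\n   -> {reason}")
```

The internal prefix list is whatever the question's network uses (here 192.0.0.0/24); the same check with the RFC 1918 list is what BCP 38 asks every edge to apply.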


4. You have recently been hired to perform a security audit of the Infosystems Incorporated company network. You just got off the phone with Rick, one of the help desk workers. Rick was nice enough to reset your password for you since you forgot it. Rick also informed you of the new password. Therefore, you should be able to log into the network. You do not have a user account on the network. What type of attack did you successfully perform against the network?

A. Social Engineering
B. Denial of Service attack
C. Replay attack
D. Spoofing attack

>> !
Answer: A

Social Engineering is the soft-skill side of attacking a system. It is used to gain easy access to a network or system without expending effort on the usual hacker tools. Instead it relies on techniques such as obtaining information or credentials over the phone by impersonating a user, or a contractor who legitimately needs access to a secure area to perform an assigned task but lacks it through some oversight. In the scenario, the help desk reset and disclosed a password to a caller whose identity it had no way to verify; the countermeasure is a reset procedure that verifies identity before any credential is issued.

A Denial of Service (DoS) attack is just that: an attack designed to deny authorized, legitimate users access to a network or network resource. An attacker has many ways to launch one. A common approach is to use worms or Trojans to plant "zombie bots" on hundreds or thousands of computers that can then be commanded from one controller to flood a target IP address; when the flood comes from many sources at once it is a Distributed DoS (DDoS). Packets are often intentionally malformed or misaddressed so that infrastructure devices such as firewalls and routers exhaust CPU or state tracking them and, in the process, stop passing legitimate traffic.

A Replay Attack is one in which packets are captured in transit between two parties and later retransmitted, with or without modification, so that one or both of the original parties unwittingly trusts the attacker and performs an action of the attacker's choice or sends information to the attacker.

A Spoofing attack is one in which a message appears to originate from one source when it in fact came from another. Email-borne Trojans and worms commonly use it for replication (Nimda, for example), and it is popular in attacks on wireless networks (MAC address spoofing to get past MAC filtering).


5. Which of the following is UNTRUE with regard to password security?

A. Passwords should be kept secret.
B. Passwords should be of a sufficient length.
C. Brute force attacks try every possible combination of characters to crack a password.
D. Using something personal, such as your pet's name, provides a secure password.

>> !
Answer: D

Although you may be the only person who knows your pet's name, such a password will most likely be cracked within minutes by a dictionary cracker, since pet names, first names and common words (often with a digit or two appended) are exactly what wordlists contain. A brute-force cracker will find it even if the name is not in any dictionary, because a short password drawn from a small character set has a small keyspace.

Passwords should be kept secret. If passwords are written down, they should be kept in a safe location away from public view.

Passwords should be of sufficient length. Eight characters was the generally accepted minimum when this was written; current guidance favors longer passphrases, since each added character multiplies the brute-force keyspace.

Two common types of password attacks exist:
* Dictionary attacks try every word in a wordlist, usually with simple mangling rules (capitalization, appended digits or years). Passwords made up of dictionary words will be cracked with ease.
* Brute force attacks try every combination of characters from a chosen character set up to a given length (for example the 95 printable ASCII characters) and so will eventually find any password; the cost grows exponentially with length, which is why length matters more than any single "clever" substitution.
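To make the two attack types concrete, here is an added Python example (not from the original page) that cracks a salted SHA-256 hash first with a small wordlist plus common mangling rules, then by brute force over a small character set, and computes the size of the keyspace a brute-force attack faces. The wordlist, passwords and salt are constructed for the demonstration; the hash is deliberately a fast one to keep the example short, whereas a real password store should use a slow KDF such as bcrypt, scrypt or Argon2.

```python
import hashlib
import itertools
import string

def hash_password(password, salt):
    """Salted SHA-256, used only to make the cracking flow concrete. A real password
    store should use a slow, memory-hard KDF (bcrypt, scrypt, Argon2) to raise the
    attacker's cost per guess by orders of magnitude."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Constructed mini wordlist; a real cracker loads lists with millions of entries.
WORDLIST = ["password", "letmein", "fluffy", "rex", "summer", "dragon"]

def mangle(word):
    """Typical cracker rules: as-is, capitalised, a trailing digit, a trailing year."""
    yield word
    yield word.capitalize()
    for d in range(10):
        yield f"{word}{d}"
        yield f"{word.capitalize()}{d}"
    for year in range(1990, 2030):
        yield f"{word}{year}"

def dictionary_attack(target_hash, salt, wordlist=WORDLIST):
    """Try every wordlist entry under every rule. Returns (password, attempts) on
    success, or (None, attempts) when the password is not derivable from the list."""
    attempts = 0
    for word in wordlist:
        for guess in mangle(word):
            attempts += 1
            if hash_password(guess, salt) == target_hash:
                return guess, attempts
    return None, attempts

def brute_force_attack(target_hash, salt, alphabet, max_len):
    """Exhaustive search of every string up to max_len over alphabet. Finds anything
    eventually, but the candidate count grows as len(alphabet) ** length."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(chars)
            if hash_password(guess, salt) == target_hash:
                return guess, attempts
    return None, attempts

def keyspace(alphabet_size, max_len):
    """Worst-case number of candidates a brute-force attack must try for all
    lengths from 1 up to max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

if __name__ == "__main__":
    salt = b"constructed-salt"
    pet_hash = hash_password("Fluffy7", salt)        # "personal" password from a pet's name
    print("dictionary vs Fluffy7:", dictionary_attack(pet_hash, salt))
    short_hash = hash_password("z9q", salt)          # not a word, but 3 chars from 36 symbols
    print("dictionary vs z9q    :", dictionary_attack(short_hash, salt))
    print("brute force vs z9q   :", brute_force_attack(
        short_hash, salt, string.ascii_lowercase + string.digits, 3))
    print("keyspace, 95 printable ASCII chars, up to 8 long:", keyspace(95, 8))
```

The pet-name password falls after a few hundred guesses to the dictionary pass; the three-character random string survives the wordlist but falls to brute force in a few tens of thousands of guesses, and the keyspace figure shows how quickly that count grows with length and alphabet size.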


6. Which of the following is untrue of tokens?

A. Tokens are considered more secure than passwords.
B. Tokens can be asynchronous or synchronous.
C. Tokens provide a one time password.
D. Tokens are a form of single sign on authentication.

>> !
Answer: D

Tokens provide a one-time password (OTP). Every time a user authenticates with a token a different passcode is used. Tokens can be software or hardware based and usually require a PIN in combination with the generated passcode (something you know plus something you have) for successful authentication.

Since a token passcode is usable only once, a captured passcode is worthless to an attacker, which makes the token considerably more secure than a static password.

Tokens can be asynchronous or synchronous. An asynchronous token uses challenge-response: the server issues a challenge and the token computes the response from it and the shared secret, so the passcode is bound to that challenge and, although usable only once, does not expire on a clock. A synchronous token shares a secret with the server and both derive the passcode from a synchronized counter or clock; a time-based passcode must be entered within a valid window (often 30 to 60 seconds) or it expires.

Tokens do not provide single sign-on (SSO). SSO lets a user authenticate once and then reach all subsequent services on the strength of that initial authentication, whereas with a token each new authentication requires a fresh passcode. A token can be the credential used for that single SSO login, but the token itself is not an SSO mechanism.
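The distinction between synchronous and asynchronous tokens is easiest to see in code. The following is an added Python example, not part of the original page, implementing the two standard OTP constructions: HOTP/TOTP (RFC 4226 / RFC 6238, the synchronous case, verified with a one-step clock-skew window and replay protection) and a challenge-response scheme (the asynchronous case, where the response is bound to a server-issued nonce rather than to the clock). The shared secret and nonces are constructed for the example; the HOTP/TOTP outputs match the RFC test vectors.

```python
import hashlib
import hmac
import secrets
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (synchronous token)."""
    return hotp(secret, int(unix_time) // step, digits)

class SynchronousVerifier:
    """Server side of a time-synchronous token: accept the code for the current
    time step or one step either side (clock drift), and never accept a step
    that has already been consumed, so a captured code cannot be replayed."""
    def __init__(self, secret, step=30, skew_steps=1):
        self.secret, self.step, self.skew = secret, step, skew_steps
        self.last_step_used = -1

    def verify(self, code, now):
        current = int(now) // self.step
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step_used:
                continue                          # replay of an already-used window
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step_used = step
                return True
        return False

class ChallengeResponseVerifier:
    """Asynchronous token: the server issues a random challenge and the token
    returns HMAC(secret, challenge). The response is tied to that one challenge,
    not to a clock, so it is single-use but does not expire on a timer."""
    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def token_response(self, nonce):
        # What the user's token computes from the displayed challenge (demo only).
        return hmac.new(self.secret, nonce, hashlib.sha256).hexdigest()[:8]

    def verify(self, nonce, response):
        if nonce not in self.outstanding:
            return False                          # unknown or already-consumed challenge
        self.outstanding.discard(nonce)           # single use
        return hmac.compare_digest(self.token_response(nonce), response)

if __name__ == "__main__":
    secret = b"12345678901234567890"             # constructed shared secret (the RFC test-vector key)
    now = time.time()
    code = totp(secret, now)
    server = SynchronousVerifier(secret)
    print("TOTP", code, "accepted:", server.verify(code, now), "replay:", server.verify(code, now))
    cr = ChallengeResponseVerifier(secret)
    nonce = cr.challenge()
    resp = cr.token_response(nonce)
    print("challenge-response accepted:", cr.verify(nonce, resp), "replay:", cr.verify(nonce, resp))
```

The PIN mentioned above would normally be checked by the server before the passcode, and hardware tokens differ only in where the secret lives; the verification logic is the same.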


7. Which of the following security models is used to map access control with organizational structure?

A. Mandatory Access Control
B. Discretionary Access Control
C. Rule Based Access Control
D. Role Based Access Control

>> !
Answer: D

Role Based Access Control (RBAC) assigns permissions to roles, which identify the level of access a user or group of users has, and then assigns users to roles. For example, an administrator is placed in an Administrators role and access control is defined for that role rather than for individual users. Because roles mirror job functions, this maps access control onto organizational structure and significantly reduces systems and security administration.

Mandatory Access Control (MAC) uses security labels (such as classification levels) on subjects and objects to determine whether access is permissible. MAC is centrally managed but requires that every object be given a specific label.

Discretionary Access Control (DAC) is a distributed method for controlling access. A data or process owner will have the discretion to determine who will have access to a resource.

Rule Based Access Control (sometimes written RuBAC to distinguish it from role-based) uses access control lists to determine how resources are accessed. This type of access control maps closely to policies (for example, time-of-day or source-address rules) rather than to organizational structure.


8. Beyond the issue of clear text, which of the following is a security concern with Instant Messaging (IM)?

A. File transfers containing malicious code.
B. No user authentication.
C. No audit trails.
D. Lack of standards.

>> !
Answer: A

Instant Messaging (IM) is rising in popularity alongside email. Some years ago there were no IM standards. IM is relatively free of spam because users invite contacts onto a pre-screened list. IM clients authenticate users, so IM can provide an audit trail.

The largest concern beyond the clear-text nature of some IM is that it can transfer files, and there are not many options for scanning IM file transfers for malicious code, so a file sent over IM bypasses the malware scanning applied at the email gateway.

The clear-text nature of IM has been addressed in more recent clients, which encrypt their traffic.


9. What is the difference between JavaScript and ActiveX?

A. JavaScript is human readable code, ActiveX is machine code instructions.
B. JavaScript is machine code instructions, ActiveX is human readable code.
C. ActiveX is generic, JavaScript requires compiling for specific platforms.
D. JavaScript provides for digital code signing, ActiveX does not.

>> !
Answer: A

JavaScript and ActiveX both let a web page run code in the browser, but in different ways. An ActiveX control is compiled native code that runs with the full privileges of the user on the Windows operating system; JavaScript is interpreted, human-readable source that runs inside the browser's sandbox, which limits what it can do to the host.

Because ActiveX ships as compiled code, its source is not directly visible to whoever downloads it, whereas anyone can read (and help themselves to) JavaScript you have written. That is an intellectual-property convenience, not a security control: compiled code can still be disassembled.

Microsoft's protection against malicious ActiveX controls is Authenticode code signing: the control is signed with a certificate so the browser can show who published it. Signing proves origin, not safety, a point made by proof-of-concept malicious controls that were signed with a legitimately obtained certificate.


10. Anonymous FTP is accomplished by entering which of the following?

A. Email address as user name and anonymous as the password.
B. User name anonymous and email address for a password.
C. Site name for the username and "password" for password.
D. Current date for username and "password" for password.

>> !
Answer: B

Depending on your background, this question is either a "well, duh" or a "really?" Years ago web browsers didn't do FTP; you had to use an FTP client and type this in by hand. Browsers later supported FTP via hyperlinks, though current browsers have removed FTP support again, so a dedicated client is once more required.

When doing anonymous FTP the user name is "anonymous" and, by convention, the password is the user's email address; most servers accept any string and merely log it. Note that FTP sends credentials and data in clear text, which is tolerable only because anonymous access carries no secret.


11. What is the maximum data rate for 802.11b?

A. 11Mbps
B. 54Mbps
C. 1Mbps
D. 2Mbps

>> !
Answer: A

The 802.11b specification supports a maximum data rate of 11Mbps. 1Mbps, 2Mbps and 5.5Mbps are fall-back rates the radio drops to because of distance, interference or congestion at an access point.

54Mbps is the maximum for 802.11a and 802.11g.


12. You are the assistant systems manager for your medium sized company's network. You've been assigned to establish a terminal connection from a supervisor's PC to the main UNIX finance system. Which of the following protocols would provide the greatest security for this connection?

A. Telnet
B. RSH
C. SSH version 1
D. SSH version 2

>> !
Answer: D

Secure Shell (SSH) version 2 provides greater security than SSH version 1 (SSH-1 has known protocol weaknesses, including a weak CRC-32 integrity check that allows packet insertion) and is the only version that should be used for encrypted terminal traffic today.

SSH version 1 also encrypts all data crossing the network and is far better than the two alternatives below, but because of its protocol flaws it should be disabled wherever version 2 is available.

Telnet is a common terminal application that is not secure, since it sends everything, including the login credentials, across the network in plain text.

Remote Shell (RSH) is, by default, even less secure than Telnet: it also sends data in plain text, and instead of a password it relies on trusted-host files (.rhosts / hosts.equiv), which trust the client's IP address and claimed user name and are trivially spoofed.


13. PPTP uses which port number?

A. UDP 1723
B. TCP 1723
C. TCP and UDP 1723
D. Port 1723 is not used with PPTP

>> !
Answer: B

The 'trick' with any firewall configuration is to open ports 'just enough' for the network to function without giving easy access to an attacker. PPTP's control channel uses TCP 1723; the tunnelled data travels in GRE (IP protocol 47), which has no port number, so a firewall must also permit protocol 47 for PPTP to work.

Since the control channel is TCP 1723 only, the alternate choices are incorrect.

Other common port numbers include:

DNS: TCP and UDP port 53
FTP: TCP ports 20 (data) and 21 (control)
IKE (IPsec key exchange): UDP port 500, and UDP 4500 with NAT traversal; AH and ESP themselves are IP protocols 51 and 50, not ports
HTTP: TCP port 80
HTTPS: TCP port 443
NNTP: TCP port 119
POP3: TCP port 110
SMTP: TCP port 25
SSH: TCP port 22
Telnet: TCP port 23
TFTP: UDP port 69


14. Which of the following are NOT Wireless Application Protocol (WAP) layers? (Choose all that apply)

A. WAE
B. WTLS
C. WSL
D. WEP
E. WML

>> !
Answer: D & E

The following are WAP layers:

  • WAE - Wireless Application Environment
  • WSP - Wireless Session Protocol (the session layer; option C abbreviates it WSL)
  • WTP - Wireless Transaction Protocol
  • WTLS - Wireless Transport Layer Security
  • WDP - Wireless Datagram Protocol

Wired Equivalent Privacy (WEP) is not a WAP layer; it is the original 802.11 method of using pre-shared keys to encrypt traffic between a wireless client and an access point. Its RC4 key scheduling is weak enough that the key can be recovered from captured traffic, and it has long been superseded by WPA2/WPA3.

Wireless Markup Language (WML) is a stripped-down tag-based language derived from HTML (strictly, an XML application) and designed for low-speed wireless devices such as PDAs and handheld telephones. It is content carried by WAP, not a layer of it.


15. SSL uses which port number?

A. TCP 443
B. UDP 443
C. TCP and UDP 443
D. SSL does not use port 443

>> !
Answer: A

When configuring a firewall, only the ports that are needed should be open. HTTPS, that is HTTP over SSL, uses TCP 443, so that port must be allowed for secure web traffic. This reduces exposure but does not eliminate it: an attack carried inside a permitted port passes the filter. See http://online.securityfocus.com/archive/75/259421

Because SSL (Secure Sockets Layer) traffic is encrypted, an attack inside it is difficult to distinguish from legitimate traffic at the network layer.

Because SSL is carried over TCP (port 443 for HTTPS), the other choices are not correct. Note that SSL itself is not tied to a port: other protocols run it on their own ports (SMTPS on TCP 465 and LDAPS on TCP 636, for example).


16. In which of the following strengths is SSL available? (Choose all that apply)

A. 56 bit
B. 1024 bit
C. 160 bit
D. 40 bit
E. 128 bit

>> !
Answer: D & E

At the time of the question, SSL (Secure Sockets Layer) was offered in 40-bit and 128-bit strengths, referring to the symmetric session cipher. The 40-bit "export" ciphers existed because, until US export rules were relaxed in 2000, 128-bit SSL could not be shipped outside the US. Both SSL and the export ciphers are now obsolete: TLS with AES-128 or AES-256 is used instead, and a 40-bit key can be brute-forced quickly.

DES (Data Encryption Standard) uses 56-bit keys.

RSA (Rivest, Shamir, Adleman) has commonly used 512, 1024 and 2048-bit keys. Since RSA is public-key (asymmetric) cryptography, its keys must be much longer than those of symmetric ciphers such as DES for comparable strength; 512-bit RSA has been factored and 1024-bit is no longer considered adequate, so 2048 bits or more is used today.

SHA-1 (Secure Hash Algorithm 1) is a hash function historically used in digital signatures. It produces a 160-bit digest from a message of any length; a hash is not encryption, since it cannot be reversed. SHA-1 is no longer considered collision-resistant and has been replaced by the SHA-2 family for signatures.


17. Which of the following is the standard that provides for extensible authentication over both physical media and wireless links?

A. 802.1x
B. 802.11a
C. 802.11b
D. 802.11g

>> !
Answer: A

It is easy to confuse the offerings in the 802 series because the numbering and lettering schemes do not lend themselves to easy differentiation.

802.1X is port-based network access control for both wired and wireless LAN media. It carries EAP (Extensible Authentication Protocol, originally RFC 2284, now RFC 3748) between the client and the authenticator, and so supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates and public-key authentication.

802.11a operates in the 5 GHz band and gives wireless LANs 54Mbps throughput.

802.11b operates in the 2.4 GHz band with a maximum throughput of 11Mbps.

802.11g operates at 2.4 GHz, offers 54Mbps and is backwards compatible with 802.11b (at 11Mbps).


18. A malicious piece of code that is similar to a Trojan horse, although triggered by a particular event or after a particular period of time, is also known as which of the following?

A. Spam
B. Social engineering
C. Spoofing
D. Logic bomb

>> !
Answer: D

A logic bomb is similar to a Trojan in that it performs an unexpected or malicious action, but only once a certain sequence of events has occurred or a particular date or time has been reached; until then it lies dormant.

Unsolicited mail in any quantity is known as spam. Flooding one recipient with large quantities of mail is known as mail bombing.

Spoofing involves using a stolen or forged identity. Mail spoofing means masquerading as another user or crafting a message so that it appears to come from a source other than the real sender.

Social engineering involves masquerading as someone with authority or a legitimate need and tricking a user into providing confidential information, in order to gain unauthorized entry to a facility, service or system.


19. Which of the following is a difference between S/MIME and PGP?

A. S/MIME uses 3DES for encryption whereas PGP doesn't.
B. S/MIME uses SHA-1 for hashing whereas PGP doesn't.
C. S/MIME relies upon a CA for public key distribution whereas PGP doesn't.
D. S/MIME is used for secure mail transmission whereas PGP isn't.

>> !
Answer: C

S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP (Pretty Good Privacy) are both used to encrypt and sign mail. PGP can also be used for file-level encryption and, in some products, host-to-host VPNs.

Both have historically used 3DES for encryption and SHA-1 for hashing (and both now also support AES and the SHA-2 family), so options A and B are not differences.

The main difference between the two is key distribution and trust. S/MIME relies upon a CA (Certificate Authority) to sign an X.509 certificate that carries the user's public key; a recipient decides whether the key is valid based on trust in the CA. PGP uses a "web of trust": users distribute their own keys, and the recipient decides whether the source of the key is trustworthy, helped by the signatures of other users. Several individuals can sign a PGP key, unlike an X.509 certificate, which carries a single issuer signature.


20. Which of the following statements are true in relation to ActiveX programs? (Choose all that apply)

A. All ActiveX programs are confined to a sandbox for controlled security.
B. ActiveX programs are easily portable.
C. ActiveX is used to write files that provide "stateful" information about an individual's web browsing patterns.
D. ActiveX is a Microsoft designed technology for downloading miniature executable programs.
E. ActiveX uses digital signing as a means to provide security via authenticity.

>> !
Answer: D & E

ActiveX is a technology conceived by Microsoft. While it has many similarities to Java and JavaScript and was designed to provide similar functionality, there are also many differences.

ActiveX does not provide run-time security; it relies on digital signing (Authenticode) to validate the identity of the author and the integrity of the control. While this may seem like a good security mechanism, it does not verify the quality or safety of the control: a signed control runs with the user's full privileges. Java, conceived by Sun Microsystems, instead uses a "sandbox" that confines what the code can do to a restricted environment. Even so, sandbox escapes have repeatedly been found that let Java code run outside the confines of the sandbox.

ActiveX, unlike Java and JavaScript, is compiled native code and is not easily portable. In fact, it was intended to run only on the Microsoft Windows architecture.

ActiveX does not write files that record "stateful" information about web browsing patterns; cookies perform that function.


21. Which of the following is true in relation to cookies?

A. Cookies are always stored as text files on a user's hard disk.
B. A web browser client requests a cookie from the web server.
C. A web browser must always accept cookies.
D. Cookies are used as a form of identification of a client to a server.

>> !
Answer: D

Cookies are small pieces of data a web server asks the browser to store and return on later requests. They carry state (a session identifier, preferences, tracking identifiers) across otherwise stateless HTTP requests, and so provide a means of identifying a web browser client to a web server.

A web server sends a cookie to a client, which stores it (on disk or in memory). The server can update the cookie as the individual browses pages on that site. Many people are concerned about the privacy implications, since browsing patterns can be recorded across visits. Because a session cookie is in effect the user's identity for that session, it should be marked Secure (sent only over HTTPS) and HttpOnly (not readable by scripts), otherwise whoever captures it can impersonate the user.

Cookies are usually, but not always, stored as text files; browsers may keep them in a database, or only in memory for the lifetime of the session.

Although many web-based transactions cannot take place without cookies, the browser can be configured to refuse them. Note also that the server offers the cookie; the client never requests one.


22. Which of the following are IPSec protocols? (Choose all that apply)

A. PPTP
B. ESP
C. SSL
D. L2F
E. AH

>> !
Answer: B & E

IPsec defines two protocols: AH (Authentication Header, IP protocol 51) and ESP (Encapsulating Security Payload, IP protocol 50). AH provides integrity and origin authentication for the whole packet, including the outer IP header, but no confidentiality. ESP provides confidentiality and, optionally, integrity and authentication of the encapsulated payload; in practice ESP with authentication is what most deployments use.

IPsec supports two modes: transport mode and tunnel mode. In transport mode only the payload is protected and the original IP header is kept, which suits host-to-host traffic. In tunnel mode the entire original packet (header and payload) is encapsulated and a new outer IP header is added, which suits gateway-to-gateway (site-to-site) VPNs and remote-access (host-to-gateway) clients whose inner addresses belong to the private network.

PPTP and L2F are Layer 2 tunneling protocols commonly used in older VPN implementations; their successor L2TP provides no encryption of its own and is typically combined with IPsec (L2TP/IPsec).

SSL is an upper-layer security protocol designed for secure web transactions; it is not part of IPsec.


23. Which of the following is False about firewalls?

A. Often firewalls are used to filter traffic between public and private networks.
B. Many firewalls incorporate a third port which connects to a DMZ.
C. Third generation firewalls are known as "stateful" firewalls.
D. Packet filter firewalls are more resource intensive than application proxy firewalls.

>> !
Answer: D

Firewalls were designed to filter traffic flowing to and from non-trusted networks. Most non-trusted networks are public networks, with the Internet being a prime example.

To increase security, most firewalls incorporate a third port which attaches to a demilitarized zone (DMZ). A DMZ is a place where systems and services that must be accessible from the Internet are placed, such that if one of these is compromised, the security of mission critical and private confidential systems is not compromised.

Firewalls have undergone several generations:

  • First generation - packet filtering
  • Second generation - application gateway/proxy
  • Third generation - stateful inspection

Packet filter firewalls are less resource intensive and less secure than application gateway/proxy firewalls, so option D is the false statement.


24. Which of the following is False in relation to honey pots?

A. A honey pot is used to lure attackers away from production systems.
B. A honey pot is used to study the techniques used by attackers.
C. A honey pot is designed to advertise its presence to attract attackers.
D. A honey pot is usually set up to aid in prosecution of attackers.

>> !
Answer: C

Honey pots are configured as an attractive system that appears to have little or no security in order to attract attackers and lure them away from production systems.

A honey pot should perform copious amounts of data collection to allow information about the attacker's techniques to be captured.

Many honey pots are configured to aid in providing evidence in a court of law that may lead to the prosecution of an attacker.

Honey pots do not advertise their presence. Actively soliciting attacks could support an entrapment defense (inducing someone to commit an offence they would not otherwise have committed), which would undermine any prosecution; a honey pot instead entices, simply sitting there and relying on an attacker discovering it. Once discovered, many attackers will focus on it rather than on critical production systems. Only a very experienced attacker is likely to distinguish a well-configured honey pot from a production system. Because no legitimate user has any reason to touch it, any traffic to a honey pot is suspicious by definition, which is what makes it a useful detection sensor.


25. Which of the following is the most effective way of enforcing security in a dial-in network?

A. Ensure that users do not provide dial-in telephone numbers to others.
B. Ensure that users do not provide usernames and passwords to others.
C. Disable all modems.
D. Use callback.

>> !
Answer: D

Using callback is considered the best way of enforcing security on a dial-in network: the receiving modem drops the call and dials back the number pre-registered for that user, so a stolen password alone is not enough to get in. The drawback is that roaming users have difficulties unless every possible calling location is registered, and call forwarding on the registered line can be abused to redirect the callback.

While it is best practice to educate users on password etiquette, it is very difficult to ensure users keep dial-in telephone numbers and account details confidential. Often users will write down this information and may leave it visible for unauthorized viewing.

Disabling modems prevents users from dialing in at all; while this improves security, it reduces functionality beyond acceptable levels.


26. You have been asked to find a suitable backup strategy for your company. You have determined that the amount of data to be backed up is 30GB. Which type of tape backup system could be eliminated immediately?

A. DAT
B. Travan
C. QIC
D. 8mm
E. DLT

>> !
Answer: C

QIC (Quarter Inch Cartridge) is an older type of tape that supports between 60MB and 20GB of capacity.

4mm DAT (Digital Audio Tape) supports up to 40GB with DDS4 type tapes.

8mm tapes support up to 50GB of backup capacity.

Travan supports up to 40GB of backup capacity.

DLT (Digital Linear Tape), in its most recent form (Super DLT), can provide up to 220GB of capacity for backups.


27. Which of the following traffic types is a host-based IDS able to analyze that a network based IDS cannot?

A. HTTP
B. TFTP
C. LDAP
D. SSL

>> !
Answer: D

Since SSL traffic is encrypted by the client and decrypted by the server host, it remains encrypted throughout its journey across the network. A network-based Intrusion Detection System (IDS) cannot, therefore, inspect the payloads of SSL packets for malicious content, unless it is given the server's private key or is placed behind a proxy that terminates the SSL session.

Once the host has decrypted the data, a host-based IDS can inspect it for malicious content.

HyperText Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP) and Lightweight Directory Access Protocol (LDAP) are, in their basic forms, plain-text network protocols that a network-based IDS can inspect.


28. Firewalls can be configured in a number of ways. Choose the option that applies to application level firewalls only.

A. Authenticated user ID
B. Source address
C. Port number
D. Destination port

>> !
Answer: A

Firewalls come in two broad categories, application-level and network-level. Application-level firewalls act as a proxy: they accept a connection from one side, inspect it with an understanding of the application protocol, and open a separate connection to the other side if the rule set permits. Network-level firewalls examine packet headers (addresses, protocol, ports and, in a stateful firewall, connection state) and compare them to a rule set. The difference may appear to be nonexistent, but it is not: application-level firewalls have a detailed understanding of application protocols and can offer a greater degree of access control, at the cost of higher overhead. Network-level firewalls are faster but cannot perform protocol-specific validation. Because a user ID is an application-level attribute that never appears in an IP or TCP header, only an application-level firewall can check an authenticated user ID.

Source addresses and port numbers help define whether or not traffic is allowed to pass through a network-level firewall. All traffic that passes through a firewall is part of a connection. A connection will have two parts: IP addresses of two nodes that wish to communicate and port numbers that identify the protocol or service that would be used during the communication.

The destination port of the first packet often identifies the type of service desired in an attempted connection. If the firewall is set to block that connection, the firewall will save the destination port number to its logfile.
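The following is an added example (not part of the original question set) showing what a network-level firewall can and cannot decide on. The rule set and the packets are constructed for illustration. Note that the `Rule` type has no field for a user ID, because nothing in an IP, TCP or UDP header carries one; a rule such as "allow only user alice" is exactly the kind of decision that needs an application-level firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The fields a network-level firewall can see: all of them come from IP/TCP/UDP headers."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src_net: str            # CIDR; "0.0.0.0/0" matches any source
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Constructed rule set: first match wins, and the last rule is an explicit default deny.
RULES: List[Rule] = [
    Rule("allow", "10.0.0.0/8", "tcp", 80),
    Rule("allow", "10.0.0.0/8", "tcp", 443),
    Rule("allow", "0.0.0.0/0", "udp", 53),
    Rule("deny",  "0.0.0.0/0", "any", None),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES, log: Optional[list] = None) -> str:
    """Return 'allow' or 'deny'. Blocked connections are logged with their destination port,
    which is usually the only clue to what service the sender was after."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "deny" and log is not None:
                log.append(f"DROP {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
            return rule.action
    # Nothing matched (only possible if someone removed the final deny rule): still deny.
    if log is not None:
        log.append(f"DROP(default) {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return "deny"


if __name__ == "__main__":
    events: list = []
    print(filter_packet(Packet("10.1.2.3", "203.0.113.10", "tcp", 80), log=events))   # allow
    print(filter_packet(Packet("192.0.2.5", "203.0.113.10", "tcp", 80), log=events))  # deny
    print(filter_packet(Packet("10.1.2.3", "203.0.113.10", "tcp", 23), log=events))   # deny
    print(events)
```

The explicit final deny rule matters: a packet filter that falls off the end of its rule list with no decision should still drop, and the log line carries the destination port so the analyst can tell a blocked telnet attempt from a blocked web request.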


29. Which of the following is a reason routers can limit damage caused by sniffing and MITM (Man In The Middle) attacks?

A. They send data to a specific subnet only.
B. They prevent DoS (Denial of Service) attacks.
C. They prevent DDoS (Distributed Denial of Service) attacks.
D. They broadcast to all subnets.

>> !
Answer: A

Any device that operates above the Physical Layer of the OSI model exhibits some intelligence. A hub repeats every frame to every port, so a sniffer anywhere on the segment sees all traffic. A switch forwards a frame only to the port where the destination MAC address lives, and a router forwards packets between subnets based on IP addresses, considering more factors than a Data-link Layer switch.

Because a router works at the Network Layer (Layer 3), it sends data to the specific subnet that needs it and does not forward broadcasts between subnets. A sniffer, or a Man In The Middle (MITM) attacker who depends on seeing and redirecting traffic, is therefore confined to the subnet they are on, which limits the damage.

Routers and switches limit, rather than prevent, MITM attacks. Inside a single subnet an attacker can still poison ARP caches to pull traffic through their own machine, and a switch can be flooded with bogus MAC addresses until it fails open and floods frames like a hub.

Routers must be configured properly (for example with ingress filtering and rate limiting) to help against DoS and DDoS attacks, and the ability to resist a DoS or DDoS attack says nothing about the ability to resist a MITM attack.


30. You are the network administrator for your company and are responsible for planning intrusion detection and prevention. What advantage can a Honeypot offer your network?

A. They provide a secure location to store sensitive corporate data.
B. They provide a secure location to store your backup media in the event of a disaster.
C. They provide an attractive target to attackers looking to compromise a system.
D. They provide no real value to a production network and should be used only for research.

>> !
Answer: C

Honeypots, when responsibly deployed, can be a very useful tool to help prevent attackers from targeting your real production servers. Honeypots can be configured in numerous ways to simulate different operating systems with different vulnerabilities.

Honeypots do not provide a secure location to store sensitive corporate data. The Honeypot is intentionally put on the network to lure attackers to it instead of other servers, thus storing sensitive data on it would be foolish.

Honeypots do not provide a secure location to store backup media.

Honeypots have high value in today's production networks when deployed responsibly. In a production environment their purpose is to divert attackers away from production servers and confine their activities. Research honeypots are typically more dangerous to implement, because the goal is to observe the attacker's methods and results, which means allowing the attacker more freedom on the honeypot.


31. What is the most common security issue with a modem?

A. It can be used to circumvent the firewall.
B. There are no known security issues with modems. The slow data rate of a modem makes it a low security risk.
C. The AT command set.
D. It can double as a fax machine.

>> !
Answer: A

Rogue modems undermine security because they open insecure paths around the firewall: a machine with a modem that answers inbound calls is reachable from anywhere without passing through the perimeter at all.

This is something you had better know for the exam. Modems may seem harmless, but they pose a real security risk. While a modem is not a fast connection, it can run 24 hours a day, 7 days a week; even a 28.8 Kbps modem moves 3,600 bytes per second, which is roughly 311 MB per 24-hour period. How many characters does it take to capture a user account name and password? 10? 20? A rogue modem is a serious issue, and "war dialing" (calling a block of telephone numbers to find modems that answer) is the standard way attackers locate them.

The AT command set is what is used to control a modem. This in itself is not a security issue.

A fax machine may be a security issue, but it is not considered a common one.


32. A VPN can yield incredible cost savings over a direct connection. However, one gotcha that must be remembered is?

A. Communications is at the mercy of the Internet.
B. IPSec must be used.
C. A NIDS must be used.
D. One Operating System (O/S) must be selected and used.

>> !
Answer: A

"The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of their control." Bradley Mitchell (first link)

IPSec is an option, not a requirement. Other tunneling options include PPTP (which carries its own encryption, MPPE) and L2TP (which has no encryption of its own and is normally paired with IPSec).

Network Intrusion Detection Systems (NIDS) are not a cure-all. The cost of chasing false alarms may exceed the value of the data the VPN carries. This makes a NIDS an option, not a requirement.

O/S technology today does not require a single O/S to be used. It may be simpler to set up a single O/S, but many sites manage to mix Linux and Windows 2000. Again, choosing one O/S is an option, not a requirement.


33. Workstations can be a security hole in a number of ways. Of the choices below, which is NOT a security issue?

A. Changing a password to an 8 character length, like "password".
B. Disabling a guest account.
C. Modem and software (I.E. PC Anywhere).
D. Creating network shares on a local drive.

>> !
Answer: B

Disabling the guest account is always a good idea. An enabled guest account can be used as a 'way in' by an attacker, so leaving it enabled is a security hole.

Passwords made up of ordinary words are weak passwords. "password" itself is among the first guesses in any dictionary attack.

A modem together with remote control software (such as pcAnywhere) is a major hole in security. This is especially true if it is a rogue modem sitting behind the firewall.

End users who create network shares on local machines also raise issues, from improper backup to unauthorized users gaining access.


34. What is the least understood security issue with magnetic media?

A. Difficulty of true erasure.
B. Fragile nature of magnetic media.
C. Large number of incompatible formats.
D. Need for securing backups.

>> !
Answer: A

There is a huge difference between making it hard to retrieve data from magnetic media that has been erased and making it impossible. A tape that has been exposed to a magnetic field may not restore correctly, but, given sufficient interest and equipment, data can often still be recovered.

The DoD 5220.22-M clearing procedure for unclassified data calls for multiple overwrite passes rather than a single erase. The reason lies in how magnetism works: a small residual trace of the previous magnetic state remains and can be measured with laboratory equipment, and each additional overwrite pass reduces it. (Later guidance such as NIST SP 800-88 treats a single full overwrite as sufficient for modern high-density drives, and degaussing or physical destruction as the answer when the media must never be readable again.)

Magnetic media are more susceptible to wear, because of their mechanical nature, than CDs. Anyone who has worked with audio cassettes can attest to this.

Because magnetic media are inexpensive, there are a variety of formats to fit different needs. This is well known.


35. A common configuration error with IDS is:

A. improper installation.
B. using all default settings.
C. placing a probe outside the firewall.
D. not installing an encryption standard.

>> !
Answer: B

The sad reality of the current state of the art in IDS (Intrusion Detection Systems) is they are far from perfect. An IDS must be "tuned" just like a firewall.

"Improper installation" is the wrong choice because the question refers to configuration errors.

"Placing a probe outside the firewall" *may* be a good idea. This is akin to have a motion detector turn lights on outside when movement is detected. Yet, you don't have the motion sensitive lights calling in an active alarm to the local police.

One of the basic technical issues in security is that if traffic is encrypted, an IDS cannot examine it for bad things. Not installing an encryption standard at the IDS monitoring point is therefore not a configuration error; it is required for the IDS to see the traffic at all.


36. From the choices given, choose the one that is not an enemy of CD-R backups.

A. Storage near a monitor.
B. Storage in a furnace room.
C. Storage in a 'wet' area such as a bathroom or kitchen.
D. Storage in an unsecured location.

>> !
Answer: A

A monitor emits magnetic fields. Because a CD-R stores data optically rather than magnetically, this is the one hazard on the list it is immune to.

CD-R and CD-RW technologies rely on coating a plastic disc with chemicals. This coating can be damaged by humidity (e.g., water, such as in a bathroom or kitchen), heat (e.g., in a furnace room), or strong light.

Storing backups in an insecure location is never a good idea.



37. DNS uses what Port(s)?

A. UDP port 53 only
B. TCP port 53 only
C. TCP and UDP 53
D. DNS does not use port 53

>> !
Answer: C

This says it all: "The Internet supports name server access using TCP [RFC-793] on server port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP port 53 (decimal)." - RFC 1035 Page 31
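As an added example (not from the page) of the two transports RFC 1035 describes: the same DNS query built once, sent as a bare UDP datagram and once with the 2-byte length prefix that TCP framing requires, plus a parser for the answer. The response bytes are constructed here, not captured, and use a documentation address.

```python
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """DNS query: 12-byte header (ID, flags with RD set, QDCOUNT=1) plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def udp_datagram(message: bytes) -> bytes:
    """Over UDP port 53 the DNS message is the entire datagram payload."""
    return message


def tcp_segment(message: bytes) -> bytes:
    """Over TCP port 53 each message is prefixed with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def split_tcp_stream(stream: bytes) -> list:
    """Undo the TCP framing; a client must loop because one connection can carry several messages."""
    messages, off = [], 0
    while off + 2 <= len(stream):
        n = struct.unpack("!H", stream[off:off + 2])[0]
        messages.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return messages


def decode_name(data: bytes, offset: int):
    """Read a name, following RFC 1035 compression pointers (top two bits set)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(message: bytes):
    """Return (transaction id, [IPv4 addresses]) from a response, skipping the question section."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(message, offset)
        offset += 4                         # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = decode_name(message, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata = message[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:       # A record
            addrs.append(".".join(str(b) for b in rdata))
    return txid, addrs


# Constructed (not captured) response to a query for example.com: one A record pointing at a
# documentation address, with the answer name compressed as a pointer to offset 12 (the question).
QUERY = build_query("example.com")
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name("example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(udp_datagram(QUERY).hex())
    print(tcp_segment(QUERY).hex())
    print(parse_a_records(split_tcp_stream(tcp_segment(RESPONSE))[0]))
```

The practical consequence for a firewall administrator: resolvers fall back to TCP when a response is too large for a UDP datagram, and zone transfers (AXFR) run over TCP, so a rule that permits only UDP/53 will break both.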


38. You have placed a device between your internal network and the Internet that acts to prevent private IP addresses from being seen outside of the private internal network. All outgoing requests appear to come from a single IP address assigned to this network device. What type of device have you installed?

A. Firewall
B. Proxy Server
C. Web Server
D. Access Point

>> !
Answer: B

A Proxy Server acts as a middleman between internal clients and the external network. The Proxy Server forwards all requests from the internal clients to the external hosts, substituting its own IP address for the IP addresses of the internal clients. In this way, the Proxy Server hides all internal IP addresses and exposes only its own public IP address on the external network. Some Proxy Servers, such as Microsoft's ISA Server, also perform other functions, such as caching Web files for faster access.

A Firewall is a hardware or software device that uses a list of rules to control traffic into and/or out of a network.

A Web Server is a computer that provides HTTP services for clients, serving Web pages and other content to a client-side browser such as Internet Explorer.

An Access Point is a wireless network device that provides connectivity for wireless clients to the wired network.


39. What network device always functions fully at Layer 3 of the OSI model?

A. Switch
B. Router
C. Web Server
D. Network adapter

>> !
Answer: B

Routers are Layer 3 (Network Layer) devices: they forward packets based on IP addresses.

Most older switches function at Layer 2, forwarding frames by MAC address. Some newer, more capable switches (so-called Layer 3 switches) also route, but a switch does not always do so, which is why the router is the answer.

A Web server is a Layer 7 (Application Layer) device, providing application services such as HTTP and FTP.

A network adapter operates at Layers 1 and 2: it handles the physical signalling and carries the MAC address used at the Data-link Layer.


40. Which of the following is a technique attackers would NOT use to avoid detection by a network based IDS?

A. Fragment packets.
B. Perform scans in small periods across a lengthy period of time.
C. Encrypt traffic.
D. Use switched networks.

>> !
Answer: D

Using a switched network does not help an attacker avoid detection. A switch sends each frame only to the port of its destination, so a sniffer plugged into another port sees nothing unless the switch is configured to mirror traffic to it. That is a hindrance to an attacker trying to sniff your network, and it is also why a network IDS sensor on a switched network must be attached to a mirror (SPAN) port or a network tap. The advantage of switched networks is that they stop a malicious insider from simply connecting a sniffer and reading everyone's traffic.

Fragmenting packets splits the payload, and sometimes the transport header itself, across several IP fragments, which makes it harder to determine what type of traffic is being sent. An Intrusion Detection System (IDS) that does not reassemble fragments before matching may inspect the first fragment and miss a signature spread across the remaining ones.

By performing scans in small chunks over a long period of time, attackers stay below the thresholds an IDS uses to recognise a scan. This is often called a "low and slow" scan.

By encrypting traffic, an attacker ensures that a network-based IDS can look no further than the headers. In many cases the malicious content resides in the payload rather than the header.
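An added example (not from the original question set) of the fragmentation evasion described above: a toy signature matcher run once without and once with reassembly over constructed fragments. The signatures and fragment payloads are invented for illustration. It also shows the overlap problem, where two hosts can reassemble the same fragments into different streams and the IDS must model the target's policy.

```python
# Constructed signatures a network IDS might look for in payloads.
SIGNATURES = (b"/etc/passwd", b"cmd.exe")


def inspect_fragments_naively(fragments):
    """What an IDS that does NOT reassemble sees: each fragment is matched on its own."""
    hits = set()
    for _offset, payload in fragments:
        hits.update(sig for sig in SIGNATURES if sig in payload)
    return hits


def reassemble(fragments, policy="first"):
    """Rebuild the stream from (offset, payload) pieces, in arrival order.

    Overlapping fragments are ambiguous: some operating systems keep the first copy of a byte,
    others the last. An IDS must model the *target's* policy or it can be made to see a
    different stream than the host does. Returns (data, overlap_seen)."""
    buf = {}
    overlap = False
    for offset, payload in fragments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos in buf:
                overlap = True
                if policy == "first":
                    continue
            buf[pos] = byte
    if not buf:
        return b"", overlap
    data = bytes(buf.get(i, 0) for i in range(max(buf) + 1))
    return data, overlap


def inspect_reassembled(fragments, policy="first"):
    """What a reassembling IDS sees. Also reports overlap so the analyst can treat it as suspicious."""
    data, overlap = reassemble(fragments, policy)
    return {sig for sig in SIGNATURES if sig in data}, overlap


# Constructed fragments: the signature is split across two pieces so neither contains it whole.
EVASIVE = [
    (0, b"GET /download?file=/etc/pas"),
    (27, b"swd HTTP/1.0\r\n"),
]

# Constructed overlap: a third fragment rewrites bytes 5..10. A "last wins" host no longer sees
# the signature; a "first wins" host still does.
OVERLAPPING = [
    (0, b"/etc/pas"),
    (8, b"swd"),
    (5, b"XXXXXX"),
]

if __name__ == "__main__":
    print(inspect_fragments_naively(EVASIVE))          # set(): the request slips past
    print(inspect_reassembled(EVASIVE))                # ({b'/etc/passwd'}, False)
    print(inspect_reassembled(OVERLAPPING, "first"))   # ({b'/etc/passwd'}, True)
    print(inspect_reassembled(OVERLAPPING, "last"))    # (set(), True)
```

The overlap case is the reason a sensor should alert on overlapping fragments as such, regardless of whether a signature matches: an attacker who knows which reassembly policy the IDS uses can always craft a stream that the IDS and the target host read differently.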


41. Your company only has one public IP address but has three servers that need to be made available on the Internet to provide Web, FTP and Email services. What network service can you employ to allow all three servers to be accessed from the Internet using your one public IP address?

A. DHCP
B. TCP/IP
C. NAT
D. DNS

>> !
Answer: C

Network Address Translation (NAT) allows you to hide several private IP addresses behind one publicly accessible IP address, allowing internal computers behind the NAT device to access the Internet and remote Internet clients to reach specifically configured computers behind the NAT device. Exposing inbound services this way is usually called port forwarding or static NAT: each public port is mapped to one internal server.

Dynamic Host Configuration Protocol (DHCP) is used to assign IP addresses and related information to network clients easily and uniformly without IP address conflict issues.

TCP/IP is a network protocol, not a network service.

Domain Name Service (DNS) provides a means to resolve fully qualified domain names (FQDN) to IP addresses on a network.
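An added example (not part of the original page) of the arrangement in the question: one public address, three internal servers reached through static port forwards, plus the dynamic outbound mapping that lets internal clients browse. The addresses come from the documentation ranges and the gateway logic is a simplified model written for this edit, not any vendor's implementation.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Single public address; static inbound port forwards plus dynamic outbound NAPT."""

    def __init__(self, public_ip: str, forwards: Dict[Tuple[str, int], Tuple[str, int]]):
        self.public_ip = public_ip
        self.forwards = dict(forwards)   # (proto, public port) -> (private ip, private port)
        self.outbound: Dict[Tuple[str, str, int], int] = {}          # (proto, private ip, port) -> public port
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (proto, public port) -> (private ip, port)
        self.next_port = 40000

    def _allocate_port(self, proto: str) -> int:
        # Never hand out a port that is statically forwarded or already in use.
        while (proto, self.next_port) in self.forwards or (proto, self.next_port) in self.sessions:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, f: Flow) -> Flow:
        """Internal -> Internet: rewrite the source to the public address and a mapped port."""
        key = (f.proto, f.src_ip, f.src_port)
        if key not in self.outbound:
            port = self._allocate_port(f.proto)
            self.outbound[key] = port
            self.sessions[(f.proto, port)] = (f.src_ip, f.src_port)
        return Flow(f.proto, self.public_ip, self.outbound[key], f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Internet -> internal: static forwards first, then replies to outbound sessions; else drop."""
        if f.dst_ip != self.public_ip:
            return None
        target = self.forwards.get((f.proto, f.dst_port)) or self.sessions.get((f.proto, f.dst_port))
        if target is None:
            return None   # unsolicited traffic to an unmapped port never reaches the inside
        return Flow(f.proto, f.src_ip, f.src_port, target[0], target[1])


def build_gateway() -> NatGateway:
    """Constructed layout for the question: one public address, three internal servers."""
    return NatGateway("203.0.113.1", {
        ("tcp", 80): ("192.168.1.10", 80),   # web
        ("tcp", 21): ("192.168.1.11", 21),   # ftp control channel
        ("tcp", 25): ("192.168.1.12", 25),   # mail
    })


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.translate_inbound(Flow("tcp", "198.51.100.7", 51515, "203.0.113.1", 80)))
    out = gw.translate_outbound(Flow("tcp", "192.168.1.20", 52000, "198.51.100.7", 443))
    print(out)
    print(gw.translate_inbound(Flow("tcp", "198.51.100.7", 443, "203.0.113.1", out.src_port)))
    print(gw.translate_inbound(Flow("tcp", "198.51.100.7", 4444, "203.0.113.1", 22)))  # None
```

One caveat the model makes visible: only the FTP control channel is forwarded. Active-mode FTP opens a second, server-initiated data connection on a port negotiated inside the control channel, which a fixed port forward cannot anticipate, so real NAT devices carry an FTP application-layer gateway (ALG) that reads the control channel and opens the mapping on the fly.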


42. Which of the following is NOT a step to be taken towards hardening an operating system?

A. Purchasing an operating system that performs a relatively secure default installation.
B. Removing unnecessary and unwanted services.
C. Purchasing an operating system that has undergone many revisions over a lengthy period of time.
D. Installing software patches and hot fixes.

>> !
Answer: C

Hardening an operating system is the process of making an operating system more secure than it is by default. Since it requires time and effort it is wise to choose an operating system that is already known for its security. This means it takes less time to harden it to the desired level.

Many default operating system installations install services that are not useful. These should be removed to reduce the possibility of a potential malicious user exploiting existing vulnerabilities.

Often operating systems are released with bugs and security holes. Patches and hot fixes should be applied to strengthen security.

Although, in some cases multiple revisions of an operating system may make it more stable and more secure, this is not always the case. While many bugs and security flaws may be resolved by a new revision of an operating system, in many cases new bugs and security flaws are introduced, requiring additional time and effort for carrying out hardening.


43. Which of the following is false about digital certificates?

A. Contains a name.
B. Contains a serial number.
C. May conform to the X.509 standard.
D. Contains a copy of the certificate holder's private key.

>> !
Answer: D

Digital certificates have the following properties:

  • contains a name
  • contains a serial number
  • contains expiration dates
  • contains a copy of the certificate holder's public key
  • contains a digital signature of the issuing certificate authority (CA)
  • may conform to the X.509 standard

Certificates are used to authenticate, so they must be publicly available for verification of authenticity and identity. For this reason a private key is never placed in a digital certificate. The private key stays with its owner, where it is used to create digital signatures (by signing a hash of the message) and to decrypt data that was encrypted with the matching public key. A registration authority (RA) may verify the applicant's identity, but it is the CA that signs the certificate.


44. Which of the following is true of RSA?

A. It uses the same key to encrypt and decrypt.
B. It has much smaller key sizes than DES and AES.
C. It relies on the difficulty of factoring large prime numbers for its strength.
D. It has replaced DES.

>> !
Answer: C

RSA was created by Rivest, Shamir and Adleman as a public key cryptography system. Its strength derives from the difficulty of factoring the product of two large prime numbers (the exam wording "factoring large prime numbers" is loose: a prime has no factors to find; it is the product, the modulus, that must be factored). While it is relatively simple to multiply two large primes together, it is difficult to take that result and determine which two primes were multiplied to give it.

Since RSA is a public key cryptographic system, it uses separate keys for encryption and decryption.

RSA keys are much larger than those of private key cryptographic systems such as the Data Encryption Standard (DES). Typical RSA key lengths are 1024, 2048 or 4096 bits (512-bit keys, once common, have been factored and are obsolete, and 2048 bits is the usual minimum today), compared with private key cryptographic systems: 56 bits for DES, 128 bits for the International Data Encryption Algorithm (IDEA), 168 bits for Triple DES and 128, 192 or 256 bits for the Advanced Encryption Standard (AES). The sizes are not comparable bit for bit, because an RSA key is attacked by factoring rather than by trying every possible key.

RSA did not replace DES (recently DES was discontinued for government use, with Rijndael officially selected as its AES replacement). RSA complements DES: RSA is used to encrypt the keys used by DES, while DES does the bulk encryption of messages.


45. Which of the following describes key escrow?

A. Revocation of a private key by a CA (Certificate Authority).
B. Expiration of a public or private key.
C. The exchange of a key through a secure means.
D. The administration of a private key by a trusted third party.

>> !
Answer: D

Key escrow is the administration of a private key by a trusted third party, such that it may be used in specific circumstances to decrypt data in order to prove wrongdoing or unlawful activities.

If a private key is compromised, the CA revokes the certificate that carries the matching public key and publishes the revocation (for example on a certificate revocation list).

To ensure that keys do not remain valid forever, an expiration date is enforced. A key pair can no longer be used once it has expired.

Key exchange (examples include Diffie-Hellman and IKE) is the process of establishing a shared key over an insecure network. Diffie-Hellman does not send the key at all: each side transmits a public value and derives the same secret locally, so an eavesdropper never sees it.


46. Which of the following does Public Key Cryptography NOT support?

A. Integrity
B. Confidentiality
C. Non Repudiation
D. Availability

>> !
Answer: D

Cryptography cannot provide availability. Availability is ensuring that data is accessible in a timely fashion, and only fault tolerance, load balancing and adequate resources provide that.

Integrity is the ability to confirm that data has not been modified in transit. Public key cryptography provides it through digital signatures: the sender signs a hash of the data with the private key, and any change to the data makes the signature fail to verify. (Encryption alone does not guarantee integrity; ciphertext can be altered without knowing the key.)

Confidentiality ensures that only authorized users can read the data. Public key cryptography provides this by encrypting with the recipient's public key, so that only the holder of the matching private key can decrypt.

Non-repudiation ensures that the sender of data cannot later deny having sent it, through digital signing with a key that only the sender holds. This is what separates public key cryptography from private key cryptography, where both parties share the key and either one could have produced the message.


47. Which of the following is an asymmetric cryptographic algorithm?

A. ElGamal
B. DES
C. AES
D. IDEA

>> !
Answer: A

ElGamal (named for its inventor, Egyptian-born Taher ElGamal) was designed as an asymmetric algorithm that extends the Diffie-Hellman construction beyond key exchange to provide encryption and digital signatures.

The Data Encryption Standard (DES) was developed as a symmetric cryptographic algorithm in the 1970s by IBM, with NSA involvement in its design. It uses 56-bit keys and is no longer considered secure. Triple DES and the Advanced Encryption Standard (AES) have assumed much of the limelight in the symmetric key encryption arena.

The International Data Encryption Algorithm (IDEA) plays the same role as DES, but is considered a much stronger symmetric key algorithm with its 128-bit key length.

The Advanced Encryption Standard (AES) is the new symmetric key encryption standard. It uses the Rijndael cipher with a fixed 128-bit block and a key length of 128, 192 or 256 bits.


48. Of the following AES finalists, which was chosen as the AES encryption algorithm?

A. Rijndael
B. Serpent
C. RC6
D. MARS
E. Twofish

>> !
Answer: A

Rijndael is a shared-key (symmetric) block cipher, supporting variable length blocks and variable key size, submitted by Joan Daemen and Vincent Rijmen.

MARS is a shared-key (symmetric) block cipher, supporting 128-bit blocks and variable key size, submitted by IBM.

RC6 is a shared-key (symmetric) block cipher, supporting 128-bit blocks and variable key size, submitted by RSA.

Serpent is a shared-key (symmetric) block cipher, supporting 128-bit blocks and variable key size, submitted by Cambridge University.

Twofish is a shared-key (symmetric) block cipher, supporting 128-bit blocks and variable key size, submitted by Bruce Schneier of Counterpane.


49. What are the two most popular hashing routines in use today?

A. MD5
B. RC4
C. SHA-1
D. AES
E. Blowfish

>> !
Answer: A & C

Of the choices listed, MD5 and SHA-1 are the only standards that are hashing algorithms. "The SHA-1 may be used with the DSA in electronic mail, electronic funds transfer, software distribution, data storage, and other applications which require data integrity assurance and data origin authentication. The SHA-1 may also be used whenever it is necessary to generate a condensed version of a message. " NIST

"This document describes the MD5 message-digest algorithm. The algorithm takes as input a message of arbitrary length and produces as output a 128-bit 'fingerprint' or 'message digest' of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given pre-specified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA." RFC 1321

RC4, Advanced Encryption Standard (AES) and Blowfish are all Symmetric Ciphers (shared secret) cryptography algorithms.

The SHA-2 family (SHA-256, SHA-384, SHA-512) existed when this was written but was far less common. That has since reversed: collisions have been demonstrated for both MD5 and SHA-1, so neither should be used where collision resistance matters (digital signatures, certificates), and SHA-256 is now the usual choice.


50. Non-repudiation is a stronger variation on authentication because validation comes from which of the following?

A. A third party
B. Sender
C. Receiver
D. A shared secret

>> !
Answer: A

The key here is that non-repudiation uses the digital version of a notary public. Authentication is a challenge/response between the two parties and only satisfies the receiver at that moment. Non-repudiation requires that a third party with no stake in the exchange can later verify the evidence (a digital signature checked against a certificate issued by a trusted certificate authority) and still find it valid.

If only the sender or the receiver is involved in the verification, non-repudiation is not possible, because either party could have fabricated the evidence. This makes both of those choices incorrect.

The challenge with a shared secret is that the more who share the secret, the less secret it is, and anyone who holds it could have produced the message. It also involves no third party, making this a poor choice.


51. A digital certificate has a number of data variables associated with it. From the list given, choose the one that is NOT in a certificate.

A. Certificate version number.
B. Owner's social security number.
C. Certificate authority which issued the certificate.
D. Period of certificate validity.

>> !
Answer: B

Getting your digital certificate "trusted" may involve showing your Social Security card to a verifying authority. However, your social security number is not part of your digital certificate. It is a sensitive piece of data that, if obtained by a nefarious party, can be a critical piece of information in what is called "identity theft."

"Certificate version number", "Certificate authority which issued the certificate", and "Period of certificate validity" are all data variables associated with a digital certificate.


52. Which of the following is NOT a good reason for using RADIUS?

A. It provides centralized administration of user accounts.
B. It is well supported by several vendors.
C. It is a good choice for authenticating dial in users.
D. It provides greater security than its rival protocol TACACS+.

>> !
Answer: D

Terminal Access Controller Access-Control System Plus (TACACS+), designed by Cisco, is more secure than Remote Authentication Dial In User Service (RADIUS): TACACS+ encrypts the entire body of each packet, whereas RADIUS encrypts only the user password and sends the remaining attributes in the clear.

Though TACACS+ is more secure, it is not supported by as many vendors as RADIUS.

RADIUS was designed to provide centralized authentication, authorization and an accounting database.

RADIUS is most commonly used for authentication of dial-in users, and for remote access in general, including VPN.

Several vendors support RADIUS. It is standards based and provides great flexibility in its configuration.


53. The first step in creating a digital signature for a message is by computing the hash value of the message with which of the following?

A. MD5
B. DES
C. AES
D. IDEA

>> !
Answer: A

MD5 is a message-digest algorithm. Perhaps you want to send a digitally signed document to your boss. You create the document and pass it through a message hash algorithm, which produces a fixed-size digest of the document's contents. You then encrypt that digest with your private key. The result is the digital signature, which you attach to the document before sending it. The recipient recomputes the digest, decrypts the signature with your public key, and compares the two: a mismatch means the document was altered or the signature was not yours.

Data Encryption Standard (DES), Advanced Encryption Standard (AES) and International Data Encryption Algorithm (IDEA) are all block ciphers, not message digest algorithms.
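An added example, written for this edit and not taken from the exam material, that ties question 44 (RSA's reliance on factoring) to question 53 (hash first, then sign with the private key): a textbook RSA key pair, a SHA-256-then-sign signature with verification, and a brute-force factoring attack that recovers the private key from a deliberately tiny modulus. The key material is assumed for illustration: two published Mersenne primes stand in for the randomly generated secret primes a real key would use, and the "weak" key uses five-digit primes so that trial division finishes instantly.

```python
import hashlib
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1). Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def digest_as_int(message: bytes) -> int:
    """Step one of a digital signature: hash the message to a fixed-size value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Step two: apply the private key to the hash. Toy: no padding. Real RSA signatures use
    PKCS#1 v1.5 or PSS padding; never deploy unpadded RSA."""
    n, d = private_key
    h = digest_as_int(message)
    if h >= n:
        raise ValueError("modulus too small for an unpadded SHA-256 digest")
    return pow(h, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """The verifier recomputes the hash and compares it with the signature raised to e."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message)


def factor_by_trial_division(n: int):
    """Recover p and q by brute force. Feasible for a toy modulus, hopeless at 2048 bits."""
    for cand in range(3, isqrt(n) + 1, 2):
        if n % cand == 0:
            return cand, n // cand
    return None


def recover_private_key(public_key):
    """Factoring n is all an attacker needs: d follows directly from p and q."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


# Assumed toy key material: two known Mersenne primes (2^521-1 and 2^127-1) stand in for the
# randomly generated secret primes a real key would use. Anyone can look these up, so this
# key is for demonstration only. Their 648-bit product comfortably exceeds a 256-bit digest.
P_DEMO = 2**521 - 1
Q_DEMO = 2**127 - 1
PUBLIC, PRIVATE = make_keypair(P_DEMO, Q_DEMO)

# A deliberately tiny key pair so the factoring attack finishes instantly.
WEAK_PUBLIC, WEAK_PRIVATE = make_keypair(10007, 10009)

if __name__ == "__main__":
    msg = b"Approve purchase order 4471"
    sig = sign(msg, PRIVATE)
    print(verify(msg, sig, PUBLIC))                          # True
    print(verify(msg + b"0", sig, PUBLIC))                   # False: the document was altered
    print(recover_private_key(WEAK_PUBLIC) == WEAK_PRIVATE)  # True: small modulus factored
```

The two keys make the point of question 44 concrete: the same arithmetic protects both, and the only difference between "secure" and "broken" is whether the modulus can be factored in the attacker's lifetime.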


54. Asymmetric cryptography is based on the work of which of the following?

A. Diffie-Hellman
B. NIST
C. IEEE
D. ANSI

>> !
Answer: A

Diffie-Hellman is a key agreement protocol, also known as "exponential key agreement," published by Whitfield Diffie and Martin Hellman in 1976; the same paper introduced the idea of public key cryptography. Diffie-Hellman allows two users to agree on a shared secret key over an insecure medium without ever transmitting the key itself.

National Institute of Standards and Technology (NIST), Institute of Electrical and Electronics Engineers (IEEE) and American National Standards Institute (ANSI) are all standards bodies, not types of cryptography.
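The exchange described above, as an added example that is not part of the original page: both sides' computations, the two values that cross the wire, the symmetric key derived from the result, and the eavesdropper's brute-force attack, which succeeds only because the example uses a toy 20-bit safe prime instead of a standard 2048-bit group. The parameter generation and the demo sizes are assumptions made for illustration.

```python
import hashlib
import random
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, far beyond the toy sizes here."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(bits: int, rng):
    """Pick a safe prime p = 2q + 1 and a generator g of the order-q subgroup (g^q == 1, g != 1).
    Assumed for the demo; production code uses a published group such as RFC 3526 group 14."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            break
    g = 2
    while pow(g, q, p) != 1:
        g += 1
    return p, q, g


def dh_exchange(p: int, q: int, g: int, rng) -> dict:
    """Both sides' work. Only A and B cross the wire; a and b never leave their owners.
    Without authentication of A and B an active attacker can run two separate exchanges,
    one with each side, and read everything (the classic MITM), so real protocols sign them."""
    a = rng.randrange(2, q)       # Alice's secret exponent
    b = rng.randrange(2, q)       # Bob's secret exponent
    A = pow(g, a, p)              # Alice -> Bob
    B = pow(g, b, p)              # Bob -> Alice
    return {
        "A": A, "B": B, "a": a, "b": b,
        "k_alice": pow(B, a, p),  # (g^b)^a
        "k_bob": pow(A, b, p),    # (g^a)^b, the same value
    }


def session_key(shared: int, p: int) -> bytes:
    """Never use the raw group element as a key; hash it down to a fixed-size symmetric key."""
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def eve_discrete_log(p: int, g: int, A: int, q: int):
    """An eavesdropper sees p, g, A, B and must solve g^a == A for a. Brute force works here
    only because p is tiny; against a 2048-bit group it is computationally infeasible."""
    x = 1
    for a in range(q):
        if x == A:
            return a
        x = x * g % p
    return None


def demo(bits: int = 20, seed=None) -> dict:
    """Run one exchange plus Eve's attack; a seed gives a reproducible (and therefore non-secret) run."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    p, q, g = make_params(bits, rng)
    run = dh_exchange(p, q, g, rng)
    run.update(p=p, q=q, g=g, recovered_a=eve_discrete_log(p, g, run["A"], q))
    return run


if __name__ == "__main__":
    r = demo()
    print("shared secrets match:", r["k_alice"] == r["k_bob"])
    print("session key:", session_key(r["k_alice"], r["p"]).hex())
    print("Eve recovered a:", r["recovered_a"] == r["a"])
```

Two details carry over to real deployments: the shared group element is hashed into the session key rather than used directly, and the exponents must come from a cryptographic random source (`secrets.SystemRandom` in the unseeded run); the seeded path exists only so the result can be checked.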


55. What are the two primary types of symmetric algorithms?

A. Block
B. Stream
C. Shared secret
D. Public key
E. Private key

>> !
Answer: A & B

Block ciphers and stream ciphers are both kinds of symmetric-key encryption, which use a secret key. The secret key must be shared to convert the encrypted text back into plain text. A block cipher changes plain (unencrypted) text into a "block" of cipher or encrypted text (for the exam, know that cipher text is the same as encrypted text). A stream cipher is typically faster than a block cipher because it works on a smaller unit of plain text, often a byte or a bit at a time.

Symmetric-key encryption is often called "shared secret" key encryption because the secret key must be shared to convert the encrypted text back into plain text. However, "shared secret" is not a type of symmetric algorithm; it is a way of referring to the algorithm itself. Watch for this kind of subtlety on the exam.

Private keys and public keys are associated with asymmetric encryption. One key, freely given out, is the public key. The other key, kept secret and NOT shared, is the private key.


56. Before risk analysis can occur you must first do which of the following?

A. Perform asset identification.
B. Accurately identify the value of intangible assets.
C. Perform threat identification.
D. Perform user education.

>> !
Answer: A

The first step in determining risk is discovering what you have to protect; i.e., identifying your assets.

It is not logical or necessary to put an accurate value on an intangible asset. A good guess will do. That is the nature of things when they are intangible.

Only after you have determined what you are protecting can you begin to understand what the threats might be.

User education must be part of security and be an on-going process. This is not the first step in risk analysis.


57. What are the 'three A's' in computer forensics?

A. Authorize, Acquire, Analyze
B. Acquire, Authenticate, Analyze
C. Acquire, Analyze, Arrest
D. Analyze, Acquire, Arrest

>> !
Answer: B

Typically, computer forensics operates on the principles of criminal law. This burden of proof is generally called "beyond reasonable doubt." This is a much higher standard than civil law. Very carefully measured steps must be followed in computer forensics. These include: acquiring the evidence, authenticating the evidence, and analyzing the evidence.

As a Security+ candidate you are testing for an entry-level certification. That translates to, "don't touch, get help from a senior official."


58. What is the most critical part of an Incident Response Policy?

A. Insure it determines how a procedure occurs.
B. Have one before you need it.
C. Uses multiple people to perform different tasks.
D. Disables all network access.

>> !
Answer: B

The choice of the word "Incident" does not do justice to the topic. A soldier can engage in what can be called a hostile fire or an incident. No matter what you call it, it's a disaster for someone. Without prior planning the results would be disastrous (for one side of the equation). This is also true in planning your security.

Policies and procedure are titled that because a policy states what should happen. A procedure is how to make it happen. That makes procedure different from policy, and thus the answer "Insure it determines how a procedure occurs" is incorrect.

One person may or may not be sufficient to implement a response. Not enough data to be a correct choice.

"Disables all network access" may or may not be a prudent move. Not enough data to be a correct choice.


59. Of the choices offered, choose the best definition of RBAC.

A. A special type of group defined by job duties.
B. The Security Accounts Manager in any O/S.
C. Authorization proving a users identity.
D. Client identity proven by a certificate.

>> !
Answer: A

In Role Based Access Control (RBAC), each user is assigned one or more roles. Each role is assigned privileges. If a user requires a certain privilege, they must be assigned the role that has those privileges.

The Security Accounts Manager, also known as the SAM, is the local account database in Windows NT. It is a component of one family of operating systems, not a definition of RBAC, and not every O/S has one.

Authorization is what a person is allowed to access. It has nothing to do with Authentication, which proves a user's identity.

Client identity that is proven with a certificate is a strong form of authentication.
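An added example (not from the exam material) of the RBAC model described above: privileges attach to roles, users receive roles, and the access check is deny-by-default. It also enforces a separation-of-duties constraint between two roles, which is a common reason RBAC is preferred over per-user grants. The roles, privileges and users are constructed for illustration.

```python
from collections import defaultdict


class Rbac:
    """Users get roles; roles get privileges; a user's effective privileges are the union of their roles'."""

    def __init__(self):
        self.role_privs = {}                  # role -> set of privileges
        self.user_roles = defaultdict(set)    # user -> set of roles
        self.exclusive = set()                # frozenset pairs of roles no one person may hold together

    def define_role(self, role, *privileges):
        self.role_privs[role] = set(privileges)

    def separate_duties(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """Grant by role only; there is no way to hand a user an individual privilege directly."""
        if role not in self.role_privs:
            raise KeyError(f"unknown role {role!r}")
        for held in self.user_roles[user]:
            if frozenset((held, role)) in self.exclusive:
                raise ValueError(f"{user} may not hold both {held!r} and {role!r}")
        self.user_roles[user].add(role)

    def revoke(self, user, role):
        self.user_roles[user].discard(role)

    def privileges(self, user):
        return set().union(*(self.role_privs[r] for r in self.user_roles.get(user, ())))

    def is_allowed(self, user, privilege):
        """Deny by default: an unknown user, or one with no roles, can do nothing."""
        return privilege in self.privileges(user)


def build_demo():
    """Constructed example organisation, not taken from the question."""
    rbac = Rbac()
    rbac.define_role("accounts_clerk", "create_invoice", "view_invoice")
    rbac.define_role("accounts_manager", "approve_invoice", "view_invoice")
    rbac.define_role("helpdesk", "reset_password")
    rbac.separate_duties("accounts_clerk", "accounts_manager")   # nobody both raises and approves
    rbac.assign("alice", "accounts_clerk")
    rbac.assign("bob", "accounts_manager")
    rbac.assign("carol", "helpdesk")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print(r.is_allowed("alice", "create_invoice"))    # True
    print(r.is_allowed("alice", "approve_invoice"))   # False
    print(r.is_allowed("nobody", "view_invoice"))     # False: deny by default
    try:
        r.assign("alice", "accounts_manager")
    except ValueError as exc:
        print(exc)
```

Changing what alice may do means changing her roles, not editing a per-user permission list; that is what makes an RBAC deployment auditable, since the question "who can approve invoices?" has a one-line answer.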


60. Unless an AUP states otherwise, in the USA an employee has . . .

A. a reasonable expectation of privacy.
B. no rights at all because the firm owns the equipment and network.
C. laws vary too much to make a blanket statement.
D. no rights at all because the company has the responsibility to check for illicit backdoors and viruses.

>> !
Answer: A

This question touches on the areas of legality and, for government employers, the 4th Amendment to the US Constitution. Employers are expected to treat private email, private IM and other means of digital communication as private unless they clearly state otherwise.

"... password protection, encryption and by encouraging personal use will likely contribute to a reasonable expectation of privacy even in the absence of a clear policy statement."

For instance, email is considered private because password protection and encryption are provided and personal use is often encouraged and seldom discouraged. All of that would indicate to any reasonable person, and legally, that there is a reasonable expectation of privacy, especially when there is no clear policy statement. An Acceptable Use Policy (AUP) makes clear what expectations an employee should have.


61. Hard copy should be run through a shredder to prevent sensitive data being revealed by which of the following?

A. Degaussing.
B. Un-erasing data.
C. Out-of-date SLA's.
D. Dumpster diving.

>> !
Answer: D

Dumpster diving is known to be a very low risk attack yielding rich returns. Unless an area is posted, "No trespassing", generally speaking, NO laws are being broken.

Hard copy is another way of saying printed material. Since printed material is not magnetic, degaussing will not help.

In the same logic, you cannot un-erase paper.

Out-of-date SLA (Service Level Agreements) may need to be shredded. If the vendor with the old SLA is still being used, the SLA could tip off an attacker on some company secrets.


62. When considering a disaster recovery plan, what is the most important consideration?

A. Involve stakeholders from every department.
B. Insure the CFO has authorized the budget.
C. Insure the personnel department has hired a CISSP.
D. Insure the CEO has approved the project.

>> !
Answer: A

A stakeholder is a term used in project management. It is any party that has an interest ("stake") in a firm. Every department must be involved in planning. Failure to do this is worse than no plan at all. It creates a false sense of security before an incident and error-prone responses after an incident.

Not all firms require an ISC2 CISSP (Certified Information Systems Security Professional), making this an invalid choice. Only larger companies need the management skills of a CISSP.

The CFO of a company cannot budget or plan for a project without a definition. With a solid plan in place and a cost/benefit analysis done, a good plan will find a budget even if one didn't exist before.

Before approving the project, the CEO should ensure that all stakeholders have helped define the project.


63. An AUP has many elements. From the choices given, choose the one that does not apply.

A. Have legal counsel check policy.
B. Write your own.
C. Make policies reasonable and narrow.
D. Consider any policy that limits access carefully.

>> !
Answer: B

An Acceptable Use Policy (AUP) defines the legal aspects of security. Unless you are a legal professional in addition to being a computer professional, writing your own policy could be disastrous.

A lawyer can help you write the policy, check it, ensure its policies are reasonable and narrow, and help you decide how to carefully limit access.


64. Which of the following are UNacceptable practices when collecting evidence for computer forensics?

A. Not powering down or rebooting the system.
B. Taking pictures of internal components.
C. Contacting senior management.
D. Not unplugging the system from the network.

>> !
Answer: D

The practices that should be carried out when collecting evidence for computer forensics are as follows:

  • Do not power down or reboot the system.
  • Do not open files.
  • Unplug the system from the network.
  • Capture running processes and open files. If possible, document current memory and swap files.
  • Capture mail, DNS and other network service logs supporting hosts.
  • Perform a complete external TCP and UDP port scan of the host.
  • Contact senior management.
  • Where it is practical to make byte for byte copies of the physical disk without a re-boot, do it.
  • If you are making byte for byte (bit stream) copies, it is preferable to use new drives. If you must use existing drives "sanitize" the drives first (low-level format) to eliminate the possibility of a virus.
  • Take pictures of internal components.
  • Document make/model/serial numbers, cable configuration and type.
  • Label evidence "bag and tag".
  • Repeat photographic process with labels on evidence.
  • Document who, what, when (with precise time), how, and why.
  • Have an evidence custodian initial each item at the scene, along with initials of worker.
  • Photograph/videotape above procedures.
  • Include hardware for specialized media; e.g., ZIP disks.
  • Be extra careful with battery powered devices; e.g., laptops.

All the other listed options should be performed. In this case, the system should be removed from the network.


65. Which of the following would you expect to find in a security policy document?

A. A risk assessment.
B. Step by step instructions of how to harden operating systems.
C. Guidelines on IP addresses to be assigned to new routers.
D. A list of persons to contact if a breach of policy is witnessed.

>> !
Answer: D

A security policy is a high level document which should contain the following:

  • An endorsement by management
  • Version control information
  • A record of previous updates
  • A statement indicating intended audience
  • Rules of acceptable use
  • A list of contacts to report any incidents found to be in breach of policy
  • Actions to be taken upon individuals who do not comply with policy

"A risk assessment" is generally carried out in a risk management scenario or during business continuity planning.

Step by step instructions refer to procedural documentation.

Guidelines are usually less specific than procedures and more flexible than standards and are used to provide items such as lists of acceptable parameters that may be applied by procedures.


66. Which of the following is false about a security policy?

A. It is a high level statement that shows a corporation's devotion to maintaining security.
B. It should be endorsed by upper management.
C. It should be frequently updated.
D. It should be read by all IT personnel only.

>> !
Answer: D

All staff, including full time, casual, part time and contractors, should read the security policy. It should list the dos and don'ts and should include the resultant consequences for failure to comply with the policy.

In many cases, user awareness can help enforce the contents of a security policy document.

A security policy is a written document that shows a corporation's commitment to maintaining security effectively.

Since security is dynamic, a security policy should be dynamic, being updated frequently to ensure it covers latest security practices and equipment.

It is important that upper management endorse the security policy.


67. Which of the following is NOT an example of physical security?

A. Security guard
B. CCTV
C. Biometrics system
D. Alarm
E. Token

>> !
Answer: E

A token is used for authentication and is not a physical security device. Smart cards, however, can be used for both technical and physical security. Therefore, if you see smart cards listed among possible answers in a question like the one above, remember smart cards can be used for technical and physical security but a token cannot be used for physical security.

Physical security is the ability to provide security of physical objects such as hardware, media and buildings, for example. A security guard is able to survey a building to ensure that the building, surrounds and building contents are protected.

Guards or operations staff are able to use CCTV (closed circuit television), time-lapse video recorders and cameras to monitor a building and its surrounds for intrusions.

An alarm is a physical security device that sounds in the event of an intrusion.

A biometrics system can fall under both technical and physical security areas. A fingerprint identification system may be used to authenticate a user to a computer, but it may also be used to identify a user as valid for entry to a room or building.


68. Which of the following is NOT a good practice for data backup and restoration?

A. Media should be stored in a fire resistant container.
B. Restoration tests should be performed to ensure backup reliability.
C. Media should be transported off site on a rotational basis.
D. Media should never leave the site as it may be needed in an emergency.

>> !
Answer: D

Since backup media is critical in disaster recovery, it must be able to survive harsh conditions. A strong, fire resistant, waterproof container should be used for storage of backup media.

In order to confirm that backups are reliable, frequent restoration tests should be scheduled. This will identify any backup media or equipment failures before a disaster occurs.

To assist with data recovery, media should be transferred to an approved off site facility on a rotational basis. If a disaster occurs on site, it means that the data is still available. It is also a requirement that the provider of this service be able to provide data in a timely fashion if a disaster occurs.

Although it is convenient to have all data readily available in the event of a disaster, it is best practice to ensure that remote off site storage takes place. If a disaster does occur, it won't wipe out critical systems and all remnants of data in one instance. By keeping data off site, it allows fast retrieval of data with the ability to rebuild a computing environment and facilitate business continuity.


69. You are the network administrator for your company and are responsible for planning disaster recovery procedures. What benefit would keeping your backup media offsite provide to you?

A. It's usually cheaper than keeping backup media onsite.
B. It's much safer than keeping backup media onsite.
C. It's usually easier than keeping backup media onsite.
D. It allows for a faster recovery when the backup media is needed.

>> !
Answer: B

Keeping your backup media offsite provides an extra layer of protection for your data. Imagine the scenario where you had been performing regular backups of your mission critical servers, only to keep the backups in the file cabinet in your office. Over the weekend a small fire breaks out in the building and the sprinklers come on. Now your servers are soaked - not to mention your backup tapes.

Keeping backup media offsite is usually more expensive, but the price is worth it when your building suffers damage.

Keeping backup media offsite is really neither more nor less difficult than keeping it onsite, especially if you are using a third-party media service to rotate and store your backup tapes for you.

The down side to offsite backups is that it usually takes some time to get the backup media onsite in the event it is needed. This, however, is a small price to pay for the safety of knowing it will not be destroyed if your building is damaged.


70. You have recently completed your security audit of the Infosystems Incorporated company network. You have recommended that a multi-factor authentication system be put in place to secure access to the server room. What three things make up a multi-factor authentication system?

A. Something you know, such as a username.
B. Something you know, such as PIN or password.
C. Something you have, such as user account.
D. Something you have, such as a smartcard.
E. Something you are, such as a fingerprint.
F. Something you are, such as an administrator.

>> !
Answer: B, D & E

Multi-factor authentication typically uses three or more items to authenticate a user. These most often consist of the "something you have" which would be a smartcard or magnetically encoded badge, "something you know" which would be a PIN or password and "something you are" such as a fingerprint or retinal scan.

Knowing a username is not usually accepted as an adequate authentication mechanism in a multi-factor scenario. Instead, a PIN or password is used as something that is known - user names are often very easy to guess.

Having a user account is not an effective authentication method alone. The possession of a smartcard or badge provides a physical link that can be used to authenticate a user.

Being an administrator is not as effective an authentication measure as comparing your fingerprint or retinal scan to that stored in a database, and is thus not an effective authentication method in a multi-factor scenario.


71. You are network administrator for your company. From a security standpoint, what is typically the weakest part of any security plan?

A. Users
B. Servers
C. Firewalls
D. Physical security

>> !
Answer: A

Users are always the single largest weakness in any security plan. You can secure servers, configure firewalls and install high-security locks, but you can never account for users and their unpredictable nature.

Servers can be a security issue in any organization, but are not typically as problematic as users.

Firewalls can be a security issue in any organization, but are not typically as problematic as users.

Physical security measures can be a security issue in any organization, but are not typically as problematic as users.


72. You are the network administrator for your company. You are responsible for planning disaster recovery procedures. You are looking into setting up a hot site. Which of the following represents a hot site in relationship to disaster recovery?

A. A co-located space that is shared with one or more other organizations.
B. A hotel suite that is rented when disaster strikes to serve as a temporary operations center.
C. A fully equipped site that can be quickly brought online to act in place of your normal network operations center.
D. A location that is utilized for secure storage of your backup media.

>> !
Answer: C

A hot site is one that is ready to go on very short notice to take over normal operations of your network and organization's business needs. Typically it is the same size as, or a slightly smaller version of, your existing network operations center and has similar equipment and services.

A co-located space is not typically used as a disaster recovery hot site. Typically, co-located sites are used when multiple companies partner on a venture and each places specific network hardware at the site as part of the overall solution.

A hotel suite that is rented when disaster strikes would be thought of as a cold site. This means that little to no pre-work has been done and the network will have to be rebuilt from scratch on the spot.

A location that provides secure storage of your backup media would be a tape vault or a media storage service, but not a full-fledged hot site.


73. Which of the following is True about CHAP?

A. CHAP is used primarily on PPP based networks.
B. PAP is more secure than CHAP.
C. CHAP is a certificate based protocol.
D. CHAP uses two-way hashing.

>> !
Answer: A

CHAP is used as a primary authentication protocol for PPP even though the security could be set to none.

"PAP is more secure than CHAP" is incorrect for two reasons. First, CHAP uses a Challenge-Handshake Authentication system and is much more secure than PAP. Second, PAP is much more susceptible to eavesdropping than CHAP.

"CHAP is a certificate based protocol" is also incorrect because CHAP does not use certificates. It uses handshaking as the basis of operation.

"CHAP uses two-way hashing" is incorrect because CHAP only uses a one-way hash function.


74. Which of the following is False regarding Kerberos?

A. Kerberos uses asymmetric-key cryptography.
B. Kerberos requires that you have a good time source available.
C. Kerberos uses encrypted "tickets" during its process.
D. Kerberos is a secure form of authentication.

>> !
Answer: A

Kerberos actually uses symmetric-key cryptography, NOT asymmetric.

Because the Kerberos system relies on time stamps, a good time source IS mandatory.

Kerberos DOES let the user request an encrypted "ticket" that can then be used to request services from the system.

Kerberos IS a highly secure form of authentication.


75. Which of the following attacks is described as: "An attack used to achieve the disruption of any service to legitimate users"?

A. Replay
B. Session Hijacking
C. Spoofing
D. DOS/DDOS

>> !
Answer: D

These acronyms refer to Denial Of Service/Distributed Denial Of Service attacks, which prevent regular network users from accessing an Internet service.

"Session Hijacking" occurs when an attacker takes over a TCP session between two machines.

"Spoofing" occurs when an attacker uses the IP address of a trusted host to fool the recipient into thinking they are a trusted sender.

"Replay" occurs when an attacker uses a 'Sniffer' to grab packets off the wire, extract authentication information and passwords, and then 'Replay' the packet back onto the network to complete its journey.


76. Which of the following is a key difference between MAC and DAC?

A. MAC does not allow copying a file.
B. DAC does not allow copying a file.
C. DAC is DoD "B" Level security.
D. DAC is also known as the "Lattice" model.

>> !
Answer: A

A key difference between Mandatory Access Control (MAC) and Discretionary Access Control (DAC) is that a user who is allowed to access a file in the DAC model can also copy it. With MAC, a user permitted to access a file does not necessarily have the right to copy the same file. Discretionary Access Control (DAC) has been most commonly found in the PC and network computing environment. The Department of Defense (DoD) standard for MAC is the B level classification, while DAC is the C level classification.

Bell-LaPadula created a security model that is commonly referred to as the Lattice-based model. Lattice is also a MAC based security model. However, technically speaking, the lattice model would allow a top-secret clearance to write to a secret object. Bell-LaPadula can disallow that operation.

Pay particularly close attention to the bullet points on the 4th slide in the link below. http://www.coe.uncc.edu/~gahn/courses/ITSC8077/Lecture9.pdf

The DoD Trusted Computer System Evaluation Criteria is published as a series. Each set of specifications has a different color for the title. This yields the common reference to the "rainbow series." The link below offers a minimum of four different formats to obtain these books free of charge. http://www.radium.ncsc.mil/tpep/library/rainbow/

SANS also has a nice article on how SELinux (Security Enhanced Linux) operates and has a link to obtain this modified Linux O/S.


77. Kerberos uses ______ encryption and creates ______ session key(s).

A. symmetric, one
B. asymmetric, two
C. symmetric, two
D. asymmetric, one

>> !
Answer: C

When a user authenticates using Kerberos, the following takes place. The computer connects to a "ticket-granting service", known as an Authentication Server (AS). The AS creates a "ticket" using a symmetric encryption scheme. Two session keys are created. One key goes to the user's connection, which includes an expiration stamp. The AS holds on to the other session key.


78. CHAP typically uses an encryption protocol such as which of the following?

A. MD5
B. RC4
C. Skipjack
D. AES

>> !
Answer: A

MD5 (the "MD" stands for "message digest") and its cousin SHA1 (Secure Hashing Algorithm version 1) create a mathematical digest which is unique and does not contain enough data to determine the original contents. Challenge Handshake Authentication Protocol (CHAP) creates a three-way handshake. The server challenges the client login attempt. Then the client uses the message that was sent along with its secret to create an MD5 hash. This is sent back to the server. Next the server performs the same hash and compares the two values. This can be repeated at random intervals.

RC4 (a cipher created for RSA by Ron Rivest), Skipjack and Advanced Encryption Standard (AES) are all symmetrical (secret key) block data encryption methods designed to transmit entire messages in ciphertext (not human readable).


79. Which of the following is the difference between a back door and a root kit?

A. A back door is a program which bypasses security to allow access while a root kit accomplishes the same thing by changing the O/S at the kernel or utility level.
B. A root kit is a program which bypasses security to allow access while a back door accomplishes the same thing by changing the O/S at the kernel or utility level.
C. A back door prevents spoofing, a root kit prevents DoS attacks.
D. A back door prevents spoofing, a root kit prevents the O/S kernel from being modified.

>> !
Answer: A

Back Door programs typically install themselves because a user was fooled into downloading and installing a program that was enticing to the user. A root kit modifies an O/S at the kernel or utility level. It is true that comparing the actual damage that can be done by a back door, such as NetBus, versus a root kit is like asking if you would rather be hanged or shot. In either case, the only safe thing to do is wipe the drive clean and re-install the O/S. Both types of programs give an unauthorized user access and/or control of the machine.

Root kit programs modify the O/S, while back door programs bypass security.

Machines with either a root kit or a back door can be used to create a Denial of Service (DoS) or a Distributed Denial of Service (DDoS). Since the attacker has control of the machine, other things are possible as well (all of them being bad). This makes any thought of preventing a DoS attack incorrect.

Back doors and root kits cannot be considered useful in assisting security. Security experts expect back door and root kit programs to become a more popular form of attack than viruses in 2003 and beyond.


80. When considering non-essential services and protocols, there are two approaches: optimistic and pessimistic. Choose the correct explanation for the pessimistic route.

A. Open a port when it has been specifically justified as required.
B. Close a port when it becomes an issue.
C. Setting a passive IDS to close a port at alert status.
D. Close a port if you suspect O/S fingerprinting.

>> !
Answer: A

There are two approaches to shutting down non-essential services and protocols. The optimistic approach says, when a problem rears its ugly head, address it. The pessimistic approach says, open a port/service only when you find it not being there is holding up business. The pessimistic approach may be annoying to users who have to justify why they need a service. It is also annoying to users when the network is not available because it has been 'taken out' by an attack.

Passive IDS (Intrusion Detection System) cannot take any proactive measures. This is the difference between active IDS and passive IDS. Given this, the choice to close a port with passive IDS is incorrect.

O/S fingerprinting is the process of sending TCP/IP commands to a system to watch the specific response. Since each vendor creates TCP/IP for their O/S, responses vary slightly between one O/S and another. By observing the responses it is possible to determine the O/S in use to narrow the choice of tools for an assault. Since this has nothing to do with closing non-essential services or ports, this is an incorrect choice.


81. By observing the timer value in the TCP stack, it is possible to do which of the following?

A. Defeat the use of NMap.
B. Adjust the ping response time.
C. Determine the O/S in use to plan an attack.
D. Defeat a DoS.

>> !
Answer: C

Timeout values and regeneration cycles are not rigidly set. This means each O/S has its own implementation. Therefore, it becomes easy to determine the O/S in use. While this can be done manually, products such as Nmap can run an automated test and give a pretty good idea of what O/S is running and how difficult it is to break.

Ping (Packet InterNet Groper) reveals the response time between two TCP/IP enabled devices. This is a result output based on conditions, and not a correct choice for this question.

Nmap is a *nix tool (nmapwin is for windows) that automates the process of determining the O/S in use. It can also be used as a port scanner. It is not the correct choice for this question.

A commonly accepted convention is that you can really stop a DoS (Denial of Service) attack, and this is true. However, you would do so by increasing the available bandwidth, which would make a DoS attack ineffective. You would not do this by observing the timer value in the TCP stack.


82. Which of the following is a trick played on servers to fool the target computer into thinking that it is receiving data from a source other than the real source?

A. Spoofing
B. Virus
C. Teardrop attack
D. Logic Bomb

>> !
Answer: A

Forging the source address in an IP packet is known as spoofing. Because spoofing is blind (the attacker cannot see the results) it may or may not be successful. The difficult nature of spoofing means it is not a common trick but you'll see it often enough.

A virus is generally meant to damage the contents on a PC, and does not normally need to fake the source of data in order to do this.

A teardrop attack is a type of DoS (Denial of Service) that carries a phony fragmentation offset value.

A logic bomb is a malicious program that is set to wait for a specific event or data. An example of this is the Michelangelo virus which waits for March 6th to destroy the FAT partition of a disk(ette).


83. Almost no integrity checking exists in TACACS+. This makes TACACS+ susceptible to which of the following?

A. Replay attack
B. Teardrop attack
C. Spoofing
D. DoS attack

>> !
Answer: A

The only requirement stated in RFC 1492, the standard for TACACS+, is that packets have a correct sequence number. Since all TACACS+ sessions start with a sequence number of 1, the TACACS+ server will always process a packet with seq_no set to 1. Replaying a session recorded from the beginning is easy.

A teardrop attack uses the fact that TCP will fragment data that is too long to fit in one payload into additional packets and set a fragment offset. Modifying the fragment offset can crash a device that is not properly protected. While this can be an issue, it is not associated with TACACS+.

Spoofing involves changing the source IP address to one that is different from the real address. This is not an issue associated with TACACS+.

DoS (Denial of Service) attacks are phony requests sent to consume resources, making it difficult or impossible for authorized users to gain access. This is a generic attack that is not specifically associated with TACACS+.


84. A dictionary attack can be made more difficult to carry out by doing which of the following?

A. Using a combination of random letters, special characters, and numbers in a password.
B. Disabling long passwords.
C. Allowing nouns and proper names in password usage.
D. Changing passwords once a year.

>> !
Answer: A

A dictionary cracking tool, such as Crack, takes a word and transforms it into more than 4,000 variations and encrypts these variations with DES (Data Encryption Standard). The software then compares the DES string to the DES encrypted passwords on a *nix system, looking for a match.

The other choices offered all have the common element of being things not to do. Longer passwords make it more difficult to guess them. Common names and phrases (such as "password") are at the top of the list for a dictionary password cracker. Password age varies by needs, and forcing passwords to change only once a year is too long for any system.


85. The statement:

Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'")

is a perfect setup for which of the following?

A. SQL Injection.
B. Excellent data input validation.
C. A Trojan horse.
D. Creating a digital certificate.

>> !
Answer: A

This is a classic example of a SQL statement vulnerable to a SQL Injection. The single ' at the end allows data of any type to be input, including the running of a program on the SQL server.

This is the opposite of a demonstration of excellent data input validation.

Trojan horse programs are any programs that are not what they appear to be.

This is not the correct way to create a digital certificate.


86. Malicious code that waits for a specific event to execute is known as which of the following?

A. Logic Bomb
B. Worm
C. DDoS
D. IDS

>> !
Answer: A

A logic bomb is a malicious program that is set to wait for a specific event or data. An example of this is the Michelangelo virus which waits for March 6th to destroy the FAT partition of a disk(ette). A more common concern is an upset employee inserting a logic bomb.

A worm is very virus-like in that it can replicate itself and propagate across a network. Unlike a virus, it does not have to attach itself to a host program.

A DDoS (Distributed Denial of Service) occurs when multiple machines (sometimes without the owner's knowledge) known as zombies, flood a single IP address. Therefore, normal traffic cannot be handled.

IDS (Intrusion Detection System) is a type of 'burglar alarm' which looks for unusual network traffic or Trojan Horse programs.


87. Which of the following is a type of attack that cannot be detected with software tools?

A. Social Engineering.
B. SATAN.
C. There is no type of attack that cannot be detected by software.
D. Trojan horse.

>> !
Answer: A

Social engineering is an attack that is against people, not equipment. These attacks are based on the basic tendencies of human nature. Training is the solution to social engineering attacks.

Too often IT people think technology is the answer to everything. Social Engineering attacks are typically the most successful and insidious attacks because they cannot be detected by software.

A Trojan horse is a type of viral attack. The goal is to fool the user into installing malicious code, thinking it is something fun or harmless. Since it actually is software, it is not the correct answer for this question.

Security Administrator Tool for Analyzing Networks (SATAN) is software used by systems administrators to help them pinpoint common networking-related security problems. It is not, in itself, an attack (though you can imagine how it might be used in such a way). Just as an aside, for the exam know that SATAN may not work with Linux.


88. Typical biometric options include which of the following?

A. Fingerprint scanning.
B. Keystroke analysis.
C. SmartCard.
D. Password.
E. PIN number with bank card.

>> !
Answer: A & B

Biometrics provides authentication based on something you are or something you do. Fingerprint scanning is searching for something you are. Keystroke analysis is something you do.

SmartCards are hardware devices, something you have and generally not biometric based.

A password is something you know, which is not biometric based.

A PIN is something you know, along with a bank card, something you have. This is called multi-factor authentication.


89. Classic auditing requires a ______ to determine what is normal activity.

A. Baseline.
B. 3-way handshake.
C. Log file on the same drive as the service.
D. TCP/IP to be installed.

>> !
Answer: A

To know where you are, you have to know where you began. It is not possible to know what is 'normal' until you establish baseline activity to measure current activity against.

A 3-way handshake is how the TCP protocol establishes a virtual circuit. It starts with a request from a client, the server acknowledges the request and the client confirms it got the OK from the server. This is not classic auditing.

Ideally, log files are stored on a system that is not part of the server running the services. This keeps an intruder from "covering his tracks" by erasing log entries.

Baselines are a common and classic method for determining load and allow for planning. Baselines have been used long before TCP/IP became a popular way to network. This makes requiring TCP/IP an incorrect choice.


90. ______ -bit encryption is now considered insecure.

A. 40
B. 128
C. 256
D. 448

>> !
Answer: A

40-bit encryption was broken in just over a week. Therefore, the commonly accepted practice is that 40-bit encryption isn't good enough.

128-bit encryption today is considered 'standard' for secure computing.

As 256-bit encryption is considerably tougher than the considered safe standard of 128-bit encryption, it would be incorrect to say it is insecure.

448-bit encryption is the maximum available in the encryption scheme Blowfish. Blowfish is royalty free and has source code available for your own projects.


91. You are responsible for designing an access control system for your network. Your plan calls for all access to be blocked by default unless a user has specifically configured permissions to access a resource. What type of access control are you implementing?

A. Role Based Access Control.
B. Mandatory Access Control.
C. Discretionary Access Control.
D. Discretionary Access Control List.

>> !
Answer: B

When Mandatory Access Control (MAC) is being used, a user cannot access resources unless they have been specifically authorized to have access. In most cases, systems using the MAC model will also have all anonymous and guest access disabled. It is typical to see Mandatory Access Control used in extremely secure networks, such as government and military networks.

When Role Based Access Control (RBAC) is used, the permissions that a user receives are assigned based on the role or roles that the user is fulfilling within the organization. Some possible roles include Network Administrator, Database Administrator, Developer, User, etc. It is possible for a user to be assigned more than one role, with permissions being cumulative in this case.

When Discretionary Access Control (DAC) is used, the permissions that a group or user has are specified on an object-by-object basis.

A Discretionary Access Control List (DACL) is the list used by an operating system, such as Windows or UNIX, that specifies what permissions each user or group has to each and every object in both the file system and the domain environment.


92. An attacker is trying to gain access to your network by using a software application designed to randomly guess passwords for a selected user name. What form of attack are you experiencing?

A. Brute Force attack.
B. Spoofing attack.
C. Dictionary attack.
D. Replay attack.
E. Man in the middle attack.

>> !
Answer: A

A Brute Force attack is one in which all possible combinations of a key or password are tried in a random fashion in an effort to guess the correct key or password.

A Spoofing attack is one in which a message appears to originate from one source when in fact it came from a different source altogether. This type of attack is commonly used by email Trojans and worms for replication (Nimda, for example) and is fairly popular for attacks on wireless networks (MAC spoofing).

A Dictionary attack is one in which a key or password is subjected to guessing by using a dictionary list that is pre-populated with commonly used words and phrases, such as "thequickbrownfox."

A Replay attack is one in which packets are captured in transit from one party to another, modified, and later retransmitted to cause one or both parties from the original conversation to unwittingly trust the attacker and perform an action of the attacker's choice (or transmit information to the attacker).

A Man in the Middle attack is one in which an attacker captures traffic from both sides of a connection, modifies it, and thus controls the entire conversation for his or her own gain. Both users think they are receiving untainted data from the other user, when in fact the exact opposite is true.


93. An attacker is trying to gain access to your network by using a software application designed to guess passwords for a selected user name from a pre-populated list. What form of attack are you experiencing?

A. Brute Force attack.
B. Spoofing attack.
C. Dictionary attack.
D. Replay attack.
E. Man in the middle attack.

>> !
Answer: C

A Dictionary attack is one in which a key or password is subjected to guessing by using a dictionary list that is pre-populated with commonly used words and phrases, such as "thequickbrownfox."

A Brute Force attack is one in which all possible combinations of a key or password are tried in a random fashion in an effort to guess the correct key or password.

A Spoofing attack is one in which a message appears to originate from one source when in fact it came from a different source altogether. This type of attack is commonly used by email Trojans and worms for replication (Nimda, for example) and is fairly popular for attacks on wireless networks (MAC spoofing).

A Replay attack is one in which packets are captured in transit from one party to another, modified, and later retransmitted to cause one or both parties from the original conversation to unwittingly trust the attacker and perform an action of the attacker's choice (or transmit information to the attacker).

A Man in the Middle attack is one in which an attacker captures traffic from both sides of a connection, modifies it, and thus controls the entire conversation for his or her own gain. Both users think they are receiving untainted data from the other user, when in fact the exact opposite is true.


94. You have recently been hired to perform a security audit of the Infosystems Incorporated company network. You are currently using a tool to audit the password strength of all administrative accounts in the network. The tool is randomly trying all combinations of passwords between 4-12 characters in length in order to locate weak passwords. What type of attack is this similar to?

A. Brute Force attack.
B. Spoofing attack.
C. Dictionary attack.
D. Replay attack.
E. Man in the middle attack.

>> !
Answer: A

A Brute Force attack is one in which all possible combinations of a key or password are tried in a random fashion in an effort to guess the correct key or password.

A Spoofing attack is one in which a message appears to originate from one source when in fact it came from a different source altogether. This type of attack is commonly used by email Trojans and worms for replication (Nimda, for example) and is fairly popular for attacks on wireless networks (MAC spoofing).

A Dictionary attack is one in which a key or password is subjected to guessing by using a dictionary list that is pre-populated with commonly used words and phrases, such as "thequickbrownfox."

A Replay attack is one in which packets are captured in transit from one party to another, modified, and later retransmitted to cause one or both parties from the original conversation to unwittingly trust the attacker and perform an action of the attacker's choice (or transmit information to the attacker).

A Man in the Middle attack is one in which an attacker captures traffic from both sides of a connection, modifies it, and thus controls the entire conversation for his or her own gain. Both users think they are receiving untainted data from the other user, when in fact the exact opposite is true.


95. Which of the following are NOT true of RSA? (Choose all that apply)

A. It uses the same key to encrypt and decrypt.
B. It has much smaller key sizes than DES and AES.
C. It relies on the difficulty of factoring large prime numbers for its strength.
D. It has replaced DES.

>> !
Answer: A, B & D

RSA was created by Rivest, Shamir and Adleman as a public key cryptography system. Its strength is derived from the difficulty of factoring large numbers that are the product of two large primes. While it is relatively simple to multiply two large numbers together, it is difficult to take that result and determine which two numbers were multiplied to produce it.

Since RSA is a public key cryptographic system, it uses separate keys for encryption and decryption.

It actually has larger keys than private key cryptographic systems such as the Data Encryption Standard (DES). Typically, RSA keys are 512, 1024 or 2048 bits in length, compared with the key sizes of private key cryptographic systems: 56 bits for DES, 128 bits for the International Data Encryption Algorithm (IDEA), 168 bits for Triple DES and up to 256 bits for the Advanced Encryption Standard (AES).

RSA did not replace DES (DES was recently discontinued for government use, with Rijndael officially selected as its replacement under the name AES). RSA complements DES: RSA is used to encrypt the keys used by DES, while DES does the bulk of the encryption for messages.