# CompTIA Security+ 501 Exam Chapter 13 Mock Exam 2 Assessment
1. You are the security administrator for a large multinational corporation, and you have used a black box penetration tester to find vulnerabilities in your company and exploit them as far as they can. During the penetration test, it was found that there were some vulnerabilities in your Windows 10 desktop operating system. There were no vulnerabilities in any of your Linux or Unix systems. Which of the following BEST describes why the penetration tester was successful with the Windows 10 machines, but not with the Linux or Unix machines?
A. Linux and Unix are more secure than Windows 10
B. The penetration tester did not attempt to exploit the Linux/Unix machines
C. The Linux and Unix operating systems never have any vulnerabilities
D. The operating systems' attack vectors are very different
Answer: D
Concept: Different operating systems have different structures, so the attack vectors and the paths taken to attack them are different.
Wrong answers:
A. Not a proven fact—red herring
B. The penetration tests did attempt the exploit—that is why they had negative results
C. All operating systems suffer from vulnerabilities at one time or another
2. You are a security administrator and you wish to implement an encrypted method of authentication for your wireless network. Which of the following protocols is the MOST secure for your wireless network?
A. PAP
B. WPA2-PSK
C. EAP-TLS
D. PEAP
Answer: C
Concept: EAP-TLS is a secure wireless authentication protocol, as it uses certificates. It is the most secure EAP standard.
Wrong answers:
A. PAP shows the passwords in clear text and is used by VPN, not wireless networks
B. WPA2-PSK uses a wireless router password; therefore, it is not secure
D. PEAP encrypts EAP packets for secure wireless authentication, but it is not as secure as EAP-TLS
3. You are designing the network topology for a new company that is rapidly expanding from a one-premise company with 20 users to a medium-sized company with 300 users. The company tells you that it was subject to a DDoS attack last year that took the company down for over a day. In your network design, they don't want to implement a DMZ; therefore, the traffic will be coming directly from the internet. How do you propose to BEST mitigate against future DDoS attacks? Select two answers from the following list; each forms part of the solution:
A. Install a stateless firewall on the edge of your network to prevent incoming traffic
B. Install a stateful firewall on the edge of your network to prevent incoming traffic
C. Install an NIDS in your network as an additional layer of protection
D. Install an NIPS in your network as an additional layer of protection
E. Install an inline NIPS in your network as an additional layer of protection
Answer: B and E
Concept: A stateful firewall on the edge of your network can prevent a DDoS attack as it inspects the traffic, including the verbs. An inline NIPS will ensure that all network traffic coming from the firewall will go through it and be inspected thoroughly.
Wrong answers:
A. A stateless firewall is a basic firewall that will prevent unauthorized access, but does not really inspect the traffic thoroughly
C. An NIDS cannot be an additional layer of protection, as it just detects changes in traffic patterns and cannot prevent the attacks
D. Although installing an NIPS behind the firewall is a good idea, the inline NIPS is a much better solution, as all of the traffic passes through it
4. You work on the cyber security team of a large multinational corporation, and you have been alerted to an attack on the web server inside your DMZ that is used for selling your products on the internet. You can see by running netstat that you have an unknown active connection. What should be the first step you take when investigating this incident?
A. Isolate the web server by disconnecting it from the network to prevent further damage
B. Disconnect all external active connections to ensure that the attack is stopped
C. Run a packet sniffer to capture the network traffic and identify the attacker
D. Take a screenshot of the damage done to the website and report it to the police
Answer: C
Concept: The first stage in investigating any attack is to capture the volatile evidence. In this incident, you would capture the network traffic to identify the source of the attack.
Wrong answers:
A. Disconnecting the web server will prevent further damage, but will not identify the attacker or prevent it from happening again
B. Again, this option will not identify the attacker, but may instead stop legitimate customers
D. A screenshot may not show the real damage being done, and will not identify the attacker
5. I need to purchase a certificate that I can install on five mail servers. Which one should I purchase?
A. PEM certificate
B. Wildcard certificate
C. Subject Alternative Name (SAN) certificate
D. Root certificate
Answer: B
Concept: A wildcard certificate can be used on multiple servers in the same domain.
Wrong answers:
A. PEM is a base64 format
C. A SAN certificate can be used on servers in different domains
D. A root certificate can only be used by a CA
6. You are the manager of a large IT company, and it is your duty to authorize administrative controls. Which of the following are actions that you would NORMALLY authorize? Select all that apply:
A. Collecting an ID badge
B. Creating an IT security policy
C. Purchasing a cable lock
D. Creating a new firewall rule
Answer: A and B
Concept: Writing policies, filling out forms, and anything to do with applying for ID badges are administrative controls.
Wrong answers:
C. A cable lock is a physical control
D. A firewall rule is a technical control to mitigate risk
7. You are the operational manager for a financial company that has just suffered a disaster. Which of the following sites will you choose to be fully operational in the least amount of time?
A. Cold site
B. Warm site
C. Hot site
D. Campus site
Answer: C
Concept: The hot site should be up and running with data less than one hour old.
Wrong answers:
A. The cold site is the hardest site to get up and running, and it only has power and water
B. A warm site has noncritical data, and the data is about a day old
D. This is a red herring, and has nothing to do with disaster recovery
8. The serious crimes agency has just taken control of a laptop belonging to a well-known criminal that they have been trying to track down for the last 20 years. They want to ensure that everything is done by the book and no errors are made. What is the first step in their forensic investigation, prior to starting the chain of custody?
A. Making a system image of the laptop
B. Placing the laptop in a polythene bag and sealing it
C. Hashing the data so that data integrity is assured
D. Asking for proof of ownership of the laptop
Answer: A
Concept: The first step is to create a system image; or, if it is a hard drive, create a forensic copy.
Wrong answers:
B. This is the second step
C. This is one of the steps when we start to investigate the contents of the laptop
D. This is not relevant
9. If an attacker is looking for information about the software versions that you use on your network, which of the following tools could they use? Select all that apply:
A. Protocol analyzer
B. Port scanner
C. Network mapper
D. Baseline analyzer
Answer: A and C
Concept: A network mapper (Nmap) can identify new hosts on the network, identify what services are running, and identify what operating systems are installed. A protocol analyzer, sometimes called a packet sniffer, can tell what operating systems run on network hosts.
Wrong answers:
B. A port scanner only tells you which ports are open
D. A baseline analyzer is a vulnerability scanner, and tells you about missing patches
10. Footage of people relaxing in their homes started appearing on the internet without the knowledge of the people being filmed. The people being filmed were warned by relatives and coworkers, resulting in an inquiry being launched by the police. Initial evidence reported that the victims had recently purchased IoT devices, such as health monitors, baby monitors, smart TVs, and refrigerators. Which of the following best describes why the attacks were successful?
A. The devices' default configurations had not been changed
B. The victims' houses had been broken into and hidden cameras were installed
C. The victims' wireless networks were broadcasting beyond the boundaries of their homes
D. The manufacturers of the devices installed hidden devices to allow them to film
Answer: A
Concept: IoT home-based automated devices should have the default configurations of the username and password changed.
Wrong answers:
B. This would be very unlikely for so many people
C. This may be a possibility, but is unlikely to be the main reason
D. This would not happen, or the manufacturer would lose their market share
11. You are the network administrator for an IT training company that has over 20 training rooms that are all networked together in their Miami office. Your corporate admin team could not access the internet last week as they were getting their IP settings from one of the training room's DHCP servers. The training manager has asked you to separate the corporate admin machines into their own network with a different IP range from the training rooms. What is the most secure way of implementing this? Select the best option from the following list:
A. Create a VLAN on the switch and put the corporate admin team in the VLAN
B. Install a router in the LAN and place the corporate admin team in the new subnet
C. Create a NAT from the firewall and put the corporate machines in that network
D. Install a proxy server
Answer: C
Concept: A NAT hides the internal network from external resources and will separate the training machines from the corporate admin machines.
Wrong answers:
A. Putting a VLAN on the switch will segment the two networks, but it's not the best option
B. Installing a router creates a subnet and would also segment the two entities, but this is not the best option either
D. A proxy caches web pages and also filters traffic to and from the internet
12. Your organization has many different ways of connecting to your network, ranging from VPN and RAS to 802.1x authentication switches. You need to implement a centrally managed authentication system that will allow for long periods of access. Select the two most suitable methods of authentication:
A. PAP
B. TACACS+
C. NTLM
D. RADIUS
Answer: B and D
Concept: AAA servers are used for centralized authentication, as they provide authentication, authorization, and accounting, where they can record all log-ins and log-outs in a database.
Wrong answers:
A. PAP is a weak authentication system where passwords are shown in clear text
C. NTLM is a weak authentication protocol that is susceptible to pass-the-hash attacks
13. From a security perspective, what is the MAJOR benefit of using imaging technologies such as Microsoft WDS or Symantec Ghost to image desktops and laptops that are being rolled out?
A. It provides a consistent baseline for all new machines
B. It ensures that all machines are patched
C. It reduces the number of vulnerabilities
D. It allows a non-technical person to roll out the images
Answer: A
Concept: When you build an image, all of the applications will have the same settings and updates and therefore will be consistent. A baseline consists of the applications that are installed at the current time.
Wrong answers:
B. Updates come out almost every week, so you will still need to patch an image, especially if it was taken a month or two ago
C. Vulnerabilities are discovered on a frequent basis, therefore this is not true
D. The fact is true, but from a security point of view it could pose a risk
14. A company that is allowing people to access their internet application wants the people who log into the application to use an account managed by someone else. An example of this is a user accessing their Facebook account with a technology called OpenID Connect. Which of the following protocols is this based on? Select the BEST choice:
A. Kerberos
B. SAML
C. OAuth 2.0
D. Federation services
Answer: C
Concept: OAuth 2.0 is the industry-standard protocol for authorization. It is used by OpenID Connect, where people can be authenticated using their Facebook or Google account.
Wrong answers:
A. Kerberos is used only in Microsoft Active Directory
B. SAML is an XML-based authentication used in federation services
D. Federation services is third-party-to-third-party authentication that uses SAML, an XML-based authentication protocol
15. You are the security administrator for a medium-sized company that needs to enforce a much stricter password policy via Group Policy. The aims of this policy are to do the following:
1. Prevent using the same password within 12 password changes
2. Ensure that they cannot change the password more than once a day
3. Prevent weak passwords or simple passwords, such as 123456 or 'password', from being used
Select the following options that you will need to use to fulfill all of these goals:
A. Enforce password history
B. Minimum password length
C. Passwords must meet complexity requirements
D. Minimum password age
E. Maximum password length
Answers: A and C
Concept: The password history is the number of passwords that you need to remember before you can reuse them. Password complexity requires users to use three of the following four character types in the password: lowercase letters, uppercase letters, numbers, and special characters not used in programming. A minimum password age set to 1 means that you can change the password only once a day, preventing password rotation until you get back to the original password.
Wrong answers:
B. Password length was a requirement, but the longer the password length, the longer it will take a brute force attack to crack
E. In a group policy, there is no option for maximum password length
16. You provide a service for people who have recently fulfilled their contract with their mobile phone provider to unlock their phone and then install third-party applications on it. They will then no longer be tied to using the mobile phone vendor's app store. Which of the following techniques will you use to achieve this? Select all that apply:
A. Tethering
B. Sideloading
C. Slipstreaming
D. Jailbreaking or rooting
E. Degaussing
Answers: B and D
Concept: Sideloading involves loading third-party applications onto an unlocked mobile phone. Jailbreaking (iOS), or rooting (Android), is where the phone has been unlocked, removing the vendor's restrictions on the mobile phone.
Wrong answers:
A. Tethering involves connecting your phone to a laptop to give the laptop internet access
C. Slipstreaming is a technique for installing drivers into an .iso file
E. Degaussing involves passing a charge over a hard drive to erase data
17. You are the security administrator of a multinational company that has recently prevented brute-force attacks by using account lockout settings with a low value via group policy. The CEO of the company has now dictated that the company will no longer use account lockout settings, as he read an article about it and got the wrong impression. Facing this dilemma, how can you make it more difficult for a brute-force attack to be successful?
A. Obfuscation
B. PBKDF2
C. XOR
D. bcrypt
Answer: B and D
Concept: PBKDF2 and bcrypt are key-stretching algorithms that insert random characters into password hashes, making them longer so that brute-force attacks need more processing and computation resources to crack them.
Wrong answers:
A. Obfuscation makes code obscure so that if someone steals your code, they cannot make sense of it
C. XOR (exclusive OR) can be used to encrypt binary numbers
18. You want to join a wireless network using a password. Which of the following wireless features would be most appropriate to achieve this objective?
A. WPA2-Enterprise
B. WPA2-TKIP
C. WPS
D. WPA2-PSK
E. WPA2-CCMP
Answer: D
Concept: PSK uses the WAP password to join the network.
Wrong answers:
A. WPA2-Enterprise uses 802.1x with RADIUS for authentication
B. WPA2-TKIP is backward compatible with legacy devices
C. WPS pushes a button to access the network
E. WPA2-CCMP is the strongest encryption, as it uses AES
19. What is the main purpose of a Network Intrusion Detection System (NIDS)? Select the MOST appropriate option:
A. Identifying vulnerabilities
B. Identifying new network hosts
C. Identifying viruses
D. Identifying new web servers
Answer: B
Concept: NIDS identifies changes to the network and the network traffic.
Wrong answers:
A. This is the job of a vulnerability scanner
C. This is the job of a virus scanner
D. Web servers are not based in the LAN; normally, they are based in the DMZ
20. A web server was the victim of an integer-overflow attack. How could this be prevented in the future?
A. Install a proxy server
B. Install SQL-injection
C. Input validation on forms
D. Install a web application firewall
Answer: C
Concept: Input validation prevents buffer-overflow attacks, integer-overflow attacks, and SQL-injection by restricting the input to a certain format.
Wrong answers:
A. A proxy server is used for web page caching and URL and content filtering
B. SQL-injection is a form of attack where the phrase 1 = 1 is used in a script
D. A web application firewall is used to protect web servers and their applications
21. You have recently set up a new virtual network with over 1,000 guest machines. One of the hosts is running out of resources, such as memory and disk space. Which of the following best describes what is happening?
A. Virtual machine escape
B. End of system lifespan
C. System sprawl
D. Poor setup
Answer: C
Concept: System sprawl over-utilizes resources. This means that the system has started to run out of resources.
Wrong answers:
A. VM escape is where an attacker uses a virtual machine so that they can attack the host
B. This is where a vendor no longer supports an application
D. This is where the configuration is not set properly
22. You are the system administrator for a multinational company that wants to implement two-factor authentication. At present, you are using facial recognition as the method of access. Which of the following would allow you to achieve two-factor authentication? Select all that apply:
A. Palm reader
B. Signature verification
C. Thumb scanner
D. Gait
E. Iris scanner
Answer: B and D
Concept: Facial recognition is something you are for authentication. B and D are both something you do—you have a unique signature and your gait is how you walk.
Wrong answers:
A, C, and E all come under the something you are category.
23. The security auditor has just visited your company and is recommending change management to reduce the risk from the unknown vulnerabilities of any new software introduced into the company. What will the auditor recommend for reducing the risk when you first evaluate the software? Select the BEST practices to adopt from the following list:
A. Jailbreaking
B. Sandboxing
C. Bluesnarfing
D. Chroot jail
E. Fuzzing
Answer: B and D
Concept: Sandboxing and chroot jail allow you to isolate an application inside a virtual guest machine.
Wrong answers:
A. This is the removal of the restrictions that Apple sets on an iOS device
C. This is stealing contacts from a mobile device
E. This is putting random characters into an application
24. You are the security administrator for a multinational corporation. You recently detected and thwarted an attack on your network when someone hacked into your network and took full control of one of the hosts. What type of attack best describes the attack you stopped?
A. Man-in-the-middle attack
B. Replay attack
C. Packet filtering
D. Remote exploit
Answer: D
Concept: An exploit looks for vulnerabilities in a system; a remote exploit is someone coming from outside your network.
Wrong answers:
A. A man-in-the-middle attack is an interception attack where messages are changed in real time as they pass between two hosts
B. A replay attack is a man-in-the-middle attack where the messages are replayed at a later date
C. Packet filtering is used by a firewall to stop certain protocols from accessing your network
25. You are the security administrator for a multinational corporation that recently carried out a security audit. Following the audit, you told the server administrators to disable NTLM on all servers. Which of the following best describes why you have taken this action?
A. It will improve the server's performance
B. Prevent a man-in-the-middle attack
C. Prevent a pass-the-hash attack
D. Prevent a POODLE attack
Answer: C
Concept: Disabling NTLM will prevent pass-the-hash attacks.
Wrong answers:
A. This is a red herring; it has nothing to do with performance
B. A man-in-the-middle attack is an interception attack
D. A POODLE attack is a man-in-the-middle attack that targets browsers downgraded to SSL 3.0 with CBC