CertCities.com -- The Ultimate Site for Certified IT Professionals
Pop Quiz Article, Friday, April 4, 2014


Security Certified Professional Exam #SCO-402: Network Defense and Countermeasures
10 questions. Answers and explanations can be found at the end of the quiz.


Courtesy of MeasureUp

Questions

1. You have an issue in your company with users claiming they did not receive e-mail messages that other users claim they sent. What PKI component will help you to prove the dates and times of messages sent on the network?

a. Non-Repudiation

b. Encryption

c. Encapsulation

d. Integrity

e. Confidentiality

 

2. As you increase the security of your network, you are concerned that the added security measures may impact the network in ways you had not intended. For example, how could a firewall have a negative impact on network performance?

a. It can decrypt secured packets.

b. It can authorize information to unauthorized hosts.

c. It can filter packets that have a virus signature.

d. It can block traffic that should be allowed through.

e. It can log every packet that is transmitted.

 

3. The Chief Security Officer of your organization has instructed the security staff to perform a risk analysis and assign an Annual Loss Expectancy to assets. If you have a server whose downtime costs $35,000 per day, and it is seriously attacked once a month, what is the ALE for this situation?

a. $350,000

b. $3,500

c. $420,000

d. $35,000

e. $120,000

 

4. You have captured all the network traffic in the last week on your company network for analysis. You are looking for signatures of different types. What are the three categories of signatures?

a. Answers

b. Exploits

c. DoS attacks

d. Reconnaissance

e. Accesses

 

5. You are running Snort in your network to capture network traffic. Based on the following capture, what type of traffic was captured?

04/17-08:47:35.481575 0:A0:CC:58:CC:BF -> 0:80:5F:26:5A:21 type:0x800 len:0x3E
192.168.0.204:4654 -> 192.168.0.1:443 TCP TTL:128 TOS:0x0 ID:27146 IpLen:20 DgmLen:48
******S* Seq: 0x52B6718E Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

a. An unsecured Web server response

b. An unsecured Web server request

c. A secure Web server response

d. A secure Web server request

e. A session setup with an FTP server

 

6. Which of the following protocols can be used across an L2TP based VPN? (Select all that apply.)

a. IP

b. Xmitter-1

c. IPX

d. Apple screech

e. NetBEUI

 

7. Your company has decided to implement an IDS solution and it is your job to set up each host in the network with a small program that will monitor and analyze the logs of the operating system and a few applications for possible illegal modification or tampering. You have also been asked to set up the machine that will be accepting alerts, if any, from the network hosts. What type of IDS are you being asked to implement?

a. Traditional Network-based

b. Distributed Host-based

c. Distributed Network-based

d. Centralized Host-based

e. Combination-based

 

8. You are about to install Snort on a Windows 2000 machine for use as a Network-based IDS machine. What must you have installed prior to installing Snort?

a. WinPcap

b. LibPcap

c. ISR

d. IRS

e. SnortPrep

 

9. You are configuring a complex firewall system for your network, and have created a layered solution using a DMZ. Why will you put your e-mail and Web servers in the DMZ, rather than inside your network?

a. In the DMZ there is no benefit to the servers.

b. In the DMZ the servers respond to internal clients faster.

c. In the DMZ the servers are less likely to be hit by a DOS attack.

d. In the DMZ the servers are easier to manage.

e. In the DMZ the servers have a layer of protection from total exposure.


 

10. When a client establishes a connection through FireWall-1, what is the order of the following steps?

A: NAT the packet.
B: Check the incoming packet against the rule base.
C: Check the inbound packet's IP address for evidence of having been spoofed.
D: Check the outgoing packet against the rule base.
E: The OS routes the packet.
F: Check the outbound packet's IP address for evidence of having been spoofed.

a. C, B, E, D, F, A

b. A, B, C, D, E, F

c. C, B, E, F, D, A

d. B, C, D, E, F, A

e. B, C, E, F, D, A

 

Answers

1. A is correct. Non-Repudiation is one of the main issues of network security. It is used to enable the two parties of a communication to authenticate the communication, such as when a message was sent, when it was received, who sent it, and who received it. Encryption is used to secure either data files or network transmissions, but it cannot verify when events happened. Likewise, Integrity and Confidentiality cannot be used to verify that a message was sent or received.

2. D is correct. If a firewall is configured improperly, a serious end result could be the blocking of traffic that should be granted access through the firewall. If this happens, there will be a serious negative effect on the network.
Filtering packets with given signatures is what some firewalls are designed to do and is not a negative. Firewalls do not have the ability to authorize information, and decrypting secured packets can only happen if those packets are destined for the firewall. Finally, logging packets may tax the firewall itself, but it will not have a negative impact on network performance.

3. C is correct. When you are required to figure out the Annual Loss Expectancy of an asset, you are using the Quantitative Risk Analysis method. This calculation is determined by first figuring the Annual Rate of Occurrence (ARO) and the Single Loss Expectancy (SLE). Once those values are known, ALE = SLE x ARO.
In this example, the SLE is $35,000 and the ARO is 12 (the cost of the server being down for a day is $35,000, and this attack happens once every month). Therefore $35,000 x 12 = $420,000.

4. A, B and D are correct. Exploits occur when an attacker is attempting to gain access to a system or using a vulnerability found in an application. DOS, Denial of Service, is very common. Reconnaissance occurs when an attacker runs a scan or sweep of network hosts to see which hosts are active and how they are configured.
Corruptions and accesses are not categories of signatures, but may be the end result of an attacker using an Exploit.

5. D is correct. In this capture, you can see that the source is using port 4654 and making a TCP request to port 443. Port 443 is used for secure Web pages. Only the SYN control bit is set, which means this is the initial request.
If it were a response, it would not have only the SYN bit set. If it were an unsecured Web server, the port number would be 80, and if it were session setup for FTP, the port would be 21.
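The reasoning in this answer (direction from the flag column, service from the server port) can be automated over Snort's text-mode packet dumps. The following parser and classifier are an added example, not part of the quiz or MeasureUp's material; the second capture (a SYN/ACK reply) is constructed here to show the response case, and the service-port table is an assumption limited to the three ports the explanation mentions.

```python
import re
from dataclasses import dataclass

# Snort's text-mode flag column, left to right: reserved bits 1 and 2 (CWR, ECE),
# then URG, ACK, PSH, RST, SYN, FIN. A '*' means that bit is clear.
FLAG_NAMES = {"1": "CWR", "2": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}
# Well-known server ports the quiz explanation reasons from (assumed table).
SERVICES = {80: "unsecured Web (HTTP)", 443: "secure Web (HTTPS)", 21: "FTP control"}

IP_LINE = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)")
FLAG_LINE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+")

@dataclass(frozen=True)
class TcpSummary:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # names of the TCP flags that are set

def parse_snort_packet(text: str) -> TcpSummary:
    """Parse the IP and TCP header lines of one Snort text-mode packet dump."""
    ip = flags = None
    for line in text.strip().splitlines():
        ip = ip or IP_LINE.match(line)
        flags = flags or FLAG_LINE.match(line)
    if ip is None or flags is None or ip["proto"] != "TCP":
        raise ValueError("not a Snort TCP packet dump")
    names = frozenset(FLAG_NAMES[c] for c in flags["flags"] if c != "*")
    return TcpSummary(ip["src"], int(ip["sport"]), ip["dst"], int(ip["dport"]), names)

def classify(pkt: TcpSummary) -> str:
    """Apply the quiz's reasoning: the flag set gives direction, the server port the service."""
    if pkt.flags == {"SYN"}:            # bare SYN: client opening a connection
        direction, port = "request (connection setup)", pkt.dport
    elif pkt.flags == {"SYN", "ACK"}:   # SYN/ACK: server answering that request
        direction, port = "response (connection setup)", pkt.sport
    else:                               # anything else is mid-session
        direction, port = "mid-session segment", min(pkt.sport, pkt.dport)
    return f"{SERVICES.get(port, f'port {port}')} {direction}"

# The capture from question 5, and a constructed SYN/ACK reply to it (not from the page).
QUIZ_CAPTURE = """04/17-08:47:35.481575 0:A0:CC:58:CC:BF -> 0:80:5F:26:5A:21 type:0x800 len:0x3E
192.168.0.204:4654 -> 192.168.0.1:443 TCP TTL:128 TOS:0x0 ID:27146 IpLen:20 DgmLen:48
******S* Seq: 0x52B6718E Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK"""
REPLY_CAPTURE = """192.168.0.1:443 -> 192.168.0.204:4654 TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:48
***A**S* Seq: 0x1 Ack: 0x52B6718F Win: 0x4000 TcpLen: 28"""
```

Running `classify(parse_snort_packet(QUIZ_CAPTURE))` yields the "secure Web (HTTPS) request" verdict the answer key gives; the constructed reply classifies as the matching response.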

6. A, C and E are correct. IP, IPX, and NetBEUI can all be used across an L2TP VPN. The other terms are not real protocols.

7. B is correct. A Traditional Network-based IDS works by setting a machine up to passively capture all network traffic and analyze it, looking for signatures indicating possible trouble (attacks, exploits, etc.). A Distributed Network-based IDS is similar to a Traditional Network-based IDS except that it has "sensors" placed throughout the network on many (if not all) hosts that all report back to the "command console" machine if any alarms are triggered.

Centralized Host-based and Distributed Host-based IDS systems work in a similar fashion in regard to their placement except that in a host-based IDS, the "sensor" tracks changes to the operating system and/or programs by monitoring logs instead of network traffic. In the Centralized version, hosts will send their logs to a "command console" for analysis, whereas in the distributed version, individual hosts will analyze their own logs (yes, it uses up a few more CPU cycles when compared to a centralized system) and send alerts to the "command console."

8. A is correct. WinPcap is a program similar to tcpdump that will allow the capture and sending of raw data from a network card. LibPcap is the Linux version of the same file. The other options are invalid terms.

9. E is correct. When configuring servers in a DMZ, a primary benefit is that the servers are behind at least one layer of defense, usually a firewall or router. The DMZ servers are not less likely to be hit by a DOS, although the DMZ may make the attack less effective. There is no difference in managing the servers, and the response time should not be noticeably different with a DMZ. Using a DMZ does provide a benefit because the servers are protected.

10. C is correct. When a client establishes a connection, the following is what happens. First, the inbound packet is checked to see if it is spoofed. Second, the incoming packet is checked against the current rule base. Third, the operating system routes the packet as per the rules. Fourth, the outbound packet is checked to see if it is spoofed. Fifth, the outbound packet is checked against the current rule base. And sixth, the packet is NATed (undergoes Network Address Translation) and transmitted.

Questions and answers provided by MeasureUp. To order the full version of this exam simulation, click here.



There are 107 CertCities.com user Comments for “Security Certified Professional Exam #SCO-402: Network Defense and Countermeasures”
7/24/03: Jacinta from Kenya says: You are doing a pretty good job providing these practice questions
7/31/11: Cassie from eCWROzzWGZYuHAyHD says: This does look promising. I'll keep coming back for more.