SC0-502 Exams

SC0-502

Security Certified Program
Exam: SC0-502
Demo Edition

© 2007 - 2008 Test Killer, LTD All Rights Reserved

http://www.testkiller.com
http://www.troytec.com




QUESTION: 1
Now that you have Troytec somewhat under control, you are getting ready to go home for the night. You have made good progress on the network recently, and things seem to be going smoothly. On your way out, you stop by the CEO's office and say good night. You are told that you will be meeting in the morning, so try to get in a few minutes early.

The next morning, you get to the office 20 minutes earlier than normal, and the CEO stops by your office, "Thanks for coming in a bit early. No problem really, I just wanted to discuss with you a current need we have with the network."

"OK, go right ahead." You know the network pretty well by now, and are ready for whatever is thrown your way.

"We are hiring 5 new salespeople, and they will all be working from home or on the road. I want to be sure that the network stays safe, and that they can get access no matter where they are."

"Not a problem," you reply. "I'll get the plan for this done right away."

"Thanks a lot, if you have any questions for me, just let me know."

You are relieved that there was not a major problem and do some background work for integrating the new remote users. After talking with the CEO more, you find out that the users will be working from their homes nearly all the time, with very little access from on-the-road locations.

The remote users are all using Windows 2000 Professional, and will be part of the domain. The CEO has purchased all the remote users brand new Compaq laptops, just like the one used in the CEO's office, and which the CEO takes home each night; complete with DVD/CD-burner drives, built-in WNICs, 17" LCD widescreen displays, oversized hard drives, a gig of memory, and fast processing. 'I wish I was on the road to get one of those,' you think.

You start planning and decide that you will implement a new VPN Server next to the Web and FTP Server. You are going to assign the remote users the IP Addresses 10.10.60.100 through 10.10.60.105, and will configure the systems to run Windows 2000 Professional.

Based on this information, and your knowledge of the Troytec network up to this point, choose the best solution for the secure remote user needs:

A. You begin with configuring the VPN server, which is running Windows 2000 Server. You create five new accounts on that system, granting each of them the Allow Virtual Private Connections right in Active Directory Users and Computers. You then configure the range of IP Addresses to provide to the clients as: 10.10.60.100 through 10.10.60.105. Next, you configure five IPSec Tunnel endpoints on the server, each to use L2TP as the protocol. Then, you configure the clients. On each system, you configure a shortcut on the desktop to use to connect to the VPN. The shortcut is configured to create an L2TP IPSec tunnel to the VPN server. The connection itself is configured to exchange keys with the user's ISP to create a tunnel between the user's ISP endpoint and the Troytec VPN Server.
B. To start the project, you first work on the laptops you have been given. On each laptop, you configure the system to make a single Internet connection to the user's ISP. Next, you configure a shortcut on the desktop for the VPN connection. You design the connection to use L2TP, with port filtering on outbound UDP 500 and UDP 1701. When a user double-clicks the desktop icon you have it configured to make an automatic tunnel to the VPN server. On the VPN server, you configure the system to use L2TP with port filtering on inbound UDP 500 and UDP 1701. You create a static pool of assigned IP Address reservations for the five remote clients. You configure automatic redirection on the VPN
server in the routing and remote access MMC, so once the client has connected to the VPN server, he or she will automatically be redirected to the inside network, with all resources available in his or her Network Neighborhood.
C. You configure the VPN clients first, by installing the VPN High Encryption Service Pack. With this installed, you configure the clients to use RSA, with 1024-bit keys. You configure a shortcut on the desktop that automatically uses the private/public key pair to communicate with the VPN Server, regardless of where the user is locally connected. On the VPN Server, you also install the VPN High Encryption Service Pack, and configure 1024-bit RSA encryption. You create five new user accounts, and grant them all remote access rights, using Active Directory Sites and Services. You configure the VPN service to send the server's public key to the remote users upon the request to configure the tunnel. Once the request is made, the VPN server will build the tunnel, from the server side, to the client.
D. You decide to start the configuration on the VPN clients. You create a shortcut on the desktop to connect to the VPN Server. Your design is such that the user will simply double-click the shortcut and the client will make the VPN connection to the server, using PPTP. You do not configure any filters on the VPN client systems. On the VPN Server, you first configure routing and remote access for the new accounts and allow them to have Dial-In access. You then configure a static IP Address pool for the five remote users. Next, you configure the remote access policy to grant remote access, and you implement the following PPTP filtering:
- Inbound Protocol 47 (GRE) allowed
- Inbound TCP source port 0, destination port 1723 allowed
- Inbound TCP source port 520, destination port 520 allowed
- Outbound Protocol 47 (GRE) allowed
- Outbound TCP source port 1723, destination port 0 allowed
- Outbound TCP source port 520, destination port 520 allowed
E. You choose to configure the VPN server first, by installing the VPN High Encryption Service Pack and the HISECVPN.INF built-in security template through the Security Configuration and Analysis Snap-In. Once the Service pack and template are installed, you configure five user accounts and a static pool of IP Addresses for each account. You then configure the PPTP service on the VPN server, without using inbound or outbound filters, due to the protection of the Service Pack. You grant each user the right to dial into the server remotely, and move on to the laptops. On each laptop, you install the VPN High Encryption Service Pack, to bring the security level of the laptops up to the same level as the VPN server. You then configure a shortcut on each desktop that controls the direct transport VPN connection from the client to the server.


Answer: D

QUESTION: 2
For three years you have worked with Troytec doing occasional network and security
consulting. Troytec is a small business that provides real estate listings and data to realtors in
several of the surrounding states. The company is open for business Monday through Friday
from 9 am to 6 pm, closed all evenings and weekends. Your work there has largely consisted of advice and planning, and you have been frequently disappointed by the lack of execution and follow through from the full time staff.

On Tuesday, you received a call from Troytec's HR director, "Hello, I'd like to inform you that Red (the full time senior network administrator) is no longer with us, and we would like to know if you are interested in working with us full time."

You currently have no other main clients, so you reply, "Sure, when do you need me to get going?"

"Today," comes the fast and direct response. Too fast, you think. "What is the urgency, why can't this wait until tomorrow?"

"Red was let go, and he was not happy about it. We are worried that he might have done something to our network on the way out."

"OK, let me get some things ready, and I'll be over there shortly."

You knew this would be messy when you came in, but you did have some advantage in that you already knew the network. You had recommended many changes in the past, none of which would be implemented by Red. While pulling together your laptop and other tools, you grab your notes which have an overview of the network:

Troytec network notes: Single Internet access point, T1, connected to Troytec Cisco router. Router has E1 to a private web and ftp server and E0 to the LAN switch. LAN switch has four servers, four printers, and 100 client machines. All the machines are running Windows 2000. Currently, they are having their primary web site and email hosted by an ISP in Illinois.

When you get to Troytec, the HR Director and the CEO, both of whom you already know, greet you. The CEO informs you that Red was let go due to difficult personality conflicts, among other reasons, and the termination was not cordial. You are to sign the proper employment papers, and get right on the job. You are given the rest of the day to get setup and running, but the company is quite concerned about the security of their network. Rightly so, you think, 'If these guys had implemented even half of my recommendations this would sure be easier.' You get your equipment setup in your new oversized office space, and get started. For the time you are working here, your IP Address is 10.10.50.23 with a mask of /16.

One of your first tasks is to examine the router's configuration. You console into the router, issue a show running-config command, and get the following output:
MegaOne#show running-config
Building configuration...
Current configuration:
!
version 12.1
service udp-small-servers
service tcp-small-servers
!
hostname MegaOne
!
enable secret 5 $1$7BSK3$H394yewhJ45JAFEWU73747.
enable password clever
!
no ip name-server
no ip domain-lookup
ip routing
!
interface Ethernet0
no shutdown
ip address 2.3.57.50 255.255.255.0
no ip directed-broadcast
!
interface Ethernet1
no shutdown
ip 10.10.40.101 255.255.0.0
no ip directed-broadcast
!
interface Serial0
no shutdown
ip 1.20.30.23 255.255.255.0
no ip directed-broadcast
clockrate 1024000
bandwidth 1024
encapsulation hdlc
!
ip route 0.0.0.0 0.0.0.0 1.20.30.45
!
line console 0
exec-timeout 0 0
transport input all
line vty 0 4
password remote
login
!
end
After analysis of the network, you recommend that the router have a new configuration. Your goal is to make the router become part of your layered defense, and to be a system configured to help secure the network.

You talk to the CEO to get an idea of what the goals of the router should be in the new configuration. All your conversations are to go through the CEO; this is whom you also are to report to.

"OK, I suggest that the employees be strictly restricted to only the services that they must access on the Internet," you begin.

"I can understand that, but we have always had an open policy. I like the employees to feel comfortable, and not feel like we are watching over them all the time. Please leave the connection open so they can get to whatever they need to get to. We can always reevaluate this on an ongoing basis."

"OK, if you insist, but for the record I am opposed to that policy."

"Noted," responds the CEO, somewhat bluntly.

"All right, let's see, the private web and ftp server have to be accessed by the Internet, restricted to the accounts on the server. We will continue to use the Illinois ISP to host our main web site and to host our email. What else, is there anything else that needs to be accessed from the Internet?"

"No, I think that's it. We have a pretty simple network, we do everything in house."

"All right, we need to get a plan in place as well right away for a security policy. Can we set something up for tomorrow?" you ask.

"Let me see, I'll get back to you later." With that the CEO leaves and you get to work.

Based on the information you have from Troytec, and knowing that the router must be an integral part of the security of the organization, select the best solution to the organization's router problem:

A. You backup the current router config to a temp location on your laptop. Friday night, you
come in to build the new router configuration. Using your knowledge of the network, and
your conversation with the CEO, you build and implement the following router
configuration:
MegaOne#configure terminal
MegaOne(config)#no cdp run
MegaOne(config)#no ip source-route
MegaOne(config)#no ip finger
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21
MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established
MegaOne(config)#access-list 175 deny ip 0.0.0.0 255.255.255.255 any
MegaOne(config)#access-list 175 deny ip 10.0.0.0 0.255.255.255 any
MegaOne(config)#access-list 175 deny ip 127.0.0.0 0.255.255.255 any
MegaOne(config)#access-list 175 deny ip 172.16.0.0 0.0.255.255 any
MegaOne(config)#access-list 175 deny ip 192.168.0.0 0.0.255.255 any
MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255
MegaOne(config)#interface serial 0
MegaOne(config-if)#ip access-group 175 in
MegaOne(config-if)#no ip directed broadcast
MegaOne(config-if)#no ip unreachables
MegaOne(config-if)#^Z
MegaOne#
B. You backup the current router config to a temp location on your laptop. Sunday night, you
come in to build the new router configuration. Using your knowledge of the network, and
your conversation with the CEO, you build and implement the following router
configuration:
MegaOne#configure terminal
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21
MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established
MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255
MegaOne(config)#interface Ethernet 0
MegaOne(config-if)#ip access-group 175 in
MegaOne(config-if)#no cdp enable
MegaOne(config)#interface Ethernet 1
MegaOne(config-if)#ip access-group 175 in
MegaOne(config-if)#no cdp enable
MegaOne(config-if)#^Z
MegaOne#
C. You backup the current router config to a temp location on your laptop. Early Monday
morning, you come in to build the new router configuration. Using your knowledge of the
network, and your conversation with the CEO, you build and implement the following router
configuration:
MegaOne#configure terminal
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21
MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established
MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255
MegaOne(config)#interface Serial 0
MegaOne(config-if)#ip access-group 175 in
MegaOne(config-if)#no cdp enable
MegaOne(config-if)#no ip directed broadcast
MegaOne(config-if)#no ip unreachables
MegaOne(config-if)#^Z
MegaOne#
D. As soon as the office closes Friday, you get to work on the new router configuration. Using
your knowledge of the network, and your conversation with the CEO, you build and
implement the following router configuration:
MegaOne#configure terminal
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21
MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established
MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255
MegaOne(config)#interface Ethernet 0
MegaOne(config-if)#ip access-group 175 in
MegaOne(config)#interface Ethernet 1
MegaOne(config-if)#ip access-group 175 in
MegaOne(config-if)#^Z
MegaOne#
E. With the office closed, you decide to build the new router configuration on Saturday. Using
your knowledge of the network, and your conversation with the CEO, you build and
implement the following router configuration:
MegaOne#configure terminal
MegaOne(config)#no cdp run
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20
MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21
MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established
MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255
MegaOne(config)#access-list 175 deny ip 0.0.0.0 255.255.255.255 any
MegaOne(config)#access-list 175 deny ip 10.0.0.0 0.255.255.255 any
MegaOne(config)#access-list 175 deny ip 127.0.0.0 0.255.255.255 any
MegaOne(config)#access-list 175 deny ip 172.16.0.0 0.0.255.255 any
MegaOne(config)#access-list 175 deny ip 192.168.0.0 0.0.255.255 any
MegaOne(config)#no ip source-route
MegaOne(config)#no ip finger
MegaOne(config)#interface serial 0
MegaOne(config-if)#ip access-group 175 in
MegaOne(config-if)#no ip directed broadcast
MegaOne(config-if)#no ip unreachables
MegaOne(config-if)#^Z
MegaOne#

Answer: A
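The access lists in the options above are the part of this question that can be checked mechanically rather than by reading. The following evaluator is an added example written for this page; it is not code from the exam, from Troytec, or from Cisco. It implements the IOS extended-ACL matching rules that decide these options (top-down first match, wildcard masks where a 1 bit means "don't care", an implicit deny at the end, and "established" matching only TCP segments carrying ACK or RST), applies them to option A's access-list 175 exactly as printed, and reports entries that earlier entries make unreachable. Two things it makes visible: in IOS a source of 0.0.0.0 with wildcard 255.255.255.255 matches every address (it is the same as "any"), so as printed entry 5 denies everything entries 1 to 4 did not already permit; and because the "permit ... established" entry precedes the anti-spoofing denies, a TCP segment with ACK set from a private source address is permitted by entry 4 before the deny lines are consulted. ACL_HOST_FORM, which rewrites entry 5 as "host 0.0.0.0", is an assumption about the intended anti-spoofing entry and is not the page's text; the sample packets are constructed.

```python
"""Cisco IOS style extended ACL evaluator (added example, not the exam's code).

Rules implemented: entries are checked top-down and the first match decides;
a wildcard bit of 0 means "must match", 1 means "don't care"; an implicit
deny follows the last entry; 'established' matches only TCP segments with
the ACK (or RST) bit set.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Option A's access-list 175, copied from the page without the "MegaOne(config)#" prompts.
ACL_AS_WRITTEN = """\
access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80
access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20
access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21
access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established
access-list 175 deny ip 0.0.0.0 255.255.255.255 any
access-list 175 deny ip 10.0.0.0 0.255.255.255 any
access-list 175 deny ip 127.0.0.0 0.255.255.255 any
access-list 175 deny ip 172.16.0.0 0.0.255.255 any
access-list 175 deny ip 192.168.0.0 0.0.255.255 any
access-list 175 permit ip any 10.10.0.0 0.0.255.255
access-list 175 permit udp any 10.10.0.0 0.0.255.255
access-list 175 permit icmp any 10.10.0.0 0.0.255.255
"""

# Assumed variant: entry 5 written as the usual anti-spoofing 'host 0.0.0.0'
# (wildcard 0.0.0.0). This is an assumption about the intent, not the page's text.
ACL_HOST_FORM = ACL_AS_WRITTEN.replace(
    "deny ip 0.0.0.0 255.255.255.255 any", "deny ip host 0.0.0.0 any")

Spec = Tuple[int, int]  # (base address, wildcard mask) as 32-bit integers


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Spec
    dst: Spec
    dport: Optional[int]
    established: bool


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # ACK/RST bit; what 'established' keys on


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()          # access-list N action proto src dst [options]
        action, proto = tok[2], tok[3]
        src, i = _parse_spec(tok, 4)
        dst, i = _parse_spec(tok, i)
        dport, established = None, False
        while i < len(tok):
            if tok[i] == "eq":
                dport, i = int(tok[i + 1]), i + 2
            elif tok[i] == "established":
                established, i = True, i + 1
            else:
                i += 1
        aces.append(Ace(action, proto, src, dst, dport, established))
    return aces


def _matches(addr: int, spec: Spec) -> bool:
    base, wc = spec
    care = ~wc & 0xFFFFFFFF          # bits that must be equal
    return (addr & care) == (base & care)


def _ace_hits(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _matches(_ip(pkt.src), ace.src)
            and _matches(_ip(pkt.dst), ace.dst)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (not ace.established or (pkt.proto == "tcp" and pkt.ack)))


def evaluate(aces, pkt: Packet):
    """Return (action, 1-based entry number); ("deny", None) is the implicit deny."""
    for n, ace in enumerate(aces, 1):
        if _ace_hits(ace, pkt):
            return ace.action, n
    return "deny", None


def _covers(outer: Spec, inner: Spec) -> bool:
    """True if every address matching `inner` also matches `outer`."""
    (ob, ow), (ib, iw) = outer, inner
    care = ~ow & 0xFFFFFFFF
    return (iw & care) == 0 and (ob & care) == (ib & care)


def shadowed_entries(aces):
    """Map entry number -> earlier entry that makes it unreachable (superset case only)."""
    out = {}
    for j, inner in enumerate(aces, 1):
        for i, outer in enumerate(aces[: j - 1], 1):
            if (outer.proto in ("ip", inner.proto)
                    and _covers(outer.src, inner.src)
                    and _covers(outer.dst, inner.dst)
                    and (outer.dport is None or outer.dport == inner.dport)
                    and (not outer.established or inner.established)):
                out[j] = i
                break
    return out


if __name__ == "__main__":
    # Constructed sample traffic arriving inbound on Serial0.
    samples = [
        Packet("tcp", "198.51.100.7", "2.3.57.60", 80),           # public web hit
        Packet("udp", "198.51.100.7", "10.10.50.23", 53),         # DNS reply to the LAN
        Packet("udp", "10.1.2.3", "10.10.50.23", 53),             # private source on the WAN side
        Packet("tcp", "10.1.2.3", "10.10.50.23", 445, ack=True),  # same source, TCP with ACK
    ]
    for name, text in (("as written", ACL_AS_WRITTEN), ("host form", ACL_HOST_FORM)):
        aces = parse_acl(text)
        print(name, "shadowed:", shadowed_entries(aces))
        for p in samples:
            print("  ", p.proto, p.src, "->", p.dst, p.dport, evaluate(aces, p))
```

The shadow check only detects the simple case where one earlier entry is a superset of a later one, which is enough to show that every entry after number 5 is unreachable in the list as printed, and that entries 11 and 12 are redundant with entry 10 in either form. Running an access list through a check like this before applying it is cheaper than discovering the behaviour on a production router.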

QUESTION: 3
It has been quite some time since you were called in to address the network and security needs of Troytec. You feel good in what you have accomplished so far. You have been able to get Troytec to deal with their Security Policy issue, you have secured the router, added a firewall, added intrusion detection, hardened the Operating Systems, and more. One thing you have not done however, is run active testing against the network from the outside. This next level of testing is the final step, you decide, in wrapping up this first stage of the new Troytec network and security system. You setup a meeting with the CEO to discuss.

"We have only one significant issue left to deal with here at Troytec," you begin. "We need some really solid testing of our network and our security systems."

"Sounds fine to me, don't you do that all the time anyway? I mean, why meet about this?"

"Well, in this case, I'd like to ask to bring in outside help. Folks who specialize in this sort of thing. I can do some of it, but it is not my specialty, and the outside look in will be better and more independent from an outside team."

"What does that kind of thing cost, how long will it take?"

"It will cost a bit of money, it won't be free, and with a network of our size, I think it can be done pretty quick. Once this is done and wrapped up, I will be resigning as the full time security and network pro here. I need to get back to my consulting company full time. Remember, this was not to be a permanent deal. I can help you with the interview, and this is the perfect time to wrap up that transition."

"All right, fair enough. Get me your initial project estimates, and then I can make a more complete decision. And, I'll get HR on hiring a new person right away."

Later that afternoon you talk to the CEO and determine a budget for the testing. Once you get back to your office, you are calling different firms and consultants, and eventually you find a consulting group that you will work with. A few days later you meet with the group in their office, and you describe what you are looking for, and that their contact and person to report to is you. They ask what is off limits, and your response is only that they cannot do anything illegal, to which they agree and point out is written in their agreement as well. With this outside consulting group and your knowledge of the network and company, review and select the solution that will best provide for a complete test of the security of Troytec.

A. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports. The first thing the consultants will do is dumpster diving and physical surveillance, looking for clues as to user information and other secret data that should not be outside of the network. Once they have identified several targets through the dumpster diving, they will run scans to match up and identify the workstations for those users. After identifying the user workstations, they will run vulnerability checks on the systems, to find holes, and if a hole is found they have been given permission to exploit the hole and gain access of the system. They will attempt to gain access to the firewall and router remotely, via password guessing, and will test the response of the network to Denial of Service attacks. Finally, they will call into Troytec to see what information they can learn via social engineering.
B. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports. The consultants will first run remote network surveillance to identify hosts, followed by port scans and both passive and active fingerprinting. They will then run vulnerability scanners on the identified systems, and attempt to exploit any found vulnerabilities. They will next scan and test the router and firewall, followed by testing of the IDS rules. They will then perform physical surveillance and dumpster diving to learn additional information. This will be followed by password sniffing and cracking. Finally, they will call into Troytec to see what information they can learn via social engineering.
C. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports. The consultants surprise you with their initial strategy. They intend to spend nearly 100% of their efforts over the first week on social engineering and other physical techniques, using little to no technology. They have gained access to the building as a maintenance crew, and will be coming into the office every night when employees are wrapping up for the day. All of their testing will be done through physical contact and informal questioning of the employees. Once they finish that stage, they will run short and direct vulnerability scanners on the systems that they feel will present weakness.
D. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports. The consultants have decided on a direct strategy. They will work inside the Troytec office, with the group introducing themselves to the employees. They will directly interview each employee, and perform extensive physical security checks of the network. They will review and provide analysis on the security policy, and follow that with electronic testing. They will run a single very robust vulnerability scanner on every single client and server in the network, and document the findings of the scan.
E. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to
follow along with the test, with weekly reports. The consultants will start the process with remote network surveillance, checking to see what systems and services are available remotely. They will run both passive and active fingerprinting on any identified system. They will run customized vulnerability scanners on the identified systems, and follow that through with exploits, including new zero-day exploits they have written themselves. They will next run scans on the router, firewall, and intrusion detection, looking to identify operating systems and configurations of these devices. Once identified, they will run customized scripts to gain access to these devices. Once they complete the testing on the systems, they will dumpster dive to identify any leaked information.

Answer: B

QUESTION: 4
Troytec is a company that makes state of the art aircraft for commercial and government use. Recently Troytec has been working on the next generation of low orbit space vehicles, again for both commercial and governmental markets. Troytec has corporate headquarters in Testbed, Nevada, USA. Testbed is a small town, with a population of less than 50,000 people. Troytec is the largest company in town, where most families have at least one family member working there.

The corporate office in Testbed has 4,000 total employees, on a 40-acre campus environment. The largest buildings are the manufacturing plants, which are right next to the Research and Development labs. The manufacturing plants employ approximately 1,000 people and the R&D labs employ 500 people. There is one executive building, where approximately 500 people work. The rest of the employees work in Marketing, Accounting, Press and Investor Relations, and so on. The entire complex has a vast underground complex of tunnels that connect each building.

All critical functions are run from the Testbed office, with remote offices around the world. The remote offices are involved in marketing and sales of Troytec products. These offices also perform maintenance on the Troytec aircraft and will occasionally perform R&D and on-site manufacturing.

There are 5 remote offices, located in: New York, California, Japan, India, and England. Each of the remote offices has a dedicated T3 line to the Troytec HQ, and all network traffic is routed through the Testbed office - the remote offices do not have direct Internet connections.

You had been working for two years in the New York office, and have been interviewing for the lead security architect position in Testbed. The lead security architect reports directly to the Chief Security Officer (CSO), who calls you to let you know that you got the job. You are to report to Testbed in one month, just in time for the annual meeting, and in the meantime you review the overview of the Troytec network.

Your first day in Troytec Testbed, you get your office setup, move your things in place, and about the time you turn on your laptop, there is a knock on your door. It is Blue, the Chief Security Officer, who informs you that there is a meeting that you need to attend in a half an hour.

With your laptop in hand, you come to the meeting, and are introduced to everyone. Blue begins the meeting with a discussion on the current state of security in Troytec. "For several years now, we have constantly been spending more and more money on our network defense, and I feel confident that we are currently well defended." Blue puts a picture on the wall projecting the image of the network, and then continues, "We have firewalls at each critical point, we have separate Internet access for our public systems, and all traffic is routed through our controlled access points. So, with all this, you might be wondering why I have
concern."

At this point a few people seem to nod in agreement. For years, Troytec has been at the forefront of perimeter defense and security. Most in the meeting are not aware that there is much else that could be done.

Blue continues, "Some of you know this, for the rest it is new news: MassiveCorp is moving their offices to the town right next to us here. Now, as you all know, MassiveCorp has been trying to build their orbital systems up to our standards for years and have never been able to do so. So, from a security point of view, I am concerned."

This is news to most people. Green, the Vice President of Research, asks, "We have the best in firewalls, we have the best in you and your systems, what are you suggesting?"

Blue responds, "I suggest trust. Not with MassiveCorp, but in our own systems. We must build trusted networks. We must migrate our network from one that is well-defended to one that is well-defended and one that allows us to trust all the network traffic."

The meeting continues for some time, with Blue leading the discussion on a whole new set of technologies currently not used in the network. After some time, it is agreed upon that Troytec will migrate to a trusted networking environment.

The following week, Blue informs you that you will be working directly together on the development of the planning and design of the trusted network. The network is going to run a full PKI, with all clients and servers in the network using digital certificates. You are grateful that in the past two years, Blue has had all the systems changed to be running only Windows 2000, both server and professional systems, running Active Directory. You think the consistent platform will make the PKI roll out easier.

The entire Troytec network is running Active Directory, with the domain structure as in the following list: Testbed.Troytec.org, Newyork.Troytec.org, California.Troytec.org, Japan.Troytec.org, India.Troytec.org, England.Troytec.org.

Although you will be working in the Testbed office, the plan you develop will need to include the entire Troytec organization.

Based on this information, select the solution that describes the best plan for the new trusted network of Troytec:

A. You design the plan for two weeks, and then you present it to Blue. Your plan follows
these critical steps:
1. Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users are able to use their certificates as per the CPS.
2. Draft a CPF based on your own guidelines, including physical and technology controls.
3. Design the system to be a full hierarchy, with the Root CA located in the executive building. Every remote office will have a subordinate CA, and every other building on the campus in Testbed will have a subordinate CA.
4. Design the hierarchy with each remote office and building having its own enrollment CA.
5. Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6. Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7. Implement the CA hierarchy in each other campus building in Testbed, and get all users acclimated to the system.
8. One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9. Test the team in each location on proper use and understanding of the overall PKI and their portion of the trusted network.
10. Evaluate the rollout, test, and modify as needed to improve the overall security of the Troytec trusted network.
B. You design the plan for two weeks, and then you present it to Blue. Your plan follows
these critical steps:
1. Draft a Certification Practice Statement (CPS) to define what users will be allowed to do
with their certificates, and a Certificate Policy (CP) to define the technology used to ensure
the users are able to use their certificates as per the CPS.
2. Draft a CPF based on your own guidelines, including physical and technology controls.
3. Design the system, outside of the executive office, to be a full hierarchy, with the Root CA
for the hierarchy located in the executive building. Every remote office will have a
subordinate CA, and every other building on the campus in Testbed will have a subordinate
CA.
4. In the executive building, you design the system to be a mesh CA structure, with one CA
per floor of the building.
5. Design the hierarchy with each remote office and building having its own enrollment CA.
6. Build a small test pilot program, to test the hierarchy, and integration with the existing
network.
7. Implement the CA hierarchy in the executive office, and get all users acclimated to the
system.
8. Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
9. One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
10. Test the team in each location on proper use and understanding of the overall PKI and
their portion of the trusted network.
11. Evaluate the rollout, test, and modify as needed to improve the overall security of the
Troytec trusted network.
C. You design the plan for two weeks, and then you present it to Blue. Your plan follows
these critical steps:
1. Draft a Certificate Policy (CP) document to define what users will be allowed to do with their certificates, and a Certification Practice Statement (CPS) document to define the technology used to ensure the users are able to use their certificates as per the CPS.
2. Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every primary component.
3. Design the system to be a full hierarchy, with the Root CA located in the executive building. Every remote office will have a subordinate CA, and every other building on the campus in Testbed will have a subordinate CA.
4. Design the hierarchy with each remote office and building having its own enrollment CA.
5. Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6. Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7. Implement the CA hierarchy in each other campus building in Testbed, and get all users acclimated to the system.
8. One at a time, implement the CA hierarchy in each remote office; again getting all users acclimated to the system.
9. Test the team in each location on proper use and understanding of the overall PKI and their portion of the trusted network.
10. Evaluate the rollout, test, and modify as needed to improve the overall security of the Troytec trusted network.
D. You design the plan for two weeks, and then you present it to Blue. Your plan follows
these critical steps:
1. Draft a Certificate Policy (CP) document to define what users will be allowed to do with their certificates, and a Certification Practice Statement (CPS) document to define the technology used to ensure the users are able to use their certificates as per the CPS.
2. Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every primary component.
3. Design the system to be a full mesh, with the Root CA located in the executive building.
4. Design the mesh with each remote office and building having its own Root CA.
5. Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6. Implement the CA mesh in the executive office, and get all users acclimated to the system.
7. Implement the CA mesh in each other campus building in Testbed, and get all users acclimated to the system.
8. One at a time, implement the CA mesh in each remote office; again getting all users acclimated to the system.
9. Test the team in each location on proper use and understanding of the overall PKI and their portion of the trusted network.
10. Evaluate the rollout, test, and modify as needed to improve the overall security of the Troytec trusted network.
E. You design the plan for two weeks, and then you present it to Blue. Your plan follows
these critical steps:
1. Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users are able to use their certificates as per the CPS.
2. Draft a CPF based on your own guidelines, including physical and technology controls.
3. Design the system to be a full mesh, with the Root CA located in the executive building.
4. Design the mesh with each remote office and building having its own Root CA.
5. Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6. Implement the CA mesh in the executive office, and get all users acclimated to the system.
7. Implement the CA mesh in each other campus building in Testbed, and get all users acclimated to the system.
8. One at a time, implement the CA mesh in each remote office; again getting all users acclimated to the system.
9. Test the team in each location on proper use and understanding of the overall PKI and their portion of the trusted network.
10. Evaluate the rollout, test, and modify as needed to improve the overall security of the Troytec trusted network.

Answer: C

QUESTION: 5
Blue thanks you for your plan and design and takes it into consideration. You are then
informed that Blue has gone ahead and made a new plan, which will incorporate some of
your suggestions, but is going to build the network a bit differently. In Testbed and in each
remote office there will be a single self-sufficient CA hierarchy, one that is designed to
directly integrate with the existing network. Blue mentions that the hierarchy is only to go
two levels deep; you are not to make an extensive hierarchy in any location. This means a
distinct CA hierarchy in six locations, inclusive of the Testbed headquarters. Using this
information, choose the solution that will provide for the proper rollout of the Certificate
Authorities in the network.

A. In each location, you recommend the following steps:
1. Harden a system to function as the Root CA
2. Harden a system to function as the Registration Authority
3. Configure CATool on the Root CA
4. Configure CATool on the Registration Authority, as a subordinate to the Root CA
5. Once the Subordinate CA is active, take the Root CA offline
6. Configure users for the CAs
7. Configure each Root CA to trust each other Root CA via cross certification
8. Test the CA hierarchy
9. Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
B. In each location, you recommend the following steps:
1. Harden a system to function as the Root CA
2. Harden a system to function as a Registration Authority
3. Configure a Windows Enterprise Root CA
4. Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification
5. Configure a Windows Stand-Alone Subordinate Enrollment Authority to function as the Registration Authority
6. Once the Stand-Alone Subordinate is installed, take the Enterprise Root CA offline
7. Test the CA hierarchy
8. Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
C. In each location, you recommend the following steps:
1. Harden a system to function as the Root CA
2. Harden a system to function as the Registration Authority
3. Configure a Windows Enterprise Root CA
4. Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification
5. Configure a Windows Enterprise Registration Authority, as a subordinate to the Enterprise Root CA
6. Once the Subordinate CA is active, take the Enterprise Root CA offline
7. Test the CA hierarchy
8. Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
D. In each location, you recommend the following steps:
1. Harden a system to function as the Root CA
2. Harden a system to function as the Registration Authority
3. Configure CATool on the Root CA
4. Configure CATool on the Registration Authority, as a subordinate to the Root CA
5. Configure users for the CAs
6. Configure each Root CA to trust each other Root CA via cross certification
7. Test the CA hierarchy
8. Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
E. In each location, you recommend the following steps:
1. Harden a system to function as the Root CA
2. Harden a system to function as the Registration Authority
3. Configure a Windows Enterprise Root CA
4. Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification
5. Configure a Windows Registration Authority, as a subordinate to the Enterprise Root CA
6. Test the CA hierarchy
7. Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

Answer: E

QUESTION: 6
Now that you have a fully functioning CA hierarchy in each location, and the trusted
network is well underway, you are called in to meet with Blue. Blue comes into the room,
and you talk to one another for a while. It seems that now with the CA hierarchy in place, you
need to plan the certificate rollout for the individual users and computers in the
network. Since this is the executive building, Blue places higher security requirements here
than on the other buildings. Certificates need to be issued to all the entities, computers and
users, in the network. Blue has decided that for all senior level management, the process for
certificate issuance should be even more secure than the rest of the deployment. Based on this
information, and your understanding of the Troytec environment, choose the best solution to
assigning certificates to the computers and users of the trusted network in the Executive
building:

A. You meet with the other administrators of the executive building and let them know what
you are working on, and how they can help. You will first assign certificates to the computers
in the network, followed by assigning certificates to the users in the network. For this task,
you divide the other administrators into four teams, one per floor of the building. Each team
will be responsible for the assigning of certificates to the computers and users on the
corresponding floor. To make the process faster, you have decided to install a new CA for
each floor. The team leader on each floor will install and configure the CA, and you will
oversee the process. With the new CAs installed, one administrator from each team goes to
each desk on the floor and makes a request for a certificate for the computer using Internet
Explorer. Once the machine certificate is installed, the administrator has each user log on to
their machine and the administrator walks the user through the process of connecting to the
CA_SERVER\certsrv on their floor to request a user certificate. To ensure the security of the
senior level management, you lead the team on the fourth floor. You install the new CA
yourself, and oversee the configuration of the certificates for every machine and user on the
floor.
B. You meet with the other administrators of the executive building and let them know what
you are working on, and how they can help. You will first assign certificates to the computers
in the network. To make the process easier, you have decided to configure the network so that
the computers will request certificates automatically. In order to do this you perform the
following steps:
1. You open Active Directory Users and Computers
2. You use Group Policy to edit the domain policy that is controlling the executive building.
3. You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate Request option.
4. In the template list, you select Computer, and define the CA as the location to send the request.
5. You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart.
Once you finish setting up the computers to be assigned certificates, you shift your focus
to all the users in the executive building. In order to have each user obtain a certificate you
issue a memo (the actual memo goes into extreme detail on each step, even listing common
questions and answers) to all users that instructs them to perform the following steps:
1. Log on to your computer as your normal user account
2. Open Internet Explorer, and connect to CA_SERVER\certsrv.
3. Select the option to Request A Certificate, choose a User Certificate Request type, then submit the request.
4. When the certificate is issued, click the Install This Certificate hyperlink on screen.
Finally, you address the senior level management. For these people, you want the security to
be higher, so you select a stronger algorithm for their certificates. With all the other
certificates, you used the default key strength and algorithms. However, the senior level
management needs higher security. Therefore, you personally walk each person through the
process of requesting a certificate; only you ensure that they select 1024-bit AES as their
encryption algorithm.
C. You meet with the other administrators of the executive building and let them know what
you are working on, and how they can help. You will first assign certificates to the computers
in the network. To make the process easier, you have decided to configure the network so that
the computers will request certificates automatically. In order to do this you perform the
following steps:
1. You open Active Directory Users and Computers
2. You use Group Policy to edit the domain policy that is controlling the executive building.
3. You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate Request option.
4. In the template list, you select Computer, and define the CA as the location to send the request.
5. You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart.
Once you finish setting up the computers to be assigned certificates, you shift your focus
to all the users in the executive building. In order to have each user obtain a certificate you
issue a memo (the actual memo goes into extreme detail on each step, even listing common
questions and answers) to all users that instructs them to perform the following steps:
1. Log on to your computer as your normal user account
2. Open Internet Explorer, and connect to CA_SERVER\certsrv.
3. Select the option to Request A Certificate, choose a User Certificate Request type, then submit the request.
4. When the certificate is issued, click the Install This Certificate hyperlink on screen.
Finally, you address the senior level management. For these people, you want the security to
be higher, so you select a different certificate scheme. By using a different scheme, you
ensure that there will be no possibility of other people in the building gaining access to the
senior level management accounts. For these accounts you utilize licensed PGP digital
certificates that can be used for both authentication and secure email. You personally show
each manager how to create and use their key ring, providing for very secure communication.
D. You meet with the other administrators of the executive building and let them know what
you are working on, and how they can help. You will first assign certificates to the computers
in the network. To make the process easier, you have decided to configure the network so that
the computers will request certificates automatically. In order to do this you perform the
following steps:
1. You open Active Directory Users and Computers
2. You use Group Policy to edit the domain policy that is controlling the executive building.
3. You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate Request option.
4. In the template list, you select Computer, and define the CA as the location to send the request.
5. You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart.
Once you finish setting up the computers to be assigned certificates, you shift your focus
to the users, except for the senior management, in the executive building. In order to have
each user obtain a certificate you issue a memo (the actual memo goes into extreme detail on
each step, even listing common questions and answers) to all users that instructs them to
perform the following steps:
1. Log on to your computer as your normal user account
2. Open Internet Explorer, and connect to CA_SERVER\certsrv.
3. Select the option to Request A Certificate, choose a User Certificate Request type, then submit the request.
4. When the certificate is issued, click the Install This Certificate hyperlink on screen.
Finally, you address the senior level management in the building. For these people, you
personally go into their office and walk through the steps with each person.
1. The user logs on to the computer with their normal user account
2. You open the MMC and add the personal Certificates snap-in
3. You right-click Certificates and select Request A New Certificate
4. The user fills in the requested information, and you verify this information.
5. You put the certificate request onto a USB drive, and take the request back to the CA.
6. You put the USB drive into the CA, manually process the request, and put the issued certificate onto the USB drive.
7. You bring the USB drive back to each person, and manually import their new certificate.
E. You meet with the other administrators of the executive building and let them know what
you are working on, and how they can help. You will first assign certificates to the computers
in the network. To make the process easier, you have decided to configure the network so that
the computers will request certificates automatically. In order to do this you perform the
following steps:
1. You open Active Directory Users and Computers
2. You use Group Policy to edit the domain policy that is controlling the executive building.
3. You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate Request option.
4. In the template list, you select Computer, and define the CA as the location to send the request.
5. You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart.
Once you finish setting up the computers to be assigned certificates, you shift your focus
to all the users in the executive building. In order to have each user obtain a certificate you
issue a memo (the actual memo goes into extreme detail on each step, even listing common
questions and answers) to all users that instructs them to perform the following steps:
1. Log on to your computer as your normal user account
2. Open Internet Explorer, and connect to CA_SERVER\certsrv.
3. Select the option to Request A Certificate, choose a User Certificate Request type, then submit the request.
4. When the certificate is issued, click the Install This Certificate hyperlink on screen.

Answer: D

QUESTION: 7
Now that the network is moving towards a trusted network, you are preparing for the specific
new implementations in Troytec. Just as you wrap up some paperwork for the morning, Blue
calls you and lets you know that you are going to be needed in a meeting this afternoon. You
get to Blue's office and sit down at the desk. Blue begins the conversation, "You know we
have some solid fundamental issues addressed in our new trusted network, but I have yet to
feel that we have addressed any serious concerns." "I've been thinking about some similar
issues," you reply. "Good, then I'm sure you have been thinking about our email. Right now, I
cannot guarantee the integrity of any email, and I cannot guarantee the confidentiality of any
email. We have reasonable controls towards guaranteeing the availability of our email, but
what's the point if there is no confidentiality or integrity?" "I agree. I think that addressing
this issue should be an immediate priority." "One concern is that whatever the system is that
we put in place, it must be very user-friendly. As we roll out these new systems, anything that
will significantly increase the calls into the help desk is something we need to minimize. A
second concern is that it not be too costly. We already have this new investment in the trusted
network, we need to be sure that we utilize what we are building to the fullest extent
possible." "I think we should be able to do that without much difficulty. I already have some
solid ideas," you reply. "OK, take a few days on this. For the moment, just concern yourself
with the executive building; the others can follow the plan in their own buildings. Let's meet
again this coming Monday and you can describe your suggestion then." Based on this
conversation, and your knowledge of Troytec, select the best solution to the email problems
in the network.

A. After careful consideration you decide that you will implement secure email in a test
group using PGP. You will use a full licensed version of PGP. You will go to each computer
and you will install the full PGP on each system. Once installed, you will show each user how
to create a PGP certificate by requesting the certificate from the CATool CA server you
installed specifically for secure email. After the user has received a certificate, you associate
that PGP certificate with their Windows domain user account. With the PGP certificate
associated with the user account, you show each user how to manage their key ring. You
show them how to generate their key, and you configure all users' key strength to be 2048
bits. Now that the user has a strong key and a PGP certificate, you configure the email client
of each user. You explain that each user will have to install the public key of each other user
in the network. You test this by sending an email from your laptop with your PGP certificate
attached, and you have the user save the attachment to their Outlook folder. With the
certificate saved, you show them how to send secure email to you. You receive the email on
your laptop, and double-click the lock to show the user that the secure email message was
successfully sent and received.
B. After careful consideration you decide that you will implement secure email in a test group
using X.509v3 digital certificates. You choose this since every user received their certificate
during an earlier phase, and those certificates included the ability to be used for secure
email. Using the X.509v3 certificates, you will configure each machine to use S/MIME. You
go to each computer and open Outlook Express, which is the default client email program in
the test group. You go to the Tools and Account option, selecting the Mail tab, and the
properties for the email account. You select the Security tab and in the submenu for the
Signing Certificate you configure the certificate for the user's account. You select 3DES as
the algorithm to use. You then check the Encrypt Contents And Attachments For All
Outgoing Messages check box and the Digitally Sign All Outgoing Messages check box. You
accept the default of including the digital ID when sending signed messages and the default to
add senders' certificates to the user's address book, and close the properties of the email
account. You show the user how to send and receive email, showing the red ribbon that
indicates a signed message and the blue lock that indicates an encrypted message.
C. After careful consideration you decide that you will implement secure email in a test group
using GPG. You have decided to use GPG to avoid any licensing conflicts that might occur if
any user requires secure email exchange with another individual that is in a country with
different cryptography laws. You will go to each computer and you will install GPG on each
system. Once installed, you will show each user how to create the required directory structure
by typing the command: gpg --gen-key. Once the directory structure is created, you will show
each user how to generate the required files by typing the command: gpg --gen-key. Since
you want very secure email, you configure each system to use 2048-bit key strength and you
select DSA and ElGamal encryption. With GPG installed and configured, you show each user
how to use their new secure email. You have them open Outlook and create a new message to
you. Once the message is created, you have them select the Security drop-down list and
choose both GPG Sign and GPG Encrypt, and then press Send. You show them on your laptop
that you receive the message. You press Reply, and on your laptop also select the Security
drop-down menu, where you choose both GPG Sign and GPG Encrypt. The user receives the
message, and you show that secure email was successfully sent and received.
D. After careful consideration you decide that you will implement secure email in a test
group using PGP. You will use a full licensed version of PGP. You will go to each computer
and you will install the full PGP on each system. Once installed, you will show each user how
to create a PGP certificate by requesting the certificate from the MS Enterprise Root CA
server you installed, and configured specifically for secure email certificates. After the user
has received a certificate, you associate that PGP certificate with their Windows domain user
account. With the PGP certificate associated with the user account, you show each user how to
manage their key ring. You show them how to generate their key, and you configure all users'
key strength to be 2048 bits. Now that the user has a strong key and a PGP certificate, you
configure the email client of each user. You explain that each user will have to install the
public key of each other user in the network. You test this by sending an email from your
laptop with your PGP certificate attached, and you have the user save the attachment to their
Outlook folder. With the certificate saved, you show them how to send secure email to you.
You receive the email on your laptop, and double-click the lock to show the user that the
secure email message was successfully sent and received.
E. After careful consideration you decide that you will implement secure email in a test group
using X.509v3 digital certificates. You choose this since every user received their certificate
during an earlier phase, and those certificates included the ability to be used for secure
email. You will configure each machine to use PGP, with the X.509v3 certificates option.
You go to each computer and open Outlook Express, which is the default client email program in the test group. You go to the Tools and Accounts option, selecting the Mail tab, and the properties for the email account. You select the Security Tab and in the submenu for the Signing Certificate you configure the certificate for the user's account. You select DSA and ElGamal as the cryptosystem to use. You then check the Encrypt Contents And Attachments For All Outgoing Messages check box and the Digitally Sign All Outgoing Messages check box. You accept the default of including the digital ID when sending signed messages and the default to add senders' certificates to the user's address book, and close the properties of the email account. You show the user how to send and receive email, showing the red ribbon that indicates a signed message and the blue lock that indicates an encrypted message.

Answer: B

QUESTION: 8
You have now been involved in several major changes in the security of Troytec, and specifically the Testbed campus. You have worked on the planning and design of the trusted network, you have worked on the initial rollout of the CA hierarchy, you have worked on assigning certificates to the end users and computers in the Executive building of the Testbed campus, and you have managed the implementation of secure email - a critical service for Troytec. Blue has asked you to meet with the other administrative staff of the Testbed campus and discuss how the certificates will impact the organization. There are a total of about 40 people in the meeting, and you have decided that your primary focus during this meeting will be on encryption\cryptography. Choose the best solution for providing the correct information to your administrative staff on how encryption\cryptography and digital certificates will be properly used in the network:

A. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the Troytec network. You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA has a pair of keys and UserB has a pair of keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB. "We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserB will use the public key that UserA has made available to encrypt the message. Once encrypted, UserB will send the message over the network to UserA. UserA will then use the other key of the pair, the private key, to decrypt the message," you explain to the group. You further explain some of the common algorithms used in the network. You tell them that Diffie-Hellman was the first widely used private key algorithm, and that Diffie-Hellman itself is not used to secure messages, rather to exchange a symmetric key. You explain that RSA was another breakthrough in that it was a private key algorithm that was able to secure messages. You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You
state that these digital certificates include many options, for example an Issuer Field that
holds the distinguished name of the entity that issued the certificate, and a Subject Field that
holds the distinguished name of the person who has the private key that corresponds to the
public key in the certificate.
B. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the Troytec network. You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA has a pair of keys and UserB has a pair of keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB. "We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the public key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, called the private key, to decrypt the message," you explain to the group. You further explain some of the common algorithms used in the network. You tell them that Diffie-Hellman was the first widely used public key algorithm, and that Diffie-Hellman itself is not used to secure messages, rather to exchange a symmetric key. You explain that RSA was another breakthrough in that it was a public key algorithm that was able to secure messages. You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the entity that issued the certificate, and a Subject Field that holds the distinguished name of the person who has the private key that corresponds to the public key in the certificate.
C. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the Troytec network. You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA and UserB have a set of mathematically linked keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB. "We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the public key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, the private key, to decrypt the message," you explain to the group. You further explain some of the common algorithms used in the network. You tell them that RSA was the first widely used private key algorithm, and that RSA itself is not used to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman was another breakthrough in that it was a private key algorithm that was able to secure messages. You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the
distinguished name of the entity that issued the certificate, and a Subject Field that holds the
distinguished name of the person who has the private key that corresponds to the public key
in the certificate.
D. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the Troytec network. You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA and UserB have a set of mathematically linked keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB. "We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the private key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, the public key, to decrypt the message," you explain to the group. You further explain some of the common algorithms used in the network. You tell them that RSA was the first widely used private key algorithm, and that RSA itself is not used to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman was another breakthrough in that it was a private key algorithm that was able to secure messages. You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the entity that issued the certificate, and a Subject Field that holds the distinguished name of the person who has the private key that corresponds to the public key in the certificate.
E. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the Troytec network. You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA and UserB have a set of mathematically linked keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB. "We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the private key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, the public key, to decrypt the message," you explain to the group. You further explain some of the common algorithms used in the network. You tell them that RSA was the first widely used private key algorithm, and that RSA itself is not used to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman was another breakthrough in that it was a private key algorithm that was able to secure messages. You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the person who issued the certificate, and a Subject Field that holds the
full OIDs describing the use of the certificate by the holder of the certificate.

Answer: B
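
A worked illustration of the key flow that option B describes, added here as an example and not part of the exam text: UserA encrypts with UserB's published public key, only UserB's private key recovers the message, and a separate Diffie-Hellman exchange agrees on a symmetric key that then protects bulk data rather than encrypting the message itself. The primes, exponents and the XOR stream cipher are constructed toy values chosen so the arithmetic can be followed by hand; real deployments use vetted libraries, padding and full-size keys.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    """One user's key pair: (n, e) is handed out to everyone, d never is."""
    n: int
    e: int
    d: int

    @property
    def public(self) -> tuple[int, int]:
        return (self.n, self.e)


def make_keypair(p: int, q: int, e: int = 17) -> KeyPair:
    """Textbook RSA key generation from two primes (toy sizes, no padding)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent = modular inverse of e (Python 3.8+)
    return KeyPair(n, e, d)


def encrypt_to(recipient_public: tuple[int, int], message: int) -> int:
    """The sender encrypts with the RECIPIENT's public key (option B's flow)."""
    n, e = recipient_public
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the recipient's modulus")
    return pow(message, e, n)


def decrypt_with(own: KeyPair, ciphertext: int) -> int:
    """Only the holder of the matching private exponent can recover the message."""
    return pow(ciphertext, own.d, own.n)


def dh_public(p: int, g: int, private: int) -> int:
    """Diffie-Hellman: the value each side publishes."""
    return pow(g, private, p)


def dh_shared(p: int, their_public: int, private: int) -> int:
    """Both sides compute the same number; DH agrees on a key, it does not encrypt messages."""
    return pow(their_public, private, p)


def symmetric_key(shared_secret: int) -> bytes:
    """Hash the agreed number into a fixed-length symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream XOR data); the same call decrypts."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def demo() -> dict:
    # Constructed toy primes and DH parameters; never use sizes like these for real.
    user_b = make_keypair(101, 113)
    message = int.from_bytes(b"A", "big")            # 65

    # UserA -> UserB: encrypt with B's public key, B decrypts with B's private key.
    ciphertext = encrypt_to(user_b.public, message)
    recovered = decrypt_with(user_b, ciphertext)

    # Key exchange: DH yields a shared symmetric key; that key then secures the data.
    p, g = 23, 5
    a_priv, b_priv = 6, 15                           # each side's secret exponent
    a_pub, b_pub = dh_public(p, g, a_priv), dh_public(p, g, b_priv)
    key_at_a = symmetric_key(dh_shared(p, b_pub, a_priv))
    key_at_b = symmetric_key(dh_shared(p, a_pub, b_priv))
    wire = stream_xor(key_at_a, b"quarterly numbers")
    plaintext = stream_xor(key_at_b, wire)

    return {
        "ciphertext": ciphertext,
        "recovered": recovered,
        "dh_agree": key_at_a == key_at_b,
        "plaintext": plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the two halves is the one the answer hinges on: the encrypting key in the RSA half belongs to the recipient, and the DH half never carries the message, only the material both ends turn into the same symmetric key.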

QUESTION: 9
You have now seen to it that all end users and computers in the Testbed office have received their certificates. The administrative staff has been trained on their use and function in the network. The following day, you meet with Blue to discuss the progress. "So far so good," starts Blue, "all the users have their certificates, all the computers have their certificates. I think we are moving forward at a solid pace. We have talked about the ways we will use our certificates, and we need to move towards securing our network traffic." "I agree," you reply, "last week I ran a scheduled scan, and we still have vulnerability in our network traffic. The folks from MassiveCorp would love to have a sniffer running in here, I'm sure of that." "That's exactly the point. We need a system in place that will ensure that our network traffic is not so vulnerable to sniffing. We have to get some protection for our packets. I'd like you to design the system and then we can review it together." The meeting ends a few minutes later, and you are back in your office working on the design. Choose the best solution for protecting the network traffic in the executive office of the Testbed campus:

A. After further analysis on the situation, you decide that you will need to block traffic in a more complete way at the border firewalls. You have decided that by implementing stricter border control, you will be able to manage the security risk of the packets that enter and leave the network better. You implement a new firewall at each border crossing point. You will configure half of the firewalls with Checkpoint FW-1 NG and the other half with Microsoft ISA. By using two different firewalls, you are confident that you will be minimizing any mass vulnerability. At each firewall you implement a new digital certificate for server authentication, and you configure the firewall to require every user to authenticate all user connections. You block all unauthorized traffic and run remote test scans to ensure that no information is leaking through. Once the test scans are complete, you verify that all users are required to authenticate with the new firewall before their traffic is allowed to pass, and everything works as you planned.
B. You spend time analyzing the network and decide that the best solution is to take advantage of VPN technology. You will create one VPN endpoint in each building. Your plan is to create a unique tunnel between each building. You first install a new Microsoft machine, and configure it to perform the functions of Routing and Remote Access. You then create a tunnel endpoint, and configure each machine to use L2TP to create the tunnel. To increase security, you will implement full 256-bit encryption on each tunnel, and you will use 3DES on one half of the tunnels and AES on the other half of the tunnels. You will be sure that each tunnel uses the same algorithm on both ends, but by using two algorithms you are sure that you have increased the security of the network in a significant way.
C. You decide that you will implement an IPSec solution, using the built-in functionality of Windows. You decide that you wish for there to be maximum strength, and therefore you choose to implement IPSec using both AH and ESP. First, you configure each server in the
network with a new IPSec policy. You choose to implement the default Server IPSec Policy. Using this policy you are sure that all communication both to and from the server will utilize IPSec. You reboot the servers that you can and use secedit to force the others to refresh their policy. Next, with the help of the administrative staff, you will configure each client in the network. For the clients, you use the default Client IPSec Policy. You reboot the client machines that you can and use secedit to force the others to refresh their policy.
D. You decide that you will implement an IPSec solution, using custom IPSec settings. You wish to utilize the digital certificates that are available in the network. You decide that you wish for there to be maximum strength, and therefore you choose to implement IPSec using both AH and ESP. First, you configure a custom policy for the servers in the network. You verify that none of the default policies are currently implemented, and you create a new policy. Your new policy will use SHA for AH and SHA+3DES for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the servers that you can and use secedit to force the others to refresh their policy. Next, with the help of the administrative staff, you will configure each client in the network. For the clients, you verify that no default policy is enabled, and you create a policy that uses SHA for AH and SHA+3DES for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the client machines that you can and use secedit to force the others to refresh their policy.
E. You decide that you will implement an IPSec solution, using custom IPSec settings. You wish to utilize the digital certificates that are available in the network. You decide that you wish for there to be maximum strength, and therefore you choose to implement IPSec using both AH and ESP. First, you configure a custom policy for the servers in the network. To increase strength, you will implement your custom policy on top of the default Server IPSec Policy. You verify that the policy is running, and then you create a new policy. Your new policy will use SHA+3DES for AH and SHA for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the servers that you can and use secedit to force the others to refresh the two policies. Next, with the help of the administrative staff, you will configure each client in the network. For the clients you also need the highest in security, so you will use a custom policy on the default policy. You verify that the default Client IPSec policy is enabled, and then you create a policy that uses SHA+3DES for AH and SHA for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the client machines that you can and use secedit to force the others to refresh the two policies.

Answer: D
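
Option D's policy (SHA integrity for AH, SHA integrity plus 3DES encryption for ESP, certificate authentication, all IP traffic) is built on the page through the Windows 2000 IP Security Policy snap-in and pushed out with secedit. As an added example that is not part of the exam, the same policy expressed as a connection security rule on Windows Vista and later using netsh, followed by the checks a practitioner would run before calling the rollout done; the rule name and the CA distinguished name are placeholders, not values from the page.

```batch
@echo off
REM Added example (not from the exam): option D's IPSec policy as a
REM Windows Vista+ connection security rule. Run from an elevated prompt.
REM ASSUMPTION: CA_DN is a placeholder for the enterprise root CA that
REM issued the machine certificates; replace it with the real DN.
set CA_DN=CN=Placeholder Enterprise Root CA,O=Troytec

REM Require IPsec for all traffic in both directions (endpoint1/2=any),
REM authenticate each peer with its machine certificate, and protect
REM packets with AH (SHA-1 integrity) plus ESP (SHA-1 integrity, 3DES).
netsh advfirewall consec add rule name="IPsec all traffic" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequireout ^
    auth1=computercert auth1ca="%CA_DN%" ^
    qmsecmethods=ah:sha1+esp:sha1-3des

REM Check 1: the rule was stored with the intended action and methods.
netsh advfirewall consec show rule name="IPsec all traffic"

REM Check 2: after exchanging traffic with another configured host, quick-mode
REM security associations must exist; an empty list means packets are still
REM travelling in the clear.
netsh advfirewall monitor show qmsa

REM If the rule is delivered by Group Policy, refresh without a reboot
REM (the modern counterpart of the secedit refresh described on the page).
gpupdate /target:computer /force
```

Two things to keep in mind when reading this against option D: a certificate-authenticated rule only forms an SA when both endpoints hold a machine certificate that chains to the named CA, so the show qmsa check is the real test of the rollout; and the SHA-1/3DES choices are the exam's 2007-era selections, where a current deployment would specify `qmsecmethods=esp:sha256-aes256` or stronger.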

QUESTION: 10
You had been taking a short vacation, and when you come into work on Monday morning, Blue is already at your door, waiting to talk to you. "We've got a problem," Blue says, "It seems that the password used by our Vice President of Engineering has been compromised.
Over the weekend, we found this account had logged into the network 25 times. The Vice President was not even in the office over the weekend." "Did we get the source of the compromise yet?" "No, but it won't surprise me if it is our new neighbors at MassiveCorp. I need you to come up with a realistic plan and bring it to me tomorrow afternoon. This problem must be resolved, and like everything else we do not have unlimited funds - so keep that in mind." Based on this information, choose the best solution to the password local authentication problem in the Executive building.

A. Since you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Blue that includes the following points:
1. For all executives you recommend no longer using passwords, and instead migrating to a token-based authentication system.
2. You will install the RSA SecurID time-based token system.
3. You will create SecurID user records for each user to match their domain accounts.
4. You will assign each user record a unique token.
5. You will hand deliver the tokens to the correct executive.
6. Users will be allowed to create their own PIN, which will be 4 characters long.
7. The tokens will replace all passwords for authentication into each user's Windows system.
B. Since you are aware of the significance of the password problems, and since you do not have unlimited funds, you plan to address this problem through education and through awareness. You write up a plan for Blue that includes the following points:
1. All end users are to be trained on the methods of making strong passwords.
2. All end users are instructed that they are to change their password at a minimum of every 30 days.
3. The administrative staff is to run password-checking utilities on all passwords every 30 days.
4. All end users are to be trained on the importance of never disclosing their password to any other individual.
5. All end users are to be trained on the importance of never writing down their passwords where they are clearly visible.
C. Since you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Blue that includes the following points:
1. You will reconfigure the Testbed.Troytec.org domain to control the password problem.
2. You will configure AD in this domain so that complex password policies are required.
3. The complex password policies will include:
a. Password length of at least 8 characters
b. Passwords must be alphanumeric
c. Passwords must meet Gold Standard of complexity
d. Passwords must be changed every 30 days
e. Passwords cannot be reused
D. Since you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Blue that includes the following points:
1. For all executives you recommend no longer using passwords, and instead migrating to a
token-based authentication system.
2. You will install the RSA SecurID challenge-response token system.
3. You will create SecurID user records for each user to match their domain accounts.
4. You will assign each user record a unique token.
5. You will hand deliver the tokens to the correct executive.
6. Users will be required to use tokencodes from the One-Time tokencode list. The tokencodes will be alphanumeric and will be 4 characters long.
7. The tokens will replace all passwords for authentication into each user's Windows system.
E. Since you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Blue that includes the following points:
1. For all executives you recommend no longer using passwords, and instead migrating to a biometric solution.
2. You will install retinal scanners at every user's desktop in the executive building.
3. You will personally enroll each user at each desktop.
4. You will instruct each user on the proper positioning and use of the scanner.
5. The biometric system will replace all passwords for authentication into each user's Windows system.

Answer: A
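
The time-based token in option A is RSA SecurID, whose code algorithm is proprietary. The following added example, which is not from the exam and not RSA's code, demonstrates the same PIN-plus-token pattern with the publicly specified TOTP algorithm (RFC 6238, built on RFC 4226 HOTP) and the server-side checks that make the pattern hold up: both factors must verify, a one-step clock-drift window is tolerated, and a time step that has already been accepted is refused so a code captured from a compromised session cannot be replayed. The token secret is the RFC test-vector secret, and the user name and PIN are constructed.

```python
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side of PIN + time-based code: something known plus something held."""

    def __init__(self, step: int = 30, drift_steps: int = 1) -> None:
        self.step = step
        self.drift_steps = drift_steps     # tolerated clock skew, in time steps
        self._users = {}                   # name -> [secret, salt, pin_hash, last_step]

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, username: str, token_secret: bytes, pin: str) -> None:
        """Create the user record that ties one account to one token."""
        salt = secrets.token_bytes(16)
        self._users[username] = [token_secret, salt, self._hash_pin(pin, salt), -1]

    def verify(self, username: str, pin: str, code: str, now: int) -> bool:
        """Accept only if the PIN matches AND the code belongs to an unused, in-window step."""
        record = self._users.get(username)
        if record is None:
            return False
        token_secret, salt, pin_hash, last_step = record
        pin_ok = hmac.compare_digest(self._hash_pin(pin, salt), pin_hash)

        current = now // self.step
        accepted_step = None
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step_no = current + delta
            if step_no <= last_step:
                continue                   # already consumed: a replayed code
            if hmac.compare_digest(hotp(token_secret, step_no), code):
                accepted_step = step_no

        if not (pin_ok and accepted_step is not None):
            return False
        record[3] = accepted_step          # burn the step so this code cannot be reused
        return True


# Constructed demo values: the RFC 4226/6238 test-vector secret and a made-up user.
DEMO_SECRET = b"12345678901234567890"


def demo() -> dict:
    verifier = TokenVerifier()
    verifier.enroll("vp-engineering", DEMO_SECRET, "7391")
    code = totp(DEMO_SECRET, 59)           # what the token displays at t = 59 s
    return {
        "first_use": verifier.verify("vp-engineering", "7391", code, 59),
        "replay": verifier.verify("vp-engineering", "7391", code, 70),
        "wrong_pin": verifier.verify("vp-engineering", "0000", totp(DEMO_SECRET, 95), 95),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is what turns the scenario's 25 weekend logins from a mystery into a non-event: a code observed once is worthless after its time step has been consumed, and a failed PIN never advances the step counter, so an attacker cannot lock out the real user by guessing.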

QUESTION: 11
For the past month, the employees in the executive building have been getting adjusted to their new authentication systems. There was a large spike in help desk calls the first week, which has gone down daily, and now there are fewer login related calls than there were when the office used passwords alone. During your weekly meeting with Blue, the authentication subject is discussed, "So far, the system is working well. Our call volume has dropped, and it seems that most people are getting used to the tokens. There is one issue, however." "Really, what's that?" you ask. "It seems that the senior executives are not that keen on carrying the new tokens around with them. They are asking for a way to authenticate without carrying anything, but still have it be secure." "All right, do we have a budget?" "Yes, however there are not that many senior executives, so the cost isn't the primary issue; although we do want to keep the costs down as much as possible." "So, what limitations do I have?" "Well you need to be sure it's easy to use, is unintrusive, won't require too much training, won't be all that expensive, and provides for strong authentication." Blue tells you. Based on this information, choose the best solution to the authentication problem for the senior executives on the fourth floor.

A. You talk to several of the senior executives on the fourth floor and determine that many of these people are interested in a biometric solution, and that many of them have an interest in voice authentication. They like the fact that they may be able to simply speak to the computer and be authenticated. Since they like this technology, you decide this is what you will implement. You configure each machine with the Anovea software for voice authentication, and configure a microphone at each workstation. You then walk the executive through the
process of enrollment, and have each person test his or her system. With the software installed, the microphone installed, and with the voice authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person's system.
B. You talk to some of the senior executives on the fourth floor and determine that many of these people are interested in a biometric solution, and that many of them have an interest in retinal authentication. They like the fact that they may be able to simply look at the computer and be authenticated. Since they like this technology, you decide this is what you will implement. You configure each machine with the Panasonic Authenticam and authentication software. You then walk the executive through the process of enrollment, and have each person test his or her system. With the software installed, the retinal scanner installed, and with the retinal authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person's system.
C. You talk to two of the senior executives on the fourth floor and determine that these people are interested in a biometric solution, and that they have an interest in retinal authentication. They like the fact that they may be able to simply look at the computer and be authenticated. Since they like this technology, you decide this is what you will implement. You configure each machine with the Panasonic Authenticam and authentication software. You then walk the executive through the process of enrollment, and have each person test his or her system. With the software installed, the retinal scanner installed, and with the retinal authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person's system.
D. You talk to three of the senior executives on the fourth floor and determine that they disliked the tokens, therefore you will install a new authentication system. The people you talked to didn't say they would have problems with smart cards, so you decide to implement a smart card solution. You configure each machine with a smart card reader and driver. You then create a local account for each user, and make that account use smart cards. You then assign a smart card to the account and load the user's credentials on the card. You then walk the executive through the process of using the smart card, and have each person test his or her system. With the software installed, the reader installed, and with the smart card authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person's system.
E. You talk to several of the senior executives on the fourth floor and determine that many of these people are interested in a biometric solution, and that many of them have an interest in fingerprint authentication. They like the fact that they may be able to simply touch something by the computer and be authenticated. You begin the configuration by installing a BioLink USB mouse, driver, and authentication software. You walk each person through the process of enrollment, and how to best use the scanner, and have each person test his or her system. With the software installed, the mouse and driver installed, and with the fingerprint authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person's system.

Answer: E

QUESTION: 12
You finish the work you were doing in the morning, and head out to the monthly meeting. During this meeting, the Vice President of Strategic Partner Relations informs the group of some news, "we have decided that we need to implement a new web site that is for our strategic partners only. This site will be used for various purposes, but will primarily be used as a means of information exchange." "So, is this going to be a private site?" asks Blue. "Absolutely. We will not want any public users on this website. It's just for the people we identify in our Strategic Partner Program. I need those of you in security to be sure that this site is secure." "We can take care of that. How many people do you think will be accessing the site?" asks Blue. "Not too many, perhaps around fifty." "So, is it correct to assume that you know each of these fifty people?" "Yes, that is correct." "OK, well this should not be too hard. We'll get working on this right away." The meeting ends, and you and Blue chat more about the web site issue. "Well, we know that only around fifty people are going to access the site, and we know who these fifty are. This should not cause too many problems," Blue says. "I agree. Do you think it will be all right to spend any money outside of the site itself?" you ask. "Since we are dealing with so few people, that shouldn't be a problem. However, we cannot go overboard. Go ahead and write up a plan for this and get it back to me in a day or two." Based on your knowledge of Troytec, choose the best solution to the web site security issue.

A. You decide to use existing security technology of digital certificates and SSL to secure the site. You first install a new IIS server that will be the host of the web site. You then connect to the Troytec CA for the executive building and request a new certificate for the web site. You then configure the web site to Require a Secure Channel (SSL) and install the certificate. Once you install the new certificate, you connect from the new server to the CA in each office where one or more of the fifty people that require access works. At that CA, you install the CA's certificate, so that the new server will trust the certificates that each CA issues. Next, you return to the configuration of the new web site. To make the site more secure, you require client certificates, and enable mappings for each user account. You call each user and ensure that they have a certificate from their own CA, which the new server now trusts. You walk them through the process of connecting to the site, and verify that secure access to them has been granted.
B. You decide that you will use digital certificates to secure the web site. You will first install a new private CA that the remote users can connect to and request their certificates. This CA will be protected with a very strong password. Each user will be given a user account to access the CA, also protected with a strong password. Next, you install the new private web server. You then connect to the new CA and make a request for a certificate for the web site. Once you receive the certificate, you configure the web site to use the certificate to Require a Secure Channel (SSL). You then select the option to require client certificates, and you enable mapping for each user account. Finally, you will call each person and instruct them on the process of connecting to the CA and requesting their certificate, which you will instruct
them to store on their local machine. Once they have their certificate, you have them test
access to the site, and when successful you move on to the next person.
C. You decide to use digital certificates on smart cards to secure the web site. You will first
install a new IIS web server to host the site. You then connect to the CA_SERVER and
request a new certificate for the server. The server certificate will be used for authentication,
and you have the certificate issued and stored on a portable USB drive. You then configure a
machine to function as the enrollment machine for smart cards. You are going to manage the
smart cards yourself. At the machine that you are going to use for the smart cards, you first
configure the system with an enrollment agent certificate from the CA_SERVER, and then
you install the driver for the smart card reader.Once the driver is installed, you make
certificate requests for each of the fifty users. You start with the first user, by logging in to the
CA and selecting the option to Request A Certificate For A Smart Card On Behalf Of
Another User Using The Smart Card Enrollment Station radio button. You then select the
Smartcard User template, and enter the user's name. When prompted, you put a blank smart
card in the reader and press the Enroll button, followed by entering the default PIN.Once you
have created all fifty smart cards, you continue with the configuration of the web site. You
configure the site to Require Secure Channel (SSL) and configure the site's certificate from
the USB drive. You then configure the site to require the user to have certificates as well,
enabling mapping for the specific users of this site.You then test access to the site from a
remote machine using the smart card and PIN to be authenticated to the site. Once the test is
complete, you write a short howto file and send it along with the smart card, smart card
reader, and driver to each of the fifty users. You follow up with each user upon receipt to
walk them through the configuration.
D. You decide to use strong authentication via biometrics, specifically fingerprint scanning to
secure the web site. You will first install a new IIS web server to host the site. You then
configure fifty user accounts for the remote users, and assign those accounts very strong
passwords.You then ship one biometric mouse and software to each remote client. You call
each user and walk them through the process of configuration of their equipment. First, you
tell them to create a matching user account with the same user name and very strong
password as you used on the IIS server. You then have them install the software, which you
instruct them to configure so that the biometric will be linked to the user account.Once the
software is installed, you instruct them to connect the mouse to their system and load the
appropriate driver. With the driver installed, you tell them how to load the program and enroll
their fingerprint. Once they have their fingerprint enrolled, and it is matched to their user
account, you let them know that their side of the configuration is complete, and that you will
call them shortly to finish the process.You return to the configuration of the IIS server. In the
Security properties of the website, you select the Advanced authentication tab. On the
Advanced tab, you check the box for mapping user accounts to external biometric devices,
and you check the box to allow the remote machine to control the mapping. You finish the
configuration by configuring the site to use 128-bit RSA to encrypt the data between the client
and the server.With the server configuration done, you call the client back and have them log
in using their biometric mouse. Once logged in, you instruct them to connect to the website
and verify the secure site is running.
E. You decide that you will use freely available PGP certificates to secure access to the
website. You will first install a new IIS web server to host the site. You then configure one
user account, with a strong password. You map this account as the only account that has
access to the website.You then log on locally, as this user account, to the server and create a
public\private key pair. From that account you then send an outgoing email to all fifty users
with the account's private key. You finish the configuration of the website by making changes
in the Security properties of the website.In the Security properties, you select the Advanced
tab. On the Advanced tab, you check the box to map this account to a local digital certificate,
and you select the new certificate you just created.Next, you contact each remote user and
instruct them to open the email from you. You have them store the key they receive in their
personal certificate store. To verify the install is correct, you walk them through the process
of viewing their certificates in the MMC. Once verified, you have the user connect to the
website, and enter the location of their certificate when asked for authentication credentials.

Answer: C

QUESTION: 13
You got the router configured just as you wish, and it is time to get the team together for a
meeting. You have the advantage of knowing several of these people for quite some time
through your contracting, but this will be your first full meeting with them.The next day, you
sit down with the CEO, HR Director, and other management people in Troytec. You wish for
the meeting to be as short as possible, so in this initial meeting, you open with a short
summary and project what you feel is a serious problem with the company."Thanks for
coming. I will try to keep this as brief as possible. As you all know, Red was let go under
difficult circumstances, and for the last week I have been working non-stop to get the
network and security under control here. Very good progress has been made, but we are
missing a fundamental component. There is no security policy here at Troytec." To this, you
see some heads nod in agreement, others have no reaction whatsoever, and a few people let
out disappointed sighs."I agree that we need a security policy," adds the HR Director, "as
long as it doesn't become too restrictive.""Policies are only used to document the posture of
the organization, and to provide some guidance in the direction of the network and, in this
case, the security of the network." You add, "Without a written policy, how is any employee
supposed to know what is acceptable, what is not acceptable, and so on?""Our employees
have common sense, we do not want the company to become overly regulated," says a
middle manager who you have not spoken with before."Common sense is great, the more the
employees have, the easier it is to implement the policies. But, there is no guarantee for
the human element. A simple review of what just took place with Red is a quick reminder of
this." With that comment, the middle manager relaxed a bit, and hesitantly agreed."So, what I
would like to do is to lead the development of the policy here, and work with each of you to
get it implemented. In the next few days, I will be requesting a bit of your time, so we can
talk one on one about your needs and issues surrounding the policy."The next week, you
meet with the management team, and you have a list of questions for them, designed to help
you in drafting the security policy. You have decided to break up the creation of the policy
into pieces, spending shorter blocks of time on the policy. This allows the management to be
able to keep most of their days open for running the company.During the meeting, you focus
solely on the Acceptable Use statement for the users of the network. You ask the following
questions to the group, and the consensus answer (after taking your suggestions into account)
is listed after each question.
1. Are users allowed to share user accounts? No.
2. Are users allowed to install software without approval? No. Approval must come through
you, or the current Chief Security Officer (CSO).
3. Are users allowed to copy software for archive or other purpose? No, archives can only be
made by the network administration staff.
4. Are users allowed to read and\or copy files that they do not own, but have access to? Yes.
5. Are users allowed to make copies of any operating system files (such as the Windows
directory or the SAM file)? No.
6. Are users allowed to modify files they do not own, but for which they have write abilities?
Yes, if they have write abilities, they are allowed to modify the file.
Using the provided information from the meeting, you draft the Acceptable Use Statement.
The statement reads as follows:
This Acceptable Use Statement document covers Troytec networks, computers, and
computing resources. Network, computer, and computing resources are defined as physical
personal computers, server systems, routers, switches, and network cabling. Also included in
the definition are software (media) elements such as floppy disks, CD-ROMs (including
writeable and re-writeable), DVD-ROMs, and tape backup systems. A user is defined as the
individual account with authorization to access Troytec resources. All users of the Troytec
network are expected to conduct themselves in a respectful and legal manner.
* The Troytec general computing systems are unclassified systems. As such, top-level secret
information is not to be processed or stored on any general unclassified computer system.
* Individual users are responsible for the proper storage of their personal data on their
workstations. For assistance on proper storage, users are instructed to contact the Security
staff of Troytec.
* In the event that a user has identified a security breach, weakness, or system misuse in a
Troytec system, they are required to contact the on-duty Security staff immediately. Users
are to use a completed Troytec TPS Report for their notice to the Security staff. Initial
contact with the Security staff about the incident might be conducted via email or telephone.
* Individual users are not granted access to systems and resources they have not been given
explicit authority to access. In the event access to a resource is required, and access has not
been granted, the user is to make a request to the on-duty Security staff.
* Individual users shall not make unauthorized copies of copyrighted software, except as
permitted by law or by the owner of the copyright.
* Individual users are not permitted to make copies of system configuration files for their
own, unauthorized personal use or to provide to other people or users for unauthorized uses.
* Individual users are not permitted to share, loan, or otherwise allow access to a Troytec
resource via the user's assigned account.
* Individual users are not permitted to engage in any online or offline activity with the intent
to harass other users; degrade the performance of any Troytec system or resource; impede
the ability of an authorized user to access an authorized resource; or attempt to gain access to
an unauthorized resource.
* Electronic mail resources are for authorized use only. Messages that might be deemed
fraudulent, harassing, or obscene shall not be sent from, to, or stored on Troytec systems.
* Individual users are not permitted to download, install, or run any unauthorized programs or
utilities, including those which reveal weaknesses in the security of a system. This includes,
but is not limited to network sniffing tools and password cracking utilities. Users who are
found to be in violation of this policy will be reported to the on-duty Security staff and the
Troytec CEO. The CEO will determine if the violation will result in the loss of Troytec
network privileges. In the event the violation warrants, the CEO may press civil or criminal
charges against the user. I have read and understand the Troytec Acceptable Use Statement,
and agree to abide by it.With this information, and your knowledge of Troytec, choose the
answer that will provide the best solution for implementing the Acceptable Use statement
policy needs of Troytec:

A. Once the meeting ends, you make the changes that were discussed during the meeting.
They are not too extensive, but you make them and present the document to the team again
on Friday. Now that you have made the changes, the policy is accepted, and the discussion
moves towards getting every employee to sign and agree to the policy."Well, it's Friday
afternoon. Everyone needs their paychecks today," comments the HR director."Good point,
let's just print out 100 of these, and tell everyone to sign them in order to get their check,"
agrees one of the managers.After some discussion, it is agreed that this will be the fastest
way to get all the employees to sign the policy document. The meeting wraps up around 2:00,
and the printing and stapling of the policy documents ends around 4:00.Over the next hour,
the HR director, with the help of the manager, hands out checks, making all the employees
sign the document in order to get their check. You think to yourself that the efficiency of a
small operation like this is nice to see in action. You go to get your check, sign your
document, and are actually able to end your day at 5:00pm on a Friday.
B. You present the draft statement to the team at the next meeting. There is some discussion
as to the wording in the clause regarding the internal TPS Report. Some in the group feel the
TPS Report will be too tedious to use, others think with a distributed memo about the Report,
everything will be fine. After further discussion all agree on the wording of the policy.The
employees meet with the HR director over the next week, and are all presented with a copy of
the policy and discuss how it is to be implemented. There is some resistance, some of the
employees are not happy about having a new procedure to follow.While walking back to your
office, you see the CEO, and motion that you have a quick question, "How does the new
policy seem to be going with HR?" you ask."So far so good, there are a few folks not that
happy, but I think we'll be fine.""I've got to get over there tomorrow to sign mine, when are
you meeting with HR?""Me? I've got too much going on right now. I have to oversee
everything; whatever happens and goes on here has to go through me anyway. I don't have
time to bother with that myself, I just wanted to be sure we had something legally binding to
protect us and to assist the employees.""Fair enough. Listen, I need to talk with you soon
about our firewall situation," you reply."OK, stop by anytime. You know my door is always
open."You walk away, and are pretty happy with how things are going here. You know you
have more work to do, but so far your suggestions are being taken well and appreciated.
C. You present the current draft to the team at the next meeting. There is some discussion
now on the language of the different clauses, and it seems that no one can agree on the points.
What you thought was close to being done, now seems to be at risk of never getting done.As
the meeting escalates, and opinions start to get louder, the CEO interrupts the group,"Enough.
We are a small group, we have enough in common, we know what we need out of this. We
will bring in three contractors who specialize in policy writing. We'll give them our thoughts,
they will work with our tireless Security Guru, and get this thing done."You are not all that
thrilled about three consultants coming down on your territory, but realize the frustration of
the CEO. You agree, "That's fine by me. I'll meet with them, and we will draft the
document."There is other business on the agenda for the meeting, but it is not related to you,
so you excuse yourself and go back to your office.After working with the three consultants
for a month, you have the document, approved by Troytec. You organize a company wide
meeting, where the consultants describe the policy and what it is for to all the employees. The
employees are told where they can find the policy to review for themselves, and after a
question and answer session everyone gets back to their work.
D. You present the draft statement to the team at the next meeting. There is some discussion
as to the wording in the clause regarding the internal TPS Report. Some in the group feel the
TPS Report will be too tedious to use, others think with a distributed memo about the Report,
everything will be fine. After further discussion all agree on the wording of the policy.The
team finishes the discussion, and the meeting ends with approval of the document. Once the
document is approved, you move the discussion towards getting everyone in the company
aware of and agreeing to it."I suggest that we tie it into our paychecks, and have the
document go through HR.""We could do that, I guess. I can present the document to all the
employees over the rest of the month." the HR Director responds.Following that, the CEO
brings up that there is going to be a company dinner next month, and that at the dinner the
CEO will declare the policy in place, and that "As all of us become comfortable with this, we
all should appreciate this step forward for our company."The next day, you post the policy on
the company intranet site, so everyone has an electronic copy to go with their copy from the
HR meeting. Once that is done, you move on to your next project.
E. After the review of the
policy it is decided that some of the bullet points in the document need to be changed. You
make the requested changes, and the team reviews the document once more."It all looks good
to me now," says a manager in the meeting."OK, how should we present this to the
employees?" you ask."I could take a copy to each employee and discuss it with them," offers
the HR director."No, that would be too time-consuming. That's not a good use of your time,"
responds the CEO. "We need to get this done, obviously. What is our most cost-effective way
of doing this?""Well, I could post the policy on our intranet site, and we could have the
employees go and download it themselves. During lunch, perhaps?" you suggest. "That
sounds good, let's take that approach," the CEO answers. Later that day, you create a quick
intranet site, called Troytec policy and documents. You draft a quick email, which will be
sent to all the employees in the company:
"Dear _____,
At Troytec we have just finished work on a security policy that will clearly define the use of
the computers and other issues. This document will answer the questions that many of you
have had recently on what you are allowed to do with the computer and when online.
At your earliest convenience, please connect to the new site I have linked here, to download
and read the new policy. Thanks and have a great day.
- Troytec Security Staff."
You verify the site is working, send the email out to all the employees, and go home for the
day.

Answer: D

QUESTION: 14
Things have been running smoothly now at Troytec for the last several weeks. There have
been no major attacks, and it seems that the systems in place are performing just as expected.
You are putting together some paperwork when you get a call from Blue to meet in the
conference room.When you get there, Blue is wrapping up a meeting with the senior Vice
President of Sales, whom you say hello to on your way in."I was just talking with our senior
VP here, and we've run into a new issue to discuss," Blue tells you."Well, I'll let you two sort
this out. Blue, do let me know when it's all ready to go." With that the VP leaves.You sit
down across from Blue, who starts, "That was an interesting meeting. It seems that even
though I have always said no to the request, we are being pressured to implement a wireless
network.""Here?" you ask, "In the executive building?""Yes, right here. The sales team
wishes to have the ability to be mobile. Instead of running a full scale roll out I have trimmed
the request down to running a test implementation on the second floor. The test run on that
floor will be used to determine the type of wireless rollout for the rest of the building, and
eventually the rest of the campus. So, here is what we need to do. I need you to create the roll
out plan, and bring that plan to me. I'll review with you and implement as required.""As
always, what is my budget restriction?" you ask."In this case, security is the top priority. If
we are going to run wireless, it has to be as secure as possible, use whatever you need. That
being said, your plan has to use existing technologies, we are not going to fund the
development of a new protocol or proprietary encryption system right now."You begin your
work on this problem by pulling out your own wireless networking gear. You have a laptop
that uses an ORiNOCO card, and you have a full directional antenna that you can hold or
mount on a small tripod. You take your gear to the lobby of the second floor, and you load up
NetStumbler quickly to run a quick check that there are no access points in your area.The
immediate area is clear of any signal, so you take your gear and walk the entire second floor,
waiting to see if there is any signal, and you find none. With your quick walk through
complete, you take your gear back to your office and start working on your plan.Using your
knowledge of the Troytec network, select the best solution to the wireless networking rollout
problem:

A. You have figured out that since the network is a test roll out, you have some flexibility in
its configuration. After your walk through test, you begin by configuring the wireless nodes in
the network to run in Ad Hoc mode, creating an Independent Basic Service Set (IBSS).You
will use a complex SSID of 5cN@4M3! on all wireless nodes. You will next configure every
node to no longer broadcast any beacon packets. You will configure all the nodes to not use
the default channel, and instead move them all to channel six.You will configure every node
to use MAC address filtering, to avoid unauthorized nodes from attempting to gain access to
the network. Finally, you will configure each node to use WEP in the strong 128-bit mode,
along with a complex 16-character passphrase.Once the network is up and running, you take
your gear (which is not an authorized client of the network) and every few days will walk the
office again, checking for access.
B. You have figured out that since the network is a test roll out, you have some flexibility in
its configuration. After your walk through test, you begin by configuring the wireless nodes in
the network to run in Ad Hoc mode, creating an Extended Basic Service Set (EBSS).You will
use a complex SSID of 5cN@4M3! on all wireless nodes. You will next configure every node
to no longer broadcast any beacon packets. You will configure all the nodes to not use the
default channel, and instead move them all to channel six.You will configure every node to
use MAC address filtering, to avoid unauthorized nodes from attempting to gain access to the
network. Finally, you will configure each node to use WEP in the strong 128-bit mode, along
with a complex 16-character passphrase for generating four keys. You will manually input
the WEP Keys into each node. You will divide the test nodes into quarters, and configure
each quarter to startup on the network using a different default WEP key.Once the network is
up and running, you take your gear (which is not an authorized client of the network) and
every few days will walk the office again, checking for access.
C. You determine that for the test network, you will run in infrastructure mode, using a SSID
of FLOOR2. During the test, you will create one single Independent Basic Service Set
(IBSS), running through one access point. All test nodes will be configured to participate in
the IBSS, using the SSID of FLOOR2.You will configure the access point to use WPA, with
an algorithm of TKIP. You will configure WPA to utilize the full 128-bit key option, with the
pre-shared WPA key option. The client computers will need supplicants, so you will
configure the Funk Software Odyssey Client on the clients, matching the key settings and
TKIP settings. You will disable the access point from broadcasting its SSID, and you will
configure MAC address filtering.Once the network is up and running, you take your gear
(which is not an authorized client of the network) and every few days will walk the office
again, checking for access.
D. You determine that for the test network, you will run the network in infrastructure mode,
using a SSID of FLOOR2. During the test, you will create one single Basic Service Set
(BSS), running through one access point. All test nodes will be configured to participate in
the BSS, using the SSID of FLOOR2, and the access point will be configured with MAC
address filtering of the test nodes.You will configure the access point to use EAP,
specifically EAP-TLS. You will configure a Microsoft RADIUS Server as the authentication
server. You will configure the RADIUS server with a digital certificate. Using EAP-TLS,
both the server and the client will be required to authenticate using their digital certificates
before full network access will be granted. Clients will have supplicant software configured
where required. You will next make a physical map of the office, using the tool Ekahau.
Working with this tool, you will map out and track the positioning of each wireless device
once the network is active.When the network is up and running, you take your gear (which is
not an authorized client of the network) and every few days will walk the office again,
checking for access. You will continue the test by running checks from the parking lot,
ensuring that you cannot gain access.
E. You figure out that you will run the test network in infrastructure mode, using a SSID of
Troytec. You will create one single Basic Service Set (BSS), all running through one access
point. All test nodes will be configured to participate in the BSS, using the SSID of Troytec,
and the access point will be configured with MAC address filtering of the test nodes.You will
configure the access point to utilize a combination of 802.1x and WPA. The WPA settings
will be fully secured with TKIP, and 128-bit keys, which change on a per session basis. The
802.1x settings will be to use Lightweight EAP (LEAP). The clients will be configured to use
LEAP, with a fallback to TKIP at 128-bits.When the network is up and running, you take
your gear (which is not an authorized client of the network) and every few days will walk the
office again, checking for access. You will continue the test by running checks from the
parking lot, ensuring that you cannot gain access.

Answer: D
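As an added illustration that is not part of the exam material, the two access-point designs contrasted in options C and D written as two separate hostapd.conf files: the first carries one pre-shared WPA/TKIP key for every node behind a hidden SSID and a MAC list, as option C describes; the second hands authentication to a RADIUS server over 802.1X so that EAP-TLS can check a certificate on both sides, as option D describes. The interface name, file paths, RADIUS address and secrets are placeholders, and the CCMP cipher in the second file is my choice, since option D names no cipher suite.

```ini
# ---- /etc/hostapd/option-c.conf (placeholder path) ----
# Option C style: one secret shared by every test node.
# hostapd does not accept trailing comments, so each comment is on its own line.
interface=wlan0
ssid=FLOOR2
# Hide the SSID from beacons; it still appears in probe and association frames,
# so this limits casual discovery only and authenticates nobody.
ignore_broadcast_ssid=1
# Accept only MAC addresses listed in the file (one per line, placeholder path).
macaddr_acl=1
accept_mac_file=/etc/hostapd/floor2.accept
# First-generation WPA with TKIP, as the option specifies.
wpa=1
wpa_pairwise=TKIP
# A single passphrase on the AP and every client: it cannot tell users apart,
# and revoking one node means re-keying all of them.
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CHANGE-ME-placeholder-passphrase

# ---- /etc/hostapd/option-d.conf (placeholder path) ----
# Option D style: per-client certificate authentication through 802.1X.
interface=wlan0
ssid=FLOOR2
macaddr_acl=1
accept_mac_file=/etc/hostapd/floor2.accept
# Enable 802.1X port access control and forward EAP to an external RADIUS server;
# the EAP method (EAP-TLS here) is negotiated between client and RADIUS server.
ieee8021x=1
eap_server=0
# Placeholder RADIUS server on a TEST-NET address, and placeholder shared secret.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret
own_ip_addr=192.0.2.1
# WPA2 with pairwise keys derived per session from the EAP-TLS exchange,
# so no static key is ever distributed to the clients.
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
```

The RADIUS server, not the access point, holds the CA certificate that validates client certificates and presents its own server certificate, which is the mutual authentication option D relies on.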

QUESTION: 15
You go back through your notes to the day that you recommended that the company get a
firewall in place. Red had been convinced that the ISP protected the network, and that a
firewall was too much technology on top of the router. Now that you have been given this
responsibility, and since you have configured the router already, you wish to get the firewall
in place as quickly as possible. You meet quickly with the CEO and mention that the network
currently has no firewall, a serious problem. You inform the CEO that this must be fixed
immediately, and that you have several firewall options. For this one instance, the CEO tells
you to build the best solution; the decision is not going to be based on direct cost.Based on
your knowledge of and the information you have from Troytec, select the best solution to the
organization's firewall problem:

A. You decide to take advantage of the features of Microsoft's ISA Server and Checkpoint's
NG. You implement two firewalls, each with two network cards. From one Ethernet interface
of the router, you connect to a Checkpoint firewall, and from the other Ethernet interface on
the router, you connect to a Microsoft ISA firewall.The Checkpoint firewall is connected via
one NIC to the router, and the other NIC is connected to the Web and FTP Server. The
Microsoft ISA Server is connected via one NIC to the router and the other NIC is connected to
the LAN switch.You perform the following steps and configurations to setup the firewalls:
1. First, you configure the IP Address on both network cards of both firewalls.
2. Second, you select the Floodgate-1, SMART Clients, and Policy Server as the only
components to install and complete the installation of Checkpoint.
3. Third, you configure the Checkpoint firewall so only Web and FTP traffic are allowed
inbound.
4. Fourth, you select the Cache Mode option during the install of ISA Server and complete
the installation of Microsoft ISA Server.
5. Fifth, you allow all outbound traffic through the ISA Server.
6. Sixth, you allow only inbound traffic through the ISA Server that is in response to
outbound requests.
B. After analysis, you decide to implement a firewall using Checkpoint's NG. You begin by
installing a new machine, with a fresh hard drive, and loading NG. The new firewall
will have four NICs. You connect the two Ethernet interfaces on the router to two of the
firewall NICs. You connect one firewall NIC to the Web and FTP server and one firewall NIC
to the LAN switch. You perform the following steps and configurations to set up the firewall:
1. First, you configure the IP Addresses on all four network cards of the Checkpoint firewall.
2. Second, you select only the VPN-1 & Firewall-1 components to install and complete the
installation of Checkpoint.
3. Third, you configure the firewall so that the only new inbound network traffic allowed is
traffic destined for the WWW and FTP services on the Web and FTP server.
4. Fourth, you block all other incoming traffic.
5. Fifth, you create anti-spoofing rules to block inbound traffic that might be spoofed.
6. Sixth, you configure all traffic to be allowed in the outbound direction.
C. After you analyze the network, you have decided that you are going to implement a
firewall using Microsoft ISA Server. The new firewall will have four NICs. You connect the
two Ethernet interfaces on the router to two of the firewall NICs. You connect one NIC to
the Web and FTP server and one NIC to the LAN switch. You perform the following steps and
configurations to set up the firewall:
1. First, you format a new hard drive and install a new copy of Windows 2000 Server.
2. Second, you configure the correct IP Addresses on the four network cards.
3. Third, you install ISA Server in Firewall-only mode, and complete the installation.
4. Fourth, you configure all inbound traffic to require the SYN flag to be set; all other
inbound network traffic is denied.
5. Fifth, you configure the network card towards the Web and FTP server to allow only
ports 80, 20, and 21.
6. Sixth, you configure all outbound traffic to be allowed.
D. After you analyze the company, you decide to implement a firewall using Microsoft ISA
Server. You create a DMZ with the Web and FTP server on the network segment between the
router and the new firewall. The firewall will have two NICs, one connected to the router, and
one connected to the LAN switch. You perform the following steps and configurations to
set up the firewall:
1. First, you install a new version of ISA Server in Firewall mode.
2. Second, you configure the inbound network card to disallow all network traffic that did not
originate from inside the network or from the Web and FTP Server.
3. Third, you configure anti-spoofing rules to prevent spoofing attacks.
4. Fourth, you configure all outbound traffic to be allowed.
5. Fifth, you configure inbound traffic with the SYN flag on to be allowed, and to be logged
to a SYSLOG server inside the network.
E. After you run an analysis on the network and the Troytec needs, you decide to implement
a firewall using Checkpoint NG. The firewall will have three NICs. One NIC is connected to
the router, one NIC is connected to the Web and FTP server and one NIC is connected to the
LAN switch. You perform the following steps and configurations to set up the firewall:
1. First, you install a new version of Checkpoint NG, selecting the VPN-1 and Firewall-1
components, and complete the installation.
2. Second, you configure the inbound rules to allow only SYN packets that are destined for
ports 80, 20, and 21 on the Web and FTP server.
3. Third, you disallow all inbound traffic for the internal network, unless it is in response to
an outbound request.
4. Fourth, you configure anti-spoofing rules on the inbound interface and log those
connections to a log server.

Answer: E

QUESTION: 16
The network has been receiving quite a lot of inbound traffic, and although you have been
given instructions to keep the network open, you want to know what is going on. You have
decided to implement an Intrusion Detection System. You bring this up at the next
meeting. "After looking at our current network security, and the network traffic we are dealing
with, I recommend that we implement an Intrusion Detection System," you begin. "We don't
have any more budget for security equipment; it will have to wait until next year." This is the
reply from the CEO that you were anticipating. "I realize that the budget is tight, but this is an
important part of setting up security." You continue, "If I cannot properly identify all the
network traffic, and have a system in place to respond to it, we might not know about an
incident until after our information is found for sale on the open market." As expected, your
last comment got the group thinking. "What about false alarms?" asks the VP of sales. "I hear
those things are always going off, and just end up wasting everyone's time." "That's a fair
concern, but it is my concern. When we implement the system, I will fine-tune it and adjust it
until the alarms it generates are appropriate, and are generated when there is legitimately
something to be concerned about. We are concerned with traffic that would indicate an
attack; only then will the system send me an alert." For a few minutes there is talk back and
forth in the room, and then the CEO responds again to your inquiry, "I agree that this type of
thing could be helpful. But we simply don't have any more budget for it. Since it is a good
idea, go ahead and find a way to implement this, but don't spend any money on it." With this
information, and your knowledge of Troytec, choose the answer that will provide the best
solution for the IDS needs of Troytec:

A. You install Snort on a dedicated machine just outside the router. The machine is designed
to send alerts to you when appropriate. You implement the following rule set:
Alert udp any any -> 10.10.0.0\16 (msg: "O\S Fingerprint Detected"; flags: S12;)
Alert tcp any any -> 10.10.0.0\16 (msg: "Syn\Fin Scan Detected"; flags: SF;)
Alert tcp any any -> 10.10.0.0\16 (msg: "Null Scan Detected"; flags: 0;)
Log tcp any any -> 10.10.0.0\16 any
You then install Snort on the web and ftp server, also with this system designed to send you
alerts when appropriate. You implement the built-in scan.rules ruleset on the server.
B. You configure a new dedicated machine just outside the router and install Snort on that
machine. The machine logs all intrusions locally, and you will connect to the machine
remotely once each morning to pull the log files to your local machine for analysis. You run
Snort with the following command: Snort -dev -l \snort\log -c snort.conf and using the
following rule base:
Alert tcp any any <> any 80
Alert tcp any any <> 10.10.0.0\16 any (content: "Password"; msg:"Password transfer Possible";)
Log tcp any any <- 10.10.0.0\16 23
Log tcp any any <> 10.10.0.0\16 1:1024
C. You install your IDS on a dedicated machine just inside the router. The machine is
designed to send alerts to you when appropriate. You begin the install by performing a new
install of Windows on a clean hard drive. You install ISS Internet Scanner and ISS System
Scanner on the new system. System Scanner is configured to do full backdoor testing, full
baseline testing, and full password testing. Internet Scanner is configured with a custom
policy you made to scan for all vulnerabilities. You configure both scanners to generate
automatic weekly reports and to send you alerts when an incident of note takes place on the
network.
D. You install Snort on a dedicated machine just inside the router. The machine is designed to
send alerts to you when appropriate. You do have some concern that the system will have too
many rules to operate efficiently. To address this, you decide to pull the critical rules out of
the built-in rule sets, and create one simple rule set that is short and will cover all of the
serious incidents that the network might experience.
alert udp any 19 <> $HOME_NET 7 (msg:"DOS UDP Bomb"; classtype:attempted-dos; sid:271; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; id:242; fragbits:M; classtype:attempted-dos; sid:270; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; id: 678; itype: 8; content: "1234"; classtype:attempted-recon; sid:221; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; classtype:attempted-recon; sid:469; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU; classtype:attempted-recon; sid:625; rev:1;)
alert tcp $HOME_NET 31337 -> $EXTERNAL_NET 80 (msg:"SCAN synscan microsoft"; id: 39426; flags: SF; classtype:attempted-recon; sid:633; rev:1;)
E. You install two computers to run your IDS. One will be a dedicated machine that is on the
outside of the router, and the second will be on the inside of the router. You configure the
machine on the outside of the router to run Snort, and you combine the default rules of
several of the built-in rule sets. You combine the ddos.rules, dos.rules, exploit.rules,
icmp.rules, and scan.rules. On the system that is inside the router, running Snort, you also
combine several of the built-in rule sets. You combine the scan.rules, web-cgi.rules, ftp.rules,
web-misc.rules, and web-iis.rules. You configure the alerts on the two systems to send you
email messages when events are identified. After you implement the two systems, you run
some external scans and tests using vulnerability checkers and exploit testing software. You
modify your rules based on your tests.

Answer: E
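Added illustration, not part of the exam material: a small Python lint for rules of the shape used in the options above. It parses the seven header fields and the option body and reports what a reviewer would catch in the option A and B rule sets (a missing destination port, a CIDR written with a backslash, an alert with no msg, an invalid direction operator), and shows that a TCP flags test on a UDP rule is still wrong once the header is repaired. The sample rules are constructed from the option text; the repaired rule and the port and option checks are this example's own, not Snort's.

```python
"""Minimal lint for Snort-style rules of the shape shown in the options above.
Parses the seven header fields and the option body and reports mistakes a
reviewer would catch before loading the rule set (';' inside quoted values
is not handled). Sample rules are constructed from the option text."""
import ipaddress
from collections import namedtuple
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
TCP_ONLY = {"flags", "seq", "ack"}    # options meaningless outside TCP
ICMP_ONLY = {"itype", "icode"}        # options meaningless outside ICMP
FLAG_CHARS = set("FSRPAU120+*!")      # legal characters in a flags: value
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+|\d*:\d*)$")
Rule = namedtuple("Rule", "action proto src sport direction dst dport options")


def parse_rule(text):
    """Split one rule into its header fields and a key -> value option map."""
    head, _, body = text.replace("\n", " ").partition("(")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError(f"header has {len(fields)} fields, expected 7 "
                         f"(action proto src sport direction dst dport): {head.strip()!r}")
    options = {}
    for item in body.strip().rstrip(")").split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            options[key.strip().lower()] = val.strip()
    return Rule(fields[0].lower(), fields[1].lower(), *fields[2:7], options)


def valid_addr(addr):
    """'any', a $VARIABLE, or an IP address / CIDR block, optionally negated."""
    addr = addr.lstrip("!")
    if addr == "any" or addr.startswith("$"):
        return True
    try:
        ipaddress.ip_network(addr, strict=False)
        return True
    except ValueError:
        return False


def lint_rule(text):
    """Return a list of problems; an empty list means the rule looks sane."""
    try:
        r = parse_rule(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if r.action not in ACTIONS:
        problems.append(f"unknown action {r.action!r}")
    if r.proto not in PROTOS:
        problems.append(f"unknown protocol {r.proto!r}")
    if r.direction not in DIRECTIONS:
        problems.append(f"invalid direction operator {r.direction!r}")
    for label, addr in (("source", r.src), ("destination", r.dst)):
        if not valid_addr(addr):
            problems.append(f"bad {label} address {addr!r} (CIDR uses '/', not '\\')")
    for label, port in (("source", r.sport), ("destination", r.dport)):
        if not PORT_RE.match(port):
            problems.append(f"bad {label} port {port!r}")
    for key in r.options:
        if key in TCP_ONLY and r.proto != "tcp":
            problems.append(f"option {key!r} is TCP-only but protocol is {r.proto}")
        if key in ICMP_ONLY and r.proto != "icmp":
            problems.append(f"option {key!r} is ICMP-only but protocol is {r.proto}")
    flags = r.options.get("flags")
    if flags is not None and not set(flags) <= FLAG_CHARS:
        problems.append(f"flags value {flags!r} has unknown flag characters")
    if r.action == "alert" and "msg" not in r.options:
        problems.append("alert rule has no msg, so alerts will be hard to interpret")
    return problems


def lint_ruleset(rules):
    """Map each rule to its problem list, keeping only rules with problems."""
    return {rule: probs for rule in rules if (probs := lint_rule(rule))}


# Constructed samples modelled on option A (no destination port, backslash in
# the CIDR), option B (alert without msg, '<-' direction) and option D above.
OPTION_A_RULES = [
    r'Alert udp any any -> 10.10.0.0\16 (msg: "O\S Fingerprint Detected"; flags: S12;)',
    r"Log tcp any any -> 10.10.0.0\16 any",
]
# Option A's first rule with the port and CIDR separator corrected (constructed):
# the header now parses, but a 'flags' test still makes no sense on a UDP rule.
OPTION_A_REPAIRED = 'alert udp any any -> 10.10.0.0/16 any (msg:"OS Fingerprint"; flags: S12;)'
OPTION_B_RULES = ["Alert tcp any any <> any 80", r"Log tcp any any <- 10.10.0.0\16 23"]
OPTION_D_RULES = [
    'alert udp any 19 <> $HOME_NET 7 (msg:"DOS UDP Bomb"; classtype:attempted-dos; sid:271; rev:1;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; classtype:attempted-recon; sid:469; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU; classtype:attempted-recon; sid:625; rev:1;)',
]
```

Running lint_ruleset over OPTION_A_RULES + OPTION_B_RULES flags every rule, while OPTION_D_RULES comes back clean.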

QUESTION: 17

By now, you are feeling confident that the security of the Troytec network is getting under
control. You are aware that there are still several critical areas that you must deal with, and
today you are addressing one of those areas. You have been able to take care of the router,
firewall, security policy, and intrusion detection, now you are concerned with some of the
hosts in the network. Since the organization is not very large, you are the only person working
in the IT end of the company. It will be up to you to directly work on the systems throughout
the network. You make a quick chart of the systems you know should be in the Troytec
network:
Server0001, 10.10.20.101, Windows 2000 Server
Server0010, 10.10.20.102, Windows 2000 Server
Server0011, 10.10.20.103, Windows 2000 Server
Server0100, 10.10.20.104, Linux (Red Hat 8.0)
User systems, 10.10.100.100~10.10.100.200, Windows 2000 Professional
The addressing that you recommended months ago is in place, and it follows a distinct logical
pattern; you are hoping that no new systems are hidden in the network somewhere. In the
company, you have been granted domain administrator rights, and no other user is authorized
to have administrator, root, supervisor, or otherwise privileged level of access. All the
Windows systems are to belong to one Windows domain called SCNA.edu. Users are no
longer allowed to install unauthorized applications, and are all to use the file servers for
storage. Although they have the ability to do so, users are not supposed to store any work data
on their local systems. The servers are located in a server cabinet that is inside your office, so
you decide to start working there. Using your knowledge of Troytec, select the best solution
for hardening the Troytec operating systems:

A. The first thing you do is to run a Nessus scan against all the servers in the room, noting the
findings of the scans. You then begin on the servers by running some tests on the Linux
server. First, you run Tripwire on the entire system to ensure that there are no rogue Root
accounts, and the test is positive. Second, you ensure that there are no unauthorized objects
available through the network, and third you lock the system down with Bastille. You then
work on the Windows servers. You run a check to ensure there are no unauthorized
administrator accounts, and there are not. You create a custom security template and
implement the template on each server using the Security Configuration and Analysis Snap-
In, and you ensure that each system is updated with the latest patches. Finally, you analyze
the users' desktops. You go one by one through the network checking for added user accounts,
and you find some. You remove these unauthorized accounts and check for software and
applications. Again, you find some applications that are not allowed and you remove them.
You check the systems for hardware changes, and address the issues that you find.
B. You start the job by running some analysis on the Windows servers. You do this using the
Security Configuration and Analysis Snap-In, and you ensure that each system is updated
with the latest patches. You find several user accounts that have been given local
administrator access, and you remove these accounts. You next use the Secedit tool to
implement local encryption on the shared hard drive to secure the local files for the network
users. You then work on the Linux server. To your surprise there are no unauthorized root
accounts, nor any unauthorized shares. You ensure that the permissions are correct on the
shared objects, and run Bastille to lock down the server. You then work on the client
machines. Before you physically sit at each machine, you run a Nessus scan from your office.
Bringing the results with you, you go to each machine and address any issues as identified in
the Nessus scan, and remove any unauthorized applications.
C. The first thing you decide to do is plug your laptop into the server room, and run a full
Nessus scan on the entire network, specifically looking for every backdoor vulnerability that
the application can check. This takes some time to compile, but you eventually end up with a
list of issues to address on each machine. You move on to the Linux server, and run a fast
Tripwire check on the system to look for any additional vulnerabilities. Once that check is
done, you install SSH so that all access by every user will be encrypted to the server, and you
run Bastille to lock down the system. At the Windows systems, you address any issues found
during the Nessus scan, you ensure that each system is updated with the latest patches, and
you ensure that the systems are all functioning as fully secure and functional file servers to
the network by implementing the HISECWEB.INF template in the Security Configuration
and Analysis Snap-In. Finally, you work on each desktop machine by removing any
vulnerabilities listed in the scan report. You remove a few pieces of unauthorized hardware
and many unauthorized applications.
D. You begin by running a Nessus scan from your office laptop on the systems in the
network, first the servers, then the users' workstations. After the scans are complete, you store
the reports on your laptop, and you take your laptop to the server room. In the server room,
you begin on the Windows servers. You implement a custom security template on each server
using the Security Configuration and Analysis Snap-In, remove any unauthorized accounts,
ensure that each system is updated with the latest patches, and ensure that the permissions on
each shared object are as per policy. You then work on the Linux server, by addressing each
point identified in the Nessus scan. You then lock the system with Bastille, ensure that each
system is updated with the latest patches, and run a quick Tripwire scan to create a baseline
for the system. You take your laptop with you as you go throughout the network to each user
workstation, ensure that each system is updated with the latest patches, and you take care of
each issue you found on the machines. There are a few systems that you find with
unauthorized applications and you remove those applications.
E. You begin by running a Nessus scan on each computer in the network, using the \hotfix
switch to create a full report. The report identifies every vulnerability on each system and lists
the specific changes you must make to each system to fix any found vulnerabilities. You take
the report to the server room and start with the Linux server. On the server, you run through
the steps as outlined in the Nessus report, and end by locking the system using Bastille. Then,
you move to the Windows systems, again following the steps of the Nessus report, and
ending by using the Security Configuration and Analysis Snap-In to implement the Gold
Standard template on every server. Finally, you proceed to each user workstation. At each
user machine, you follow each step for each system, based on your report. Once you have
addressed all the vulnerabilities in the systems, you run a quick Secedit scan on each system
to ensure that they are all locked down and that proper encryption is configured.

Answer: D

QUESTION: 18
Although you feel that you have taken solid steps in the security of Troytec, you would like
to have some more analysis and documentation of the state of the network, and the systems in
place protecting Troytec's resources. The CEO wants to know what Troytec should be
spending on securing these resources, and wants justification for the numbers that you
provide. You inform the group that you will be able to provide them with a Risk Analysis on
the defined resources, and you also suggest that Troytec perform a full business Risk
Analysis, and that they make it part of their policy to perform ongoing analysis. During the
first meeting after the agreement on analysis, a sales manager tells you the following: "We
are rolling out a new online sales component to our organization. It will be up to you to
design the system for this, but we anticipate it being up and running next month and are
looking to have initial revenues of around $1,000 per day through that component." "All
right," you respond, "If the initial revenues are going to be around $1,000 per day, what are
you projecting will be the daily revenue through this in 6 and 12 months?" The CEO answers
this question, "Our projections are to have an average of about $2,000 per day in six months
and $3,000 per day within a year." "And, what is this system going to be responsible for? By
that I mean, is this just an order taking machine, is it tied into inventory, is it tied into
shipping, and so on?" you ask. "Right now, and as far as the current plan goes, this is an order
taking system. It will not be tied into any of our other systems." "Are we going to get a new
Internet connection for this server, or is it going to run off the current connection we have? I'd
recommend a new connection, but am curious to know if that has been considered." "I think
we can stick with our current connection for the time being. If it seems like there is a need in
the future for the expenses of a new connection, we can discuss it then. Anything else?"
"Not right now; as issues come up I will talk to you about them." The rest of the meeting does
not require your attendance, so you head back to your office. Based on your knowledge of the
Troytec environment, select the solution that best allows you to justify the expense of
protecting the new server.

A. You decide to perform a Qualitative Risk Analysis on the new server. You organize a
short meeting with the sales director to get a better idea of what will be stored on the system.
You know the projected sales volumes, and you find out that on the system will be nothing
more than a catalog, where people can order Troytec products. Since there is nothing of value
stored on the server, you decide that the Level of Damage that would happen if this system is
compromised is low and that the Likelihood of an Attack to gain access is low. Since the
company needs the system for sales, you decide that the threat of a power loss is
significant. Your report back to the CEO is that the current security systems in place are
adequate for the new system, and that it will be protected by the firewall and IDS. You do
request an increase in the resources for power equipment, specifically a large battery backup
for the server.
B. You decide to perform a Quantitative Risk Analysis on the server. You meet with the sales
director to find out that the server will only hold a copy of the catalog. You estimate that
since the system will be directly connected with a public IP Address, and since it will hold
customer data, that it is a likely target for attack. You know that you have solid security
systems in place, but you think there will be a legitimate attack to compromise this server at
least once per month. Based on this information you decide that the ARO is 12, and the SLE
will be one day of operation plus one day to restore the system, therefore $6,000. With an
ARO of 12, and with a SLE of $6,000, you determine that the ALE for the system is
$72,000. You report to the CEO that although the current security systems in place are solid,
this server requires security of its own. You identify the $72,000 that could be lost every year
due to attacks, and request resources to properly protect the server.
C. You decide to follow the Facilitated Risk Analysis Process (FRAP) for the server. You sit
down in your office by yourself, and you list out the vulnerabilities that might exist for the
server. You then categorize those vulnerabilities into High, Medium, and Low. Taking each
individual vulnerability that you discovered, you further detail that listing with the degree of
impact that vulnerability could have, again categorizing them as High, Medium, and
Low. When you are done, you have a list that shows five vulnerabilities, only one of them
High, and that is attempted system compromise. You have identified this vulnerability to
have a Low impact, since it will only contain the Troytec catalog and no other critical
services. You report back to the CEO that the current systems in place are adequate, and your
only suggestion is to possibly increase the power backup to a larger model for the server.
D. Since this is the only system that you are requested to analyze, and the CEO is looking for
numbers, you decide to run a fast Qualitative Risk Analysis. You know that the server is
going to generate $6,000 per month, and you think there will most likely be an attack on the
server at least twice a month. This means that for this server, you have an SLE of $6,000 and
an ALE of 24. With an SLE of $6,000, and with an ALE of 24, you determine that the SRO
for the system is $144,000. You report to the CEO that there is a risk of $144,000 to this
server every year, and you recommend that for the first year that full risk amount be spent on
mitigating the risk, so that in subsequent years you can report the risk has been reduced to
zero.
E. With only this one single system to analyze, you decide that a Quantitative Risk Analysis
is appropriate. You identify three major threats: Power Outage, Administrator-level system
compromise, and Denial of Service attacks. You assign the power outage a low likelihood,
the administrative compromise a medium likelihood, and the DoS a high likelihood. You
assign the power outage a high level of damage, you assign the administrative compromise a
high level of damage, and you assign the DoS a low level of damage. Since the likelihood of
the power outage is low, you do not recommend spending any new money on this in your
report to the CEO. Since the level of damage is so high due to the administrative compromise,
you recommend new security systems to protect against that threat. You recommend that the
systems in place to mitigate the threat of the administrative compromise also be capable of
addressing the DoS threat.

Answer: B

QUESTION: 19

The Troytec network has been running smoothly for some time now. You are growing
confident that you have taken care of all the critical needs, and that the network is moving
towards a new state of maturity in the current configuration. You head out of the office on
Friday at noon, since you have put in lots of long hours over the last month. On Monday, you
are driving into the office, and you happen to look at the speed limit sign that is on the road
right next to Troytec. On the sign, in black paint, you see the following symbol:
Compaq
)(
128
Not good, you think, someone has been wardriving your office complex. That better not be in
my office. The office building that Troytec is in has many other offices and companies;
Troytec is not the only tenant. When you get inside, you check all your primary systems,
router, firewall, and servers, looking for quick and fast signs of trouble. There does not seem
to be any trouble so far. You check through your Snort logs, and so far so good. You are
starting to think that whatever the war drivers found, it was not part of Troytec. You know
that the Troytec policy does not allow for wireless devices, and you have neither installed nor
approved any wireless for the network. Since it is still early (you get in at 7:30 on Mondays),
you do not have anyone to talk to about adding any wireless devices. Select the solution that
will allow you to find any unauthorized wireless devices in the network in the least amount of
time, and with the least disruption to the office and employees.

A. Since the company has a clear policy against the use of wireless devices, and since you
know each employee, you are fairly confident that the device in question is not inside the
Troytec office. You schedule from 8:00 to 8:30 to do a visual walkthrough of the facilities. At
8:00, you grab your notebook, which has a network map and other reference notes, and you
begin your walkthrough. You walk into every office, except for the CEO's office, which is
locked, and access is not granted. You spend several minutes in each office, and you spend
some time in the open area where the majority of the employees work. You do not see any
wireless access points, and you do not see any wireless antennas sticking up anywhere. It
takes you more than the half an hour you allocated. By 9:00, the office has filled up, and most
people are getting their workweek started. You see the CEO walking in, and motion that you
have a question. You say, "I am doing a quick walkthrough of the office, there might be a
wireless device in here, and I know they are not allowed, so I am checking to see if I can find
it." "As far as I know, there are no wireless devices in the network. We don't allow it, and I
know that no one has asked me to put in wireless." "That's what I thought. I'm sure we don't
have any running here," you reply. You are confident the wireless problem is in another
office.
B. You decide to spend a full hour and a half from 8:00 to 9:30 going over your logs and data.
Until then, you wrap up some early email and pull the log files together to review. It takes
some time to gather all the log files that you can find, but you are able to get everything you
need. You get the logs from the Router, the Firewall, the IDS, the internal servers, and the web
and ftp server. For the next 90 minutes you do nothing other than study the logs looking for
unusual traffic, or anything that would be a trigger to you that there has been an intruder in
the network. First, you spend time on the router logs. On the router you see a series of the
following events: %SYS-5-CONFIG_I: Configured from console by vty1 (10.10.50.23). This
is an event you consider, and dismiss as not from an attacker. You then analyze the firewall,
and again there you find that there are no logs indicating an intruder is present. All the IP
traffic is from authorized IP Addresses. The IDS logs yield similar results: only authorized
traffic from hosts that have legitimate IP Addresses from the inside of the network. Analyzing
the servers' logs brings you to the same conclusion. All four servers show that the only access
has been from the authorized hosts in the network, and that no foreign IP Addresses have even
attempted a connection into the private servers. The web\ftp server that has a public IP
Address has had some failed attempts, but these are all in the realm of what you expect;
nothing there stands out to you either. After your hour and a half, you feel that you have gone
through all the logs, and that there is no evidence that there has been any unauthorized access
into any of your network resources, and you conclude that the wireless device is not in your
office.
C. You take your laptop, which has a built-in wireless network card, and you enable it. You
had not enabled the card before, as you know that wireless is not used in this network. You
do a quick install of NetStumbler and watch on screen to see what might come up sitting in
your office. A few seconds after the WNIC is initialized and NetStumbler is running, you see
the following line in NetStumbler: MAC: 46EAB5FD7C43, SSID: Dell, Channel: 11, Type:
Peer, Beacon: 100. You expand channel 11 on the left side of NetStumbler, and see that
MAC 46EAB5FD7C43 is bolded. You are surprised to find that there is a wireless device
running in the network, and now you are off to see if you can locate the physical device. You
take your laptop and head out of your office. You get about 20 feet away from the office
when you are stopped by the HR director, who needs help with a laser printer. You also stop
to chat about your findings with the CEO, who has just come in to the office. You put your
laptop back in your office, to check later in the day. Although you did not isolate the physical
location of the device, you are confident that you have indeed found a rogue device. As soon
as you locate the device, you will make a report for the CEO, and see to it that the device is
removed immediately.
D. You take your laptop, initialize your WNIC, plug in your external antenna, and enable
NetStumbler. You are glad that you keep all your gear nearby, even when you don't normally
use it. You would have had a 40 minute round trip drive to go home and get your own
wardriving equipment. By 8:30 you have found several wireless devices, but are not sure
which, if any, might be in your office. The output from NetStumbler shows the following:
MAC:46EAB5FD7C43, SSID:Dell, Channel:11, Type:Peer, Beacon:100
MAC:AB3B3E23AB45, SSID:Cisco, Channel:9, Type:AP, Beacon:85
MAC:000625513AAE, SSID:Compaq, Channel:7, Type:Peer, WEP, Beacon:67
MAC:000C4119420F, SSID:Private, Channel:11, Type:AP, Beacon:55
The one you are most interested in is the Compaq device: although you know the war
drivers might have just written it down, you want to look for Compaq devices first. The
Compaq is also an AP, so your suspicion is high. You walk around the office, watching for
the numbers in NetStumbler to adjust. As you walk towards the street, you note that the strength of
the Compaq device weakens, and by the time you get near the windows the signal is very weak.
So, you turn around and walk away from the street, and sure enough the signal gets stronger.
You actually walk out the main office door into the building's interior courtyard. Across the
courtyard you find the signal getting stronger and stronger. After you walk around for some time, you
are sure that you have isolated the signal as coming from an office inside the building and
exactly opposite Troytec. The device is not in your office, and you will report this to the
CEO. You will also ask the CEO if you should inform the neighbor that their network is
possibly at risk due to their wireless network use.
E. You take your laptop, initialize your WNIC, plug in your external antenna, and enable
NetStumbler. You are glad that you keep all your gear nearby, even when you don't normally
use it. It is not yet 8:00, and you will be able to walk the office freely, looking for any rogue
device. You turn on the laptop, and turn on your WNIC and NetStumbler. Right away, you see
the following line: MAC: 46EAB5FD7C43, SSID: Dell, Channel: 11, Type: Peer, Beacon:
100. You think that is what you were expecting, and you go on looking for the unauthorized
device. You walk around the office for a while, and see no fluctuation in the numbers, and do
not see any other devices on screen. By 8:30, most of the employees have come into the
office. You meet the CEO, who is just coming into the office, and give a short report on what
you are doing. Everyone you meet has their lunches, work files, briefcases or laptop bags, and
they get settled in like any other day. You get pulled into several conversations with your
co-workers as they get started. At 9:10, you get back to your laptop and you look down at your
screen to see what NetStumbler has to show. There are now two lines, versus the one that was
there before:
MAC: 46EAB5FD7C4, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100.
MAC: 000BCDA36ED, SSID: Compaq, Channel: 9, Type: Peer, Beacon: 75.
You close your laptop confident that you now know the exact location of the rogue device, which you
have identified as a Compaq laptop, running in peer mode, and you go to address the device
immediately.

Answer: E
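
As an added illustration of the method answer E relies on (a pre-arrival baseline scan compared against a later one), the following Python is example code written for this page, not NetStumbler's own tooling or output. It parses NetStumbler-style device lines, reports which devices are present in the later scan but absent from the baseline and from an authorized list, and gives a defender's verdict per device: an ad hoc ("Peer") station that appears as staff arrive is most likely a laptop in the office, while an access point needs a check on whether it is wired into the LAN. The scan snapshots are constructed from the lines quoted in the answers above, with the MAC values copied as printed there; the authorized list defaults to empty because wireless is not in use on this network.

```python
# Added example (not from the exam page): diff two NetStumbler-style scans and
# triage the devices that appear only once staff have arrived.
import re

# Scan snapshots constructed from the lines quoted in the answers above (MACs as printed there).
EARLY_SCAN = """
MAC: 46EAB5FD7C43, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100
"""
LATER_SCAN = """
MAC: 46EAB5FD7C43, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100
MAC: 000BCDA36ED, SSID: Compaq, Channel: 9, Type: Peer, Beacon: 75
"""
WALK_SCAN = """
MAC:46EAB5FD7C43, SSID:Dell, Channel:11, Type:Peer, Beacon:100
MAC:AB3B3E23AB45, SSID:Cisco, Channel:9, Type:AP, Beacon:85
MAC:000625513AAE, SSID:Compaq, Channel:7, Type:Peer, WEP, Beacon:67
MAC:000C4119420F, SSID:Private, Channel:11, Type:AP, Beacon:55
"""

# One NetStumbler-style line; the WEP marker is optional and sits before the beacon interval.
LINE_RE = re.compile(r"MAC:\s*([0-9A-Fa-f]+),\s*SSID:\s*([^,]+),\s*Channel:\s*(\d+),"
                     r"\s*Type:\s*(\w+),\s*(?:(WEP),\s*)?Beacon:\s*(\d+)")


def parse_scan(text):
    """Map MAC -> device fields for every NetStumbler-style line in text."""
    devices = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            mac, ssid, chan, kind, wep, beacon = m.groups()
            devices[mac.upper()] = {"ssid": ssid.strip(), "channel": int(chan), "type": kind,
                                    "wep": wep is not None, "beacon": int(beacon)}
    return devices


def new_devices(baseline, later, authorized=frozenset()):
    """Devices in the later scan that were in neither the baseline nor the authorized list."""
    return {mac: d for mac, d in later.items() if mac not in baseline and mac not in authorized}


def triage(baseline, later, authorized=frozenset()):
    """Return (mac, verdict) pairs for each newly seen device, ad hoc stations first."""
    verdicts = []
    for mac, d in sorted(new_devices(baseline, later, authorized).items(),
                         key=lambda item: (item[1]["type"] != "Peer", item[0])):
        where = "'%s' on channel %d%s" % (d["ssid"], d["channel"], "" if d["wep"] else ", no WEP")
        if d["type"] == "Peer":
            verdicts.append((mac, "ad hoc station %s: appeared with the morning arrivals, so most "
                                  "likely a staff laptop; locate it by signal strength and disable its WNIC" % where))
        else:
            verdicts.append((mac, "access point %s: confirm whether it is wired into this LAN "
                                  "or belongs to a neighbor" % where))
    return verdicts
```

Calling `triage(parse_scan(EARLY_SCAN), parse_scan(LATER_SCAN))` reproduces the reasoning in answer E: the only new entry is the Compaq peer on channel 9. Running the same baseline against `WALK_SCAN` (the list from answer D) shows why a walk-around inventory alone is weaker evidence: it surfaces three unknown devices, two of them access points that may simply belong to the neighbor.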

QUESTION: 20
You are well along your way to getting the Troytec security up to what you consider an
acceptable level. You feel the security is now solid enough that you can go ahead and run some
new tests and perform analysis on the network. You plug in your laptop and fire up Snort to
see the traffic coming into the network. You plug in on the outside of the router, to see the
unfiltered traffic that the network must deal with. In full promiscuous mode, you collect data
for an hour, to filter through it later. Since you captured quite a bit of data, you filter out a few
specific lines to analyze.
10\27-23:48:42.126886 0:D0:9:7E:E5:E9 -> 0:D0:9:7F:C:9B type:0x800 len:0x3C
10.0.10.237 -> 10.0.10.234 ICMP TTL:128 TOS:0x0 ID:1185 IpLen:20 DgmLen:36
Type:8 Code:0 ID:3 Seq:289 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\27-23:48:42.137906 0:D0:9:7E:E5:E9 -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.237 -> 10.0.10.235 ICMP TTL:128 TOS:0x0 ID:1186 IpLen:20 DgmLen:36
Type:8 Code:0 ID:3 Seq:290 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\27-23:48:42.148642 0:D0:9:7E:E5:E9 -> 0:D0:9:7E:F9:DB type:0x800 len:0x3C
10.0.10.237 -> 10.0.10.236 ICMP TTL:128 TOS:0x0 ID:1187 IpLen:20 DgmLen:36
Type:8 Code:0 ID:3 Seq:291 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\27-23:48:42.167031 0:D0:9:7E:E5:E9 -> 0:D0:9:68:87:2C type:0x800 len:0x3C
10.0.10.237 -> 10.0.10.238 ICMP TTL:128 TOS:0x0 ID:1190 IpLen:20 DgmLen:36
Type:8 Code:0 ID:3 Seq:292 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\27-23:48:42.177247 0:D0:9:7E:E5:E9 -> 0:D0:9:69:48:E3 type:0x800 len:0x3C
10.0.10.237 -> 10.0.10.239 ICMP TTL:128 TOS:0x0 ID:1191 IpLen:20 DgmLen:36
Type:8 Code:0 ID:3 Seq:293 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-19:09:07.387953 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.236:57228 -> 10.0.10.235:1 TCP TTL:44 TOS:0x0 ID:24652 IpLen:20
DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-19:09:07.320917 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.236:57228 -> 10.0.10.235:2 TCP TTL:44 TOS:0x0 ID:52330 IpLen:20
DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-19:09:07.377933 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.236:57228 -> 10.0.10.235:3 TCP TTL:44 TOS:0x0 ID:10807 IpLen:20
DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-19:09:07.328200 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.236:57228 -> 10.0.10.235:4 TCP TTL:44 TOS:0x0 ID:40192 IpLen:20
DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-19:09:07.363859 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.236:57228 -> 10.0.10.235:5 TCP TTL:44 TOS:0x0 ID:20497 IpLen:20
DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-19:09:07.391163 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.236:57228 -> 10.0.10.235:6 TCP TTL:44 TOS:0x0 ID:30756 IpLen:20
DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-19:09:07.300794 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.236:57228 -> 10.0.10.235:7 TCP TTL:44 TOS:0x0 ID:3946 IpLen:20
DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-01:52:16.979681 0:D0:9:7E:E5:E9 -> 0:D0:9:7F:C:9B type:0x800 len:0x3E
10.0.10.237:1674 -> 10.0.10.234:31337 TCP TTL:128 TOS:0x0 ID:5277 IpLen:20
DgmLen:48
******S* Seq: 0x3F2FE2CC Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-01:52:16.999652 0:D0:9:7E:E5:E9 -> 0:2:B3:2D:1:4A type:0x800 len:0x3E
10.0.10.237:1675 -> 10.0.10.235:31337 TCP TTL:128 TOS:0x0 ID:5278 IpLen:20
DgmLen:48
******S* Seq: 0x3F30DB1F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-01:52:17.019680 0:D0:9:7E:E5:E9 -> 0:D0:9:7E:F9:DB type:0x800 len:0x3E
10.0.10.237:1676 -> 10.0.10.236:31337 TCP TTL:128 TOS:0x0 ID:5279 IpLen:20
DgmLen:48
******S* Seq: 0x3F3183AE Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-01:52:17.059669 0:D0:9:7E:E5:E9 -> 0:D0:9:68:87:2C type:0x800 len:0x3E
10.0.10.237:1678 -> 10.0.10.238:31337 TCP TTL:128 TOS:0x0 ID:5282 IpLen:20
DgmLen:48
******S* Seq: 0x3F332EC2 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-01:52:17.079821 0:D0:9:7E:E5:E9 -> 0:D0:9:69:48:E3 type:0x800 len:0x3E
10.0.10.237:1679 -> 10.0.10.239:31337 TCP TTL:128 TOS:0x0 ID:5283 IpLen:20
DgmLen:48
******S* Seq: 0x3F3436FA Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-01:45:18.733562 0:D0:9:7E:E5:E9 -> 0:D0:9:7F:C:9B type:0x800 len:0x3E
10.0.10.237:1646 -> 10.0.10.234:12345 TCP TTL:128 TOS:0x0 ID:4974 IpLen:20
DgmLen:48
******S* Seq: 0x38E326F7 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-01:45:18.753691 0:D0:9:7E:E5:E9 -> 0:2:B3:2D:1:4A type:0x800 len:0x3E
10.0.10.237:1647 -> 10.0.10.235:12345 TCP TTL:128 TOS:0x0 ID:4975 IpLen:20
DgmLen:48
******S* Seq: 0x38E3D2D0 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-01:45:18.773781 0:D0:9:7E:E5:E9 -> 0:D0:9:7E:F9:DB type:0x800 len:0x3E
10.0.10.237:1648 -> 10.0.10.236:12345 TCP TTL:128 TOS:0x0 ID:4976 IpLen:20
DgmLen:48
******S* Seq: 0x38E4CF5C Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-01:45:18.813837 0:D0:9:7E:E5:E9 -> 0:D0:9:68:87:2C type:0x800 len:0x3E
10.0.10.237:1650 -> 10.0.10.238:12345 TCP TTL:128 TOS:0x0 ID:4979 IpLen:20
DgmLen:48
******S* Seq: 0x38E692B6 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10\28-01:45:18.833772 0:D0:9:7E:E5:E9 -> 0:D0:9:69:48:E3 type:0x800 len:0x3E
10.0.10.237:1651 -> 10.0.10.239:12345 TCP TTL:128 TOS:0x0 ID:4980 IpLen:20
DgmLen:48
******S* Seq: 0x38E7211C Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Looking at the types of traffic that are hitting your network, what types of attacks
are you dealing with, and what is the best solution for mitigating those attacks?

A. There is a clear attack pattern, where the attacker is looking for packets that are formed
with a TTL of 128, followed by a TTL of 44. Finally, the attacker is looking to exploit the
NOP SackOK vulnerability. To mitigate these attacks, you recommend implementing a new
firewall on the outside of the router, designed with rules to specifically stop these attacks,
allowing the rest of the traffic through to your router and the rest of your perimeter defense.
B. Looking at the traffic, you are unable to identify any pattern of attack. You see normal
legitimate traffic, the type of which you see every day. The traffic that you have captured
provides you no clues as to the current attacks against your network, and as such you make no
recommendations to mitigate.
C. There is a clear pattern of attack, starting with general reconnaissance to see which
systems are up and running to respond to attack inquiries. Next, the attacks show port scans,
looking specifically for open ports on a unique host, and then moving to searching out
NetBus and SubSeven servers. To mitigate these attacks, you do not recommend any new
technology. You feel that your firewall, IDS, and routers will properly address these types of
attacks.
D. There is a clear attack pattern, where the attacker first is checking to see which hosts will
reply to sequential packets, followed by vulnerability checking for the IPLen:20 server
vulnerability. To mitigate these attacks, you recommend reconfiguring the access control lists
on the routers, specifically to address the IPLen:20 attack, and to address the sequential
packet attack. You recommend that with the router configuration change, the threats will be
properly addressed.
E. There is a clear pattern of attack, starting with the attacker looking for hosts that will
respond to the ID:3 vulnerability. Once identified, the attacker runs a second set of scans,
looking for hosts that are vulnerable to a TOS:0x0 attack, and finally running a scan to check
for hosts that are vulnerable to the MSS: 1460 NOP attack. To mitigate these attacks, you
recommend implementing a new firewall on the outside of the router, designed with rules to
specifically stop these attacks, allowing the rest of the traffic through to your router and the
rest of your perimeter defense.

Answer: C
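
To show how the three phases named in answer C can be pulled out of the capture mechanically rather than by eye, here is an added Python example (written for this page; not Snort's own code and not part of the exam). It parses Snort's `-v` packet-dump records, groups the probes by source, and reports a ping sweep (one source echo-requesting several hosts within a few seconds), a per-host port scan (one source walking consecutive ports on one host, here with no TCP flags set at all), and SYN probes aimed at ports that were the default listeners of well-known backdoors. The sample records are constructed from the capture above (same addresses, ports, flags and timestamps), the year is an assumption because Snort prints only month and day, and the port-to-backdoor table is a constant of historical defaults: 12345 for NetBus, 31337 for Back Orifice, with SubSeven's 27374 included although it does not occur in this capture.

```python
# Added example (not from the exam page): classify the probe patterns in Snort -v output.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the capture above (same hosts, ports and timestamps);
# one DgmLen is wrapped onto its own line, as in the printed capture, to show the parser copes.
SAMPLE_LOG = r"""
10\27-23:48:42.126886 0:D0:9:7E:E5:E9 -> 0:D0:9:7F:C:9B type:0x800 len:0x3C
10.0.10.237 -> 10.0.10.234 ICMP TTL:128 TOS:0x0 ID:1185 IpLen:20 DgmLen:36
Type:8 Code:0 ID:3 Seq:289 ECHO
10\27-23:48:42.137906 0:D0:9:7E:E5:E9 -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.237 -> 10.0.10.235 ICMP TTL:128 TOS:0x0 ID:1186 IpLen:20 DgmLen:36
Type:8 Code:0 ID:3 Seq:290 ECHO
10\27-23:48:42.148642 0:D0:9:7E:E5:E9 -> 0:D0:9:7E:F9:DB type:0x800 len:0x3C
10.0.10.237 -> 10.0.10.236 ICMP TTL:128 TOS:0x0 ID:1187 IpLen:20 DgmLen:36
Type:8 Code:0 ID:3 Seq:291 ECHO
10\28-19:09:07.387953 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.236:57228 -> 10.0.10.235:1 TCP TTL:44 TOS:0x0 ID:24652 IpLen:20 DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20
10\28-19:09:07.320917 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.236:57228 -> 10.0.10.235:2 TCP TTL:44 TOS:0x0 ID:52330 IpLen:20
DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20
10\28-19:09:07.377933 0:D0:9:7E:F9:DB -> 0:2:B3:2D:1:4A type:0x800 len:0x3C
10.0.10.236:57228 -> 10.0.10.235:3 TCP TTL:44 TOS:0x0 ID:10807 IpLen:20 DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20
10\28-01:45:18.733562 0:D0:9:7E:E5:E9 -> 0:D0:9:7F:C:9B type:0x800 len:0x3E
10.0.10.237:1646 -> 10.0.10.234:12345 TCP TTL:128 TOS:0x0 ID:4974 IpLen:20 DgmLen:48
******S* Seq: 0x38E326F7 Ack: 0x0 Win: 0x4000 TcpLen: 28
10\28-01:52:16.979681 0:D0:9:7E:E5:E9 -> 0:D0:9:7F:C:9B type:0x800 len:0x3E
10.0.10.237:1674 -> 10.0.10.234:31337 TCP TTL:128 TOS:0x0 ID:5277 IpLen:20 DgmLen:48
******S* Seq: 0x3F2FE2CC Ack: 0x0 Win: 0x4000 TcpLen: 28
"""

HEADER_RE = re.compile(r"^(\d\d)\\(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) \S+ -> \S+ type:")
IP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))? (ICMP|TCP|UDP) TTL:(\d+)")
ICMP_RE = re.compile(r"^Type:(\d+) Code:(\d+)")
FLAGS_RE = re.compile(r"^([*12UAPRSF]{8}) Seq:")
BACKDOOR_PORTS = {31337: "Back Orifice", 12345: "NetBus", 27374: "SubSeven"}  # historical default ports

def parse_snort(text, year=2003):
    """Parse Snort -v records into dicts; Snort prints month/day only, so the year is assumed."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER_RE.match(line):
            mon, day, hh, mi, ss, us = (int(x) for x in m.groups())
            cur = {"ts": datetime(year, mon, day, hh, mi, ss, us), "proto": None,
                   "flags": None, "icmp_type": None, "dport": None}
            records.append(cur)
        elif cur is None:
            continue
        elif m := IP_RE.search(line):  # IP line; a wrapped DgmLen line matches nothing and is skipped
            cur.update(src=m.group(1), dst=m.group(3), proto=m.group(5), ttl=int(m.group(6)),
                       dport=int(m.group(4)) if m.group(4) else None)
        elif cur["proto"] == "ICMP" and (m := ICMP_RE.match(line)):
            cur["icmp_type"] = int(m.group(1))
        elif m := FLAGS_RE.match(line):
            cur["flags"] = m.group(1)
    return records

def flag_style(flags):
    """Name the scan type from Snort's 8-character TCP flag field."""
    if flags and set(flags) == {"*"}:
        return "null scan (no flags set)"
    return "SYN scan" if flags and set(flags) <= {"*", "S"} else "flags %s" % flags

def burst(rs, window_s):
    """True when every record in rs lies within window_s seconds of the others."""
    return (max(r["ts"] for r in rs) - min(r["ts"] for r in rs)).total_seconds() <= window_s

def detect(records, window_s=5.0, min_targets=3):
    """Report ping sweeps, per-host port scans and probes of known backdoor ports, in time order."""
    icmp, pairs, ports = defaultdict(list), defaultdict(list), defaultdict(list)
    for r in records:
        if r["proto"] == "ICMP" and r["icmp_type"] == 8:  # echo request
            icmp[r["src"]].append(r)
        elif r["proto"] == "TCP":
            pairs[(r["src"], r["dst"])].append(r)   # one host, many ports: vertical scan
            ports[(r["src"], r["dport"])].append(r)  # one port, many hosts: horizontal scan
    out = []  # (first seen, kind, source, detail)
    for src, rs in icmp.items():
        hosts = sorted({r["dst"] for r in rs})
        if len(hosts) >= min_targets and burst(rs, window_s):
            out.append((min(r["ts"] for r in rs), "ping_sweep", src,
                        "%d hosts echo-requested: %s" % (len(hosts), ", ".join(hosts))))
    for (src, dst), rs in pairs.items():
        ps = sorted({r["dport"] for r in rs})
        if len(ps) >= min_targets and burst(rs, window_s):
            out.append((min(r["ts"] for r in rs), "port_scan", src, "%s ports %d-%d (%d), %s"
                        % (dst, ps[0], ps[-1], len(ps), flag_style(rs[0]["flags"]))))
    for (src, port), rs in ports.items():
        if port in BACKDOOR_PORTS:
            out.append((min(r["ts"] for r in rs), "backdoor_probe", src, "%s default port %d on %d host(s)"
                        % (BACKDOOR_PORTS[port], port, len({r["dst"] for r in rs}))))
    out.sort()
    return [o[1:] for o in out]
```

`detect(parse_snort(SAMPLE_LOG))` returns four findings in time order: the sweep from 10.0.10.237, the NetBus and Back Orifice probes from the same source, and the null scan of 10.0.10.235 from 10.0.10.236. The window and target thresholds are what keep ordinary traffic quiet: one host pinging three servers over a working day is not a sweep, three pings in 22 milliseconds is. Those thresholds, not the TTL, TOS, IP ID or MSS values that the distractor answers fixate on, are the fields a Snort rule or IDS policy should key on for this pattern.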
