Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals, 2e                             Solutions 1-1

Chapter 1 Review Questions

        1. Each of the following factors illustrates why information security is
           increasingly difficult except _______.
                        a.     faster computer processors
                        b.     growing sophistication of attacks
                        c.     faster detection of weaknesses
                        d.     distributed attacks

        2. A type of software that repairs security flaws in an application is called a(n)
                        a.     hot fix
                        b.     exploit
                        c.     repair
                        d.     patch

        3. The primary goal of information security is to protect __________.
                        a.     procedures
                        b.     people
                        c.     information
                        d.     products

        4. Each of the following is a characteristic of information except ________.
                        a.     integrity
                        b.     confidentiality
                        c.     conformity
                        d.     availability

        5. Each of the following is intended to protect information except _________.
                        a.     people
                        b.     policies
                        c.     equipment
                        d.     confidentiality

        6. Information security procedures tell the people how to use products to protect
           information. True or false?

        7. Hackers now use protocols such as the Hypertext Transfer Protocol (HTTP) to
           send data or commands to attack computers, making it difficult to distinguish
           an attack from legitimate network traffic. True or false?

        8. The theft of data is the least significant cause of financial loss due to a
           security breach. True or false?

        9. Integrity ensures that information is correct and that no unauthorized person
           or malicious software program can or has altered that data. True or false?

        10. Attackers can now use hundreds or thousands of computers in an attack
            against a single computer or network, making it impossible to stop an attack
            by identifying and blocking the source. True or false?

        11. While most attacks today take advantage of vulnerabilities that someone has
            already uncovered, a(n) _____ occurs when a hacker discovers and exploits a
            previously unknown flaw. day zero attack

        12. _____ involves assuring that only authorized parties can view information.

        13. Under the _____, healthcare enterprises must guard protected health
            information and implement policies and procedures to safeguard it. Health
            Insurance Portability and Accountability Act (HIPAA)

        14. The _____ act is designed to broaden the surveillance of law enforcement
            agencies to help them detect and suppress terrorism. USA Patriot Act

        15. Attacks by terrorists using computer technology and the Internet are called
            _____. cyberterrorism

        16. What is a distributed attack?
            A distributed attack is an attack that comes from not just one but several
            different sources. Attackers can now use hundreds or thousands of
            computers in an attack against a single computer or network. This “many
            against one” approach makes it impossible to stop an attack just by
            identifying and blocking the source.

        17. What is the difference between a threat and a threat agent?
            A threat is an event or an action that may defeat the security measures in
            place and result in a loss. A threat agent is a person or thing that has the
            power to carry out a threat.

        18. What is a risk and how can it be mitigated?
            A risk is the likelihood that the stereo will be stolen. In information
            security terms, a risk is the likelihood that a threat agent will exploit a
            vulnerability. Risk cannot ever be entirely eliminated; it would cost too
            much and take too long. Rather, some degree of risk must always be
            assumed. The questions are, “How much risk is acceptable? Are we
            willing to tolerate it?” There are three options when dealing with risks:
            accept the risk, diminish the risk, or transfer the risk.

        19. Explain how people, products and procedures help protect information.
            Information security is achieved through a combination of three entities.
            The protection that covers the information along with the hardware,
            software and communications is in three successive layers. The innermost
            layer is the products that provide the necessary security. These
            products may be as basic as door locks or as complicated as intrusion
            detection systems and firewalls. These products form the physical security
            around the data. The next layer is the people. Without individuals
            implementing and properly using the security products, the data can
            never be protected. The final layer is the procedures. These include the
            plans and policies established by the organization to ensure that the
            people correctly use the products. These three layers all interact with
            each other. The procedures tell the people how to use the products to
            protect the information. Thus information security is the protection of the
            integrity, confidentiality, and availability of information on the devices
            that store, manipulate and transmit the information through products,
            people and procedures.

        20. Identify some problems with software patches when trying to protect
            One of the primary defenses against attacks is applying patches, which is
            a type of software that is used to fix or repair security flaws in an existing
            software application. However, managing patches and knowing which
            ones to install can be difficult. Most attacks have been successful due to
            users not applying patches that had been released long before the attack

Chapter 2 Review Questions
     1. Attackers known as _____ like to think of themselves as an elite group who are
        performing a valuable service in identifying security weaknesses.
           a. crackers
           b. script kiddies
           c. hackers
           d. cyberterrorists

     2. A _____ possesses advanced computer skills and attacks computers with a
         malicious intent.
           a. script kiddie
           b. hacker
           c. cracker
           d. worm zombie
     3. The motivation for a computer spy is _____________.
           a. financial
           b. egotism
           c. ideological
           d. social

     4. One reason employees are so successful at attacking their company’s computers is
           a. they have superior networking skills
           b. employees already have access to all company information
           c. a company’s information security is focused on keeping out intruders
           d. employees have unlimited access to company computers

     5. Each of the following is a goal of cyberterrorists except _________.
           a. defacing electronic information
           b. denying service to legitimate users
           c. committing unauthorized intrusions into critical infrastructures
           d. replacing computers with unauthorized devices

     6. Today the global computing infrastructure is the most likely target of attacks.
         True or false?

     7. Instead of attacking the computing infrastructure directly, attackers can embed the
         attack in the data itself, which makes detection harder. True or false?

     8. Social engineering is the easiest way to attack a computer system, requires almost
         no technical ability, and is usually highly successful. True or false?

     9. There is no defense for social engineering attacks. True or false?

     10. The first line and strongest defense of any computer system is passwords. True
         or false?

     11. When an attacker sends out counterfeit e-mail messages to direct users to his
         own site this is called _____. phishing

     12. With a(n) _____ attack the attacker attempts to create every possible password
         combination by systematically changing one character at a time and then using
         each newly generated password to access the system. brute force

     13. A(n) _____ attack takes each word from a dictionary and encodes it in the same
         way in which the computer would encode a user’s password. dictionary

     14. A(n) _____ occurs when a computer program attempts to stuff more data into a
         temporary storage area than it can hold, overwriting valid computer data. buffer

     15. Cryptography is based on a procedure called an algorithm, which is given a
         starting value known as a(n) _____. key

     16. Explain how an attacker would use a mathematical attack.

           A mathematical attack may develop a statistical analysis of the characters
           in an encrypted text and then analyze the statistics in an attempt to
          discover the keys and decrypt the data. Although by hand this would take
          an enormous amount of time, with modern computers mathematical
          attacks of this nature are much more feasible.

     17. What is the birthday paradox and how is it used by attackers?

          If you were to meet a complete stranger there would be only a 1 in 365
          chance (0.27%) that he would have the same birthday as you. However, the
          chance of meeting someone with your birthday increases remarkably faster
          as you meet more people. With the first 23 people that you meet there is
          actually a 50% chance and not a 6.3% chance (23 in 365) that you will find
          someone with the same birthday as you. If you meet 60 people the
          probability leaps to over 99% that you will share the same birthday with
          one of these people. This phenomenon is called the birthday paradox. In
          cryptography the birthday paradox is significant. When encrypting a
          message it would be assumed that the best approach would be to randomly
          select a different key value each time. However, if you pick random values
          then you will actually create duplicate values much sooner than you would
          expect, much like meeting someone who shares your birthday. That is, even
          with random selection duplicate values will quickly appear. A birthday
           attack is an attack on a cryptographic system that exploits the
          mathematics underlying the birthday paradox.
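The arithmetic behind the answer above, as an added example (not code from the textbook): the exact collision probability for n draws from a space of N values, which gives the quoted figures for N = 365, and the same formula applied to a constructed key space of 2^20 values to show how soon randomly chosen keys repeat.

```python
"""Birthday-paradox arithmetic (added example, not from the textbook)."""
import math
import random


def collision_probability(n: int, space: int = 365) -> float:
    """Exact P(at least one duplicate among n uniform draws from `space` values).

    P(no collision) = prod_{k=0}^{n-1} (space - k) / space; the product is taken
    in log space so large key spaces do not underflow.
    """
    if n > space:
        return 1.0  # pigeonhole: a duplicate is certain
    log_no_collision = 0.0
    for k in range(n):
        log_no_collision += math.log((space - k) / space)
    return 1.0 - math.exp(log_no_collision)


def draws_for_probability(target: float, space: int = 365) -> int:
    """Smallest n for which collision_probability(n, space) reaches `target`."""
    n = 1
    while collision_probability(n, space) < target:
        n += 1
    return n


def simulate_first_duplicate(space: int, rng: random.Random) -> int:
    """Pick values at random until one repeats; return how many picks that took.
    This stands in for 'randomly selecting a different key value each time'."""
    seen = set()
    draws = 0
    while True:
        value = rng.randrange(space)
        draws += 1
        if value in seen:
            return draws
        seen.add(value)


def average_first_duplicate(space: int, trials: int = 1000, seed: int = 1) -> float:
    """Mean number of random picks before the first repeat, over `trials` runs."""
    rng = random.Random(seed)
    return sum(simulate_first_duplicate(space, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for people in (1, 23, 60):
        print(f"{people:3d} people: {collision_probability(people):.2%} chance of a shared birthday")
    print("people needed for a 50% chance:", draws_for_probability(0.5))
    # Constructed key space of 2^20 values (not a real cipher's key size).
    space = 2 ** 20
    print("50% chance of a repeated key after", draws_for_probability(0.5, space), "random keys")
    print("average random keys until the first repeat:", average_first_duplicate(space))
```

For the 2^20 key space a duplicate is even money after roughly 1,200 keys, about the square root of the space, which is the quantity a birthday attack budgets for.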

     18. What is the difference between a man-in-the-middle attack and a replay?

         A replay attack is similar to an active man in the middle attack. However,
         whereas an active man in the middle attack will change the contents of a
         message before sending it on, a replay attack will only capture the message
         and then send it again later (replay it).

     19. Explain how a denial of service (DoS) attack works.

          A denial of service (DoS) attack attempts to make a server or other
          network device unavailable by flooding it with requests, such as displaying
          a Web page or accessing a stored file. The server will respond to each
          request from the computers that started the process. However, with a DoS
          attack, the computers that launched the denial of service attack are
          programmed to not reply to the server’s response. The server will “hold
          the line open” and continue to wait for a response (which is never coming)
          while receiving more and more requests and keeping those lines open for
          responses. After a short period of time the server runs out of resources and
          can no longer function.

     20. What is the difference between a worm and a virus?

         Although similar in nature, worms are different from viruses in two
         regards. First, a virus attaches itself to another computer document, like an
         e-mail message, and is then spread by traveling along with the e-mail
         message. A worm, on the other hand, does not attach to a “host” document
         in order to spread. A worm can spread by itself. A second difference is that
         a virus needs the user to perform some type of action, like starting a
         program or reading an e-mail message, in order to start the infection. A
         worm does not require any action by the computer user to start it. Worms
         can continuously replicate themselves until they “clog” all available
         resources, such as computer memory or the network bandwidth connection.

Chapter 3 Review Questions

        1. A security plan that is initiated by a(n) _____ would be defined as a bottom-
           up approach.
                            a. Chief information officer (CIO)
                            b. Help desk technician
                            c. Chief security officer
                            d. Financial counselor

        2. The advantage of layering is _________.
                            a. there is no single point of failure
                            b. it is less expensive
                            c. it provides redundant services such as dual firewalls
                            d. it does not require security personnel to implement

        3. Restricting users to the lowest level of permissions they need to do their job is
           called ____________.
                            a. restrictive access listing (RAL)
                            b. limiting
                            c. constraint leveling
                            d. concise security administration (CSA)

        4. Each of the following is an example of how diversity can be achieved except
                            a. one firewall filters one type of traffic while a second firewall
                               filters other traffic
                            b. devices purchased from a variety of vendors
                            c. servers running different operating systems
                            d. requiring one type of hard disk drive

        5. Which of the following is an example of security by obscurity?
                            a. Posting the company’s security plan on the Web site
                            b. Advertising for bids for a specific brand of firewall in the
                               local newspaper
                            c. Removing a logon window message that indicates the
                               name of the operating system
                            d. Requiring vendors to ship equipment that does not have a
                               serial number

        6. Layering is no longer considered a proper means of creating a security
           environment. True or false?

        7. A disadvantage of layering is that uncoordinated layers can create security
           holes in the defense. True or false?

        8. Complex security systems are preferred over simple systems. True or false?

        9. Authentication verifies that a trusted person who has been preapproved for
           access is actually the one who now demands that access. True or false?

        10. The only time you are asked to authenticate yourself is when using a
            computer. True or false?

        11. Authentication based on a secret code you have memorized is an example of
            authentication by ___. what you know

        12. The term used to describe an employee who actively tries to prevent security
            attacks from passing through them is a(n) _____. human firewall

        13. A subject, such as a person or a computer program, interacts with a(n) _____.

        14. Using your fingerprint to access a system is an example of authentication by
            _____. what you are

        15. A(n) _____ is a security device that is used to authenticate the user by having
            the appropriate permission (such as a password) embedded into it. token

        16. What are some of the weaknesses of biometrics and how can they be
            Biometrics has its weaknesses. Many high-end scanners are relatively
            expensive, can be difficult to use, and can reject authorized users while
            accepting unauthorized users. These errors are mainly due to the large
            number of characteristics of a face or hand that must be scanned and
            then compared. Also, it is possible to “steal” someone’s characteristics by
            lifting a fingerprint from a glass, photographing an iris, or recording a
            voice and then use these to trick the scanner. Biometric security is still in
            its early developmental stages. Many industry experts recommend that
            at the present time it should be used along with passwords and other
            forms of authentication.

        17. Explain how a digital certificate works.
            Although encrypting messages with keys is an excellent means of sending
            messages so that unauthorized users cannot see them, one of the
            weaknesses of the key system is that it does not prove that the sender is
             actually who he claims to be. How does the receiver know who
            actually sent the message? The answer is a certificate (sometimes called a
            digital certificate). A certificate links or binds a specific person to a key.
            Digital certificates are provided by a certification authority (CA), which
            is an independent third-party organization. A user requesting a digital
            certificate must provide personal information, such as name, former last
            name (if changed in last twelve months), home address, social security
            number, date of birth, driver's license number, e-mail address, work
            phone and home phone numbers. In some instances the CA may require
            that the person actually make a personal visit to the CA office in order to
             prove his existence and identity. Once the person’s identity is established,
             the CA will then issue a certificate.

        18. Where is Kerberos used and how does it work?
            Kerberos is typically used when a user on a network is attempting to
            make use of a network service, and the service wants assurance that the
            user is who he says he is. The user is provided a ticket that is issued by
            the Kerberos authentication server (AS). This ticket contains information
            linking it to the user. The user presents this ticket to the network for a
            service. The service then examines the ticket to verify the identity of the
            user. If all checks out, then the user is accepted. Kerberos tickets are
            difficult to copy (because they are encrypted), they contain specific user
            information, they restrict what a user can do, and they expire after a few
            hours or a day.

        19. What is the difference between one-way authentication and mutual
            authentication? What attacks does mutual authentication combat?
            Two-way authentication, known as mutual authentication, can be used to
            combat identity attacks, such as man in the middle and replay attacks.
            With mutual authentication the user is authenticated through a
            password, tokens, or other means by the server. The server likewise is
            authenticated: that is, the user verifies that he is actually connected to the
            “real” server and not an imposter. Mutual authentication provides a
            means for both sides of a connection to verify the authenticity of each

        20. How does Role Based Access Control function? What are its advantages?
            Handling the permissions for individual users can be a time-consuming
            task. Not only must they be initially set up, but there may be constant
            “tweaking” necessary as users take on new responsibilities or assume new
            job titles. A model that can be used assigns permissions to a position or
            “role” and then user and other objects are assigned to that role,
            inheriting all of the permissions for the role. This is known as Role Based
            Access Control (RBAC). RBAC reduces the amount of “adjusting” that
             must be done on an account as an employee adds additional responsibilities
            to his or her title.

Chapter 4 Review Questions
        1. You can start to build defenses for your information systems by creating
           security ___________.
                            a. foundations
                            b. baselines
                            c. pillars
                            d. planes
        2. In Microsoft Windows, the name of the background program, such as
           Svchost.exe, is called a _____ .
                            a. process
                            b. service
                            c. display service
                            d. parent service
        3. Stopping and then starting again a service is sometimes called a
                            a. restart
                            b. disable
                            c. process
                             d. reenable
        4. A nonsecurity advantage of disabling a service is that ____________.
                            a. ROM is preserved
                            b. the operating system can perform fewer functions
                            c. communication with firmware is enhanced
                            d. it frees up RAM
        5. A(n) _____ identifies what program or service on the receiving computer is
           being accessed.
                            a. process
                            b. port number
                            c. UPD designator
                            d. service-initiated socket (SIS)
        6. Port 80 identifies the service as Web traffic (HTTP). True or false?
        7. Determining which services to turn off is a very simple task. True or false?
        8. With open source software such as Linux, the user community provides
           updates. True or false?
        9. A patch should be applied before a service pack. True or false?
        10. Tools that assist in the update procedures of distributing and testing patches
            are known as patch management tools. True or false?
        11. A process provides what is known as a(n) _____ to the operating system.
        12. When a service is in _____ mode, it starts every time the computer is turned
            on. automatic
        13. _____ mode allows Windows to start a service whenever it is needed.
        14. A service that has been set to _____ mode is not loaded, even if it is needed.
        15. Explain the differences between a service pack, a hotfix, and a patch.
            Of the different types of software updates there are three that are most
            commonly used. The service pack, which is a cumulative set updates
            including fixes for problems that have not been made available through
            updates, are the most broad. After installing the current version of the
            operating system software on the computer the very next step should be
            to install the service pack (or packs). This will serve to update the
            software to the fullest extent. The second type is known as a hotfix. A
            hotfix does not typically address security issues. Instead, it addressed a
            specific problem in software, such as a feature that does not work
            properly. Once all of the service packs have been installed on a new
            system then any hotfixes should be applied. The third common update is
            a patch, or a software update to fix or repair of a specific security flaw.
            Patches may be released on a regular or irregular basis, depending upon
            the vendor or support team. Patches for a local operating system can be
            installed by the end user on his or her own system.
        16. What are the desirable features of a good patch management system?
            Patch management attempts to identify the systems that need updates
            and then installs and tests those updates as well as identifying any new
            vulnerabilities. The features of a good patch management system include:
               Patches can be targeted at certain groups of computers for
               Computers are automatically rebooted after the patch is installed
               A reporting system verifies the download and installation of the patch
                Third-party management and patch tools should connect to the patch
                management system
                Patches can be downloaded from the Internet onto a local patch
                server and then the updates can be distributed locally so that patches
                can be applied to computers that do not have Internet access
                Patches can be copied to a CD from the local patch server and
                installed manually if necessary
        17. What are security template snap-ins?
            Microsoft Windows systems provide a centralized method of defining
            security on a computer. The Microsoft Management Console (MMC) is a
            Windows utility that accepts additional components known as snap-ins.
            Snap-ins, available from either Microsoft or other third-party vendors,
            add additional functionality to the operating system.
            One of the useful snap-in components is the Security Template snap-in.
            Security Templates do not introduce new security parameters, but rather
            organize all existing security attributes into one place to make security
            administration easier by providing a single point of entry where all
            system security can be viewed, adjusted, and applied to a local computer.
        18. List some ways to secure a Web server.
            Some of the steps that should be followed to harden a Web server
            Use ACLs to limit a Web surfer’s ability to navigate and browse the
            content and run selected applications; they should never be given
            permissions to write to the server.
            Be sure that patches and service packs are regularly used to update the
            Keep in tune with exposed Web server vulnerabilities by subscribing to
            security organizations that distribute information on the latest flaws, or
            regularly visit attacker Web sites.
            Delete any sample files that may be included with the installation that are
            intended as references; these may have security holes in them.
            Isolate the Web server from the internal network
            Be sure that the Web server records its actions on a log file and examine
            the file regularly
            If the server will be sending or receiving sensitive information, implement
            a technology that encrypts the transmission
        19. What is an open mail relay? How can it be prevented?
            An open mail relay occurs when a mail server processes mail messages
            when neither the sender nor the recipient is a local user. The mail server
            is used to “bounce” e-mail from one outside source to other sources. In
            this case the mail server becomes an entirely unrelated third party.
            Spammers use open mail relays to distribute hundreds of thousands of e-
            mail messages that can only be traced back to the open mail relay and not
            the spammer’s computer. Open mail relay can be prevented by properly
            configuring the mail server. Only trusted users should be given
            permission to send outgoing e-mail messages. This can be set by
            specifying an IP address range. Another option is to specify which
            systems are allowed to send mail through the mail server.
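The relay-control decision from the answer above, as an added example (not code from the textbook or from any real mail server): a message is accepted when the recipient is a local user or when the connecting client is inside the trusted address range; anything else is the open-relay case. The local domain, the trusted range and the sample transactions are constructed.

```python
"""Relay control for a mail server (added example, not from the textbook)."""
import ipaddress
from typing import List, Tuple

LOCAL_DOMAINS = {"example.com"}                              # constructed: domains this server hosts
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]    # constructed: our users' address range


def domain_of(address: str) -> str:
    """Domain part of an e-mail address, lower-cased; '' if the address is malformed."""
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def relay_decision(client_ip: str, mail_from: str, rcpt_to: str) -> Tuple[bool, str]:
    """Decide whether to accept one message; returns (accept, reason)."""
    client = ipaddress.ip_address(client_ip)
    client_trusted = any(client in net for net in TRUSTED_NETWORKS)
    recipient_local = domain_of(rcpt_to) in LOCAL_DOMAINS
    sender_local = domain_of(mail_from) in LOCAL_DOMAINS

    if recipient_local:
        return True, "inbound: recipient is a local user"
    if client_trusted:
        return True, "outbound: client is in the trusted address range"
    # From here on the recipient is remote and the client is not one of ours:
    # accepting would make this server a relay for an unrelated third party.
    if sender_local:
        # An envelope sender is easily forged, so a local sender address on its
        # own does not earn relay rights; only the client's address range does.
        return False, "relay denied: local sender claimed from an untrusted client"
    return False, "relay denied: neither sender nor recipient is local"


def audit(sessions: List[Tuple[str, str, str]]) -> Tuple[int, int]:
    """Count (accepted, refused) over (client_ip, MAIL FROM, RCPT TO) transactions."""
    accepted = refused = 0
    for client_ip, mail_from, rcpt_to in sessions:
        ok, _ = relay_decision(client_ip, mail_from, rcpt_to)
        if ok:
            accepted += 1
        else:
            refused += 1
    return accepted, refused


# Constructed SMTP transactions: (client IP, MAIL FROM, RCPT TO).
SAMPLE_SESSIONS = [
    ("203.0.113.9", "partner@example.net", "alice@example.com"),  # inbound: accept
    ("192.0.2.10", "bob@example.com", "carol@example.net"),       # our user sending out: accept
    ("203.0.113.9", "spam@example.org", "victim@example.net"),    # outsider to outsider: refuse
    ("203.0.113.9", "bob@example.com", "victim@example.net"),     # forged local sender: refuse
]

if __name__ == "__main__":
    for session in SAMPLE_SESSIONS:
        print(session, "->", relay_decision(*session))
    print("accepted/refused:", audit(SAMPLE_SESSIONS))
```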
        20. What is a rule base and how is it used?
            The rules that a network device will use to permit or deny a packet are
            sometimes called a rule base. Because more than one criterion is used, such
            as deny packets arriving from a specific site or that attempt to access a
            specific TCP port, ACLs end up being lists of rules instead of one specific
            rule. Because each packet must be compared to the set of rules before it
            can pass through, it is important that the rule base size be limited to
            about 40 rules. As packets arrive they are compared to each rule in
            sequence: the packet is first compared to Rule 1, and if it passes it is then
            compared to Rule 2, etc. The most important rules should come towards
            the top of the list. The last rule should be a “general” rule that covers
            malicious packets that have not been detected by any previous rules. The
            above rules do not apply to Cisco Routers’ ACL in which each packet is
            compared to each rule in sequence and if it matches the rule, it will be
            either accepted or rejected based on the rule. If the packet does not
            match the rule, it will be compared downward towards the list until one is
            matched. If there is no match at all, the packet will be dropped.
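The first-match rule base evaluation the answer above describes, as an added example (not code from the textbook or from any real router or firewall): packets are compared to the rules in sequence, the first rule whose criteria all match decides the packet, and a final general deny rule catches everything earlier rules missed. The rules, packets and the 40-rule warning threshold are constructed from the answer's own figures.

```python
"""First-match packet-filter rule base (added example, not from the textbook)."""
import ipaddress
import warnings
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source network; the default matches any source
    proto: Optional[str] = None     # "tcp" or "udp"; None matches any protocol
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Dict) -> bool:
        """Every criterion the rule specifies must match the packet."""
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


CATCH_ALL = Rule("deny")  # the "general" rule that ends every rule base


class RuleBase:
    MAX_RULES = 40  # the size guideline given in the answer

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        if not self.rules or self.rules[-1] != CATCH_ALL:
            self.rules.append(CATCH_ALL)
        if len(self.rules) > self.MAX_RULES:
            warnings.warn(f"rule base has {len(self.rules)} rules; keep it near {self.MAX_RULES}")

    def evaluate(self, pkt: Dict) -> Tuple[str, int]:
        """Compare the packet to each rule in sequence; return (action, index of deciding rule)."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, index
        return "deny", len(self.rules) - 1  # not reached: the catch-all always matches


# Constructed rule base: the most important (most specific) rules first.
SAMPLE_RULES = [
    Rule("deny", src="198.51.100.0/24"),                            # 0: block one outside site
    Rule("deny", proto="tcp", dst_port=23),                         # 1: no telnet from anywhere
    Rule("permit", proto="tcp", dst_port=80),                       # 2: web
    Rule("permit", proto="tcp", dst_port=443),                      # 3: web over TLS
    Rule("permit", src="192.0.2.0/24", proto="tcp", dst_port=22),   # 4: SSH from the admin subnet only
]


def decide(pkt: Dict, rules: List[Rule] = SAMPLE_RULES) -> Tuple[str, int]:
    """Evaluate one packet against a rule base (default: the constructed sample)."""
    return RuleBase(rules).evaluate(pkt)


def order_matters() -> Tuple[str, str]:
    """Same two rules in two orders: the blocked site gets through when the
    general web permit is listed ahead of the site-specific deny."""
    pkt = {"src": "198.51.100.7", "proto": "tcp", "dst_port": 80}
    careful = RuleBase([SAMPLE_RULES[0], SAMPLE_RULES[2]]).evaluate(pkt)[0]
    careless = RuleBase([SAMPLE_RULES[2], SAMPLE_RULES[0]]).evaluate(pkt)[0]
    return careful, careless


if __name__ == "__main__":
    for pkt in (
        {"src": "198.51.100.7", "proto": "tcp", "dst_port": 80},
        {"src": "203.0.113.5", "proto": "tcp", "dst_port": 80},
        {"src": "203.0.113.5", "proto": "tcp", "dst_port": 22},
        {"src": "192.0.2.9", "proto": "tcp", "dst_port": 22},
        {"src": "203.0.113.5", "proto": "udp", "dst_port": 53},
    ):
        action, idx = decide(pkt)
        print(f"{pkt['src']:>14} {pkt['proto']}/{pkt['dst_port']:<4} -> {action} (rule {idx})")
    print("ordering (careful, careless):", order_matters())
```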

Chapter 5 Review Questions
        1. Each of the following can be found in a cable plant except _____________.
                            a. coaxial cable
                            b. fiber-optic cable
                            c. RJ-11
                            d. BNC connectors
        2. Floppy disks are known as _____ media.
                            a. magnetic
                            b. optical
                            c. flash
                            d. electronic
        3. _____ contains a dedicated controller chip.
                            a. CompactFlash
                            b. SmartMedia
                            c. USB memory stick
                            d. RAM BIOS
        4. A(n) _____ receives a packet from one network device and sends it to all
           devices on the network.
                            a. hub
                            b. switch
                            c. router
                            d. IDS
        5. Each of the following can be identified as physical security except
                            a. door locks
                            b. antivirus software
                            c. alarm systems
                            d. lighting
        6. Although at one time the mainstay of computer networks, twisted-pair cable is
           rarely used today. True or false?
        7. A switch cannot limit the effectiveness of a sniffer. True or false?
        8. A DSL broadband connection allows for an “always on” connection, while a
           cable modem does not. True or false?
        9. A Remote Access Server does not recognize the universal naming convention.
           True or false?
        10. Mobile devices, such as PDAs and cell phones, pose no real threat to security.
            True or false?
        11. The physical infrastructure, such as the wire, connectors, and cables, which
            are used to carry data communications signals between equipment is known
            as the _____. cable plant
        12. An attacker can capture packets as they travel through the network using a
            technique called _____. sniffing
        13. A software firewall that runs as a program on a local computer is called
            a(n) _____. personal firewall
        14. _____, which is part of the TCP/IP protocol suite, is used to gather data about
            network performance. Simple Network Management Protocol (SNMP)
        15. A(n) _____ is a smaller version of the telephone company’s larger central
            switching office that is privately owned. PBX
        16. Explain the difference between stateful and stateless packet filtering.
            Packets can be filtered by a firewall in one of two different ways. Stateless
            packet filtering looks only at the packet and permits or denies it based
            strictly on the rule base. Stateful packet filtering keeps a record of the
            state of each connection between an internal computer and an external
            server and makes decisions based on the connection as well as the rule
            base. For example, a stateless packet filter firewall would allow an
            inbound packet to pass through because it matched the rule base. However,
            a stateful packet filter would drop this packet because the internal
            network computer did not first solicit or request the packet.
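
            The following Python block is an added example (not from the textbook) that
            models both of the answers above: the rule base from the previous chapter’s
            question 20 (rules compared in sequence, first match decides, general deny at
            the end, implicit drop when nothing matches) and the stateless-versus-stateful
            decision from this question 16. The packets, addresses and rule names are
            constructed sample values; the stateful filter is simplified so that inbound
            traffic is admitted only as a reply to a recorded outbound connection.

```python
from collections import namedtuple

# A packet as the filter sees it. "direction" is "out" (leaving the protected
# network) or "in" (arriving from outside). Sample addresses are constructed
# from the documentation ranges.
Packet = namedtuple("Packet", "src dst proto sport dport direction")


class Rule:
    """One entry in a rule base. Any field not given matches any value."""
    def __init__(self, action, name, **criteria):
        self.action, self.name, self.criteria = action, name, criteria

    def matches(self, pkt):
        return all(getattr(pkt, field) == value
                   for field, value in self.criteria.items())


def evaluate(rule_base, pkt):
    """Stateless filtering: compare the packet to Rule 1, then Rule 2, ...;
    the first rule that matches decides. If nothing matches the packet is
    dropped, the implicit deny the answer describes for Cisco ACLs."""
    for rule in rule_base:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit deny"


# Order matters: the deny for the known-bad site must sit above the general
# "browsing" permit or it would never be reached. The last rule is the
# general catch-all the answer recommends.
RULE_BASE = [
    Rule("deny", "block known bad site", dst="203.0.113.9"),
    Rule("permit", "browsing", direction="out", proto="tcp", dport=80),
    # A stateless filter has no memory, so to let web replies back in it must
    # admit every inbound TCP packet whose source port is 80 ...
    Rule("permit", "web replies", direction="in", proto="tcp", sport=80),
    Rule("deny", "general catch-all"),
]

MAX_RULES = 40   # the answer's rule of thumb for keeping lookups cheap


def rule_base_too_large(rule_base, limit=MAX_RULES):
    return len(rule_base) > limit


class StatefulFilter:
    """Stateful filtering: outbound packets are judged by the rule base and,
    if permitted, remembered; an inbound packet is admitted only when it is
    the reply to a connection an inside host opened. An unsolicited packet
    that the stateless rule base would have passed is dropped. (Simplified:
    a real firewall also lets the rule base expose chosen inbound services.)"""
    def __init__(self, rule_base):
        self.rule_base = rule_base
        # (inside host, outside host, proto, inside port, outside port)
        self.connections = set()

    def decide(self, pkt):
        if pkt.direction == "out":
            action, name = evaluate(self.rule_base, pkt)
            if action == "permit":
                self.connections.add(
                    (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return action, name
        # ... whereas the stateful filter looks the reply up in its table:
        # the reply's destination/source are the connection's inside/outside ends.
        key = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if key in self.connections:
            return "permit", "established"
        return "deny", "unsolicited"   # never requested by an inside host


if __name__ == "__main__":
    reply = Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 40000, "in")
    print("stateless:", evaluate(RULE_BASE, reply))
    fw = StatefulFilter(RULE_BASE)
    print("stateful, unsolicited:", fw.decide(reply))
    fw.decide(Packet("10.0.0.5", "198.51.100.7", "tcp", 40000, 80, "out"))
    print("stateful, after request:", fw.decide(reply))
```

            Running the block shows the contrast from the answer: the same inbound
            packet is permitted by the stateless rule base (rule 3) but dropped by the
            stateful filter until an inside host has actually opened the connection.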
        17. How does an active intrusion-detection system differ from a passive intrusion-
            detection system?
            A device that monitors network security at a higher level is an intrusion
            detection system (IDS). An IDS looks at the activity on the network and
            what the packets are actually doing instead of filtering based on where
            the packets came from. An active IDS (sometimes called a reactive IDS) will
            perform a specific function when it senses an attack, such as dropping
            packets or tracing the attack back to a source. A passive IDS sends
            information about what happened, but the IDS will take no action.
        18. What is a demilitarized zone (DMZ) and why is it used?
            A demilitarized zone (DMZ) is a separate network that sits outside the
            secure network perimeter. Outside users can access the DMZ but cannot
            enter the secure network. In Figure 5-22 a DMZ has been set up outside
            of the secure network perimeter. The DMZ contains a Web server and an
            e-mail server, two servers that are continuously accessed by outside users,
            yet those users never enter the secure network. Placing these servers in a
            DMZ restricts the access of outside users to the secure network.
        19. Explain the difference between an intranet and an extranet.
            An intranet is a network that has the same functionality as the public
            Internet in that it uses the same protocols (HTTP, HTTPS, etc.) but it is
            only accessible to trusted inside users. An organization may post human
            resource information for its employees that allows them to check their
            number of sick days or change a mailing address. If this was available on
            the public Web server in the DMZ it would be subject to attacks.
            However, keeping this information on a secure intranet reduces the
            risk of attack. An extranet is accessible to users that are not trusted
            internal users but instead are trusted external users. An extranet is not
            accessible to the general public but may allow vendors and business
            partners to access a company Web site. An extranet is generally
            established as a collaborative network that uses Internet technology to
            link businesses with their suppliers, customers, or other businesses that
            share common goals.
        20. How does Network Address Translation (NAT) work?
            Network Address Translation (NAT) hides the IP addresses of network
            devices from attackers. On a network using NAT, as a packet leaves the
            network NAT will remove the private IP address from the sender’s
            packet and replace it with an alias IP address. The NAT software
            maintains a table of the private addresses and their alias IP addresses.
            When a packet is returned to the NAT the process is reversed. An attacker
            who captures the packet on the Internet cannot determine the actual IP
            address of the sender. Without that address it is more difficult to identify
            and attack a computer.
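
            The translation table the answer describes, written out as an added Python
            example (not the textbook’s own code). It assumes, beyond what the answer
            says, that the NAT also rewrites the source port so that several private
            hosts can share a single alias address; the addresses and ports are
            constructed sample values.

```python
import itertools


class Nat:
    """Source NAT as the answer describes it: an outbound packet has its
    private source address replaced with the public (alias) address, and the
    table built on the way out reverses the change on the way back.
    Assumption beyond the text: ports are translated too (port address
    translation), so many private hosts can hide behind one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)
        self.outbound_map = {}   # (private ip, private port) -> public port
        self.inbound_map = {}    # public port -> (private ip, private port)

    def translate_outbound(self, pkt):
        """Packet leaving the network: hide the sender behind the alias."""
        inside = (pkt["src"], pkt["sport"])
        if inside not in self.outbound_map:          # first packet of a flow
            port = next(self.next_port)
            self.outbound_map[inside] = port
            self.inbound_map[port] = inside
        out = dict(pkt)
        out["src"], out["sport"] = self.public_ip, self.outbound_map[inside]
        return out

    def translate_inbound(self, pkt):
        """Packet returning from the Internet: restore the real destination.
        Returns None (drop) when no inside host created a mapping, which is
        why a NAT box also shields hosts from unsolicited inbound traffic."""
        if pkt["dst"] != self.public_ip:
            return None
        inside = self.inbound_map.get(pkt["dport"])
        if inside is None:
            return None
        back = dict(pkt)
        back["dst"], back["dport"] = inside
        return back


if __name__ == "__main__":
    nat = Nat("198.51.100.1")
    # Constructed packet: private host 10.0.0.5 talking to a web server.
    leaving = nat.translate_outbound(
        {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.44", "dport": 80})
    print("on the Internet the sender looks like:", leaving["src"], leaving["sport"])
    returning = nat.translate_inbound(
        {"src": "192.0.2.44", "sport": 80, "dst": "198.51.100.1", "dport": leaving["sport"]})
    print("delivered internally to:", returning["dst"], returning["dport"])
```

            The captured outbound packet carries only 198.51.100.1 and a translated
            port, so the observer learns nothing about 10.0.0.5; an inbound packet for
            a port that no inside host mapped is dropped.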

Chapter 6 Review Questions

1. Each of the following is a reason that software is susceptible to attacks except
a.   cost
b.   length and complexity
c.   extensibility
d.   connectivity

2. The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol that handles
   outgoing mail using port 25 is ___________.
a.   Simple Mail Transfer Protocol (SMTP)
b.   Post Office Protocol (POP)
c.   Internet Mail Access Protocol (IMAP)
d.   Secure/Multipurpose Internet Mail Extensions (S/MIME)

3. Each of the following attacks can be launched using e-mail except __________.
a.   man-in-the-middle
b.   virus
c.   worm
d.   Trojan horse

4. Each of the following protocols can be used to encrypt transmissions over the Internet
   except ______________.
a.   Secure Sockets Layer (SSL)
b.   Personal Communications Technology (PCT)
d.   Common Gateway Interface (CGI)

5. Each of the following is illegal under Controlling the Assault of Non-Solicited
   Pornography and Marketing Act of 2003 (CAN-SPAM) except ___________
a.   sending an unsolicited e-mail message
b.   using deceptive subject lines or e-mail addresses
c.   sending e-mails to addresses that have been randomly generated
d.   not maintaining a functioning unsubscribe system for 30 days

6. A macro is a script that records the steps a user performs. True or false?

7. The primary weakness of Secure/Multipurpose Internet Mail Extensions (S/MIME) is
   that it uses weak keys of only 1,024 bits in length. True or false?

8. Pretty Good Privacy (PGP) uses a one-time session key for encryption. True or false?

9. JavaScript is special program code that is embedded into a Hypertext Markup
   Language (HTML) document. True or false?

10. JavaScript security is handled by restrictions within the client operating system and
    not the Web browser. True or false?

11. A(n) _____ is a list of spammers that can be used by organizations to block e-mail
    that originates from the e-mail addresses on the list. blacklist

12. Unlike JavaScript, which is embedded in a Hypertext Markup Language (HTML)
    document, a(n) _____is a separate program that is downloaded onto the user’s
    computer when he visits a Web site. Java applet

13. Java applets run in what is called a(n)_____, which serves as a security fence
    surrounding the program and keeps it away from private data and other resources on a
    local computer. sandbox

14. A(n) _____ is a computer file created by a Web server, stored on a user’s computer,
    and contains user-specific information. cookie

15. The _____ is a set of rules that describes how a Web server communicates with other
    software on the server. Common Gateway Interface (CGI)

16. Explain the difference between Internet Mail Access Protocol (IMAP) and Post
    Office Protocol (POP3).
    POP3 is a very basic protocol, which essentially allows users to have a collection
    of messages stored on the server. The e-mail client connects to the POP3 server
    and downloads the messages onto the local computer. Once the messages are
    downloaded they are generally erased from the POP3 server. Because retrieved
    messages are erased from the mail server and then stored on a single local
    computer, this can make it difficult to manage messages from multiple
    computers. IMAP (Internet Mail Access Protocol) is a more advanced protocol
    that solves these problems. With IMAP the e-mail remains on the e-mail server.
    Mail can be organized into folders and read from any computer. Client e-mail
    software allows IMAP users to work with e-mail while offline. The e-mail client
    connects to the IMAP server using port 143.

17. How does Bayesian filtering work?
    Sophisticated e-mail filters can use a technique known as Bayesian filtering. The
    user divides e-mail messages that have been received into two piles, spam and
    not-spam. The filter then analyzes every word in each e-mail and determines
    how frequently the word occurs in the spam pile compared with the not-spam
    pile. A word like “the” would occur equally in both piles and be given a neutral
    50 percent ranking. A word like “report” may occur frequently in non-spam
    messages and would receive a 99 percent probability of being a non-spam word,
    while a word like “sex” may receive a 100 percent probability of being a spam word.
    Whenever an e-mail arrives, the filter looks for the 15 words with the highest
    probabilities to calculate the message’s overall spam probability rating. Bayesian
    filters trap a much higher percentage of spam than other techniques.
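
    The filter the answer describes, as an added Python example (not code from the
    textbook). The two training piles are constructed sample messages. One assumption
    beyond the text: the “15 words with the highest probabilities” are taken to be the
    15 words whose probability lies farthest from the neutral 50 percent in either
    direction, and per-word probabilities are clamped to the 1 to 99 percent range so
    that a single word cannot decide a message on its own.

```python
import math
import re
from collections import Counter


def tokens(text):
    """Lower-case words of a message."""
    return re.findall(r"[a-z']+", text.lower())


def train(spam_pile, ham_pile):
    """Per-word spam probability from the two piles the user sorted by hand:
    the share of spam messages containing the word compared with the share
    of non-spam messages containing it. A word seen equally often in both
    piles lands at the neutral 0.5."""
    spam_counts, ham_counts = Counter(), Counter()
    for msg in spam_pile:
        spam_counts.update(set(tokens(msg)))
    for msg in ham_pile:
        ham_counts.update(set(tokens(msg)))
    probs = {}
    for word in set(spam_counts) | set(ham_counts):
        s = spam_counts[word] / len(spam_pile)
        h = ham_counts[word] / len(ham_pile)
        p = s / (s + h)
        probs[word] = min(max(p, 0.01), 0.99)   # assumption: clamp to 1%..99%
    return probs


def spam_probability(message, probs, top=15):
    """Combine the `top` most telling words (farthest from 0.5) into one
    overall rating: P = prod(p) / (prod(p) + prod(1 - p)). Words never seen
    in training are neutral and do not sway the result."""
    seen = [probs.get(word, 0.5) for word in set(tokens(message))]
    chosen = sorted(seen, key=lambda p: abs(p - 0.5), reverse=True)[:top]
    if not chosen:
        return 0.5
    spammy = math.prod(chosen)
    hammy = math.prod(1 - p for p in chosen)
    return spammy / (spammy + hammy)


def is_spam(message, probs, threshold=0.9):
    return spam_probability(message, probs) > threshold


# Constructed training piles (every message contains "the" so that it comes
# out neutral, as in the answer's example).
SPAM_PILE = [
    "the free prize is waiting claim now",
    "act now the free offer ends today",
    "you won the lottery claim your free prize",
]
HAM_PILE = [
    "the quarterly report is attached for the meeting",
    "please review the budget report before the meeting",
    "the agenda for tomorrow's meeting is attached",
]

if __name__ == "__main__":
    model = train(SPAM_PILE, HAM_PILE)
    for word in ("the", "report", "free"):
        print(word, round(model[word], 2))
    print(round(spam_probability("free prize now", model), 4))
    print(round(spam_probability("quarterly report meeting", model), 4))
```

    With these piles “the” scores 0.5, “report” 0.01 and “free” 0.99, and a
    message such as “free prize now” is rated well above 99 percent spam while
    an ordinary office message stays near zero.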

18. What are ActiveX controls and what can they do?
    ActiveX is a set of technologies developed by Microsoft. An outgrowth of two
    other Microsoft technologies called OLE (Object Linking and Embedding) and
    COM (Component Object Model), ActiveX is not a programming language but
    is a set of rules for how applications should share information. ActiveX controls
    represent a specific way of implementing ActiveX. Programmers can develop
    ActiveX controls in a variety of languages, including C, C++, Visual Basic, and
    Java. ActiveX controls can also be invoked from Web pages through the use of a
    scripting language or directly with an HTML OBJECT tag. If an ActiveX
    control is not installed locally the Web page can specify an address where the
    control can be obtained. Once obtained, the control installs itself automatically.
    An ActiveX control is similar to a Java applet. Unlike Java applets, however,
    ActiveX controls do not run in a sandbox but instead have full access to the
    Windows operating system. Anything a user can do on a computer an ActiveX
    control can do.

19. What is the difference between a first-party cookie and a third-party cookie?
    A first-party cookie is a cookie that is created from the Web site you are
    currently viewing. Whenever you return to this site that cookie would be used by
    that server to see your preferences. However, some Web sites attempt to access
    cookies that were not created by them. These are known as third-party cookies
    because they were not created by the Web site that attempts to access the cookie.
    The most common reason for third-party cookies is for Web marketers to try to
    track your preferences and the types of Web sites you like to visit.

20. What are the differences between HTTP and HTTPS?
    One common use of Secure Sockets Layer (SSL) is to secure Web HTTP
    communication between a browser and a Web server. This secure version is
    “plain” HTTP but sent over TLS/SSL and named HTTPS (Secure Hypertext
    Transport Protocol). Whereas TLS/SSL creates a secure connection between a
    client and a server over which any amount of data can be sent securely, HTTPS
    is designed to transmit individual messages securely. SSL and HTTPS are
    complementary rather than competing technologies. Besides using TLS/SSL,
    HTTPS uses port 443 instead of port 80 as with HTTP. From the user’s
    perspective, URLs must be entered with HTTPS:// instead of HTTP://. A small
    lock is shown in the corner of the browser to indicate the transmission is secure.

        Chapter 7 Review Questions

        1. The File Transfer Protocol (FTP) can be accessed by each of the following
           except ___________________.
        a. Web browser
        b. FTP client
        c. command line
        d. LPTP server

        2. Another name for anonymous FTP is __________________.
        a. blind FTP
        b. free user FTP
        c. Freenet
        d. Unannounced FTP

        3. The most widely-deployed tunneling protocol is ____________.
        a. L2TP
        b. RADIUS
        c. PPP
        d. PPTP
        4. Each of the following is a characteristic of the Layer 2 Tunneling Protocol
           (L2TP) except ________________.
        a. It merges the features of PPTP and Layer 2 Forwarding Protocol (L2F).
        b. It requires a TCP/IP network.
        c. It can be implemented on devices like routers.
        d. It can support advanced encryption methods.

        5. Each of the following is an authentication technology except _________.
        a. IEEE 802.11b
        b. RADIUS
        c. TACACS+
        d. IEEE 802.1x

        6. The 802.1x protocol is based on the Extensible Authentication Protocol
           (EAP), which is an extension of PPP. True or False?

        7. One of the advantages of the RADIUS architecture is that it supports
           authentication and authorization as well as auditing functions. True or false?

        8. Similar to RADIUS, Terminal Access Control Access Control System
           (TACACS+) is an industry standard protocol specification that forwards
           username and password information to a centralized server. True or false?

        9. Secure Shell (SSH) is a Windows-based command interface and protocol that
           replaces three Windows utilities: wlogin, wcp, and wsh. True or false?

        10. IP Security (IPSec) functions at Layer 1 of the OSI model. True or false?

        11. One of the ways to reduce the risk of FTP vulnerabilities is to use _____.
            secure FTP

        12. IP Security (IPSec) confidentiality is performed by the _____ protocol.
            Encapsulating Security Payload (ESP)

        13. A(n) _____ takes advantage of using the public Internet as if it were a private
            network. virtual private network (VPN)

        14. A(n) _____ is a database that is stored on the network itself that contains all
            the information about users and their privileges to network resources.
            directory service
        15. _____ is the security layer of the Wireless Access Protocol (WAP) and
            provides privacy, data integrity, and authentication. Wireless Transport
            Layer Security (WTLS)

        16. Explain how the three elements of the IEEE 802.1x standard function.
            A network supporting the 802.1x protocol consists of three elements.
            The supplicant is the client device, like a desktop computer or PDA,
            which requires secure network access. The supplicant sends the request
            to an authenticator that serves as an intermediary device. An
            authenticator can be a network switch or a wireless device. The
            authenticator sends the request from the supplicant to the authentication
            server. The authentication server accepts or rejects the supplicant’s
            request and sends that information back to the authenticator, which in
            turn grants or denies access to the supplicant. One of the strengths of the
            802.1x protocol is that the supplicant never has direct communication
            with the authentication server. This minimizes the risk of attack on the
            authentication server, which contains valuable login data for all users.

        17. What are the advantages of IPSec functioning at a lower layer of the OSI

            Different security tools function at different layers of the Open System
            Interconnection (OSI) model. Tools such as Secure/Multipurpose
            Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP)
            operate at the Application layer, while Kerberos functions at the Session
            layer. The advantage of having security tools function at the higher
            layers like the Application layer is that these tools can be specifically
            designed to protect that application. However, protecting at this layer
            may require multiple security tools, perhaps even as many as one per
            application. Secure Sockets Layer (SSL)/Transport Layer Security
            (TLS) operate at the Session layer. The advantage of operating at this
            level is that more applications can be protected, yet minor modifications
            may have to be made to the application. Even broader protection can be
            achieved if the protection sits lower still in the OSI model. If the
            protection is at the Network layer, it can protect a wide range of
            applications with no modifications needed. Even applications that are
            ignorant of security, such as a legacy MS-DOS application, can still be
            protected. This is the level at which IPSec functions.

        18. What are the two IPSec encryption modes? Give an example that illustrates
            why two modes are necessary.
            IPSec supports two encryption modes: Transport and Tunnel. Transport
            mode encrypts only the data portion (payload) of each packet yet leaves
            the header unencrypted. The more secure Tunnel mode encrypts both the
            header and the data portion. IPSec accomplishes transport and tunnel
            modes by adding new headers to the IP packet. The entire original packet
            (header and payload) is then treated as the data portion of the new packet.
            Because tunnel mode protects the entire packet, it is generally used for
            gateway-to-gateway communication. Transport mode is used
            when a device must see the source and destination addresses in order to
            route the packet. For example, a packet sent from a client computer to
            the local IPSec-enabled firewall would be sent in transport mode in order
            for the packet to be transported through the local network. Once it
            reached the firewall it would be changed to tunnel mode before being
            sent onto the Internet. The receiving firewall would then extract, decrypt
            and authenticate the original packet before it is routed to the final
            destination computer.

        19. Explain the process of how Internet data can be displayed on a cell phone.

            With standard computers, Web browser software makes a request to the
            World Wide Web file server for a Web page. This page is transmitted
            back to the Web browser in HTML. When a Web server sends a Web
            page back to a computer, it is sending only HTML code. The Web
            browser is responsible for interpreting that code and displaying the
            results on the screen. WAP follows this standard Internet model with a
            few variations. A WAP cell phone runs a tiny browser program called a
            microbrowser that uses Wireless Markup Language (WML) instead of
            HTML. WML is designed to display text-based Web content on the small
            screen of a cell phone. However, since the Internet standard is HTML, a
            WAP Gateway (sometimes called a WAP Proxy) must translate between
            WML and HTML. The WAP Gateway takes the Web page sent from the
            Web server in HTML code and changes it to WML language before
            forwarding it on to the cell phone.

        20. What is the wired equivalent privacy (WEP) and what is its weakness?
            Wired equivalent privacy (WEP) is an optional configuration for
            WLANs that encrypts packets during transmission to prevent attackers
            from viewing their contents. WEP uses shared keys, meaning that the
            same key for encryption and decryption must be installed on the AP as
            well as on each wireless device. WEP can also be used for authentication.
            When a wireless device attempts to connect to a WLAN the AP sends the
            device 128 bytes of challenge text. The client encrypts the challenge text
            with its WEP key and returns it to the AP, which compares the result
            with its own encryption of the challenge text under its WEP key. If the
            two match, then the client has the correct WEP key and is approved. The
            vulnerability with WEP is that the initialization vector (IV) is not
            properly implemented. Every time a packet is encrypted it should be given
            a unique IV. Yet because the IV is only 24 bits in length, it can have only
            16,777,215 possible values. A WLAN transmitting at 11 Mbps will
            transmit approximately 700 packets each second. This means that in less
            than seven hours all of the 16 million IV values have been used and it
            must start repeating itself. Because the IVs are transmitted in clear text,
            an attacker can capture packets and see when the IV starts repeating.
            With the information he or she is then able to crack the encryption.

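
            The arithmetic behind the answer, plus a monitoring check for IV reuse,
            as an added Python example (not from the textbook). The figures of 24
            bits and 700 packets per second come from the answer; the birthday-bound
            function goes beyond it by showing how much sooner a repeat is expected
            when IVs are chosen at random rather than counted up, and the sample
            frame bytes are constructed.

```python
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS   # 16,777,216 distinct IVs (the answer quotes 16,777,215)


def hours_until_iv_exhaustion(packets_per_second=700, iv_space=IV_SPACE):
    """Time for a busy WLAN to use every IV once, as in the answer's
    arithmetic: a little under seven hours at 700 packets per second."""
    return iv_space / packets_per_second / 3600


def expected_packets_until_random_collision(iv_space=IV_SPACE):
    """Beyond the answer: if each IV is drawn at random instead of counted
    up, the birthday bound puts the first repeat at about sqrt(pi * N / 2)
    packets, i.e. a few thousand frames rather than 16 million."""
    return math.sqrt(math.pi * iv_space / 2)


def iv_of(wep_frame_body):
    """The first three bytes of a WEP frame body carry the IV in the clear
    (the fourth byte holds the key ID); pack them into an int for bookkeeping.
    Assumption: big-endian packing, used only as an identifier here."""
    return int.from_bytes(wep_frame_body[:3], "big")


def first_iv_reuse(ivs):
    """Monitoring check a wireless IDS could run: remember every IV seen and
    report the index of the first frame whose IV was already used, or None."""
    seen = set()
    for index, iv in enumerate(ivs):
        if iv in seen:
            return index
        seen.add(iv)
    return None


# Constructed sample: IVs taken from eleven captured frames; the last frame
# reuses the IV of the fourth.
SAMPLE_IVS = list(range(10)) + [3]

if __name__ == "__main__":
    print("hours to exhaust the IV space:", round(hours_until_iv_exhaustion(), 2))
    print("expected frames before a random repeat:",
          round(expected_packets_until_random_collision()))
    print("first reused IV at frame index:", first_iv_reuse(SAMPLE_IVS))
```

            A network that must keep WEP running can at least alert on the first
            reused IV; the fix the later chapters point toward is to stop using WEP.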
Chapter 8 Review Questions

    21. Cryptography provides each of the following types of protection except
            a. confidentiality
            b. speed
            c. integrity
            d. authentication

    22. A(n) _____ is never intended to be decrypted but is only used for comparison
            a. hash
            b. key
            c. algorithm
            d. PAM

    23. Each of the following is an example of how hashing is used except
            a. bank ATM machine
            b. authenticating UNIX and Linux passwords
            c. determining the integrity of a message
            d. encrypting and decrypting e-mail messages

    24. Each of the following is a characteristic of a secure hash except
            a. collisions should be rare
            b. a message cannot be produced from a predefined hash
            c. the results of a hash function should not be reversed
            d. the hash should always be the same fixed size

    25. The data added to a section of text when using the message-digest (MD)
        algorithm is called _________________.
            a. filler
            b. extender
            c. padding
            d. byte code

    26. A cipher is an encryption or decryption algorithm tool used to create encrypted or
        decrypted text. True or false?

    27. Most security experts recommend that the family of DES hashes be replaced with
        a more secure hash algorithm. True or false?
    28. The Secure Hash Algorithm (SHA) creates a more secure hash 160 bits long
        instead of 128 bits as with other algorithms. True or false?

    29. Symmetric encryption algorithms use a single key to encrypt and decrypt. True or

    30. A stream cipher takes one character and replaces it with one character. True or

    31. Data that has been encrypted by an encryption algorithm (a cipher) is called
        _____. ciphertext.

    32. A(n) _____ cipher maps a single plaintext character to multiple ciphertext
        characters. homoalphabetic substitution

    33. A(n) _____ cipher rearranges the letters without changing them. transposition

    34. A(n) _____ cipher manipulates an entire block of plaintext at one time. block

    35. The _____ was specifically designed to replace the weaker Data Encryption
        Standard (DES). Triple Data Encryption Standard (3DES)

    36. Explain the problems with key management and how it affects symmetric

        The primary weakness of symmetric encryption algorithms is keeping the
        single key secure. Known as key management, it poses a number of
        significant challenges. If a user wants to send an encrypted message to
        another using symmetric encryption, he must be sure that she has the key to
        decrypt the message. How should the first user get the key to the second
        user? He would not want to send it electronically through the Internet,
        because that would make it vulnerable to eavesdroppers. Nor can he encrypt
        the key and send it, because the recipient would need some way to decrypt
        the key. And even if he can get the key securely to the other user, how can
        he be certain that an attacker has not seen the key on that person’s
        computer? Key management is a significant impediment to using symmetric
        encryption.

    37. Describe how elliptic curve cryptosystems work.

        Elliptic curve cryptography was first proposed in the mid-1980s. Instead of
        using prime numbers as with RSA, elliptic curve cryptography uses elliptic
        curves. An elliptic curve is a function that is drawn on an X-Y axis as a
        gently curved line. By adding two points on the curve together you can arrive
        at a third point on the curve. The public aspect of an elliptic curve
        cryptosystem is that users share an elliptic curve and one point on the curve.
        One user then chooses a secret random number and computes a public key
        based on a point on the curve. The other user does the same. They can now
        exchange messages because the shared public keys can generate a private key
        on the elliptic curve.
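
        The point addition and the shared-point construction the answer describes,
        carried through on a tiny curve as an added Python example (not from the
        textbook). The curve y^2 = x^3 + 2x + 2 over GF(17) with base point (5, 1)
        is a common classroom example and far too small for real use; the two
        secret numbers are constructed. Both users end at the same point, which is
        the “private key on the curve” the answer refers to.

```python
# Toy elliptic curve y^2 = x^3 + A*x + B over GF(P), shared by both users
# together with the base point G. Constructed classroom parameters: a real
# curve uses a prime of 256 bits or more.
P, A, B = 17, 2, 2
G = (5, 1)


def on_curve(pt):
    """True for the point at infinity (None) and for any (x, y) on the curve."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Chord-and-tangent addition: the line through p1 and p2 meets the curve
    in a third point, and its reflection across the x-axis is the sum."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                        # p1 + (-p1) = point at infinity
    if p1 == p2:                           # tangent slope for doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:                                  # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """k*pt by double-and-add. Recovering k from pt and k*pt is the hard
    problem the cryptosystem rests on."""
    result = None
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def public_key(secret):
    """Public key = secret * G, where G is the point both users share."""
    return scalar_mult(secret, G)


def shared_secret(my_secret, their_public):
    """Both users compute the same point: a*(b*G) == b*(a*G)."""
    return scalar_mult(my_secret, their_public)


if __name__ == "__main__":
    a, b = 3, 7                              # constructed secret random numbers
    pub_a, pub_b = public_key(a), public_key(b)
    print("public keys:", pub_a, pub_b)
    print("shared point:", shared_secret(a, pub_b), shared_secret(b, pub_a))
```

        On this curve the base point has order 19, so 19*G is the point at
        infinity and every public key is one of the 18 other points.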

    38. What is a digital signature? Why is it used?

        The asymmetric cryptographic system can itself provide for multiple types of
        security functions, including authentication, integrity and non-repudiation.
        This is done through using a digital certificate and helps to prove that the
        person sending the message with a public key is actually who they claim to
        be, that the message was not altered, and that it cannot be denied that the
        message was sent. A digital signature is a shorter version of the message itself
        that is created from the contents of the message and the sender’s private key
        and is then attached to the end of the message. Because the contents of
        the message are used to create the digital signature, this signature will be
        different for every message sent. When using a digital certificate the sender
        uses her own private key to create a digital signature before encrypting the
        entire message with the receiver’s public key. The sender begins by creating
        the document that is to be transmitted. Then using special software a
        summary of that message is created. Finally, the sender’s public key is used
        to encrypt the summary and this is attached to the end of the message.
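
        The signing steps from the answer (create the document, make a summary of
        it, transform the summary with the sender’s key, attach the result to the end
        of the message) as an added Python example, not the textbook’s code. The
        summary is a SHA-256 digest; the signature is produced with the sender’s
        private key and checked with the matching public key. The RSA numbers
        (n = 61 × 53, e = 17, d = 2753) are constructed textbook values, so the
        digest is reduced modulo n only to fit this toy modulus.

```python
import hashlib

# Toy RSA key: n = 61 * 53, e = 17, d = 17^-1 mod (60 * 52) = 2753.
# Constructed textbook numbers; real keys are 2048 bits or larger.
N, E, D = 3233, 17, 2753


def message_summary(message):
    """The "summary of the message": a SHA-256 digest, reduced mod N only
    because this toy modulus is far smaller than a 256-bit digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, private_key=D):
    """Signature = summary raised to the sender's private exponent. Since the
    summary depends on every byte of the message, each message gets its own
    signature."""
    return pow(message_summary(message), private_key, N)


def verify(message, signature, public_key=E):
    """Anyone holding the public key recovers the summary from the signature
    and compares it with a fresh summary of the received message; a changed
    message or a changed signature fails the comparison."""
    return pow(signature, public_key, N) == message_summary(message)


def sign_message(message):
    """Attach the signature to the end of the message, as the answer describes."""
    return message + b"|" + str(sign(message)).encode()


def check_signed_message(signed):
    """Split the attached signature off again and verify it."""
    message, _, sig = signed.rpartition(b"|")
    return verify(message, int(sig))


if __name__ == "__main__":
    document = b"Transfer 100 to account 42"       # constructed document
    signed = sign_message(document)
    print(signed)
    print("valid:", check_signed_message(signed))
    print("altered document valid:",
          check_signed_message(b"Transfer 900 to account 42|" + signed.rpartition(b"|")[2]))
```

        Because x -> x^e is a permutation of the residues mod n, exactly one value
        verifies for a given summary, which is why a signature that has been changed
        by even one is rejected.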

    39. What is the Microsoft Encrypting File System (EFS) and what are some of its

        Microsoft’s Encrypting File System (EFS) is an encryption scheme for
        Windows 2000, Windows XP Professional, and Windows 2003 Server
        operating systems that use the NTFS file system. Because EFS is tightly
        integrated with the NTFS file system, file encryption and decryption are
        transparent. When users open a file, it is decrypted by EFS as data is read
        from disk and when they save the file, EFS encrypts the data as it is written
        to disk. Encrypting a file is performed by setting a file attribute and the
        encryption attribute can also be set for a file folder. Any file created in or
        added to the folder is automatically encrypted.

    40. What is a pluggable authentication module (PAM)?

        When UNIX was originally developed the task of authenticating a user was
        accomplished by the user entering a password and the system then checking if
        the entered password corresponded to the encrypted official password that is
        stored in the user database /etc/passwd. Since that time a number of new
        ways of authenticating users have become popular, such as using new
        hardware devices like smart cards. Yet each time a new authentication
        scheme was developed it required all the necessary programs, such as login
        and ftp, to be rewritten to support it. The solution was to use pluggable
        authentication modules (PAMs) instead. PAM provides a way to develop
        programs that are independent of the authentication scheme. PAM rests
        between the operating system and the program that needs authentication.
        The authentication modules are attached to the programs when needed.

Chapter 9 Review Questions

    1. _____ cryptography uses one key to both encrypt and decrypt messages.
           a. Symmetric
           b. Asymmetric
           c. PIK
           d. Dual Key Hashing (DKH)
    2. The primary weakness of symmetric cryptography is _________________,
           a. key management
           b. RAM memory requirements
           c. CPU processing speed
           d. Hard disk storage space
    3. A _____ is a shorter version of the message itself that is created by the contents of
       the message and the sender’s private key.
           a. hash algorithm
           b. certificate authority
           c. digital certificate
           d. digital signature
    4. Revoked digital certificates are listed in a(n) ___________________.
           a. Certificate Revocation List (CRL)
            b. Certification Authority Revocation Algorithm (CARA)
            c. 509.X certificate
            d. Public Key Crypto Folder (PKCF)
    5. A subordinate certification authority server is known as a _____ server.
            a. Registration Authority (RA)
            b. CA proxy
            c. Certificate Extension Server (CES)
            d. Digital CA Directory Access Proxy
    6. When using symmetric cryptography it is acceptable to use the same key for
        encrypting documents sent to several different users. True or false?
    7. Another alternative to a certificate authority (CA) is to provide the information in
        a publicly accessible directory called a Certificate Repository (CR). True or
    8. A Public Key Infrastructure (PKI) is a system that manages encryption keys and
        identity information for the human and mechanical components of a network that
        require asymmetric cryptography. True or false?
    9. Public Key Cryptography Standards (PKCS) is a numbered set of standards that
        are widely accepted in the industry. True or false?
    10. A web of trust model uses multiple certification authority (CA) servers. True or
    11. The primary disadvantage of _____ cryptography is that it is a computing-
        intensive process. public key (asymmetric)
    12. _____ defines the format for the digital certificate and is the most widely used
        certificate format for PKI. X.509
    13. _____ certificates are issued directly to individuals and are typically used to
        secure e-mail transmissions through S/MIME and SSL/TLS. Personal
    14. Key management can either be centralized or _____. decentralized
    15. One way to provide more security than a single set of public and private (single-
        dual) keys can offer is to use _____ pairs of dual keys. multiple
    16. Explain the difference between a certificate policy (CP) and a certificate practice
        statement (CPS).
        A certificate policy (CP) is a published set of rules that govern the operation
        of the PKI and may be used by a certificate user to determine the
        trustworthiness of a certificate for a particular application. The CP provides
        recommended baseline security requirements for the use and operation of
        Certificate Authorities (CA), Registration Authorities (RA), and other PKI
        components. A Certificate Practice Statement (CPS) is a more technical
        document compared to a CP. A CPS describes in detail how the CA uses and
        manages certificates.
    17. What is key escrow? Why is it used?
        Keys that are managed by a third-party entity are said to be in key escrow. There
        are a number of organizations that will provide this service, such as a trusted
        CA. When using key escrow the private key is actually split, with each half
        encrypted. The two halves are sent to the third party, which stores each half
        in a separate location. If the private key must be retrieved then the two
        halves are combined together and then decrypted. Although key escrow
        relieves the end user from the worry of losing her private key, having a
        copy of the key elsewhere makes it vulnerable to attacks.
    18. Explain M-of-N control and tell how it works.
        What happens if an employee is hospitalized for an extended period of time
        yet the organization for which she works needs to transact business using her
        keys? How can her key be recovered? One technique is known as M-of-N
        control. Well before a user is incapacitated, her private key is encrypted and
        divided into a specific number of parts, for example three. The parts are
        distributed to other individuals, with an overlap so that multiple individuals
        have the same part. For example, the three parts could be distributed to six
        people, with two people each having the same part. This is known as the N
        group. If it is necessary to recover the key, a smaller subset of the N group
        known as the M group must meet together and agree that the key should be
        recovered. If a majority of the M group agree then they can piece back
        together the key.
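        The M-of-N arrangement described above, implemented as an added example (standard-library Python, not code from the textbook). It assumes a passphrase-based stand-in cipher for "encrypted", three parts spread over six holders so that each part is duplicated, and that recovery requires at least M holders who together cover every part; with two parts and two storage locations the same split_parts routine models the split-key escrow of question 17.

```python
import hashlib


def _keystream(passphrase: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from the passphrase by hashing a
    counter. A stand-in for a real cipher, used only so the example runs offline."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(passphrase + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(data: bytes, passphrase: bytes) -> bytes:
    """XOR the data with the keystream; applying it twice restores the data."""
    return bytes(a ^ b for a, b in zip(data, _keystream(passphrase, len(data))))


decrypt = encrypt


def split_parts(blob: bytes, parts: int) -> list:
    """Cut the encrypted key into `parts` contiguous chunks (the last may be shorter)."""
    step = -(-len(blob) // parts)  # ceiling division
    return [blob[i * step:(i + 1) * step] for i in range(parts)]


def distribute(chunks: list, holders: list) -> dict:
    """Hand chunk i to holders i, i+parts, i+2*parts, ... so every part is held by
    more than one person (the N group). Returns {holder: (part_index, chunk)}."""
    parts = len(chunks)
    if len(holders) % parts:
        raise ValueError("number of holders must be a multiple of the number of parts")
    return {h: (i % parts, chunks[i % parts]) for i, h in enumerate(holders)}


def recover(presented: dict, parts: int, m: int, passphrase: bytes) -> bytes:
    """Reassemble the key from the shares an M group brings to the meeting.
    Succeeds only when at least `m` holders take part and, between them, they
    cover every part; a chunk that disagrees with another copy is rejected."""
    if len(presented) < m:
        raise PermissionError(f"{len(presented)} holders present, {m} required")
    by_part = {}
    for holder, (idx, chunk) in presented.items():
        if by_part.get(idx, chunk) != chunk:
            raise ValueError(f"chunk from {holder} disagrees with another copy of part {idx}")
        by_part[idx] = chunk
    missing = sorted(set(range(parts)) - by_part.keys())
    if missing:
        raise ValueError(f"no holder present for part(s) {missing}")
    return decrypt(b"".join(by_part[i] for i in range(parts)), passphrase)


# Constructed demo values: a 32-byte stand-in for the employee's private key.
PRIVATE_KEY = bytes(range(32))
RECOVERY_PASSPHRASE = b"recovery-officer-passphrase"
N_GROUP = ["ann", "bob", "cat", "dan", "eve", "fay"]   # six people, three parts


def demo() -> bytes:
    shares = distribute(split_parts(encrypt(PRIVATE_KEY, RECOVERY_PASSPHRASE), 3), N_GROUP)
    # dan, bob and fay hold parts 0, 1 and 2 respectively: a valid M group of three.
    m_group = {h: shares[h] for h in ("dan", "bob", "fay")}
    return recover(m_group, parts=3, m=3, passphrase=RECOVERY_PASSPHRASE)


if __name__ == "__main__":
    print(demo() == PRIVATE_KEY)
```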
    19. What is the difference between key destruction and key revocation?
        Key destruction removes all private and public keys along with the user’s
        identification information in the CA. When a key is revoked or expired the
        user’s information remains on the CA.
    20. Why should keys not be renewed?
        Keys should be allowed to expire because it provides additional security. If
        an attacker has captured a user’s key, she could use that key indefinitely
        without the user’s knowledge. If, however, the key is allowed to
        expire then a new key must be generated, making the attacker’s stolen key no
        longer valid.

Chapter 11 Review Questions

    1. A(n) _____ is a weakness that allows a threat agent to bypass security.
            a. vulnerability
            b. exploit
            c. risk
            d. mitigation
    2. The _____ defines the overall process involved with developing a security policy.
            a. security policy cycle
            b. risk identification cycle
            c. monitoring scope
            d. evaluation cycle
    3. Each of the following is a step of risk identification except _________________.
            a. Inventory the assets
            b. Decide what to do about the risks
            c. Determine what threats exist against the assets
            d. Write the security policy
    4. Each of the following is an asset except _________________.
            a. data
            b. buildings
            c. software
            d. loans
    5. Each of the following is an attribute that should be compiled for hardware when
        performing an asset identification except _________________.
            a. the name of the equipment
            b. the manufacturer’s serial number
            c. the MAC and IP address
            d. the cost
    6. A tool used in threat modeling is an attack tree. True or false?
    7. A vulnerability appraisal is the last step of compliance monitoring and evaluation.
        True or false?
    8. It is possible to eliminate the risk for all assets. True or false?
    9. A guideline is a document that outlines specific requirements or rules that must be
        met. True or false?
    10. Two elements that must be balanced in an information security policy are trust
        and control. True or false?
    11. _____ is defined as the obligations that are imposed on owners and operators of
        assets to exercise reasonable care of the asset and take necessary precautions to
        protect it. Due care
    12. _____ means that one person’s work serves as a complementary check on another
        person’s. Separation of duties
    13. An information security policy should clearly outline that all information is
        provided on a strictly _____ basis. need-to-know
    14. A(n) _____ defines what actions the users of a system may perform while using
        the computing and networking equipment. acceptable use policy (AUP)
    15. A(n) _____ is a contract between a vendor and an organization for services.
        service-level agreement (SLA) policy

    16. Explain the composition and goals of a security policy development team.

        Security policy design should be the work of a team and not one or two
        technicians. A security policy development team should be formed to handle
        the task. The team should be charged with developing the initial draft of the
        policy, determining which groups are required to review each policy, the
        required approval process and finally how it will be implemented. Ideally the
        team should have these representatives:
        •   a senior level administrator
        •   a member of management who can enforce the policy
        •   a member of the legal staff
        •   a representative from the user community
        The size of the security policy development team will depend on the size and
        scope of the policy. Small scale policies may only require a few participants
        while larger policies may require a team of ten.

        The team should first decide on the scope and goals of the policy. The scope
        should be a statement about who is covered by the policy while the goals
        outline what the policy attempts to achieve. The team must also decide on
        how specific to make the policy. A security policy is not meant to be a
        detailed plan regarding how it is to be implemented.

    17. What actions should be taken by the incident response team (IRT) when an
        attack penetrates security?

        Once an incident is identified the IRT should immediately convene and
        assess the situation. The immediate decision will be how to contain
        the incident. If the attack is coming electronically through the network it
        may be necessary to take preventive measures to limit the spread of the
        attack, such as temporarily shutting off the mail server to stop it replicating a
        virus. Other containment actions may include reconfiguring firewalls,
        updating antivirus software, or implementing an emergency patch
        management system. In extreme cases even the connection to the Internet
        may be terminated. After the incident is contained the next steps are to
        determine the cause of the attack, assess its damage, and implement recovery
        procedures to get the organization back to normal as quickly as possible.
        Once the incident is over a review of security is essential to ensure that a
        repeat attack is not successful.

    18. Explain why an ethics policy can be useful.

        The main purpose of an ethics policy is to state the values, principles and ideals
        that each member of an organization must agree to. In particular, the code is
        intended to uphold and advance the honor, dignity and effectiveness of the
        organization. A code of ethics can also help to clarify some of the ethical
        obligations and responsibilities undertaken by users. This is important
        because no single set of rules could apply to the enormous variety of
        situations and responsibilities that exist. While users must always be guided
        by their own professional judgment, a code of ethics will help when
        difficulties arise. A code of ethics also emphasizes to members and the public,
        employers, and clients that the members of an organization are professionals
        who are resolved to uphold their ethical ideals and obligations.

    19. Describe the steps in the security policy cycle and what each one does.

        The security policy cycle defines the overall process involved with developing
        a security policy. The first part of the cycle is risk identification. Risk
        identification seeks to determine the risks that an organization faces against
        its information assets. That information then becomes the basis of developing
        a security policy. A security policy is a document or series of documents that
        clearly defines the defense mechanisms that an organization will employ to
        keep information secure. It also outlines how the organization will respond to
        attacks and the duties and responsibilities of its employees for information
        security. Once the policy is completed it must constantly be reviewed for
        compliance. And because new assets are continually being added to the
        organization and new threats appear against the assets, compliance
        monitoring and evaluation must regularly be conducted. The results of the
        monitoring and evaluation (such as revealing that a new asset is unprotected)
        then become input back into risk identification and the process begins again.

    20. List and define the three actions an organization may take regarding risk.

        There are three options an organization can take with these risks:

            Accept the risk – This is accomplished by doing nothing at all but leaving
        everything as is. The assumption is that an attack will occur sometime in the
        future, but a decision has already been made to do nothing to protect against

            Diminish the risk – To diminish or reduce the risk, additional hardware,
        software, or procedures would be implemented.

            Transfer the risk – This option makes someone else responsible for the

Chapter 12 Review Questions

    1. Each of the following is a problem associated with users identifying and
        authenticating themselves with multiple accounts except
            a. Regulatory legislation
            b. Weak password creation
            c. E-commerce bottlenecks
            d. Underworked support staff
    2. _____ allows a user’s single authenticated ID to be shared across multiple
        networks or online businesses.
            a. Identity management
            b. Password Sharing Protocol (PSP)
            c. Privilege management
            d. Change management
    3. Each of the following is a key element of identity management except
            a. Single sign-on (SSO)
            b. Password synchronization
            c. Password resets
            d. RC4 hashing
    4. Privilege management organizational structures are _________________.
            a. Centralized or decentralized
            b. Corporate or private
            c. Internet-based or client-based
            d. Secure or not secure
    5. Each of the following is a name used to describe the highest level of Linux
        privileges except ____________.
            a. superuser
            b. su
            c. root
            d. SuperAdmin
    6. Privilege management attempts to simplify assigning and revoking access control
        to users. True or false?
    7. When an individual user is added to a group, that user inherits the privileges of
        the group. True or false?
    8. There are three types of audits of user privileges: usage audits, log audits, and
        response audits. True or false?
    9. The term change management refers to a methodology for making changes and
        keeping track of those changes. True or false?
    10. The goal of digital rights management (DRM) is to remove another layer of
        security. True or false?
    11. Books, music, plays, paintings, and photographs are all examples of _____
        property. intellectual
    12. Secret information known as a(n) _____ is embedded into a document, image, or
        song without the user’s knowledge so that illegal copies can be traced back to the
        original owner. digital watermark
    13. _____ is information about a document and can be stored in the header of an
        eXtensible Markup Language (XML) file or another digital-content format.
    14. _____ ensures that a user’s password is the same for every application to which
        the user logs on. Password synchronization.
    15. _____ audits are reviews of usage audits to determine if there is an unexpected
        increase in privileges. Escalation

    16. Explain the difference between file-based digital rights management (DRM) and
        server-based DRM.

        Protecting documents through DRM can be accomplished at one of two
        different levels. The first level is file-based DRM and focuses on protecting
        the content of a single file. Most document-creation software now allows a
        user to determine the rights that the reader of the document may have. The
        document can be encrypted and a password can be required to access the
        document. Restrictions on the ability to print, edit, or copy the data can also be
        applied. These restrictions can be contained in metadata, which is information
        about a document. The disadvantage to file-based DRM is that each user must
        determine the restrictions and apply the control mechanisms, and keys must
        be securely exchanged. In addition, file-based DRM is proprietary and
        cannot be easily transferred between application software packages. That is,
        the security settings for a Microsoft Word document are different from those
        of an Adobe Acrobat document.

        A more comprehensive approach is server-based DRM. Server-based
        products can be integrated with Lightweight Directory Access Protocol
        (LDAP) for authentication and can provide access to groups of users based
        on their privileges. More granular restrictions can also be enforced, such as
        limiting the number of accesses or setting a time in which access is permitted
        (such as 6:00 AM to 3:30 PM on June 15). Audit controls can provide a usage
        log of actions taken by each user.

    17. List and describe the two types of organizational structures for privilege

        The responsibility for privilege management can be either centralized or
        decentralized. In a centralized structure, one unit is totally responsible for all
        aspects of assigning or revoking privileges. Whereas this creates a unified
        approach to privilege management, it also serves to slow down the process.
        Users may sometimes wait days or longer for a request for changes to be
        implemented. Because they do not have any control, users may be tempted to
        circumvent the security, such as by using the account and password of a
        co-worker to access a file or bringing in a rogue wireless access point from
        home. A decentralized organizational structure for privilege management
        delegates the authority for assigning or revoking privileges to smaller units,
        such as each location hiring a network administrator to manage privileges.
        The disadvantage is that each location may only be as good as that single
        network administrator, particularly in terms of security. Unless the local
        network administrator sees the “big picture,” she may provide access
        privileges that affect another unit of the organization or create a security
        vulnerability. A blending of centralized and decentralized organization may
        be the ultimate choice. The corporate office may set the standards for
        privileges, but each local office has the responsibility for implementing the
        standards.

    18. Describe a privilege audit.

        A privilege audit reviews the privileges that have been assigned to a specific
        user or group. This audit begins by developing a list of the expected
        privileges of a user. For example, if a user works in the Accounting
        Department, it would be expected that they would have access to the monthly
        financial reports and data files. Developing the list of expected privileges is
        generally accomplished by reviewing the user’s job classification as detailed
        in his or her file with the Human Resources Department. Next, an interview
        with the user’s supervisor would reveal if additional privileges were granted
        because of a special project to which the user was assigned. The paperwork
        requesting these privileges should be closely reviewed.

    19. Define “digital rights management” and tell why it is important.

        Most organizations work hard to establish a security perimeter around a
        network or system to prevent attackers from accessing information. Yet
        information security can be enhanced by building a security fence around the
        information itself. Known as digital rights management (DRM), the goal is to
        provide yet another layer of security: an attacker who can break into a
        network would still face yet another hurdle in trying to access information

    20. List and define the four key elements of an identity management system.

        There are four key elements in an identity management system. Single sign-
        on (SSO) allows a user to log on one time to a network or a system, and then
        access multiple applications and systems based on that single password.
        When an application is opened, the SSO gives the authentication credentials
        for the user to the application (as long as the user has the privilege to use that
        application). An SSO requires its own infrastructure that validates user
        identity and permissions before granting access.

        The second element is password synchronization. Password synchronization,
        like SSO, permits a user to use a single password to log on to multiple
        servers. However, a separate ID and password must be used when accessing
        each application on the server. Although password synchronization is a step
        down from SSO, it does not require its own infrastructure. Password resets
        are an element that reduces costs associated with password-related help desk

        Identity management systems let users reset their own passwords and unlock
        their accounts without relying upon the help desk. Users can do this through
        a Web browser, a client program, or an interactive voice response system
        using the telephone. All password reset requests must be authenticated. One
        of the most interesting elements of identity management is access
        management. Access management software controls who can access the
        network while also managing the content and the business that users can
        perform while online. It offers administrators a centralized command
        structure for granting access. One feature is that administrators can entrust
        management permission rights to business managers and other partners.

Chapter 13 Review Questions

    1. Each of the following is a reason that computer forensics is important except
            a. high amount of digital evidence
            b. increased scrutiny by legal profession
            c. higher level of computer skills by criminals
            d. high turnover in IT staffing
    2. Each of the following is a challenge that computer forensics faces except
            a. low cost of evidence
            b. volume of electronic evidence
            c. distribution of evidence
            d. dynamic content of electronic evidence
    3. _____ contains information about files but can result in false leads.
            a. Metadata
            b. Microdata
            c. Macrodata
            d. Sumdata
    4. _____ attempts to hide the existence of data.
            a. Cryptography
            b. Decryption
            c. Steganography
            d. Hidden Data Resource (HDR)
    5. The first step a forensics response team performs is to _________________.
            a. secure the crime scene
            b. make a bitmap image of the hard drive
            c. use the operating system to copy the drive to a CD-ROM
            d. move the computer to a secure location
    6. Digital photography is strongly recommended for taking pictures of a computer
        that has been attacked. True or false?
    7. After a bitmap resource snapshot (BRS) is taken of the hard drive, any volatile
        data should then be captured. True or false?
    8. A mirror image backup is the same as a normal copy of the data. True or false?
    9. Byte-stream backup should be used first by a network technician and then given
        to the forensic investigators. True or false?
    10. Mirror image backups are considered a primary key to uncovering evidence
        because they create an exact replica of the computer contents at the crime scene.
        True or false?
    11. _____ is the application of science to questions that are of interest to the legal
        profession. Forensic science
    12. The _____ is documentation that shows that the evidence was under strict control
        at all times and no unauthorized individuals were given the opportunity to corrupt
        the evidence. chain of custody
    13. Microsoft Windows-based computer operating systems use a special file known
        as a(n) _____ that functions as a “scratch pad” to write data when additional
        RAM is full. Windows page file
    14. _____ is a term used to describe all types of hidden data on a hard drive. Slack
    15. Capturing volatile data and performing a mirror image backup are both steps that
        are performed at the _____ stage of a forensics incident response. Preserve the

    16. Explain the difference between RAM slack and file slack.

        A source of hidden data is called slack. There are two types of slack with
        Windows-based computers. The first is RAM slack. Windows stores files in
        512-byte blocks called sectors. Clusters are made up of blocks of sectors.
        When a file is not long enough to fill up the last sector on a disk
        (which is a common occurrence because only rarely would a file size match
        the exact sector size) Windows “makes up” the difference by padding the
        remaining space with data that is currently stored in RAM. This creates
        what is called RAM slack. RAM slack can contain any information that
        was created, viewed, modified, downloaded or copied since the computer
        was last booted. Thus, if the computer has not been shut down for several
        days, the data stored in RAM slack can come from activity that occurred in
        the past. RAM slack pertains only to the last sector of a file. If additional
        sectors are needed to round out the block size for the last cluster assigned
        to the file, then a different type of slack is created. This is known as drive
        slack because the padded data used comes from data that was stored on the
        hard drive. Such data could contain remnants of previously deleted files or
        data from the format pattern associated with disk storage space that has yet
        to be used by the computer. Both RAM slack and drive slack can potentially
        hold valuable evidence.
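        An added worked calculation of the two slack regions (Python written for this edition of the solutions, not from the textbook). It uses the 512-byte sectors stated above, assumes an 8-sector (4 KB) cluster, and carves the RAM-slack and drive-slack bytes out of a constructed cluster image the way an examiner would from a mirror image.

```python
SECTOR = 512  # Windows sector size given in the answer


def slack_sizes(file_size: int, sectors_per_cluster: int = 8) -> dict:
    """Bytes of RAM slack and drive slack left by a file of `file_size` bytes.
    RAM slack is the padding between the end of the data and the end of the last
    sector; drive slack is the whole unused sectors in the last cluster.
    (8 sectors per cluster, i.e. 4 KB clusters, is an assumed cluster size.)"""
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    cluster = SECTOR * sectors_per_cluster
    used_in_last_sector = file_size % SECTOR
    ram_slack = 0 if used_in_last_sector == 0 else SECTOR - used_in_last_sector
    sectors_used = -(-file_size // SECTOR)                    # ceiling division
    clusters_used = -(-sectors_used // sectors_per_cluster)
    drive_slack = clusters_used * cluster - sectors_used * SECTOR
    return {"ram_slack": ram_slack, "drive_slack": drive_slack,
            "clusters": clusters_used}


def carve_slack(last_cluster: bytes, file_size: int, sectors_per_cluster: int = 8):
    """Split the raw bytes of the cluster holding the file's tail into
    (file_tail, ram_slack, drive_slack), the regions an examiner would pull
    out of a mirror image."""
    cluster = SECTOR * sectors_per_cluster
    if len(last_cluster) != cluster:
        raise ValueError(f"expected a {cluster}-byte cluster image")
    tail = file_size % cluster
    if tail == 0:
        # File ends exactly on a cluster boundary: nothing is hidden here.
        return last_cluster, b"", b""
    sizes = slack_sizes(file_size, sectors_per_cluster)
    ram_end = tail + sizes["ram_slack"]
    return last_cluster[:tail], last_cluster[tail:ram_end], last_cluster[ram_end:]


def build_sample_cluster() -> bytes:
    """Constructed 4 KB cluster image: 700 bytes of a document, then the two
    regions the answer describes: a RAM-sourced pad up to the end of sector 2
    and old on-disk contents filling sectors 3 to 8."""
    document = (b"Quarterly report body text. " * 30)[:700]
    ram_pad = (b"RAM: session token=abc123 from a browser tab " * 10)[:324]
    old_disk = (b"DELETED memo: merger talks moved to Friday. " * 80)[:3072]
    image = document + ram_pad + old_disk
    assert len(image) == SECTOR * 8
    return image


if __name__ == "__main__":
    print(slack_sizes(700))
    _, ram, drive = carve_slack(build_sample_cluster(), 700)
    print(len(ram), ram[:20], len(drive), drive[:20])
```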

    17. Describe how attackers are now targeting cell phones.

        Viruses and worms are starting to appear that attack cell phones through
        short-range wireless technology. These could potentially cause cell phones to
        place calls on their own, running up big long-distance expenses. Infected cell
        phones could also be used to launch DDoS attacks, relay spam, or infect a
        user’s computer when the phone is synchronized with the computer to share
        phone numbers and weekly schedules.

    18. What is behavior blocking?

        Behavior blocking protects computers by recognizing when they are not
        acting normally. For example, a worm that infects a computer might
        attempt to replicate itself by opening an unused port. Since that port is not
        normally used by the system, its behavior would be recognized as out of the
        ordinary and the port would be blocked.

    19. How is host intrusion prevention (HIP) different from standard network security?

        Host intrusion prevention (HIP) moves the security focus away from creating
        only a strong perimeter to instead hardening individual systems. Programs
        and users only have limited access to the operating system. The HIP restricts
        the availability of functions like read, write and execute, as well as protecting
        system resources like ports, files and registry keys.

    20. What is virus throttling? How can it be effective in limiting virus attacks?

        On average a user’s networked computer makes fewer than two network
        connections per second. However, a computer infected with a virus attempts
        to make hundreds or even thousands of connection attempts each second to
        spread itself. Virus throttling slows the spread of viruses from an infected
        computer by restricting the number of connections it can make with other
