Security+ Guide to Network Security Fundamentals, 2e Solutions 1-1
Chapter 1 Review Questions
1. Each of the following factors illustrates why information security is
increasingly difficult except _______.
a. faster computer processors
b. growing sophistication of attacks
c. faster detection of weaknesses
d. distributed attacks
2. A type of software that repairs security flaws in an application is called a(n)
a. hot fix
3. The primary goal of information security is to protect __________.
4. Each of the following is a characteristic of information except ________.
5. Each of the following is intended to protect information except _________.
6. Information security procedures tell the people how to use products to protect
information. True or false?
7. Hackers now use protocols such as the Hypertext Transfer Protocol (HTTP) to
send data or commands to attack computers, making it difficult to distinguish
an attack from legitimate network traffic. True or false?
8. The theft of data is the least significant cause of financial loss due to a
security breach. True or false?
9. Integrity ensures that information is correct and that no unauthorized person
or malicious software program can or has altered that data. True or false?
10. Attackers can now use hundreds or thousands of computers in an attack
against a single computer or network, making it impossible to stop an attack
by identifying and blocking the source. True or false?
11. While most attacks today take advantage of vulnerabilities that someone has
already uncovered, a(n) _____ occurs when a hacker discovers and exploits a
previously unknown flaw. zero-day (day zero) attack
12. _____ involves assuring that only authorized parties can view information.
13. Under the _____, healthcare enterprises must guard protected health
information and implement policies and procedures to safeguard it. Health
Insurance Portability and Accountability Act (HIPAA)
14. The _____ act is designed to broaden the surveillance of law enforcement
agencies to help them detect and suppress terrorism. USA Patriot Act
15. Attacks by terrorists using computer technology and the Internet are called
16. What is a distributed attack?
A distributed attack is an attack that comes from not just one but several
different sources. Attackers can now use hundreds or thousands of
computers in an attack against a single computer or network. This “many
against one” approach makes it impractical to stop an attack simply by
identifying and blocking a single source.
17. What is the difference between a threat and a threat agent?
A threat is an event or an action that may defeat the security measures in
place and result in a loss. A threat agent is a person or thing that has the
power to carry out a threat.
18. What is a risk and how can it be mitigated?
In the textbook’s car-stereo analogy, the risk is the likelihood that the stereo
will be stolen. In information security terms, a risk is the likelihood that a
threat agent will exploit a vulnerability. Risk can never be entirely
eliminated; doing so would cost too much and take too long. Rather, some
degree of risk must always be assumed. The questions are, “How much risk is
acceptable? Are we willing to tolerate it?” There are three options when
dealing with risk: accept the risk, diminish (mitigate) the risk, or transfer
the risk.
19. Explain how people, products and procedures help protect information.
Information security is achieved through a combination of three entities.
The protection that covers the information along with the hardware,
software and communications is in three successive layers. The innermost
layer is the products that provide the necessary security. These
products may be as basic as door locks or as complicated as intrusion
detection systems and firewalls. These products form the physical security
around the data. The next layer is the people. Unless individuals
implement and properly use the security products, the data can
never be protected. The final layer is the procedures. These include the
plans and policies established by the organization to ensure that the
people correctly use the products. These three layers all interact with
each other: the procedures tell the people how to use the products to
protect the information. Thus information security is the protection of the
integrity, confidentiality, and availability of information on the devices
that store, manipulate and transmit the information, through products,
people and procedures.
20. Identify some problems with software patches when trying to protect
One of the primary defenses against attacks is applying patches, software
updates that fix or repair security flaws in an existing
software application. However, managing patches and knowing which
ones to install can be difficult. Most attacks have been successful due to
users not applying patches that had been released long before the attack
Chapter 2 Review Questions
1. Attackers known as _____ like to think of themselves as an elite group who are
performing a valuable service in identifying security weaknesses.
b. script kiddies
2. A _____ possesses advanced computer skills and attacks computers with a
a. script kiddie
d. worm zombie
3. The motivation for a computer spy is _____________.
4. One reason employees are so successful at attacking their company’s computers is
a. they have superior networking skills
b. employees already have access to all company information
c. a company’s information security is focused on keeping out intruders
d. employees have unlimited access to company computers
5. Each of the following is a goal of cyberterrorists except _________.
a. defacing electronic information
b. denying service to legitimate users
c. committing unauthorized intrusions into critical infrastructures
d. replacing computers with unauthorized devices
6. Today the global computing infrastructure is the most likely target of attacks.
True or false?
7. Instead of attacking the computing infrastructure directly, attackers can embed the
attack in the data itself, which makes detection harder. True or false?
8. Social engineering is the easiest way to attack a computer system, requires almost
no technical ability, and is usually highly successful. True or false?
9. There is no defense for social engineering attacks. True or false?
10. The first line and strongest defense of any computer system is passwords. True
11. When an attacker sends out counterfeit e-mail messages to direct users to his
own site this is called _____. phishing
12. With a(n) _____ attack the attacker attempts to create every possible password
combination by systematically changing one character at a time and then using
each newly generated password to access the system. brute force
13. A(n) _____ attack takes each word from a dictionary and encodes it in the same
way in which the computer would encode a user’s password. dictionary
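The two password attacks in questions 12 and 13 differ only in where the candidate guesses come from. The following added example (not from the textbook; the password store, wordlist and the choice of unsalted SHA-1 are constructed for illustration) encodes each guess the same way the system would and compares it to the stored value, and also shows why the brute-force keyspace grows so quickly with password length:

```python
import hashlib
import itertools
import string

# Constructed sample password store: user -> unsalted SHA-1 of the password.
# Unsalted fast hashes are exactly what makes these attacks cheap.
USERS = {
    "alice": hashlib.sha1(b"sunshine").hexdigest(),
    "bob": hashlib.sha1(b"ab1").hexdigest(),
}

# Constructed toy wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "sunshine", "dragon"]

ALPHABET = string.ascii_lowercase + string.digits


def encode(candidate: str) -> str:
    """Encode a guess exactly the way the system encodes stored passwords."""
    return hashlib.sha1(candidate.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist):
    """Encode each dictionary word and compare; returns the word or None."""
    for word in wordlist:
        if encode(word) == target_hash:
            return word
    return None


def keyspace_size(alphabet_size: int, max_len: int) -> int:
    """Number of candidates a brute-force search may have to try."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def brute_force(target_hash: str, alphabet=ALPHABET, max_len=3):
    """Generate every combination up to max_len, shortest first, changing
    one position at a time. Returns (password or None, attempts made)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if encode(guess) == target_hash:
                return guess, attempts
    return None, attempts


if __name__ == "__main__":
    print(dictionary_attack(USERS["alice"], WORDLIST))   # sunshine
    print(brute_force(USERS["bob"]))                      # ('ab1', attempts)
    print(keyspace_size(len(ALPHABET), 3))                # 47988
```

The dictionary attack finds "sunshine" in four tries, while the brute-force search must walk the whole keyspace in the worst case; a salted, slow hash (bcrypt, scrypt, Argon2) is the defense, because it makes every single `encode` call expensive and prevents one computed table from being reused across users.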
14. A(n) _____ occurs when a computer program attempts to stuff more data into a
temporary storage area than it can hold, overwriting valid computer data. buffer overflow
15. Cryptography is based on a procedure called an algorithm, which is given a
starting value known as a(n) _____. key
16. Explain how an attacker would use a mathematical attack.
A mathematical attack develops a statistical analysis of the characters
in an encrypted text and then analyzes those statistics in an attempt to
discover the key and decrypt the data. Although by hand this would take
an enormous amount of time, with modern computers mathematical
attacks of this nature are much more feasible.
17. What is the birthday paradox and how is it used by attackers?
If you were to meet a complete stranger there would be only a 1 in 365
chance (0.27%) that he would have the same birthday as you. However, the
chance of meeting someone with your birthday increases remarkably faster
as you meet more people. With the first 23 people that you meet there is
actually a 50% chance and not a 6.3% chance (23 in 365) that you will find
someone with the same birthday as you. If you meet 60 people the
probability leaps to over 99% that you will share the same birthday with
one of these people. This phenomenon is called the birthday paradox. In
cryptography the birthday paradox is significant. When encrypting a
message it would be assumed that the best approach would be to randomly
select a different key value each time. However, if you pick random values
then you will actually create duplicate values much sooner than you would
expect, much like meeting someone who shares your birthday. That is, even
with random selection, duplicate values will quickly appear. A birthday
attack is an attack on a cryptographic system that exploits the
mathematics underlying the birthday paradox.
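The added example below (not from the textbook; the truncated-SHA-256 "short hash" and the bit lengths are constructed for illustration) computes the birthday probabilities quoted above and then runs the attack itself: it draws random inputs until two of them collide on a short hash, which happens after roughly the square root of the number of possible outputs rather than after half of them.

```python
import hashlib
import math
import os


def prob_shared_birthday(people: int, days: int = 365) -> float:
    """Probability that at least two of `people` share one of `days` values."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1 - p_all_distinct


def expected_tries(bits: int) -> float:
    """Expected random samples before a collision among 2**bits outputs:
    about sqrt(pi/2 * 2**bits), not 2**(bits-1)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, modelling a short hash or tag."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def birthday_collision(bits: int):
    """Draw random inputs until two hash to the same truncated value.
    Returns (input_a, input_b, number_of_tries)."""
    seen = {}
    tries = 0
    while True:
        x = os.urandom(8)          # fresh random "message"
        tries += 1
        h = truncated_hash(x, bits)
        if h in seen and seen[h] != x:
            return seen[h], x, tries
        seen[h] = x


if __name__ == "__main__":
    print(round(prob_shared_birthday(23), 3))   # 0.507
    print(round(prob_shared_birthday(60), 4))   # 0.9941
    a, b, n = birthday_collision(24)
    print(n, round(expected_tries(24)))          # n is typically a few thousand
```

Because the work is square-root in the output size, a hash or MAC tag needs twice as many bits as the security level wanted against collisions; this is the reason 64-bit hashes are considered broken and 256-bit outputs are used for 128-bit collision resistance.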
18. What is the difference between a man-in-the-middle attack and a replay?
A replay attack is similar to an active man in the middle attack. However,
whereas an active man in the middle attack will change the contents of a
message before sending it on, a replay attack will only capture the message
and then send it again later (replay it).
19. Explain how a denial of service (DoS) attack works.
A denial of service (DoS) attack attempts to make a server or other
network device unavailable by flooding it with requests, such as displaying
a Web page or accessing a stored file. The server will respond to each
request from the computers that started the process. However, with a DoS
attack, the computers that launched the denial of service attack are
programmed to not reply to the server’s response. The server will “hold
the line open” and continue to wait for a response (which is never coming)
while receiving more and more requests and keeping those lines open for
responses. After a short period of time the server runs out of resources and
can no longer function.
20. What is the difference between a worm and a virus?
Although similar in nature, worms are different from viruses in two
regards. First, a virus attaches itself to another computer document, like an
e-mail message, and is then spread by traveling along with the e-mail
message. A worm, on the other hand, does not attach to a “host” document
in order to spread. A worm can spread by itself. A second difference is that
a virus needs the user to perform some type of action, like starting a
program or reading an e-mail message, in order to start the infection. A
worm does not require any action by the computer user to start it. Worms
can continuously replicate themselves until they “clog” all available
resources, such as computer memory or the network bandwidth connection.
Chapter 3 Review Questions
1. A security plan that is initiated by a(n) _____ would be defined as a bottom-
a. Chief information officer (CIO)
b. Help desk technician
c. Chief security officer
d. Financial counselor
2. The advantage of layering is _________.
a. there is no single point of failure
b. it is less expensive
c. it provides redundant services such as dual firewalls
d. it does not require security personnel to implement
3. Restricting users to the lowest level of permissions they need to do their job is
a. restrictive access listing (RAL)
c. constraint leveling
d. concise security administration (CSA)
4. Each of the following is an example of how diversity can be achieved except
a. one firewall filters one type of traffic while a second firewall
filters other traffic
b. devices purchased from a variety of vendors
c. servers running different operating systems
d. requiring one type of hard disk drive
5. Which of the following is an example of security by obscurity?
a. Posting the company’s security plan on the Web site
b. Advertising for bids for a specific brand of firewall in the
c. Removing a logon window message that indicates the
name of the operating system
d. Requiring vendors to ship equipment that does not have a
6. Layering is no longer considered a proper means of creating a security
environment. True or false?
7. A disadvantage of layering is that uncoordinated layers can create security
holes in the defense. True or false?
8. Complex security systems are preferred over simple systems. True or false?
9. Authentication verifies that a trusted person who has been preapproved for
access is actually the one who now demands that access. True or false?
10. The only time you are asked to authenticate yourself is when using a
computer. True or false?
11. Authentication based on a secret code you have memorized is an example of
authentication by ___. what you know
12. The term used to describe an employee who actively tries to prevent security
attacks from passing through them is a(n) _____. human firewall
13. A subject, such as a person or a computer program, interacts with a(n) _____.
14. Using your fingerprint to access a system is an example of authentication by
_____. what you are
15. A(n) _____ is a security device that is used to authenticate the user by having
the appropriate permission (such as a password) embedded into it. token
16. What are some of the weaknesses of biometrics and how can they be
Biometrics has its weaknesses. Many high-end scanners are relatively
expensive, can be difficult to use, and can reject authorized users while
accepting unauthorized users. These errors are mainly due to the large
number of characteristics of a face or hand that must be scanned and
then compared. Also, it is possible to “steal” someone’s characteristics by
lifting a fingerprint from a glass, photographing an iris, or recording a
voice and then use these to trick the scanner. Biometric security is still in
its early developmental stages. Many industry experts recommend that
at the present time it should be used along with passwords and other
forms of authentication.
17. Explain how a digital certificate works.
Although encrypting messages with keys is an excellent means of sending
messages so that unauthorized users cannot see them, one of the
weaknesses of the key system is that it does not prove that the sender is
actually who he claims to be. How does the receiver know who
actually sent the message? The answer is a certificate (sometimes called a
digital certificate). A certificate links or binds a specific person to a key.
Digital certificates are provided by a certification authority (CA), which
is an independent third-party organization. A user requesting a digital
certificate must provide personal information, such as name, former last
name (if changed in the last twelve months), home address, social security
number, date of birth, driver's license number, e-mail address, and work
and home phone numbers. In some instances the CA may require
that the person make a personal visit to the CA office in order to
prove his existence and identity. Once the person’s identity is established,
the CA issues the certificate.
18. Where is Kerberos used and how does it work?
Kerberos is typically used when a user on a network is attempting to
make use of a network service, and the service wants assurance that the
user is who he says he is. The user is provided a ticket that is issued by
the Kerberos authentication server (AS). This ticket contains information
linking it to the user. The user presents this ticket to the network
service. The service then examines the ticket to verify the identity of the
user. If everything checks out, the user is accepted. Kerberos tickets are
difficult to forge or alter (because they are encrypted), they contain specific user
information, they restrict what a user can do, and they expire after a few
hours or a day.
19. What is the difference between one-way authentication and mutual
authentication? What attacks does mutual authentication combat?
Two-way authentication, known as mutual authentication, can be used to
combat identity attacks, such as man in the middle and replay attacks.
With mutual authentication the user is authenticated through a
password, tokens, or other means by the server. The server likewise is
authenticated: that is, the user verifies that he is actually connected to the
“real” server and not an imposter. Mutual authentication provides a
means for both sides of a connection to verify the authenticity of each
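The following added example (not from the textbook; the pre-shared key, the HMAC-based challenge-response and the class names are assumptions made for illustration) implements the exchange described in this answer and in Chapter 2 question 18: each side challenges the other with a fresh nonce, and the server accepts each nonce only once, so a captured valid response replayed later is rejected and an imposter server that does not know the key cannot answer the client's challenge.

```python
import hashlib
import hmac
import os

# Assumption: client and server already share a secret key; it never travels
# on the wire, only HMACs over fresh nonces do.
SHARED_KEY = b"example-preshared-key"


def prove(key: bytes, role: bytes, nonce: bytes) -> str:
    """Response to a challenge: HMAC over the role label and the nonce.
    The role label keeps a client response from being reused as a server one."""
    return hmac.new(key, role + b"|" + nonce, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()      # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16).hex().encode()
        self.outstanding.add(nonce)
        return nonce

    def verify_client(self, nonce: bytes, response: str) -> bool:
        # Each nonce is accepted exactly once: a captured (nonce, response)
        # pair replayed later fails here even though its HMAC is valid.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        return hmac.compare_digest(response, prove(self.key, b"client", nonce))

    def answer(self, client_nonce: bytes) -> str:
        return prove(self.key, b"server", client_nonce)


class ImposterServer(Server):
    """Does not know the key: waves the client through, then cannot
    produce a valid answer to the client's own challenge."""
    def verify_client(self, nonce: bytes, response: str) -> bool:
        return True


class Client:
    def __init__(self, key: bytes):
        self.key = key

    def answer(self, nonce: bytes) -> str:
        return prove(self.key, b"client", nonce)

    def verify_server(self, client_nonce: bytes, response: str) -> bool:
        return hmac.compare_digest(response, prove(self.key, b"server", client_nonce))


def mutual_auth(client: Client, server: Server):
    """Run both directions. Returns (success, what an eavesdropper captured)."""
    server_nonce = server.challenge()
    client_response = client.answer(server_nonce)
    captured = (server_nonce, client_response)
    if not server.verify_client(server_nonce, client_response):
        return False, captured
    client_nonce = os.urandom(16).hex().encode()
    return client.verify_server(client_nonce, server.answer(client_nonce)), captured


if __name__ == "__main__":
    server, client = Server(SHARED_KEY), Client(SHARED_KEY)
    ok, captured = mutual_auth(client, server)
    print(ok)                                   # True
    print(server.verify_client(*captured))      # False: replay rejected
    print(mutual_auth(client, ImposterServer(b"guess"))[0])   # False
```

A password sent in the clear would pass a one-way check and also be replayable; the nonce is what turns a static secret into a proof that is only good once, and the second direction is what stops the client from handing that proof to a man in the middle.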
20. How does Role Based Access Control function? What are its advantages?
Handling the permissions for individual users can be a time-consuming
task. Not only must they be initially set up, but constant
“tweaking” may be necessary as users take on new responsibilities or assume new
job titles. An alternative model assigns permissions to a position or
“role”; users and other objects are then assigned to that role and
inherit all of the permissions of the role. This is known as Role Based
Access Control (RBAC). RBAC reduces the amount of “adjusting” that
must be done on an account as an employee adds responsibilities
to his or her title: changing the employee’s role changes all of the
permissions at once.
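An added example of the RBAC model just described (not from the textbook; the role and permission names are constructed for illustration). Permissions attach only to roles, users are members of roles, and the two operations that would otherwise mean editing many individual accounts, promoting one person and giving every holder of a role a new permission, each become a single change:

```python
class RBAC:
    """Minimal role-based access control: permissions belong to roles,
    users are members of roles and inherit the permissions of each role."""

    def __init__(self):
        self.role_perms = {}    # role -> set of permissions
        self.user_roles = {}    # user -> set of roles

    def define_role(self, role, permissions):
        self.role_perms[role] = set(permissions)

    def grant_role_permission(self, role, permission):
        # One change here reaches every current and future member of the role.
        self.role_perms[role].add(permission)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"undefined role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms[role]
        return perms

    def check(self, user, permission) -> bool:
        return permission in self.permissions(user)


def demo():
    """Promotion by role change and a role-wide grant; returns the checks."""
    ac = RBAC()
    ac.define_role("clerk", {"invoice:read"})
    ac.define_role("manager", {"invoice:read", "invoice:approve"})
    ac.assign("dana", "clerk")
    before = ac.check("dana", "invoice:approve")       # False: clerks cannot approve
    ac.revoke("dana", "clerk")
    ac.assign("dana", "manager")                        # promotion = one role swap
    after = ac.check("dana", "invoice:approve")        # True
    ac.grant_role_permission("clerk", "invoice:export")  # every clerk gets it at once
    ac.assign("eli", "clerk")
    return before, after, ac.check("eli", "invoice:export")


if __name__ == "__main__":
    print(demo())   # (False, True, True)
```

Note that `permissions()` is the union over all of a user's roles; a user holding several roles gets everything those roles grant, which is why role design, not user administration, is where least privilege is enforced in an RBAC system.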
Chapter 4 Review Questions
1. You can start to build defenses for your information systems by creating
2. In Microsoft Windows, the name of the background program, such as
Svchost.exe, is called a _____ .
c. display service
d. parent service
3. Stopping and then starting again a service is sometimes called a
4. A nonsecurity advantage of disabling a service is that ____________.
a. ROM is preserved
b. the operating system can perform fewer functions
c. communication with firmware is enhanced
d. it frees up RAM
5. A(n) _____ identifies what program or service on the receiving computer is
b. port number
c. UPD designator
d. service-initiated socket (SIS)
6. Port 80 identifies the service as Web traffic (HTTP). True or false?
7. Determining which services to turn off is a very simple task. True or false?
8. With open source software such as Linux, the user community provides
updates. True or false?
9. A patch should be applied before a service pack. True or false?
10. Tools that assist in the update procedures of distributing and testing patches
are known as patch management tools. True or false?
11. A process provides what is known as a(n) _____ to the operating system.
12. When a service is in _____ mode, it starts every time the computer is turned
13. _____ mode allows Windows to start a service whenever it is needed.
14. A service that has been set to _____ mode is not loaded, even if it is needed.
15. Explain the differences between a service pack, a hotfix, and a patch.
Of the different types of software updates there are three that are most
commonly used. The service pack, a cumulative set of updates
including fixes for problems that have not been made available through
individual updates, is the broadest. After installing the current version of the
operating system software on the computer, the very next step should be
to install the service pack (or packs). This updates the
software to the fullest extent. The second type is known as a hotfix. A
hotfix does not typically address security issues. Instead, it addresses a
specific problem in software, such as a feature that does not work
properly. Once all of the service packs have been installed on a new
system, any hotfixes should be applied. The third common update is
a patch, a software update that fixes or repairs a specific security flaw.
Patches may be released on a regular or irregular basis, depending upon
the vendor or support team. Patches for a local operating system can be
installed by the end user on his or her own system.
16. What are the desirable features of a good patch management system?
Patch management attempts to identify the systems that need updates
and then installs and tests those updates, as well as identifying any new
vulnerabilities. The features of a good patch management system include:
Patches can be targeted at certain groups of computers for
Computers are automatically rebooted after the patch is installed
A reporting system verifies the download and installation of the patch
Third-party management and patch tools should connect to the patch
Patches can be downloaded from the Internet onto a local patch
server and then the updates can be distributed locally so that patches
can be applied to computers that do not have Internet access
Patches can be copied to a CD from the local patch server and
installed manually if necessary
17. What are security template snap-ins?
Microsoft Windows systems provide a centralized method of defining
security on a computer. The Microsoft Management Console (MMC) is
a Windows utility that accepts additional components known as snap-ins.
Snap-ins, available from either Microsoft or third-party vendors,
add functionality to the operating system.
One of the useful snap-in components is the Security Templates snap-in.
Security Templates do not introduce new security parameters, but rather
organize all existing security attributes in one place to make security
administration easier by providing a single point of entry where all
system security can be viewed, adjusted, and applied to a local computer.
18. List some ways to secure a Web server.
Some of the steps that should be followed to harden a Web server include the following.
Use ACLs to limit a Web surfer’s ability to navigate and browse the
content and run selected applications; Web users should never be given
permission to write to the server.
Be sure that patches and service packs are regularly used to update the
Keep in tune with exposed Web server vulnerabilities by subscribing to
security organizations that distribute information on the latest flaws, or
regularly visit attacker Web sites.
Delete any sample files that may be included with the installation that are
intended as references; these may have security holes in them.
Isolate the Web server from the internal network
Be sure that the Web server records its actions on a log file and examine
the file regularly
If the server will be sending or receiving sensitive information, implement
a technology that encrypts the transmission
19. What is an open mail relay? How can it be prevented?
An open mail relay occurs when a mail server processes mail messages
when neither the sender nor the recipient is a local user. The mail server
is used to “bounce” e-mail from one outside source to other outside
destinations; in this case the mail server is an entirely unrelated third party.
Spammers use open mail relays to distribute hundreds of thousands of e-mail
messages that can only be traced back to the open mail relay and not to
the spammer’s computer. Open mail relay can be prevented by properly
configuring the mail server. Only trusted users should be given
permission to send outgoing e-mail messages. This can be set by
specifying a range of IP addresses. Another option is to specify which
systems are allowed to send mail through the mail server.
20. What is a rule base and how is it used?
The rules that a network device uses to permit or deny a packet are
sometimes called a rule base. Because more than one criterion is used, such
as denying packets that arrive from a specific site or that attempt to access a
specific TCP port, ACLs end up being lists of rules instead of one specific
rule. Because each packet must be compared to the set of rules before it
can pass through, it is important that the rule base be kept small, to
about 40 rules. As packets arrive they are compared to each rule in
sequence: the packet is first compared to Rule 1, and if it passes it is then
compared to Rule 2, and so on. The most important rules should come towards
the top of the list. The last rule should be a “general” rule that catches
malicious packets that have not been caught by any previous rule. Cisco
router ACLs work differently: each packet is compared to the rules in
sequence, and at the first rule it matches it is either permitted or denied
by that rule and processing stops. If the packet does not match a rule, it is
compared against the next rule down the list until one matches. If there is
no match at all, the packet is dropped (an implicit deny).
Chapter 5 Review Questions
1. Each of the following can be found in a cable plant except _____________.
a. coaxial cable
b. fiber-optic cable
d. BNC connectors
2. Floppy disks are known as _____ media.
3. _____ contains a dedicated controller chip.
c. USB memory stick
d. RAM BIOS
4. A(n) _____ receives a packet from one network device and sends it to all
devices on the network.
5. Each of the following can be identified as physical security except
a. door locks
b. antivirus software
c. alarm systems
6. Although at one time the mainstay of computer networks, twisted-pair cable is
rarely used today. True or false?
7. A switch cannot limit the effectiveness of a sniffer. True or false?
8. A DSL broadband connection allows for an “always on” connection, while a
cable modem does not. True or false?
9. A Remote Access Server does not recognize the universal naming convention.
True or false?
10. Mobile devices, such as PDAs and cell phones, pose no real threat to security.
True or false?
11. The physical infrastructure, such as the wire, connectors, and cables, which
are used to carry data communications signals between equipment is known
as the _____. cable plant
12. An attacker can capture packets as they travel through the network using a
technique called _____. sniffing
13. A software firewall that runs as a program on a local computer is called a(n)
_____. personal firewall
14. _____, which is part of the TCP/IP protocol suite, is used to gather data about
network performance. Simple Network Management Protocol (SNMP)
15. A(n) _____is a smaller version of the telephone company’s larger central
switching office that is privately owned. PBX
16. Explain the difference between stateful and stateless packet filtering.
Packets can be filtered by a firewall in one of two different ways. Stateless
packet filtering looks at each packet in isolation and permits or denies it based
strictly on the rule base. Stateful packet filtering keeps a record of the state of
each connection between an internal computer and an external server and
makes decisions based on that connection as well as the rule base. For
example, a stateless packet filter would allow an unsolicited inbound packet
to pass through because it matched a permit rule in the rule base. A stateful
packet filter would drop the same packet because the internal computer did
not first solicit or request it.
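The added example below (not from the textbook; the networks, the rule base and the packet fields are constructed for illustration) implements both the ordered rule base from Chapter 4 question 20 and the stateful filter described here, using the same packet and rule types. The rule base is evaluated first-match with a general deny at the end, and the stateful filter consults it only for connections opened from inside, so a reply is admitted because a recorded flow requested it, while an unsolicited packet that the rule base alone would permit is dropped:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                 # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: Optional[Tuple[int, int]] = None    # inclusive range; None = any port

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return True


# Constructed rule base. 10.0.0.0/8 is the internal network and
# 203.0.113.0/24 a known hostile site. Order matters: the most important
# rules come first and a general deny closes the list.
RULE_BASE = [
    Rule("deny", src="203.0.113.0/24"),
    Rule("permit", src="10.0.0.0/8", proto="tcp"),
    # The classic stateless compromise: let high ports in so replies get back.
    # It also lets in anything else aimed at a high port.
    Rule("permit", dst="10.0.0.0/8", proto="tcp", dports=(1024, 65535)),
    Rule("deny"),
]


def stateless_filter(rules, p: Packet):
    """First matching rule decides; returns (action, index of that rule)."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None      # implicit deny when nothing matches


class StatefulFilter:
    def __init__(self, rules, inside: str = "10.0.0.0/8"):
        self.rules = rules
        self.inside = ipaddress.ip_network(inside)
        self.table = set()   # flows opened from the inside

    def filter(self, p: Packet):
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.table or reverse in self.table:
            return "permit", "established"        # part of a solicited connection
        if ipaddress.ip_address(p.src) not in self.inside:
            return "deny", "unsolicited"          # nobody inside asked for this
        action, idx = stateless_filter(self.rules, p)
        if action == "permit":
            self.table.add(flow)                  # remember what we requested
        return action, idx


if __name__ == "__main__":
    out = Packet("tcp", "10.1.1.5", 40000, "198.51.100.7", 80)
    reply = Packet("tcp", "198.51.100.7", 80, "10.1.1.5", 40000)
    stray = Packet("tcp", "198.51.100.9", 4444, "10.1.1.5", 5000)
    print(stateless_filter(RULE_BASE, stray))     # ('permit', 2): rule 3 lets it in
    sf = StatefulFilter(RULE_BASE)
    print(sf.filter(stray))                       # ('deny', 'unsolicited')
    print(sf.filter(out), sf.filter(reply))       # ('permit', 1) ('permit', 'established')
```

A real stateful firewall also ages entries out of its table and tracks TCP flags so a half-open handshake is not treated as established, but the decision structure is the one shown: rule base for new connections, connection table for everything else.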
17. How does an active intrusion-detection system differ from a passive intrusion-
A device that monitors network security at a higher level is an intrusion
detection system (IDS). An IDS looks at the activity on the network and
what the packets are actually doing instead of filtering based on where the
packets came from. An active IDS (sometimes called a reactive IDS) will
perform a specific action when it senses an attack, such as dropping
packets or tracing the attack back to its source. A passive IDS only reports
information about what happened; it takes no action itself.
18. What is a demilitarized zone (DMZ) and why is it used?
A demilitarized zone (DMZ) is a separate network that sits outside the
secure network perimeter. Outside users can access the DMZ but cannot
enter the secure network. In Figure 5-22 a DMZ has been set up outside
of the secure network perimeter. The DMZ contains a Web server and an
e-mail server, two servers that are continuously accessed by outside users,
yet they never enter the secure network. By placing these servers in a
DMZ it restricts the access of outside users to the secure network.
19. Explain the difference between an intranet and an extranet.
An intranet is a network that has the same functionality as the public
Internet in that it uses the same protocols (HTTP, HTTPS, etc.), but it is
only accessible to trusted inside users. An organization may post human
resource information for its employees that allows them to check their
number of sick days or change a mailing address. If this were available on
the public Web server in the DMZ it would be subject to attacks.
Keeping this information on a secure intranet reduces the
risk of attack. An extranet is accessible not to trusted internal users but
to trusted external users. An extranet is not
accessible to the general public but may allow vendors and business
partners to access a company Web site. An extranet is generally
established as a collaborative network that uses Internet technology to
link businesses with their suppliers, customers, or other businesses that
share common goals.
20. How does Network Address Translation (NAT) work?
Network Address Translation (NAT) hides the IP addresses of network
devices from attackers. On a network using NAT, as a packet leaves the
network NAT removes the private IP address from the sender’s
packet and replaces it with an alias (public) IP address. The NAT software
maintains a table of private addresses and their alias IP addresses. When a
packet is returned to the NAT device the process is reversed. An attacker who
captures the packet on the Internet cannot determine the actual IP
address of the sender. Without that address it is more difficult to identify
and attack a specific computer.
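As an added example of the translation table just described (not from the textbook; the addresses, the port range and the packet representation are constructed for illustration), the following code performs the common port-based form of NAT in which many private hosts share one public address: the outbound rewrite allocates a table entry, the inbound rewrite reverses it, and a packet that arrives for a port with no table entry has nowhere to go and is dropped, which is the side effect that hides internal hosts from unsolicited traffic:

```python
import itertools


class NAT:
    """Port-address translation: private (ip, port) pairs are mapped to
    distinct ports on a single public IP address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)

    def translate_outbound(self, pkt: dict) -> dict:
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.outbound:               # first packet of a flow
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return {**pkt, "src": self.public_ip, "sport": self.outbound[key]}

    def translate_inbound(self, pkt: dict):
        """Reverse the mapping for a returning packet.
        Returns None when no private host is behind that port."""
        if pkt["dst"] != self.public_ip:
            return None
        key = self.inbound.get(pkt["dport"])
        if key is None:
            return None                            # unsolicited: dropped
        private_ip, private_port = key
        return {**pkt, "dst": private_ip, "dport": private_port}


if __name__ == "__main__":
    nat = NAT("203.0.113.5")
    # Constructed packets: an internal host opens a web connection.
    out = nat.translate_outbound({"src": "192.168.1.10", "sport": 51000,
                                  "dst": "198.51.100.7", "dport": 80})
    print(out)   # src is now 203.0.113.5:40000; 192.168.1.10 is not on the wire
    back = nat.translate_inbound({"src": "198.51.100.7", "sport": 80,
                                  "dst": "203.0.113.5", "dport": 40000})
    print(back)  # dst restored to 192.168.1.10:51000
```

An attacker sniffing the outbound packet sees only 203.0.113.5 and a port number; the private address exists solely in the NAT device's table, and a probe to any port without an entry returns nothing.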
Chapter 6 Review Questions
1. Each of the following is a reason that software is susceptible to attacks except
b. length and complexity
2. The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol that handles
outgoing mail using port 25 is ___________.
a. Simple Mail Transfer Protocol (SMTP)
b. Post Office Protocol (POP)
c. Internet Mail Access Protocol (IMAP)
d. Secure/Multipurpose Internet Mail Extensions (S/MIME)
3. Each of the following attacks can be launched using e-mail except __________.
d. Trojan horse
4. Each of the following protocols can be used to encrypt transmissions over the Internet
a. Secure Sockets Layer (SSL)
b. Personal Communications Technology (PCT)
d. Common Gateway Interface (CGI)
5. Each of the following is illegal under Controlling the Assault of Non-Solicited
Pornography and Marketing Act of 2003 (CAN-SPAM) except ___________
a. sending an unsolicited e-mail message
b. using deceptive subject lines or e-mail addresses
c. sending e-mails to addresses that have been randomly generated
d. not maintaining a functioning unsubscribe system for 30 days
6. A macro is a script that records the steps a user performs. True or false?
7. The primary weakness of Secure/Multipurpose Internet Mail Extensions (S/MIME) is
that it uses weak keys of only 1,024 bits in length. True or false?
8. Pretty Good Privacy (PGP) uses a one-time session key for encryption. True or false?
Language (HTML) document. True or false?
not the Web browser. True or false?
11. A(n) _____ is a list of spammers that can be used by organizations to block e-mail
that originates from the e-mail addresses on the list. blacklist
document, a(n) _____is a separate program that is downloaded onto the user’s
computer when he visits a Web site. Java applet
13. Java applets run in what is called a(n)_____, which serves as a security fence
surrounding the program and keeps it away from private data and other resources on a
local computer. sandbox
14. A(n) _____ is a computer file created by a Web server, stored on a user’s computer,
and contains user-specific information. cookie
15. The _____ is a set of rules that describes how a Web server communicates with other
software on the server. Common Gateway Interface (CGI)
16. Explain the difference between Internet Mail Access Protocol (IMAP) and Post
Office Protocol (POP3).
POP3 is a very basic protocol, which essentially allows users to have a collection
of messages stored on the server. The e-mail client connects to the POP3 server
and downloads the messages onto the local computer. Once the messages are
downloaded they are generally erased from the POP3 server. Because retrieved
messages are erased from the mail server and then stored on a single local
computer, this can make it difficult to manage messages from multiple
computers. IMAP (Internet Mail Access Protocol) is a more advanced protocol
that solves these problems. With IMAP the e-mail remains on the e-mail server.
Mail can be organized into folders and read from any computer. Client e-mail
software allows IMAP users to work with e-mail while offline. Client e-mail
connects to the IMAP server using port 143.
17. How does Bayesian filtering work?
Sophisticated e-mail filters can use a technique known as Bayesian filtering. The
user divides e-mail messages that have been received into two piles, spam and
not-spam. The filter then analyzes every word in each e-mail and determines
how frequently the word occurs in the spam pile compared with the not-spam
pile. A word like “the” would occur equally in both piles and be given a neutral
50 percent ranking. A word like “report” may occur frequently in non-spam
messages and would receive a 99 percent probability of being a non-spam word,
while a word like “sex” may receive a nearly 100 percent probability of being a
spam word. Whenever an e-mail arrives, the filter looks for the 15 words whose
probabilities are farthest from neutral and combines them to calculate the
message’s overall spam probability rating. Because the probabilities are learned
from the user’s own mail and are updated whenever the user reclassifies a
message, Bayesian filters trap a much higher percentage of spam than fixed
keyword lists and other static techniques.
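The filter described above, written out as an added example (this is not code from the textbook). The two training piles are constructed here for the demo, as is the clamp to 0.01/0.99 that keeps one word from forcing a verdict; a real filter trains on thousands of messages.

```python
"""Toy Bayesian spam filter in the style described above.

Added example, not from the textbook. Training messages are constructed
here for illustration; real filters learn from thousands of messages.
"""
import math
import re
from collections import Counter

# Constructed sample piles (assumed data, not from the original page).
SPAM_PILE = [
    "buy cheap pills now limited offer click here",
    "free money click now win prize offer",
    "cheap offer win free prize now",
    "click here for free pills and money",
]
HAM_PILE = [
    "the quarterly report is attached for review",
    "please review the meeting notes and report",
    "the project report meeting is at noon",
    "attached is the budget report for the meeting",
]

WORD_RE = re.compile(r"[a-z']+")


def tokenize(text):
    """Lower-case word tokens; punctuation and digits are ignored."""
    return WORD_RE.findall(text.lower())


def train(spam_msgs, ham_msgs):
    """Return {word: P(spam | word)} from how often each word appears per pile."""
    spam_docs = Counter(w for m in spam_msgs for w in set(tokenize(m)))
    ham_docs = Counter(w for m in ham_msgs for w in set(tokenize(m)))
    probs = {}
    for word in set(spam_docs) | set(ham_docs):
        s = spam_docs[word] / len(spam_msgs)   # fraction of spam containing word
        h = ham_docs[word] / len(ham_msgs)     # fraction of ham containing word
        p = s / (s + h)
        # Never trust a single pile absolutely: clamp to [0.01, 0.99] so one
        # word cannot force the verdict on its own.
        probs[word] = min(0.99, max(0.01, p))
    return probs


def classify(text, probs, top_n=15, unknown=0.5):
    """Spam probability of a message from its top_n most 'interesting' words.

    Interesting = farthest from the neutral 0.5. Words never seen in training
    are neutral and so only matter when fewer than top_n known words exist.
    Combination is the standard naive-Bayes ratio
        P = prod(p_i) / (prod(p_i) + prod(1 - p_i)).
    """
    words = set(tokenize(text))
    ranked = sorted(((abs(probs.get(w, unknown) - 0.5), probs.get(w, unknown))
                     for w in words), reverse=True)
    chosen = [p for _, p in ranked[:top_n]]
    if not chosen:
        return unknown
    prod_spam = math.prod(chosen)
    prod_ham = math.prod(1.0 - p for p in chosen)
    return prod_spam / (prod_spam + prod_ham)


MODEL = train(SPAM_PILE, HAM_PILE)

if __name__ == "__main__":
    for msg in ("free prize click here now",
                "the quarterly report is attached",
                "report on the free offer"):
        print(f"{classify(msg, MODEL):.3f}  {msg}")
```

With these piles the word “for” scores 1/3 (it appears in one spam and two ham messages), “and” scores the neutral 0.5, and “report” clamps to 0.01; a message made only of spam words scores above 0.99 and one made only of ham words below 0.01.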
18. What are ActiveX controls and what can they do?
ActiveX is a set of technologies developed by Microsoft. An outgrowth of two
other Microsoft technologies called OLE (Object Linking and Embedding) and
COM (Component Object Model), ActiveX is not a programming language but
is a set of rules for how applications should share information. ActiveX controls
represent a specific way of implementing ActiveX. Programmers can develop
ActiveX controls in a variety of languages, including C, C++, Visual Basic, and
Java. ActiveX controls can also be invoked from Web pages through the use of a
scripting language or directly with an HTML OBJECT tag. If an ActiveX
control is not installed locally the Web page can specify an address where the
control can be obtained. Once obtained, the control installs itself automatically.
An ActiveX control is similar to a Java applet. Unlike Java applets, however,
ActiveX controls do not run in a sandbox but instead have full access to the
Windows operating system. Anything a user can do on a computer an ActiveX
control can do.
19. What is the difference between a first-party cookie and a third-party cookie?
A first-party cookie is a cookie that is created from the Web site you are
currently viewing. Whenever you return to this site that cookie would be used by
that server to see your preferences. However, some Web sites attempt to access
cookies that were not created by them. These are known as third-party cookies
because they were not created by the Web site that attempts to access the cookie.
The most common reason for third-party cookies is for Web marketers to try to
track your preferences and the types of Web sites you like to visit.
20. What are the differences between HTTP and HTTPS?
One common use of Secure Sockets Layer (SSL), and of its successor Transport
Layer Security (TLS), is to secure HTTP communication between a browser and a
Web server. This secure version is “plain” HTTP sent over an SSL/TLS
connection and is named HTTPS (HTTP over SSL/TLS): the HTTP requests and
responses themselves are unchanged, but the whole connection is encrypted and
the server proves its identity with a certificate. A separate and now rarely
used protocol, Secure HTTP (S-HTTP), was instead designed to protect
individual messages; SSL/TLS and S-HTTP are complementary rather than
competing technologies, but HTTPS is the SSL/TLS approach. Besides using
SSL/TLS, HTTPS uses port 443 instead of port 80 as with HTTP. From the user’s
perspective, URLs must be entered with https:// instead of http://, and the
browser shows a small lock icon to indicate that the connection is encrypted.
Chapter 7 Review Questions
1. The File Transfer Protocol (FTP) can be accessed by each of the following
a. Web browser
b. FTP client
c. command line
d. LPTP server
2. Another name for anonymous FTP is __________________.
a. blind FTP
b. free user FTP
d. Unannounced FTP
3. The most widely-deployed tunneling protocol is ____________.
4. Each of the following is a characteristic of the Layer 2 Tunneling Protocol
(L2TP) except ________________.
a. It merges the features of PPTP and Layer 2 Forwarding Protocol (L2F).
b. It requires a TCP/IP network.
c. It can be implemented on devices like routers.
d. It can support advanced encryption methods.
5. Each of the following is an authentication technology except _________.
a. IEEE 802.11b
d. IEEE 802.1x
6. The 802.1x protocol is based on the Extensible Authentication Protocol
(EAP), which is an extension of PPP. True or False?
7. One of the advantages of the RADIUS architecture is that it supports
authentication and authorization as well as auditing functions. True or false?
8. Similar to RADIUS, Terminal Access Controller Access Control System
(TACACS+) is an industry standard protocol specification that forwards
username and password information to a centralized server. True or false?
9. Secure Shell (SSH) is a Windows-based command interface and protocol that
replaces three Windows utilities: wlogin, wcp, and wsh. True or false?
10. IP Security (IPSec) functions at Layer 1 of the OSI model. True or false?
11. One of the ways to reduce the risk of FTP vulnerabilities is to use _____.
12. IP Security (IPSec) confidentiality is performed by the _____ protocol.
Encapsulating Security Payload (ESP)
13. A(n) _____ takes advantage of using the public Internet as if it were a private
network. virtual private network (VPN)
14. A(n) _____is a database that is stored on the network itself that contains all
the information about users and their privileges to network resources.
15. _____ is the security layer of the Wireless Access Protocol (WAP) and
provides privacy, data integrity, and authentication. Wireless Transport
Layer Security (WTLS)
16. Explain how the three elements of the IEEE 802.1x standard function.
A network supporting the 802.1x protocol consists of three elements.
The supplicant is the client device, like a desktop computer or PDA,
which requires secure network access. The supplicant sends the request
to an authenticator that serves as an intermediary device. An
authenticator can be a network switch or a wireless device. The
authenticator sends the request from the supplicant to the authentication
server. The authentication server accepts or rejects the supplicant’s
request and sends that information back to the authenticator, which in
turn grants or denies access to the supplicant. One of the strengths of the
802.1x protocol is that the supplicant never has direct communication
with the authentication server. This minimizes the risk of attack on the
authentication server, which contains valuable login data for all users.
17. What are the advantages of IPSec functioning at a lower layer of the OSI
Different security tools function at different layers of the Open Systems
Interconnection (OSI) model. Tools such as Secure/Multipurpose
Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP)
operate at the Application layer, while Kerberos functions at the Session
layer. The advantage of having security tools function at the higher
layers, like the Application layer, is that these tools can be designed
specifically to protect that application. However, protecting at this layer
may require multiple security tools, perhaps even one per application.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) operates at the
Session layer. The advantage of operating at this level is that more
applications can be protected, although minor modifications may have to be
made to the application. Even broader protection can be achieved if the
protection is placed lower in the OSI stack. Protection at the Network
layer can cover a wide range of applications with no modifications needed;
even applications that are ignorant of security, such as a legacy MS-DOS
application, can still be protected. This is the level at which IPSec functions.
18. What are the two IPSec encryption modes? Give an example that illustrates
why two modes are necessary.
IPSec supports two modes: transport and tunnel. Transport mode encrypts
only the data portion (payload) of each packet and leaves the original IP
header unencrypted. The more secure tunnel mode encrypts both the header
and the data portion. IPSec implements both modes by adding new headers to
the IP packet; in tunnel mode the entire original packet (header and payload)
is treated as the data portion of the new packet, which carries a fresh outer
IP header. Because tunnel mode protects the entire packet, it is generally
used for gateway-to-gateway communication. Transport mode is used when
intermediate devices must see the source and destination addresses in order
to route the packet. For example, a packet sent from a client computer to
the local IPSec-enabled firewall could be sent in transport mode so that it
can be routed through the local network. Once it reached the firewall it
would be re-encapsulated in tunnel mode before being sent onto the Internet.
The receiving firewall would then extract, decrypt
and authenticate the original packet before it is routed to the final
19. Explain the process of how Internet data can be displayed on a cell phone.
With standard computers, Web browser software makes a request to the
World Wide Web file server for a Web page. This page is transmitted
back to the Web browser in HTML. When a Web server sends a Web
page back to a computer, it is sending only HTML code. The Web
browser is responsible for interpreting that code and displaying the
results on the screen. WAP follows this standard Internet model with a
few variations. A WAP cell phone runs a tiny browser program called a
microbrowser that uses Wireless Markup Language (WML) instead of
HTML. WML is designed to display text-based Web content on the small
screen of a cell phone. However, since the Internet standard is HTML, a
WAP Gateway (sometimes called a WAP Proxy) must translate between
WML and HTML. The WAP Gateway takes the Web page sent from the
Web server in HTML code and changes it to WML language before
forwarding it on to the cell phone.
20. What is the wired equivalent privacy (WEP) and what is its weakness?
Wired equivalent privacy (WEP) is an optional configuration for WLANs
that encrypts packets during transmission to prevent attackers from
viewing their contents. WEP uses a shared key, meaning that the same key
for encryption and decryption must be installed on the AP as well as on
each wireless device. WEP can also be used for authentication. When a
wireless device attempts to connect to a WLAN, the AP sends the device
128 bytes of challenge text. The client encrypts the challenge text with its
WEP key and returns it to the AP, which compares the result with its own
encryption of the challenge text under its WEP key. If the two match, the
client has the correct WEP key and is approved. The vulnerability of WEP is
that the initialization vector (IV) is not properly implemented. WEP seeds
the RC4 stream cipher with the IV prepended to the shared key, so every
packet should be given a unique IV: whenever an IV is reused with the same
key, RC4 produces the same keystream. Yet because the IV is only 24 bits in
length, it can have only 2^24 = 16,777,216 possible values. A WLAN
transmitting at 11 Mbps will transmit approximately 700 packets each second,
so in less than seven hours all 16 million IV values have been used and the
IVs must start repeating. Because the IVs are transmitted in clear text, an
attacker can capture packets and see when an IV repeats. XORing two packets
encrypted with the same keystream cancels the keystream and leaves the XOR of
the two plaintexts; with that, plus some known or easily guessed plaintext
such as protocol headers, the attacker can recover the contents of the
packets and, given enough captured traffic, the key itself.
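The keystream-reuse problem behind the repeated-IV weakness, shown as an added example (not code from the textbook). It implements plain RC4, seeds it the way WEP does (IV followed by the shared key), encrypts two constructed packets under the same IV, and recovers the second packet from the first without ever touching the key. The key, IV and packet contents are made up for the demo, and the CRC-32 integrity value that real WEP appends is omitted since it does not change the argument.

```python
"""RC4 keystream reuse, the root cause of the WEP IV problem described above.

Added example, not from the textbook. Key, IV and packet contents are
constructed here; the CRC-32 integrity value that real WEP appends is omitted
because it does not change the keystream-reuse argument.
"""


def rc4_keystream(key, length):
    """Plain RC4 (KSA then PRGA); returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key, iv, plaintext):
    """WEP seeds RC4 with IV || shared key and sends the 3-byte IV in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_other_plaintext(frame1, known_plaintext1, frame2):
    """Given two frames with the same IV and the plaintext of the first,
    return the recovered plaintext of the second (no key needed).

    c1 ^ c2 == (p1 ^ ks) ^ (p2 ^ ks) == p1 ^ p2, so p2 == c1 ^ c2 ^ p1.
    """
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        return None                           # different keystreams; no leak
    n = min(len(c1), len(c2), len(known_plaintext1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_plaintext1[:n])


IV_SPACE = 2 ** 24                            # 16,777,216 distinct IVs


def hours_until_iv_repeat(packets_per_second=700):
    """At 11 Mbps (about 700 packets/s) the whole IV space is used in < 7 h."""
    return IV_SPACE / packets_per_second / 3600


# Constructed demo values (assumed, not from the original page).
SHARED_KEY = bytes.fromhex("0102030405")       # 40-bit WEP key
IV = b"\x00\x00\x2a"
P1 = b"GET /index.html HTTP/1.1\r\n"           # guessable protocol text
P2 = b"user=alice&password=hunter2\r\n"

FRAME1 = wep_encrypt(SHARED_KEY, IV, P1)
FRAME2 = wep_encrypt(SHARED_KEY, IV, P2)      # same IV reused: the bug

if __name__ == "__main__":
    print(recover_other_plaintext(FRAME1, P1, FRAME2))
    print(f"{hours_until_iv_repeat():.1f} hours until the IV space is exhausted")
```

The recovery works on as many bytes as the attacker knows of the first packet, which is why predictable headers are enough of a foothold; a frame sent under a different IV yields nothing from this step.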
Chapter 8 Review Questions
21. Cryptography provides each of the following types of protection except
22. A(n) _____ is never intended to be decrypted but is only used for comparison
23. Each of the following is an example of how hashing is used except
a. bank ATM machine
b. authenticating UNIX and Linux passwords
c. determining the integrity of a message
d. encrypting and decrypting e-mail messages
24. Each of the following is a characteristic of a secure hash except
a. collisions should be rare
b. a message cannot be produced from a predefined hash
c. the results of a hash function should not be reversed
d. the hash should always be the same fixed size
25. The data added to a section of text when using the message-digest (MD)
algorithm is called _________________.
d. byte code
26. A cipher is an encryption or decryption algorithm tool used to create encrypted or
decrypted text. True or false?
27. Most security experts recommend that the family of DES hashes be replaced with
a more secure hash algorithm. True or false?
28. The Secure Hash Algorithm (SHA) creates a more secure hash 160 bits long
instead of 128 bits as with other algorithms. True or false?
29. Symmetric encryption algorithms use a single key to encrypt and decrypt. True or
30. A stream cipher takes one character and replaces it with one character. True or
31. Data that has been encrypted by an encryption algorithm (a cipher) is called
32. A(n) _____ cipher maps a single plaintext character to multiple ciphertext
characters. homoalphabetic (more commonly called homophonic) substitution
33. A(n) _____ cipher rearranges the letters without changing them. transposition
34. A(n) _____ cipher manipulates an entire block of plaintext at one time. block
35. The _____was specifically designed to replace the weaker Data Encryption
Standard (DES). Triple Data Encryption Standard (3DES)
36. Explain the problems with key management and how it affects symmetric
The primary weakness of symmetric encryption algorithms is keeping the
single key secure. Known as key management, it poses a number of
significant challenges. If a user wants to send an encrypted message to
another using symmetric encryption, he must be sure that she has the key to
decrypt the message. How should the first user get the key to the second
user? He would not want to send it electronically through the Internet,
because that would make it vulnerable to eavesdroppers. Nor can he encrypt
the key and send it, because the recipient would need some way to decrypt
the key. And even if he can get the key securely to the other user, how can he be
certain that an attacker has not seen the key on that person’s computer? Key
management is a significant impediment to using symmetric encryption.
37. Describe how elliptic curve cryptosystems work.
Elliptic curve cryptography was first proposed in the mid-1980s. Instead of
relying on the difficulty of factoring large primes as RSA does, elliptic curve
cryptography relies on the arithmetic of points on an elliptic curve. An
elliptic curve is the set of solutions to an equation of the form
y^2 = x^3 + ax + b; drawn on an X-Y axis it is a gently curved line, although
for cryptography the arithmetic is done modulo a large prime rather than over
the real numbers. Two points on the curve can be “added” to arrive at a third
point on the curve, and adding a point to itself k times (scalar
multiplication) is easy, while recovering k from the resulting point is
believed to be infeasible. The public aspect of an elliptic curve cryptosystem
is that users share an elliptic curve and one point on the curve. One user
then chooses a secret random number and computes a public key by multiplying
the shared point by that number. The other user does the same. Each can now
multiply the other’s public key by his or her own secret number; both arrive
at the same point on the curve, which serves as the shared secret used to
protect the messages they exchange.
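The point addition and key agreement described above, carried through as an added example (not code from the textbook). It uses the classroom curve y^2 = x^3 + 2x + 2 over the integers mod 17 with base point G = (5, 1), whose group has only 19 points, so that every step can be checked by hand; the secret numbers 3 and 7 are constructed for the demo. Real systems use curves over primes of 256 bits or more.

```python
"""Point addition and Diffie-Hellman key agreement on a toy elliptic curve.

Added example, not from the textbook. The curve y^2 = x^3 + 2x + 2 over the
integers mod 17 with generator G = (5, 1) is a classroom curve with only 19
points; it shows the mechanics and nothing else. Real systems use curves
over ~256-bit primes (P-256, Curve25519).
"""

P = 17            # field prime
A, B = 2, 2       # curve coefficients: y^2 = x^3 + A*x + B (mod P)
G = (5, 1)        # shared public base point; its order is 19
ORDER = 19
INFINITY = None   # the point at infinity, the group's identity element


def is_on_curve(pt):
    if pt is INFINITY:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law: chord through two points (or tangent when doubling)."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INFINITY                      # p2 == -p1
    if p1 == p2:                             # tangent slope for doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:                                    # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add; easy forward, hard to invert (ECDLP)."""
    result = INFINITY
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def make_public(secret):
    """Public key = secret * G, for 1 <= secret < ORDER."""
    return scalar_mult(secret, G)


def shared_secret(my_secret, their_public):
    """my_secret * (their_secret * G) == their_secret * (my_secret * G)."""
    return scalar_mult(my_secret, their_public)


if __name__ == "__main__":
    alice_secret, bob_secret = 3, 7          # constructed toy secrets
    alice_pub, bob_pub = make_public(alice_secret), make_public(bob_secret)
    print("Alice pub", alice_pub, "Bob pub", bob_pub)
    print("shared:", shared_secret(alice_secret, bob_pub),
          shared_secret(bob_secret, alice_pub))
```

With secrets 3 and 7 the public points are 3G = (10, 6) and 7G = (0, 6); both sides compute 21G, which on this 19-point group is 2G = (6, 3). Adding G to itself 19 times returns the point at infinity, which is what makes 19 the order of G.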
38. What is a digital signature? Why is it used?
An asymmetric cryptographic system can itself provide several security
functions beyond confidentiality, including authentication, integrity and
non-repudiation. This is done with a digital signature, usually together with a
digital certificate that binds the signer’s public key to her identity, and it
helps to prove that the person sending the message is who she claims to be,
that the message was not altered, and that the sender cannot later deny that
the message was sent. A digital signature is a short value derived from the
contents of the message and the sender’s private key that is attached to the
end of the message. Because the contents of the message are used to create the
digital signature, the signature is different for every message sent. When
both signing and encrypting, the sender uses her own private key to create the
digital signature before encrypting the entire message with the receiver’s
public key. The sender begins by creating the document that is to be
transmitted. Then her software computes a fixed-length summary of that
message, its hash (message digest). Finally, the sender’s private key (not her
public key) is used to sign that digest, and the result is attached to the
end of the message. The receiver recomputes the digest, applies the sender’s
public key to the signature, and accepts the message only if the two values
match.
39. What is the Microsoft Encrypting File System (EFS) and what are some of its
Microsoft’s Encrypting File System (EFS) is an encryption scheme for
Windows 2000, Windows XP Professional, and Windows Server 2003
operating systems that use the NTFS file system. Because EFS is tightly
integrated with the NTFS file system, file encryption and decryption are
transparent. When users open a file, it is decrypted by EFS as data is read
from disk and when they save the file, EFS encrypts the data as it is written
to disk. Encrypting a file is performed by setting a file attribute and the
encryption attribute can also be set for a file folder. Any file created in or
added to the folder is automatically encrypted.
40. What is a pluggable authentication module (PAM)?
When UNIX was originally developed the task of authenticating a user was
accomplished by the user entering a password and the system then checked if
the entered password corresponded to the encrypted official password that is
stored in the user database /etc/passwd. Since that time a number of new
ways of authenticating users have become popular, such as using new
hardware devices like smart cards. Yet each time a new authentication
scheme was developed it required all the programs that authenticate users, such
as login and ftp, to be rewritten to support it. The solution was to use pluggable
authentication modules (PAMs) instead. PAM provides a way to develop
programs that are independent of the authentication scheme. PAM rests
between the operating system and the program that needs authentication.
The authentication modules are attached to the programs when needed.
Chapter 9 Review Questions
1. _____ cryptography uses one key to both encrypt and decrypt messages.
d. Dual Key Hashing (DKH)
2. The primary weakness of symmetric cryptography is _________________,
a. key management
b. RAM memory requirements
c. CPU processing speed
d. Hard disk storage space
3. A _____ is a shorter version of the message itself that is created by the contents of
the message and the sender’s private key.
a. hash algorithm
b. certificate authority
c. digital certificate
d. digital signature
4. Revoked digital certificates are listed in a(n) ___________________.
a. Certificate Revocation List (CRL)
b. Certification Authority Revocation Algorithm (CARA)
c. 509.X certificate
d. Public Key Crypto Folder (PKCF)
5. A subordinate certification authority server is known as a _____ server.
a. Registration Authority (RA)
b. CA proxy
c. Certificate Extension Server (CES)
d. Digital CA Directory Access Proxy
6. When using symmetric cryptography it is acceptable to use the same key for
encrypting documents sent to several different users. True or false?
7. Another alternative to a certificate authority (CA) is to provide the information in
a publicly accessible directory called a Certificate Repository (CR). True or
8. A Public Key Infrastructure (PKI) is a system that manages encryption keys and
identity information for the human and mechanical components of a network that
require asymmetric cryptography. True or false?
9. Public Key Cryptography Standards (PKCS) is a numbered set of standards that
are widely accepted in the industry. True or false?
10. A web of trust model uses multiple certification authority (CA) servers. True or
11. The primary disadvantage of _____ cryptography is that it is a computing-
intensive process. public key (asymmetric)
12. _____ defines the format for the digital certificate and is the most widely used
certificate format for PKI. X.509
13. _____ certificates are issued directly to individuals and are typically used to
secure e-mail transmissions through S/MIME and SSL/TLS. Personal
14. Key management can either be centralized or _____. decentralized
15. One way to provide more security than a single set of public and private (single-
dual) keys can offer is to use _____ pairs of dual keys. multiple
16. Explain the difference between a certificate policy (CP) and a certificate practice
A certificate policy (CP) is a published set of rules that govern the operation
of the PKI and may be used by a certificate user to determine the
trustworthiness of a certificate for a particular application. The CP provides
recommended baseline security requirements for the use and operation of
Certificate Authorities (CA), Registration Authorities (RA), and other PKI
components. A Certificate Practice Statement (CPS) is a more technical
document compared to a CP. A CPS describes in detail how the CA uses and
17. What is key escrow? Why is it used?
Keys that are managed by a third-party entity are said to be in key escrow. There
are a number of organizations that will provide this service, such as a trusted
CA. When using key escrow the private key is actually split, with each half
encrypted. The two halves are sent to the third party, which stores each half
in a separate location. If the private key must be retrieved, the two
halves are combined and then decrypted. Although key escrow
relieves the end user from the worry of losing her private key, the existence
of a second copy of the key gives an attacker another target.
18. Explain M-of-N control and tell how it works.
What happens if an employee is hospitalized for an extended period of time
yet the organization for which she works needs to transact business using her
keys? How can her key be recovered? One technique is known as M-of-N
control. Well before a user is incapacitated her private key is encrypted and
divided into a specific number of parts, for example three. The parts are
distributed to other individuals, with an overlap so that multiple individuals
have the same part. For example, the three parts could be distributed to six
people, with two people each having the same part. This is known as the N
group. If it is necessary to recover the key, a smaller subset of the N group
known as the M group must meet together and agree that the key should be
recovered. If a majority of the M group agree then they can piece back
together the key.
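The text above describes handing out overlapping copies of key fragments. The way M-of-N control is normally built is a threshold secret-sharing scheme (Shamir’s), in which any M of the N share holders can reconstruct the key and any fewer learn nothing about it; the following added example (not code from the textbook) implements that for a 3-of-6 split. The key bytes, the 521-bit field prime and the seeded random generator are constructed for the demo.

```python
"""M-of-N key recovery with Shamir's threshold secret sharing.

Added example, not from the textbook. The text above describes handing out
copies of key fragments; the way M-of-N control is normally built is a
threshold scheme in which any M of the N share holders can reconstruct the
key and any fewer learn nothing about it. Key material and the 3-of-6 split
are constructed here for the demo.
"""
import random

PRIME = 2 ** 521 - 1          # Mersenne prime larger than any 512-bit key


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, m, n, rng=random):
    """Split `secret` into n shares; any m of them recover it.

    A random polynomial of degree m-1 has the secret as its constant term;
    share i is the point (i, f(i)). Any m-1 points leave the constant term
    uniformly undetermined, so fewer than m holders learn nothing.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit below PRIME")
    coeffs = [secret] + [rng.randrange(1, PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the shares supplied.

    Supplying fewer than m distinct shares returns a wrong value, not an
    error: the caller cannot tell, which is exactly the security property.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def key_to_int(key_bytes):
    return int.from_bytes(key_bytes, "big")


def int_to_key(value, length):
    return value.to_bytes(length, "big")


# Constructed demo: a 32-byte key split 3-of-6 (M=3, N=6).
DEMO_KEY = bytes(range(32))
DEMO_SHARES = split_secret(key_to_int(DEMO_KEY), m=3, n=6, rng=random.Random(1))

if __name__ == "__main__":
    secret = key_to_int(DEMO_KEY)
    two = recover_secret(DEMO_SHARES[:2])
    three = recover_secret([DEMO_SHARES[0], DEMO_SHARES[3], DEMO_SHARES[5]])
    print("2 shares recover key:", two == secret)      # False
    print("3 shares recover key:", three == secret)    # True
```

Any three of the six shares, in any order, rebuild the key; two do not, and giving all six still works because extra points of the same polynomial are consistent with it.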
19. What is the difference between key destruction and key revocation?
Key destruction removes all private and public keys along with the user’s
identification information in the CA. When a key is revoked or expired the
user’s information remains on the CA.
20. Why should keys not be renewed?
Keys should be allowed to expire because it provides additional security. If
an attacker has captured a user’s key without the user knowing it, the attacker
could use that key indefinitely. If, however, the key is allowed to
expire then a new key must be generated, making the attacker’s stolen key no
Chapter 11 Review Questions
1. A(n) _____ is a weakness that allows a threat agent to bypass security.
2. The _____ defines the overall process involved with developing a security policy.
a. security policy cycle
b. risk identification cycle
c. monitoring scope
d. evaluation cycle
3. Each of the following is a step of risk identification except _________________.
a. Inventory the assets
b. Decide what to do about the risks
c. Determine what threats exist against the assets
d. Write the security policy
4. Each of the following is an asset except _________________.
5. Each of the following is an attribute that should be compiled for hardware when
performing an asset identification except _________________.
a. the name of the equipment
b. the manufacturer’s serial number
c. the MAC and IP address
d. the cost
6. A tool used in threat modeling is an attack tree. True or false?
7. A vulnerability appraisal is the last step of compliance monitoring and evaluation.
True or false?
8. It is possible to eliminate the risk for all assets. True or false?
9. A guideline is a document that outlines specific requirements or rules that must be
met. True or false?
10. Two elements that must be balanced in an information security policy are trust
and control. True or false?
11. _____ is defined as the obligations that are imposed on owners and operators of
assets to exercise reasonable care of the asset and take necessary precautions to
protect it. Due care
12. _____ means that one person’s work serves as a complimentary check on another
person’s. Separation of duties
13. An information security policy should clearly outline that all information is
provided on a strictly _____ basis. need-to-know
14. A(n) _____ defines what actions the users of a system may perform while using
the computing and networking equipment. acceptable use policy (AUP)
15. A(n) _____ is a contract between a vendor and an organization for services.
service-level agreement (SLA) policy
16. Explain the composition and goals of a security policy development team.
Security policy design should be the work of a team and not one or two
technicians. A security policy development team should be formed to handle
the task. The team should be charged with developing the initial draft of the
policy, determining which groups are required to review each policy, the
required approval process and finally how it will be implemented. Ideally the
team should have these representatives:
• a senior level administrator
• a member of management who can enforce the policy
• a member of the legal staff
• a representative from the user community
The size of the security policy development team will depend on the size and
scope of the policy. Small scale policies may only require a few participants
while larger policies may require a team of ten.
The team should first decide on the scope and goals of the policy. The scope
should be a statement about who is covered by the policy while the goals
outline what the policy attempts to achieve. The team must also decide on
how specific to make the policy. A security policy is not meant to be a
detailed plan regarding how it is to be implemented.
17. What actions should be taken by the incident response team (IRT) when an
attack penetrates security?
Once an incident is identified the IRT should immediately convene and assess
the situation. The immediate decision will be how to contain
the incident. If the attack is coming electronically through the network it
may be necessary to take preventive measures to limit the spread of the
attack, such as temporarily shutting off the mail server from replicating a
virus. Other containment actions may include reconfiguring firewalls,
updating antivirus software, or implementing an emergency patch
management system. In extreme cases even the connection to the Internet
may be terminated. After the incident is contained the next steps are to
determine the cause of the attack, assess its damage, and implement recovery
procedures to get the organization back to normal as quickly as possible.
Once the incident is over a review of security is essential to ensure that a
repeat attack is not successful.
18. Explain why an ethics policy can be useful.
The main purpose of an ethics policy is to state the values, principles and ideals
that each member of an organization must agree to. In particular, the code is
intended to uphold and advance the honor, dignity and effectiveness of the
organization. A code of ethics can also help to clarify some of the ethical
obligations and responsibilities undertaken by users. This is important
because no single set of rules could apply to the enormous variety of
situations and responsibilities that exist. While users must always be guided
by their own professional judgment, a code of ethics will help when
difficulties arise. A code of ethics also emphasizes to members and the public,
employers, and clients that the members of an organization are professionals
who are resolved to uphold their ethical ideals and obligations.
19. Describe the steps in the security policy cycle and what each one does.
The security policy cycle defines the overall process involved with developing
a security policy. The first part of the cycle is risk identification. Risk
identification seeks to determine the risks that an organization faces against
its information assets. That information then becomes the basis of developing
a security policy. A security policy is a document or series of documents that
clearly defines the defense mechanisms that an organization will employ to
keep information secure. It also outlines how the organization will respond to
attacks and the duties and responsibilities of its employees for information
security. Once the policy is completed it must constantly be reviewed for
compliance. And because new assets are continually being added to the
organization and new threats appear against the assets, compliance
monitoring and evaluation must regularly be conducted. The results of the
monitoring and evaluation (such as revealing that a new asset is unprotected)
then become input back into risk identification and the process begins again.
20. List and define the three actions an organization may take regarding risk.
There are three options an organization can take with a risk:
Accept the risk – This is accomplished by doing nothing at all but leaving
everything as is. The assumption is that an attack will occur sometime in the
future, but a decision has already been made to do nothing to protect against
Diminish the risk – To diminish or reduce the risk, additional hardware,
software, or procedures would be implemented.
Transfer the risk – This option makes someone else responsible for the
Chapter 12 Review Questions
1. Each of the following is a problem associated with users identifying and
authenticating themselves with multiple accounts except
a. Regulatory legislation
b. Weak password creation
c. E-commerce bottlenecks
d. Underworked support staff
2. _____ allows a user’s single authenticated ID to be shared across multiple
networks or online businesses.
a. Identity management
b. Password Sharing Protocol (PSP)
c. Privilege management
d. Change management
3. Each of the following is a key element of identity management except
a. Single sign-on (SSO)
b. Password synchronization
c. Password resets
d. RC4 hashing
4. Privilege management organizational structures are _________________.
a. Centralized or decentralized
b. Corporate or private
c. Internet-based or client-based
d. Secure or not secure
5. Each of the following is a name used to describe the highest level of Linux
privileges except ____________.
6. Privilege management attempts to simplify assigning and revoking access control
to users. True or false?
7. When an individual user is added to a group, that user inherits the privileges of
the group. True or false?
8. There are three types of audits of user privileges: usage audits, log audits, and
response audits. True or false?
9. The term change management refers to a methodology for making changes and
keeping track of those changes. True or false?
10. The goal of digital rights management (DRM) is to remove another layer of
security. True or false?
11. Books, music, plays, paintings, and photographs are all examples of _____
12. Secret information known as a(n) _____ is embedded into a document, image, or
song without the user’s knowledge so that illegal copies can be traced back to the
original owner. digital watermark
13. _____ is information about a document and can be stored in the header of an
eXtensible Markup Language (XML) file or another digital-content format.
14. _____ ensures that a user’s password is the same for every application to which
the user logs on. Password synchronization.
15. _____ audits are reviews of usage audits to determine if there is an unexpected
increase in privileges. Escalation
16. Explain the difference between file-based digital rights management (DRM) and
Protecting documents through DRM can be accomplished at one of two
different levels. The first level is file-based DRM and focuses on protecting
the content of a single file. Most document-creation software now allows a
user to determine the rights that the reader of the document may have. The
document can be encrypted and a password can be required to access the
document. Restrictions on the ability to print, edit, or copy the data can also be applied.
These restrictions can be contained in metadata, which is information about
a document. The disadvantage to file-based DRM is that each user must
determine the restrictions and apply the control mechanisms and keys must
be securely exchanged. In addition, file-based DRM is proprietary and
cannot be easily transferred between application software packages. That is,
the security settings for a Microsoft Word document are different from those
of an Adobe Acrobat document.
A more comprehensive approach is server-based DRM. Server-based
products can be integrated with Lightweight Directory Access Protocol
(LDAP) for authentication and can provide access to groups of users based
on their privileges. More granular restrictions can also be enforced, such as
limiting the number of accesses or setting a time in which access is permitted
(such as 6:00 AM to 3:30 PM on June 15). Audit controls can provide a usage
log of actions taken by each user.
17. List and describe the two types of organizational structures for privilege
The responsibility for privilege management can be either centralized or
decentralized. In a centralized structure, one unit is totally responsible for all
aspects of assigning or revoking privileges. Whereas this creates a unified
approach to privilege management, it also serves to slow down the process.
Users may sometimes wait days or longer for a request for changes to be
implemented. Because they do not have any control, users may be tempted to
circumvent the security, such as using the account and password of a co-
worker to access a file or bring in a rogue wireless access point from home. A
decentralized organizational structure for privilege management delegates
the authority for assigning or revoking privileges to smaller units, such as
each location hiring a network administrator to manage privileges. The
disadvantage is that each location may only be as good as that single network
administrator, particularly in terms of security. Unless the local network
administrator sees the “big picture,” she may provide access privileges that
affect another unit of the organization or create a security vulnerability. A
blending of centralized and decentralized organization may be the ultimate
choice. The corporate office may set the standards for privileges, but each
local office has the responsibility for implementing the standards.
18. Describe a privilege audit.
A privilege audit reviews the privileges that have been assigned to a specific
user or group. This audit begins by developing a list of the expected
privileges of a user. For example, if a user works in the Accounting
Department, it would be expected that they would have access to the monthly
financial reports and data files. Developing the list of expected privileges is
generally accomplished by reviewing the user’s job classification as detailed
in his or her file with the Human Resources Department. Next, an interview
with the user’s supervisor would reveal if additional privileges were granted
because of a special project to which the user was assigned. The paperwork
requesting these privileges should be closely reviewed.
19. Define “digital rights management” and tell why it is important.
Most organizations work hard to establish a security perimeter around a
network or system to prevent attackers from accessing information. Yet
information security can be enhanced by building a security fence around the
information itself. Known as digital rights management (DRM), the goal is to
provide yet another layer of security: an attacker who can break into a
network would still face yet another hurdle in trying to access information
20. List and define the four key elements of an identity management system.
There are four key elements in an identity management system. Single sign-
on (SSO) allows a user to log on one time to a network or a system, and then
access multiple applications and systems based on that single password.
When an application is opened, the SSO gives the authentication credentials
for the user to the application (as long as the user has the privilege to use that
application). An SSO requires its own infrastructure that validates user
identity and permissions before granting access.
The second element is password synchronization. Password synchronization,
like SSO, permits a user to use a single password to log on to multiple
servers. However, a separate ID and password must be used when accessing
each application on the server. Although password synchronization is a step
down from SSO, it does not require its own infrastructure. Password resets
are an element that reduces costs associated with password-related help desk
Identity management systems let users reset their own passwords and unlock
their accounts without relying upon the help desk. Users can do this through
a Web browser, a client program, or an interactive voice response system
using the telephone. All password reset requests must be authenticated. One
of the most interesting elements of identity management is access
management. Access management software controls who can access the
network while also managing the content and the business that users can
perform while online. It offers administrators a centralized command
structure for granting access. One feature is that administrators can entrust
management permission rights to business managers and other partners.
Chapter 13 Review Questions
1. Each of the following is a reason that computer forensics is important except
a. high amount of digital evidence
b. increased scrutiny by legal profession
c. higher level of computer skills by criminals
d. high turnover in IT staffing
2. Each of the following is a challenge that computer forensics faces except
a. low cost of evidence
b. volume of electronic evidence
c. distribution of evidence
d. dynamic content of electronic evidence
3. _____ contains information about files but can result in false leads.
4. _____ attempts to hide the existence of data.
d. Hidden Data Resource (HDR)
5. The first step a forensics response team performs is to _________________.
a. secure the crime scene
b. make a bitmap image of the hard drive
c. use the operating system to copy the drive to a CD-ROM
d. move the computer to a secure location
6. Digital photography is strongly recommended for taking pictures of a computer
that has been attacked. True or false?
7. After a bitmap resource snapshot (BRS) is taken of the hard drive, any volatile
data should then be captured. True or false?
8. A mirror image backup is the same as a normal copy of the data. True or false?
9. Byte-stream backup should be used first by a network technician and then given
to the forensic investigators. True or false?
10. Mirror image backups are considered a primary key to uncovering evidence
because they create an exact replica of the computer contents at the crime scene.
True or false?
11. _____ is the application of science to questions that are of interest to the legal
profession. Forensic science
12. The _____ is documentation that shows that the evidence was under strict control
at all times and no unauthorized individuals were given the opportunity to corrupt
the evidence. chain of custody
13. Microsoft Windows-based computer operating systems use a special file known
as a(n) _____ that functions as a “scratch pad” to write data when additional
RAM is full. Windows page file
14. _____ is a term used to describe all types of hidden data on a hard drive. Slack
15. Capturing volatile data and performing a mirror image backup are both steps that
are performed at the _____ stage of a forensics incidence response. Preserve the
16. Explain the difference between RAM slack and file slack.
A source of hidden data is called slack. There are two types of slack with
Windows-based computers. The first is RAM slack. Windows stores files in
512-byte blocks called sectors. Clusters are made up of blocks of sectors.
When a file is not long enough to fill up the last sector on a disk
(which is a common occurrence, because only rarely would a file size match
the exact sector size), Windows “makes up” the difference by padding the
remaining space with data that is currently stored in RAM. This creates
what is called RAM slack. RAM slack can contain any information that was
created, viewed, modified, downloaded, or copied since the computer was last
booted. Thus, if the computer has not been shut
down for several days, the data stored in RAM slack can come from activity
that occurred in the past. RAM slack pertains only to the last sector of a file.
If additional sectors are needed to round out the block size for the last cluster
assigned to the file, then a different type of slack is created. This is known as
drive slack because the padded data used comes from data that was stored on
the hard drive. Such data could contain remnants of previously deleted files
or data from the format pattern associated with disk storage space that has
yet to be used by the computer. Both RAM slack and drive slack can
potentially hold valuable evidence.
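To make the sector and cluster arithmetic concrete, here is an added example (not from the textbook) that computes how many bytes of RAM slack and drive slack a file leaves in its last cluster, and carves both regions out of a constructed cluster image. The 512-byte sector and 8-sector (4096-byte) cluster are assumptions, as is the sample data.

```python
# Added example (not from the textbook): how RAM slack and drive slack fall out
# of sector/cluster geometry, and how an examiner carves them from the raw
# bytes of a file's last cluster. Sector and cluster sizes are assumptions.

SECTOR_SIZE = 512          # assumed: 512-byte sectors, as in the text
SECTORS_PER_CLUSTER = 8    # assumed: 8 sectors per cluster (4096 bytes)


def slack_layout(file_size, sector_size=SECTOR_SIZE,
                 sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Return (ram_slack, drive_slack) in bytes for a file of file_size bytes.

    RAM slack: unused tail of the last sector the file reaches (padded from RAM).
    Drive slack: whole sectors of the last cluster the file never reaches
    (still holding whatever was on the disk before).
    """
    if file_size <= 0:
        return 0, 0
    tail = file_size % sector_size
    ram_slack = 0 if tail == 0 else sector_size - tail
    sectors_used = (file_size + sector_size - 1) // sector_size
    in_last_cluster = sectors_used % sectors_per_cluster or sectors_per_cluster
    drive_slack = (sectors_per_cluster - in_last_cluster) * sector_size
    return ram_slack, drive_slack


def carve_slack(last_cluster, bytes_of_file_in_cluster,
                sector_size=SECTOR_SIZE, sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Split the raw bytes of a file's last cluster into
    (file content, RAM slack, drive slack)."""
    if len(last_cluster) != sector_size * sectors_per_cluster:
        raise ValueError("expected exactly one cluster of data")
    n = bytes_of_file_in_cluster
    ram_slack, drive_slack = slack_layout(n, sector_size, sectors_per_cluster)
    content = last_cluster[:n]
    ram = last_cluster[n:n + ram_slack]
    drive = last_cluster[n + ram_slack:]
    if len(drive) != drive_slack:          # sanity check on the geometry
        raise ValueError("slack geometry does not match the buffer")
    return content, ram, drive


def demo_cluster():
    """Constructed sample cluster (not a real disk image): 1000 bytes of file,
    24 bytes of RAM slack, 3072 bytes of drive slack from a deleted file."""
    content = b"Quarterly report: revenue up 4%.".ljust(1000, b".")
    ram_slack = b"draft email: meet at 3pm".ljust(24, b"\x00")
    drive_slack = b"DELETED memo: merger schedule".ljust(3072, b"\x00")
    return content + ram_slack + drive_slack
```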
17. Describe how attackers are now targeting cell phones.
Viruses and worms are starting to appear that attack cell phones through
short-range wireless technology. These could potentially cause cell phones to
place calls on their own, running up big long-distance expenses. Infected cell
phones could also be used to launch DDoS attacks, relay spam, or infect a
user’s computer when the phone is synchronized with the computer to share
phone numbers and weekly schedules.
18. What is behavior blocking?
Behavior blocking protects computers by recognizing when they are not
acting normally. For example, a worm that infects a computer might
attempt to replicate itself by opening an unused port. Since that port is not
normally used by the system, its behavior would be recognized as out of the
ordinary and the port would be blocked.
19. How is host intrusion prevention (HIP) different from standard network security?
Host intrusion prevention (HIP) moves the security focus away from creating
only a strong perimeter to instead hardening individual systems. Programs
and users only have limited access to the operating system. The HIP restricts
the availability of functions like read, write, and execute, as well as protecting
system resources like ports, files and registry keys.
20. What is virus throttling? How can it be effective in limiting virus attacks?
On average, a user’s networked computer makes fewer than two network
connections per second. However, a computer infected with a virus attempts
to make hundreds or even thousands of connection attempts each second to
spread itself. Virus throttling slows the spread of viruses from an infected
computer by restricting the number of connections it can make with other
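The following added example (not from the textbook) shows a simplified virus throttle of the kind described above: connections to recently contacted hosts pass immediately, connections to new hosts are released at a fixed rate per one-second tick, and a delay queue that grows far beyond normal use is treated as the sign of an infected host. The working-set size, release rate, alarm threshold and the constructed traffic are assumptions, not the text's figures.

```python
# Added example (not from the textbook): a simplified virus throttle.
# New destinations are released at `rate` per one-second tick; a delay
# queue longer than `alarm_len` is treated as worm-like behaviour.
# Working-set size, rate and alarm threshold are assumed values.
from collections import deque


class ConnectionThrottle:
    def __init__(self, rate=1, working_set=5, alarm_len=100):
        self.rate = rate                            # new hosts allowed per tick
        self.working = deque(maxlen=working_set)    # recently contacted hosts
        self.queue = deque()                        # new hosts awaiting release
        self.alarm_len = alarm_len
        self.alarmed = False

    def request(self, dest):
        """Return 'pass' (sent now), 'queued' (delayed) or 'blocked' (alarmed)."""
        if self.alarmed:
            return "blocked"
        if dest in self.working:                    # known host: no delay
            return "pass"
        self.queue.append(dest)
        if len(self.queue) > self.alarm_len:        # far beyond normal behaviour
            self.alarmed = True
        return "queued"

    def tick(self):
        """Called once per second; releases up to `rate` queued destinations."""
        released = []
        while self.queue and len(released) < self.rate and not self.alarmed:
            dest = self.queue.popleft()
            self.working.append(dest)
            released.append(dest)
        return released


def simulate(throttle, attempts_per_second, seconds):
    """Drive the throttle with constructed traffic: attempts_per_second
    connection attempts to distinct hosts in each second.
    Returns (connections actually sent, queue length at the end, alarmed)."""
    sent, n = 0, 0
    for _ in range(seconds):
        for _ in range(attempts_per_second):
            n += 1
            if throttle.request(f"host-{n}") == "pass":
                sent += 1
        sent += len(throttle.tick())
    return sent, len(throttle.queue), throttle.alarmed
```

A normal host making one new connection per second is never delayed for more than a tick, while an infected host attempting 200 per second gets through only one per second and trips the alarm once its queue passes the threshold.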