CISSP- Telecommunications & Networking

1. A botnet can be characterized as

A network used solely for internal communications

An automatic security alerting tool for corporate networks

A group of dispersed, compromised machines controlled remotely for illicitreasons.

A type of virus

Bots” and “botnets” are most insidious implementations of unauthorized,
remote control of compromised systems. Such machines are essentially
zombies controlled by ethereal entities from the dark places on the Internet. Page 749.

Explanation

Bots” and “botnets” are most insidious implementations of unauthorized,
remote control of compromised systems. Such machines are essentially
zombies controlled by ethereal entities from the dark places on the Internet. Page 749.

2. A security event management (SEM) service performs the following function:

Gathers firewall logs for archiving

Aggregates logs from security devices and application servers looking forsuspicious activity

Reviews access controls logs on servers and physical entry points to matchuser system authorization with physical access permissions

Coordination software for security conferences and seminars.

SEM/SEIM systems have to understand a wide variety of diff erent
applications and network element (routers/switches) logs and formats; consolidate
these logs into a single database and then correlate events looking for clues to
unauthorized behaviors that would be otherwise inconclusive if observed in a single
log fi le. Page 751.

Explanation

SEM/SEIM systems have to understand a wide variety of diff erent
applications and network element (routers/switches) logs and formats; consolidate
these logs into a single database and then correlate events looking for clues to
unauthorized behaviors that would be otherwise inconclusive if observed in a single
log fi le. Page 751.

3. Which of the following end-point devices might be considered part of a converged IP network?

File server

IP phone

Security camera

All of the above

Correct answer is d. See Figure 10.3, Page 740.

Explanation

Correct answer is d. See Figure 10.3, Page 740.

4. In which of the following situations is the network itself not a target of attack?

A denial-of-service attack on servers on a network

Hacking into a router

A virus outbreak saturating network capacity

A man-in-the-middle attack

Although the modifi cation of messages will often happen at
the higher network layers, networks can be set up to provide robustness or resilience
against interception and change of a message (man-in-the-middle attack) or
replay attacks. Ways to accomplish this can be based on encryption or checksums
on messages, as well as on access control measures for clients that would prevent
an attacker from gaining the necessary access to send a modifi ed message into the
network. Page 745.

Explanation

Although the modifi cation of messages will often happen at
the higher network layers, networks can be set up to provide robustness or resilience
against interception and change of a message (man-in-the-middle attack) or
replay attacks. Ways to accomplish this can be based on encryption or checksums
on messages, as well as on access control measures for clients that would prevent
an attacker from gaining the necessary access to send a modifi ed message into the
network. Page 745.

5. In the OSI reference model, on which layer can Ethernet (IEEE 802.3) be described?

Layer 1—Physical layer

Layer 2—Data-link layer

Layer 3—Network Layer

Layer 4—Transport Layer

Layer 2, the data-link layer, describes data transfer between
machines, for instance, by an Ethernet. Page 735.

Explanation

Layer 2, the data-link layer, describes data transfer between
machines, for instance, by an Ethernet. Page 735.

6. What is the optimal placement for network-based intrusion detection systems (NIDSs)?

On the network perimeter, to alert the network administrator of all suspicioustraffic

On network segments with business-critical systems; e.g., demilitarizedzones (DMZs) and on certain intranet segments

At the network operations center (NOC)

At an external service provider

Intrusion detection systems (IDS) monitor activity and send
alerts when they detect suspicious traffi c. Th ere are two broad classifi cations of IDS:
host-based IDS, which monitor activity on servers and workstations, and networkbased
IDS, which monitor network activity. Page 750.

Explanation

Intrusion detection systems (IDS) monitor activity and send
alerts when they detect suspicious traffi c. Th ere are two broad classifi cations of IDS:
host-based IDS, which monitor activity on servers and workstations, and networkbased
IDS, which monitor network activity. Page 750.

7. Which of the following devices should not be part of a network's perimeter defense?

A boundary router

A firewall

A proxy server

None of the above

Th e security perimeter is the fi rst line of protection between
trusted and untrusted networks. In general, it includes a fi rewall and router that
helps fi lter traffi c. Security perimeters may also include proxies and devices, such
as an intrusion detection system (IDS), to warn of suspicious traffi c. Th e defensive
perimeter extends out from these fi rst protective devices, to include proactive
defense such as boundary routers which can provide early warning of upstream
attacks and threat activities. Page 765.

Explanation

Th e security perimeter is the fi rst line of protection between
trusted and untrusted networks. In general, it includes a fi rewall and router that
helps fi lter traffi c. Security perimeters may also include proxies and devices, such
as an intrusion detection system (IDS), to warn of suspicious traffi c. Th e defensive
perimeter extends out from these fi rst protective devices, to include proactive
defense such as boundary routers which can provide early warning of upstream
attacks and threat activities. Page 765.

8. Which of the following is an advantage of fiber-optic over copper cables from a security perspective?

Fiber optics provides higher bandwidth.

Fiber optics are more difficult to wiretap.

Fiber optics are immune to wiretap.

None. The two are equivalent; network security is independent from thephysical layer.

From a security perspective, fi ber optics’ immunity to electromagnetic
interference (EMI) and radio frequency interference (RFI) is important.
Because fi ber optics emit extremely small amounts of energy from the cable, data
cannot be as easily intercepted as information is transported through electric current
in wires. Page 762.

Explanation

From a security perspective, fi ber optics’ immunity to electromagnetic
interference (EMI) and radio frequency interference (RFI) is important.
Because fi ber optics emit extremely small amounts of energy from the cable, data
cannot be as easily intercepted as information is transported through electric current
in wires. Page 762.

9. Which of the following is a principal security risk of wireless LANs?

Lack of physical access control

Demonstrably insecure standards

Implementation weaknesses

War driving

Wireless networks allow users to be mobile while remaining
connected to a LAN. Unfortunately, this allows unauthorized users greater access to the LAN as well. In fact, many wireless LANs can be accessed off of the organization’s
property by anyone with a wireless card in a laptop, which eff ectively
extends the LAN where there are no physical controls. Page 777.

Explanation

Wireless networks allow users to be mobile while remaining
connected to a LAN. Unfortunately, this allows unauthorized users greater access to the LAN as well. In fact, many wireless LANs can be accessed off of the organization’s
property by anyone with a wireless card in a laptop, which eff ectively
extends the LAN where there are no physical controls. Page 777.

10. Which of the following is the principal weakness of DNS (Domain Name System)?

Lack of authentication of servers, and thereby authenticity of records

Its latency, which enables insertion of records between the time when arecord has expired and when it is refreshed

Authentication has been proposed but attempts to introduce
stronger authentication into DNS have not found wider acceptance. Authentication
services have been delegated upward to higher protocol layers. Applications in need
of guaranteeing authenticity cannot rely on DNS to provide such but will have to
implement a solution themselves. Page 818.

Explanation

Authentication has been proposed but attempts to introduce
stronger authentication into DNS have not found wider acceptance. Authentication
services have been delegated upward to higher protocol layers. Applications in need
of guaranteeing authenticity cannot rely on DNS to provide such but will have to
implement a solution themselves. Page 818.

11. Which of the following are true statements about IPSec? a IPSec provides mechanisms for authentication and encryption. b = IPSec provides mechanisms for nonrepudiation. c = IPSec will only be deployed with IPv6. d = IPSec authenticates hosts against each other. e = IPSec only authenticates clients against a server. f = IPSec is implemented in SSH and TLS.

A and d

A, b, and e

A, b, c, d, and f

A, b, c, e, and f

IP Security (IPSec) is a suite of protocols for communicating
securely with IP by providing mechanisms for authenticating and encryption.
Standard IPSec authenticates only hosts with each other. Page 804.

Explanation

IP Security (IPSec) is a suite of protocols for communicating
securely with IP by providing mechanisms for authenticating and encryption.
Standard IPSec authenticates only hosts with each other. Page 804.

12. Which of the following are eff ective protective or countermeasures against a distributed denial-of-service attack? a = Redundant network layout; b = Secret fully qualifi ed domain names (FQDNs); c = Reserved bandwidth; d = Traffic filtering; e = Network address translation (NAT).

B and e

B, d, and e

A and c

A, c, and d

Countermeasures to a denial-of-service attack include, but
are not limited to: multiple layers of fi rewalls, careful fi ltering on fi rewalls, routers
and switches, internal network access controls (NAC), redundant (diverse) network
connections, load balancing, reserved bandwidth (quality of service, which would
at least protect systems not directly targeted), and blocking traffi c from an attacker
on upstream router. Page 745.

Explanation

Countermeasures to a denial-of-service attack include, but
are not limited to: multiple layers of fi rewalls, careful fi ltering on fi rewalls, routers
and switches, internal network access controls (NAC), redundant (diverse) network
connections, load balancing, reserved bandwidth (quality of service, which would
at least protect systems not directly targeted), and blocking traffi c from an attacker
on upstream router. Page 745.

13. Which of the following tactics might be considered a part of a proactive network defense?

Redundant firewalls

Business continuity planning

Disallowing P2P traffic

Perimeter surveillance and intelligence gathering

Ideally to counter an attack, network security must also be proactive,
anticipate, and oppose the attack against their infrastructure by interdicting
and disrupting an attack preemptively or in self-defense. Th is requires intelligence
on the threat, active surveillance at the perimeter and beyond, and the ability to
intercede upstream or disable a threat agent’s tools. Page 742.

Explanation

Ideally to counter an attack, network security must also be proactive,
anticipate, and oppose the attack against their infrastructure by interdicting
and disrupting an attack preemptively or in self-defense. Th is requires intelligence
on the threat, active surveillance at the perimeter and beyond, and the ability to
intercede upstream or disable a threat agent’s tools. Page 742.

14. Which of the following statements about open e-mail relays is incorrect?

An open e-mail relay is a server that forward e-mail from domains otherthan the ones it serves.

Open e-mail relays are a principal tool for distribution of spam.

An open e-mail relay is widely considered a sign of bad systemadministration.

Although using blacklists as one indicator in spam fi ltering has
its merits, it is risky to use them as an exclusive indicator. Generally, they are run by
private organizations and individuals according to their own rules, they are able to
change their policies on a whim, they can vanish overnight for any reason, and they
can rarely be held accountable for the way they operate their lists. Page 827.

Explanation

Although using blacklists as one indicator in spam fi ltering has
its merits, it is risky to use them as an exclusive indicator. Generally, they are run by
private organizations and individuals according to their own rules, they are able to
change their policies on a whim, they can vanish overnight for any reason, and they
can rarely be held accountable for the way they operate their lists. Page 827.

15. Which of the following confi gurations of a WLAN's SSID off ers adequate security protection?

Using an obscure SSID to confuse and distract an attacker

Not using any SSID at all to prevent an attacker from connecting to thenetwork

Not broadcasting an SSID to make it harder to detect the WLAN

None of the above

Correct answer is d. SSIDs are not for authentication. Page 778.

Explanation

Correct answer is d. SSIDs are not for authentication. Page 778.