CASP ? 181-210 Network Diagrams

1. Company A has experienced external attacks on their network and wants to minimize the attacks from reoccurring. Modify the proposed network diagram to prevent SQL injections, XSS attacks, smurf attacks, email spam,downloaded malware viruses and ping attacks. The company can spend a maximum of 50,000$ USD. A cost list for each item is listed below.1. Anti-Virus-Server 10,000$2. Firewall 15,000$3. Load Ballance Server 10,000$4. NIDS/NIPS 10,000$5. Packet Analyzer 5,000$6. Patch Server 10,000$7. Proxy Server 10,000$8. Router 10,000$9. Spam Filter 5,000$10. Traffic Shaper 20,000011. Web Application Firewall 10,000$Instructions: Not all placeholders in the diagram need to be filled and items can only be billed once. If you place an object on the network diagram, you can remove it by clicking the (x) in the upper right hand corner of the object.

Option 2

not-available-via-ai

Explanation

not-available-via-ai

2. Compliance with company policy requires a quarterly review of firewall rules. A new administrator is asked to conduct this review on the internal firewall sitting between several internal networks. The intent of this firewall is to make traffic more restrictive. Given the following information answer the questions below.User Subnet 192.168.1.0/24Server Subnet 192.168.2.0/24Finance Subnet 192.168.3.0/24Instructions: To perform the necessary tasks, please modify the DST port, Protocol, Action and/or rule order columns, Firewall ACLs and read from the top down administrator added a rule to allow their machine terminal server access to the sever subnet. This is not working. Identify this rule and correct this web servers have been changed to communicate soley over SSL. Modify the appropriate rule to allow communications. Administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue. Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed.

Option 4

192.18.1.0/24 any 192.168.20.0/24 3389 any

The given correct answer (Option 4) is the rule that the new administrator added to allow their machine terminal server access to the server subnet. However, this rule is not working as intended. The correct configuration should be 192.168.1.0/24 any 192.168.20.0/24 3389 any, which means allowing any traffic from the user subnet (192.168.1.0/24) to the server subnet (192.168.20.0/24) on port 3389 (which is the port used for terminal server access).

Explanation

The given correct answer (Option 4) is the rule that the new administrator added to allow their machine terminal server access to the server subnet. However, this rule is not working as intended. The correct configuration should be 192.168.1.0/24 any 192.168.20.0/24 3389 any, which means allowing any traffic from the user subnet (192.168.1.0/24) to the server subnet (192.168.20.0/24) on port 3389 (which is the port used for terminal server access).

3.

Answer: You need to check the hash value of download software with md5 utility.

Option 2

not-available-via-ai

Explanation

not-available-via-ai

4. A healthcare company recently purchased the building next door located on the same campus.The building previously did not have any IT infrastructure. The building manager has selected fourpotential locations to place IT equipment consisting of a half height open server rack with fiveswitches, a router, a firewall, and two servers. Given the descriptions below, where would thesecurity engineer MOST likely recommend placing the rack?The Boiler Room: The rack can be placed 5 feet (1.5 meters) up on the wall, between the secondand third boiler. The room is locked and only maintenance has access to it.The Reception AreA. The reception area is an open area right as customers enter. There is acloset 5 feet by 5 feet (1.5 meters by 1.5 meters) that the rack will be placed in with floor mounts.There is a 3 digit PIN lock that the receptionist sets.The Rehabilitation AreA. The rack needs to be out of the way from patients using the whirlpoolbath, so it will be wall mounted 8 feet (2.4 meters) up as the area has high ceilings. The rehabarea is staffed full time and admittance is by key card only.The Finance AreA. There is an unused office in the corner of the area that can be used for theserver rack. The rack will be floor mounted. The finance area is locked and alarmed at night.

The Rehabilitation Area

The Reception Area

The Boiler Room

The Finance Area

The security engineer would most likely recommend placing the rack in the Finance Area. This area is locked and alarmed at night, providing an extra layer of security. Additionally, the rack will be floor mounted, which can provide stability and easier access for maintenance. The unused office in the corner of the Finance Area can be utilized for the server rack, ensuring that it is out of the way and not interfering with daily operations.

Explanation

The security engineer would most likely recommend placing the rack in the Finance Area. This area is locked and alarmed at night, providing an extra layer of security. Additionally, the rack will be floor mounted, which can provide stability and easier access for maintenance. The unused office in the corner of the Finance Area can be utilized for the server rack, ensuring that it is out of the way and not interfering with daily operations.

5. The root cause analysis of a recent security incident reveals that an attacker accessed a printerfrom the Internet. The attacker then accessed the print server, using the printer as a launch padfor a shell exploit. The print server logs show that the attacker was able to exploit multipleaccounts, ultimately launching a successful DoS attack on the domain controller. Defendingagainst which of the following attacks should form the basis of the incident mitigation plan?

DDoS

SYN flood

Buffer overflow

Privilege escalation

The incident analysis reveals that the attacker was able to exploit multiple accounts and launch a successful DoS attack on the domain controller. This indicates that the attacker was able to elevate their privileges within the system, which is known as privilege escalation. Therefore, defending against privilege escalation should form the basis of the incident mitigation plan to prevent similar attacks in the future.

Explanation

The incident analysis reveals that the attacker was able to exploit multiple accounts and launch a successful DoS attack on the domain controller. This indicates that the attacker was able to elevate their privileges within the system, which is known as privilege escalation. Therefore, defending against privilege escalation should form the basis of the incident mitigation plan to prevent similar attacks in the future.

6. An existing enterprise architecture included an enclave where sensitive research and developmentwork was conducted. This network enclave also served as a storage location for proprietarycorporate data and records. The initial security architect chose to protect the enclave by restrictingaccess to a single physical port on a firewall. All downstream network devices were isolated fromthe rest of the network and communicated solely through the single 100mbps firewall port. Overtime, researchers connected devices on the protected enclave directly to external resources andcorporate data stores. Mobile and wireless devices were also added to the enclave to support highspeed data research. Which of the following BEST describes the process which weakened thesecurity posture of the enclave?

Emerging business requirements led to the de-perimiterization of the network.

Emerging security threats rendered the existing architecture obsolete.

The single firewall port was oversaturated with network packets.

The shrinking of an overall attack surface due to the additional access.

The correct answer is "Emerging business requirements led to the de-perimeterization of the network." This means that as the business needs evolved, the network architecture shifted away from a perimeter-based security model where all devices were isolated behind a single firewall port. Instead, devices on the protected enclave started connecting directly to external resources and corporate data stores, and mobile and wireless devices were added. This weakened the security posture of the enclave as it allowed for more direct access to sensitive data and increased the potential attack surface.

Explanation

The correct answer is "Emerging business requirements led to the de-perimeterization of the network." This means that as the business needs evolved, the network architecture shifted away from a perimeter-based security model where all devices were isolated behind a single firewall port. Instead, devices on the protected enclave started connecting directly to external resources and corporate data stores, and mobile and wireless devices were added. This weakened the security posture of the enclave as it allowed for more direct access to sensitive data and increased the potential attack surface.

7. Which of the following potential vulnerabilities exists in the following code snippet?var myEmail = document.getElementById("formInputEmail").value;if (xmlhttp.readyState==4 && xmlhttp.status==200){Document.getElementById("profileBox").innerHTML = "Emails will be sent to " + myEmail +xmlhttp.responseText;}

Javascript buffer overflow

AJAX XHR weaknesses

DOM-based XSS

JSON weaknesses

The potential vulnerability that exists in the given code snippet is DOM-based XSS (Cross-Site Scripting). This vulnerability occurs when untrusted data is included in the DOM (Document Object Model) without proper sanitization or validation. In this code, the value of the "myEmail" variable is directly concatenated with the responseText from the XMLHttpRequest, which could potentially allow an attacker to inject malicious scripts into the DOM and execute them in the user's browser. This can lead to unauthorized access, data theft, or other malicious activities.

Explanation

The potential vulnerability that exists in the given code snippet is DOM-based XSS (Cross-Site Scripting). This vulnerability occurs when untrusted data is included in the DOM (Document Object Model) without proper sanitization or validation. In this code, the value of the "myEmail" variable is directly concatenated with the responseText from the XMLHttpRequest, which could potentially allow an attacker to inject malicious scripts into the DOM and execute them in the user's browser. This can lead to unauthorized access, data theft, or other malicious activities.

8.

Option 1

Option 2

Option 3

Option 4

not-available-via-ai

Explanation

not-available-via-ai

9. At one time, security architecture best practices led to networks with a limited number (1-3) ofnetwork access points. This restriction allowed for the concentration of security resources andresulted in a well defined attack surface. The introduction of wireless networks, highly portablenetwork devices, and cloud service providers has rendered the network boundary and attacksurface increasingly porous. This evolution of the security architecture has led to which of the following?

Increased security capabilities, the same amount of security risks and a higher TCO but asmaller corporate data center on average.

Increased business capabilities and increased security risks with a lower TCO and smallerphysical footprint on the corporate network.

Increased business capabilities and increased security risks with a higher TCO and a largerphysical footprint.

Decreased business capabilities and increased security risks with a lower TCO and increasedlogical footprint due to virtualization.

The introduction of wireless networks, portable network devices, and cloud service providers has made the network boundary more porous, resulting in increased business capabilities. However, this evolution of security architecture has also led to increased security risks, as the attack surface has become larger. Additionally, maintaining and securing these new technologies and resources can lead to a higher total cost of ownership (TCO). Lastly, the physical footprint of the corporate network may also increase due to the addition of these new technologies.

Explanation

The introduction of wireless networks, portable network devices, and cloud service providers has made the network boundary more porous, resulting in increased business capabilities. However, this evolution of security architecture has also led to increased security risks, as the attack surface has become larger. Additionally, maintaining and securing these new technologies and resources can lead to a higher total cost of ownership (TCO). Lastly, the physical footprint of the corporate network may also increase due to the addition of these new technologies.

10. A financial institution wants to reduce the costs associated with managing and troubleshootingemployees' desktops and applications, while keeping employees from copying data onto externalstorage. The Chief Information Officer (CIO) has asked the security team to evaluate four solutionssubmitted by the change management group. Which of the following BEST accomplishes thistask?

Implement desktop virtualization and encrypt all sensitive data at rest and in transit.

Implement server virtualization and move the application from the desktop to the server.

Implement VDI and disable hardware and storage mapping from the thin client.

Move the critical applications to a private cloud and disable VPN and tunneling.

Implementing VDI (Virtual Desktop Infrastructure) allows the financial institution to centralize desktop management and troubleshooting, reducing costs associated with managing and troubleshooting employees' desktops and applications. By disabling hardware and storage mapping from the thin client, employees are prevented from copying data onto external storage, ensuring data security. This solution effectively addresses the CIO's objective of reducing costs and preventing data leakage.

Explanation

Implementing VDI (Virtual Desktop Infrastructure) allows the financial institution to centralize desktop management and troubleshooting, reducing costs associated with managing and troubleshooting employees' desktops and applications. By disabling hardware and storage mapping from the thin client, employees are prevented from copying data onto external storage, ensuring data security. This solution effectively addresses the CIO's objective of reducing costs and preventing data leakage.

11. An ecommerce application on a Linux server does not properly track the number of incomingconnections to the server and may leave the server vulnerable to which of following?

Buffer Overflow Attack

Storage Consumption Attack

Denial of Service Attack

Race Condition

A denial of service (DoS) attack is a type of cyber attack where the attacker overwhelms a server or network with a flood of illegitimate requests, causing it to become unavailable to legitimate users. In this scenario, the ecommerce application's failure to track incoming connections properly means that it cannot effectively manage the number of requests it receives. This vulnerability can be exploited by an attacker to flood the server with a large number of requests, ultimately leading to a denial of service for legitimate users.

Explanation

A denial of service (DoS) attack is a type of cyber attack where the attacker overwhelms a server or network with a flood of illegitimate requests, causing it to become unavailable to legitimate users. In this scenario, the ecommerce application's failure to track incoming connections properly means that it cannot effectively manage the number of requests it receives. This vulnerability can be exploited by an attacker to flood the server with a large number of requests, ultimately leading to a denial of service for legitimate users.

12. A company has recently implemented a video conference solution that uses the H.323 protocol.The security engineer is asked to make recommendations on how to secure video conferences toprotect confidentiality. Which of the following should the security engineer recommend?

Implement H.235 extensions with DES to secure the audio and video transport.

Recommend moving to SIP and RTP as those protocols are inherently secure.

Recommend implementing G.711 for the audio channel and H.264 for the video.

Encapsulate the audio channel in the G.711 codec rather than the unsecured Speex.

The security engineer should recommend implementing H.235 extensions with DES to secure the audio and video transport. H.235 is a security protocol that provides encryption and authentication for H.323 video conferences. DES (Data Encryption Standard) is a symmetric encryption algorithm that can be used to encrypt the audio and video data, ensuring confidentiality. By implementing H.235 extensions with DES, the company can protect the confidentiality of their video conferences and prevent unauthorized access to the audio and video data.

Explanation

The security engineer should recommend implementing H.235 extensions with DES to secure the audio and video transport. H.235 is a security protocol that provides encryption and authentication for H.323 video conferences. DES (Data Encryption Standard) is a symmetric encryption algorithm that can be used to encrypt the audio and video data, ensuring confidentiality. By implementing H.235 extensions with DES, the company can protect the confidentiality of their video conferences and prevent unauthorized access to the audio and video data.

13. A company recently experienced a malware outbreak. It was caused by a vendor using anapproved non-company device on the company's corporate network that impacted manufacturinglines, causing a week of downtime to recover from the attack. Which of the following reduces thisthreat and minimizes potential impact on the manufacturing lines?

Disable remote access capabilities on manufacturing SCADA systems.

Require a NIPS for all communications to and from manufacturing SCADA systems.

Add anti-virus and client firewall capabilities to the manufacturing SCADA systems.

Deploy an ACL that restricts access from the corporate network to the manufacturing SCADAsystems.

Deploying an ACL (Access Control List) that restricts access from the corporate network to the manufacturing SCADA (Supervisory Control and Data Acquisition) systems would reduce the threat and minimize potential impact on the manufacturing lines. By implementing this measure, unauthorized devices or vendors using non-company devices would be prevented from accessing the SCADA systems, reducing the risk of malware outbreaks and potential downtime. This would ensure that only authorized and approved devices have access to the manufacturing systems, enhancing security and protecting against future attacks.

Explanation

Deploying an ACL (Access Control List) that restricts access from the corporate network to the manufacturing SCADA (Supervisory Control and Data Acquisition) systems would reduce the threat and minimize potential impact on the manufacturing lines. By implementing this measure, unauthorized devices or vendors using non-company devices would be prevented from accessing the SCADA systems, reducing the risk of malware outbreaks and potential downtime. This would ensure that only authorized and approved devices have access to the manufacturing systems, enhancing security and protecting against future attacks.

14. A security architect is seeking to outsource company server resources to a commercial cloudservice provider. The provider under consideration has a reputation for poorly controlling physicalaccess to datacenters and has been the victim of multiple social engineering attacks. The serviceprovider regularly assigns VMs from multiple clients to the same physical resources. Whenconducting the final risk assessment which of the following should the security architect take intoconsideration?

The ability to implement user training programs for the purpose of educating internal staff aboutthe dangers of social engineering.

The cost of resources required to relocate services in the event of resource exhaustion on aparticular VM.

The likelihood a malicious user will obtain proprietary information by gaining local access to thehypervisor platform.

Annual loss expectancy resulting from social engineering attacks against the cloud serviceprovider affecting corporate network infrastructure.

The security architect should take into consideration the likelihood that a malicious user will obtain proprietary information by gaining local access to the hypervisor platform. This is because the commercial cloud service provider has a reputation for poorly controlling physical access to datacenters and has been the victim of multiple social engineering attacks. Therefore, there is a higher risk of unauthorized access to the hypervisor platform, which could result in the theft of proprietary information.

Explanation

The security architect should take into consideration the likelihood that a malicious user will obtain proprietary information by gaining local access to the hypervisor platform. This is because the commercial cloud service provider has a reputation for poorly controlling physical access to datacenters and has been the victim of multiple social engineering attacks. Therefore, there is a higher risk of unauthorized access to the hypervisor platform, which could result in the theft of proprietary information.

15. A company is planning to deploy an in-house Security Operations Center (SOC).One of the new requirements is to deploy a NIPS solution into the Internet facing environment.The SOC highlighted the following requirements:Perform fingerprinting on unfiltered inbound traffic to the companyMonitor all inbound and outbound traffic to the DMZ'sIn which of the following places should the NIPS be placed in the network?

In front of the Internet firewall and in front of the DMZs

In front of the Internet firewall and in front of the internal firewall

In front of the Internet firewall and behind the internal firewall

Behind the Internet firewall and in front of the DMZs

The NIPS should be placed in front of the Internet firewall and in front of the DMZs because it needs to perform fingerprinting on unfiltered inbound traffic to the company and monitor all inbound and outbound traffic to the DMZs. Placing the NIPS in this location allows it to inspect and analyze the traffic before it reaches the DMZs, providing an additional layer of security and protection for the company's network.

Explanation

The NIPS should be placed in front of the Internet firewall and in front of the DMZs because it needs to perform fingerprinting on unfiltered inbound traffic to the company and monitor all inbound and outbound traffic to the DMZs. Placing the NIPS in this location allows it to inspect and analyze the traffic before it reaches the DMZs, providing an additional layer of security and protection for the company's network.

16. An administrator is unable to connect to a server via VNC. Upon investigating the host firewallconfiguration, the administrator sees the following lines:A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j DENYA INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DENYA INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPTA INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DENYA INPUT -m state --state NEW -m tcp -p tcp --sport 3389 -j ACCEPTWhich of the following should occur to allow VNC access to the server?

DENY needs to be changed to ACCEPT on one line.

A line needs to be added.

A line needs to be removed.

Fix the typo in one line.

Based on the given information, the administrator is unable to connect to the server via VNC. The firewall configuration shows that all incoming connections on ports 3389, 22, and 80 are being denied, while incoming connections on port 10000 are being allowed. However, there is no rule specifically allowing incoming connections on the VNC port (typically port 5900). Therefore, to allow VNC access to the server, a line needs to be added to the firewall configuration to accept incoming connections on the VNC port.

Explanation

Based on the given information, the administrator is unable to connect to the server via VNC. The firewall configuration shows that all incoming connections on ports 3389, 22, and 80 are being denied, while incoming connections on port 10000 are being allowed. However, there is no rule specifically allowing incoming connections on the VNC port (typically port 5900). Therefore, to allow VNC access to the server, a line needs to be added to the firewall configuration to accept incoming connections on the VNC port.

17. The Chief Information Security Officer (CISO) has just returned from attending a securityconference and now wants to implement a Security Operations Center (SOC) to improve andcoordinate the detection of unauthorized access to the enterprise. The CISO's biggest concern isthe increased number of attacks that the current infrastructure cannot detect. Which of thefollowing is MOST likely to be used in a SOC to address the CISO's concerns?

DLP, Analytics, SIEM, Forensics, NIPS, HIPS, WIPS and eGRC

Forensics, White box testing, Log correlation, HIDS, and SSO

Vulnerability assessments, NIDP, HIDS, SCAP, Analytics and SIEM

EGRC, WIPS, Federated ID, Network enumerator, NIPS and Port Scanners

The Chief Information Security Officer (CISO) wants to implement a Security Operations Center (SOC) to improve and coordinate the detection of unauthorized access to the enterprise. The CISO's biggest concern is the increased number of attacks that the current infrastructure cannot detect. To address these concerns, the SOC would likely use a combination of tools and technologies such as Data Loss Prevention (DLP), Analytics, Security Information and Event Management (SIEM), Forensics, Network Intrusion Prevention Systems (NIPS), Host Intrusion Prevention Systems (HIPS), Wireless Intrusion Prevention Systems (WIPS), and Enterprise Governance, Risk, and Compliance (eGRC) solutions. These tools and technologies would help enhance the organization's ability to detect and respond to security incidents.

Explanation

The Chief Information Security Officer (CISO) wants to implement a Security Operations Center (SOC) to improve and coordinate the detection of unauthorized access to the enterprise. The CISO's biggest concern is the increased number of attacks that the current infrastructure cannot detect. To address these concerns, the SOC would likely use a combination of tools and technologies such as Data Loss Prevention (DLP), Analytics, Security Information and Event Management (SIEM), Forensics, Network Intrusion Prevention Systems (NIPS), Host Intrusion Prevention Systems (HIPS), Wireless Intrusion Prevention Systems (WIPS), and Enterprise Governance, Risk, and Compliance (eGRC) solutions. These tools and technologies would help enhance the organization's ability to detect and respond to security incidents.

18. Company A has a remote work force that often includes independent contractors and out of statefull time employees. Company A's security engineer has been asked to implement a solution allowing these users to collaborate on projects with the following goals:-All communications between parties need to be encrypted in transportUsers must all have the same application sets at the same versionAll data must remain at Company A's siteAll users must not access the system between 12:00 and 1:00 as that is the maintenancewindowEasy to maintain, patch and change application environmentWhich of the following solutions should the security engineer recommend to meet the MOSTgoals?

Create an extranet web portal using third party web based office applications. Ensure thatCompany A maintains the administrative access.

This solution meets the most goals outlined in the question. By installing an SSL VPN to Company A's datacenter, all communications between parties will be encrypted in transport. Having users connect to a standard virtual workstation image ensures that they all have the same application sets at the same version. Setting workstation time of day restrictions allows for the system to be inaccessible between 12:00 and 1:00, satisfying that requirement. Additionally, by using a virtual workstation image, it is easy to maintain, patch, and change the application environment.

Explanation

This solution meets the most goals outlined in the question. By installing an SSL VPN to Company A's datacenter, all communications between parties will be encrypted in transport. Having users connect to a standard virtual workstation image ensures that they all have the same application sets at the same version. Setting workstation time of day restrictions allows for the system to be inaccessible between 12:00 and 1:00, satisfying that requirement. Additionally, by using a virtual workstation image, it is easy to maintain, patch, and change the application environment.

19. Company ABC has a 100Mbps fiber connection from headquarters to a remote office 200km (123miles) away. This connection is provided by the local cable television company. ABC would like toextend a secure VLAN to the remote office, but the cable company says this is impossible sincethey already use VLANs on their internal network. Which of the following protocols should thecable company be using to allow their customers to establish VLANs to other sites?

IS-IS

EIGRP

MPLS

802.1q

The cable company should be using MPLS (Multiprotocol Label Switching) to allow their customers to establish VLANs to other sites. MPLS is a protocol that enables the creation of virtual private networks (VPNs) over a shared network infrastructure. It allows for the creation of secure and isolated VLANs, which would meet the requirements of ABC to extend a secure VLAN to the remote office.

Explanation

The cable company should be using MPLS (Multiprotocol Label Switching) to allow their customers to establish VLANs to other sites. MPLS is a protocol that enables the creation of virtual private networks (VPNs) over a shared network infrastructure. It allows for the creation of secure and isolated VLANs, which would meet the requirements of ABC to extend a secure VLAN to the remote office.

20. An administrator notices the following file in the Linux server's /tmp directory.-rwsr-xr-x. 4 root root 234223 Jun 6 22:52 bash*Which of the following should be done to prevent further attacks of this nature?

Never mount the /tmp directory over NFS

Stop the rpcidmapd service from running

Mount all tmp directories nosuid, noexec

Restrict access to the /tmp directory

not-available-via-ai

Explanation

not-available-via-ai

21. Company ABC has entered into a marketing agreement with Company XYZ, whereby ABC willshare some of its customer information with XYZ. However, XYZ can only contact ABC customerswho explicitly agreed to being contacted by third parties. Which of the following documents wouldcontain the details of this marketing agreement?

BPA

ISA

NDA

SLA

A Business Partner Agreement (BPA) would contain the details of the marketing agreement between Company ABC and Company XYZ. This agreement would outline the terms and conditions of sharing customer information and the explicit consent required for XYZ to contact ABC customers.

Explanation

A Business Partner Agreement (BPA) would contain the details of the marketing agreement between Company ABC and Company XYZ. This agreement would outline the terms and conditions of sharing customer information and the explicit consent required for XYZ to contact ABC customers.

22. A network security engineer would like to allow authorized groups to access network devices witha shell restricted to only show information while still authenticating the administrator's group to anunrestricted shell. Which of the following can be configured to authenticate and enforce these shellrestrictions? (Select TWO).

Single Sign On

Active Directory

Kerberos

NIS+

RADIUS

TACACS+

RADIUS and TACACS+ can be configured to authenticate and enforce shell restrictions. RADIUS (Remote Authentication Dial-In User Service) is a protocol that provides centralized authentication, authorization, and accounting for remote access to network resources. It can be configured to enforce restrictions on the shell access based on user groups. TACACS+ (Terminal Access Controller Access Control System Plus) is a similar protocol that provides authentication, authorization, and accounting services. It can also be configured to enforce shell restrictions based on user groups. Both protocols allow network security engineers to control access to network devices and restrict the shell functionalities for different user groups.

Explanation

RADIUS and TACACS+ can be configured to authenticate and enforce shell restrictions. RADIUS (Remote Authentication Dial-In User Service) is a protocol that provides centralized authentication, authorization, and accounting for remote access to network resources. It can be configured to enforce restrictions on the shell access based on user groups. TACACS+ (Terminal Access Controller Access Control System Plus) is a similar protocol that provides authentication, authorization, and accounting services. It can also be configured to enforce shell restrictions based on user groups. Both protocols allow network security engineers to control access to network devices and restrict the shell functionalities for different user groups.

Submit

23. A startup company offering software on demand has hired a security consultant to provideexpertise on data security. The company's clients are concerned about data confidentiality. Thesecurity consultant must design an environment with data confidentiality as the top priority, overavailability and integrity. Which of the following designs is BEST suited for this purpose?

In this scenario, the best design for prioritizing data confidentiality is to assign each client a set of virtual hosts running shared hardware. The physical storage is partitioned into LUNS and assigned to each client, ensuring that their data is kept separate. MPLS technology is used to segment and encrypt each client's networks, providing an additional layer of security. The use of PKI-based remote desktop with hardware tokens adds another level of authentication and secure access for the clients. This design ensures that each client's data is kept confidential and protected from unauthorized access.

Explanation

In this scenario, the best design for prioritizing data confidentiality is to assign each client a set of virtual hosts running shared hardware. The physical storage is partitioned into LUNS and assigned to each client, ensuring that their data is kept separate. MPLS technology is used to segment and encrypt each client's networks, providing an additional layer of security. The use of PKI-based remote desktop with hardware tokens adds another level of authentication and secure access for the clients. This design ensures that each client's data is kept confidential and protected from unauthorized access.

24. Capital Reconnaissance, LLC is building a brand new research and testing location, and thephysical security manager wants to deploy IP-based access control and video surveillance. Thesetwo systems are essential for keeping the building open for operations. Which of the followingcontrols should the security administrator recommend to determine new threats against the newIP-based access control and video surveillance systems?

Develop a network traffic baseline for each of the physical security systems.

Air gap the physical security networks from the administrative and operational networks.

Require separate non-VLANed networks and NIPS for each physical security system network.

Have the Network Operations Center (NOC) review logs and create a CERT to respond tobreaches.

To determine new threats against the new IP-based access control and video surveillance systems, the security administrator should recommend developing a network traffic baseline for each of the physical security systems. This involves monitoring and analyzing the normal network traffic patterns and behaviors of the access control and video surveillance systems. By establishing a baseline, any deviations or anomalies in network traffic can be identified, indicating potential threats or attacks against the systems. This proactive approach allows for early detection and response to any security breaches or vulnerabilities.

Explanation

To determine new threats against the new IP-based access control and video surveillance systems, the security administrator should recommend developing a network traffic baseline for each of the physical security systems. This involves monitoring and analyzing the normal network traffic patterns and behaviors of the access control and video surveillance systems. By establishing a baseline, any deviations or anomalies in network traffic can be identified, indicating potential threats or attacks against the systems. This proactive approach allows for early detection and response to any security breaches or vulnerabilities.

25. Company A is trying to implement controls to reduce costs and time spent on litigation. Toaccomplish this, Company A has established several goals:Prevent data breaches from lost/stolen assetsReduce time to fulfill e-discovery requestsPrevent PII from leaving the networkLessen the network perimeter attack surfaceReduce internal fraudWhich of the following solutions accomplishes the MOST of these goals?

The solution that accomplishes the most of the given goals is to implement separation of duties, enable full encryption on USB devices and cell phones, allow cell phones to remotely connect to e-mail and network VPN, and enforce a 90-day data retention policy. This solution addresses multiple goals such as preventing data breaches from lost/stolen assets through encryption, reducing time to fulfill e-discovery requests by allowing remote access to e-mail and network VPN, preventing PII from leaving the network through encryption, and reducing internal fraud through separation of duties. The 90-day data retention policy also helps in meeting compliance requirements.

Explanation

The solution that accomplishes the most of the given goals is to implement separation of duties, enable full encryption on USB devices and cell phones, allow cell phones to remotely connect to e-mail and network VPN, and enforce a 90-day data retention policy. This solution addresses multiple goals such as preventing data breaches from lost/stolen assets through encryption, reducing time to fulfill e-discovery requests by allowing remote access to e-mail and network VPN, preventing PII from leaving the network through encryption, and reducing internal fraud through separation of duties. The 90-day data retention policy also helps in meeting compliance requirements.

26. A health service provider is considering the impact of allowing doctors and nurses access to theinternal email system from their personal smartphones. The Information Security Officer (ISO) hasreceived a technical document from the security administrator explaining that the current emailsystem is capable of enforcing security policies to personal smartphones, including screen lockoutand mandatory PINs. Additionally, the system is able to remotely wipe a phone if reported lost orstolen. Which of the following should the Information Security Officer be MOST concerned withbased on this scenario? (Select THREE).

The email system may become unavailable due to overload.

Compliance may not be supported by all smartphones.

Equipment loss, theft, and data leakage.

Smartphone radios can interfere with health equipment.

Data usage cost could significantly increase.

Not all smartphones natively support encryption.

Smartphones may be used as rogue access points.

The Information Security Officer should be most concerned with the following based on the scenario:

1. Compliance may not be supported by all smartphones: This is a concern because if not all smartphones support the necessary security policies, it could create vulnerabilities in the system.

2. Equipment loss, theft, and data leakage: Allowing doctors and nurses to access the internal email system from their personal smartphones increases the risk of equipment loss, theft, and potential data leakage if the phones are not properly secured.

3. Not all smartphones natively support encryption: Encryption is an important security measure to protect sensitive data. If not all smartphones natively support encryption, it could pose a risk to the confidentiality of the information being transmitted.

Explanation

The Information Security Officer should be most concerned with the following based on the scenario:

1. Compliance may not be supported by all smartphones: This is a concern because if not all smartphones support the necessary security policies, it could create vulnerabilities in the system.

2. Equipment loss, theft, and data leakage: Allowing doctors and nurses to access the internal email system from their personal smartphones increases the risk of equipment loss, theft, and potential data leakage if the phones are not properly secured.

3. Not all smartphones natively support encryption: Encryption is an important security measure to protect sensitive data. If not all smartphones natively support encryption, it could pose a risk to the confidentiality of the information being transmitted.

Submit

27. The IT Manager has mandated that an extensible markup language be implemented which can beused to exchange provisioning requests and responses for account creation. Which of thefollowing is BEST able to achieve this?

XACML

SAML

SOAP

SPML

SPML (Service Provisioning Markup Language) is the best option to achieve the implementation of an extensible markup language for exchanging provisioning requests and responses for account creation. SPML is specifically designed for managing the provisioning and deprovisioning of services in a distributed network environment. It provides a standardized way to communicate provisioning requests and responses between different systems and applications. XACML (eXtensible Access Control Markup Language) is used for access control policies, SAML (Security Assertion Markup Language) is used for exchanging authentication and authorization data, and SOAP (Simple Object Access Protocol) is a protocol for exchanging structured information in web services. None of these options are specifically designed for provisioning requests and responses like SPML.

Explanation

SPML (Service Provisioning Markup Language) is the best option to achieve the implementation of an extensible markup language for exchanging provisioning requests and responses for account creation. SPML is specifically designed for managing the provisioning and deprovisioning of services in a distributed network environment. It provides a standardized way to communicate provisioning requests and responses between different systems and applications. XACML (eXtensible Access Control Markup Language) is used for access control policies, SAML (Security Assertion Markup Language) is used for exchanging authentication and authorization data, and SOAP (Simple Object Access Protocol) is a protocol for exchanging structured information in web services. None of these options are specifically designed for provisioning requests and responses like SPML.

28. Which of the following are security components provided by an application security library orframework? (Select THREE).

Directory services

Encryption and decryption

Authorization database

Fault injection

Input validation

Secure logging

An application security library or framework typically provides several security components to enhance the security of an application. Input validation is one such component that helps validate and sanitize user input to prevent common security vulnerabilities like SQL injection or cross-site scripting. Secure logging is another important component that ensures sensitive information is logged securely, protecting it from unauthorized access. Encryption and decryption are also crucial components that help protect sensitive data by converting it into an unreadable format and then back to its original form when needed, ensuring confidentiality and integrity.

Explanation

An application security library or framework typically provides several security components to enhance the security of an application. Input validation is one such component that helps validate and sanitize user input to prevent common security vulnerabilities like SQL injection or cross-site scripting. Secure logging is another important component that ensures sensitive information is logged securely, protecting it from unauthorized access. Encryption and decryption are also crucial components that help protect sensitive data by converting it into an unreadable format and then back to its original form when needed, ensuring confidentiality and integrity.

Submit

29. The security administrator at a company has received a subpoena for the release of all the emailreceived and sent by the company Chief Information Officer (CIO) for the past three years. Thesecurity administrator is only able to find one year's worth of email records on the server and isnow concerned about the possible legal implications of not complying with the request. Which ofthe following should the security administrator check BEFORE responding to the request?

The company data privacy policies

The company backup logs and archives

The company data retention policies and guidelines

The company data retention procedures

The security administrator should check the company backup logs and archives before responding to the request. This is because the administrator was only able to find one year's worth of email records on the server, indicating that older records may be stored in the backup logs and archives. By checking these sources, the administrator can ensure that all relevant email records are provided in compliance with the subpoena.

Explanation

The security administrator should check the company backup logs and archives before responding to the request. This is because the administrator was only able to find one year's worth of email records on the server, indicating that older records may be stored in the backup logs and archives. By checking these sources, the administrator can ensure that all relevant email records are provided in compliance with the subpoena.

30. The IDS has detected abnormal behavior on this network. Click on the network devices to view device information. Based on this information, the following tasks need to be completed.1. Select the server that is a victim of a SQL injection attack.2. Select the source of the buffer overflow attack.3. Modify the access control list (ACL) on the routers to ONLY block the buffer overflow attack.

The explanation provides a step-by-step guide on how to complete the tasks based on the given information. It instructs the user to first identify the SQL Server on the server and note its IP address. Then, they should identify the attacker on the host machine and note its IP address. Finally, they should modify the access control list on the routers by adding the host machine's IP address to the source field and the SQL Server's IP address to the destination field, and then check the deny option and uncheck the permit option.

Explanation

The explanation provides a step-by-step guide on how to complete the tasks based on the given information. It instructs the user to first identify the SQL Server on the server and note its IP address. Then, they should identify the attacker on the host machine and note its IP address. Finally, they should modify the access control list on the routers by adding the host machine's IP address to the source field and the SQL Server's IP address to the destination field, and then check the deny option and uncheck the permit option.

Submit