Based Questions
http://www.infosecinstitute.com/SecurityPlus
Copyright 2013 InfoSec Institute
1 of 26
Question

1. What rules should be added to the firewall to allow traffic to the web server, which will be serving both secured and unsecured web pages, in the diagram below? Use a * to indicate Any.

Allow/Deny  TCP/UDP  Source IP Address  Source Port  Destination IP  Destination Port
Answer to Previous Page

1. What rules should be added to the firewall to allow traffic to the web server, which will be serving both secured and unsecured web pages, in the diagram below? Use a * to indicate Any.

Allow/Deny  TCP/UDP  Source IP Address  Source Port  Destination IP  Destination Port
Allow       TCP      *                  *            192.0.2.9/32    80
Allow       TCP      *                  *            192.0.2.9/32    443

Since the question specified that both secured and unsecured web pages would be served, you needed to allow both HTTP (port 80) and HTTPS (port 443) through the firewall. Since the traffic is coming from the internet, all source IP addresses should be allowed in.
Question

2. What rules should be added to the firewall to allow traffic to the mail server below? Assume that only internal clients will be connecting over both POP3 and IMAP4, but everyone can send SMTP traffic. Use a * to indicate Any.

Allow/Deny  TCP/UDP  Source IP Address  Source Port  Destination IP  Destination Port
Answer to Previous Page

2. What rules should be added to the firewall to allow traffic to the mail server below? Assume that only internal clients will be connecting over both POP3 and IMAP4, but everyone can send SMTP traffic. Use a * to indicate Any.

Allow/Deny  TCP/UDP  Source IP Address  Source Port  Destination IP  Destination Port
Allow       TCP      *                  *            192.0.2.10/32   25
Allow       TCP      203.0.113.0/24     *            192.0.2.10/32   110
Allow       TCP      203.0.113.0/24     *            192.0.2.10/32   143

Internal clients need to have access to both the IMAP (port 143) and POP3 (port 110) ports. Since only internal clients are allowed to have access, the source IP address needs to be limited to the internal network. Since the mail server would receive SMTP (port 25) from anywhere, that traffic needs to be allowed from anywhere.
Question

3. An administrator wants to make it so that she can manage the mail server over SSH. She also wants to ensure that she doesn't accidentally use telnet to communicate with the server. What changes does she need to make to the firewall in order to accommodate that? Use a * to indicate Any.

Allow/Deny  TCP/UDP  Source IP Address  Source Port  Destination IP  Destination Port
Answer to Previous Page

3. An administrator wants to make it so that she can manage the mail server over SSH. She also wants to ensure that she doesn't accidentally use telnet to communicate with the server. What changes does she need to make to the firewall in order to accommodate that? Use a * to indicate Any.

Allow/Deny  TCP/UDP  Source IP Address  Source Port  Destination IP  Destination Port
Allow       TCP      203.0.113.45/32    *            192.0.2.10/32   22
Deny        TCP      203.0.113.45/32    *            192.0.2.10/32   23

Since SSH is on port 22, this is the port that must be allowed in. Also, since this is an administrative tool, only traffic from the Administrator Computer should be let through, and not traffic from the internal network as a whole.

She denied traffic on port 23 (the Telnet port) since she doesn't want non-encrypted administrative traffic going to the server. This is an admittedly somewhat artificial example, but it demonstrates how to prevent traffic from going through a firewall.
Questions

4. Match the port to the protocol.
   a. FTP Data Channel
   b. LDAP
   c. NetBIOS name service
   d. DNS
   1. TCP/UDP: 53
   2. TCP/UDP: 389
   3. TCP: 20
   4. TCP/UDP: 137

5. Match the port to the protocol.
   a. SSH
   b. FTP Control Channel
   c. TFTP
   d. HTTPS
   1. TCP: 21
   2. TCP: 443
   3. TCP: 22
   4. UDP: 69

6. Match the port to the protocol.
   a. POP3
   b. NetBIOS session service
   c. SCP
   d. SNMP
   1. TCP: 22
   2. TCP: 110
   3. UDP: 161
   4. TCP/UDP: 139

7. Match the port to the protocol.
   a. Telnet
   b. HTTP
   c. NetBIOS datagram service
   d. LDAP/SSL
   1. TCP: 80
   2. TCP/UDP: 138
   3. TCP: 636
   4. TCP: 23
Answer to Previous Page

4. Match the port to the protocol.
   a. FTP Data Channel: 3
   b. LDAP: 2
   c. NetBIOS name service: 4
   d. DNS: 1
   1. TCP/UDP: 53
   2. TCP/UDP: 389
   3. TCP: 20
   4. TCP/UDP: 137

5. Match the port to the protocol.
   a. SSH: 3
   b. FTP Control Channel: 1
   c. TFTP: 4
   d. HTTPS: 2
   1. TCP: 21
   2. TCP: 443
   3. TCP: 22
   4. UDP: 69

6. Match the port to the protocol.
   a. POP3: 2
   b. NetBIOS session service: 4
   c. SCP: 1
   d. SNMP: 3
   1. TCP: 22
   2. TCP: 110
   3. UDP: 161
   4. TCP/UDP: 139

7. Match the port to the protocol.
   a. Telnet: 4
   b. HTTP: 1
   c. NetBIOS datagram service: 2
   d. LDAP/SSL: 3
   1. TCP: 80
   2. TCP/UDP: 138
   3. TCP: 636
   4. TCP: 23

When it comes to matching protocols to ports, there is no substitute for memorizing the correct port-to-protocol mapping.
Question

8. The Engineering Team has asked you to set up a WAP for them so that only those people who know about the network OURNETWORK would be able to connect. They want everyone to use LOGINTOOURWAP as the password to log in to the wireless network. What changes to the following configuration screens would need to be made to implement this?
Answer to Previous Page

8. The Engineering Team has asked you to set up a WAP for them so that only those people who know about the network OURNETWORK would be able to connect. They want everyone to use LOGINTOOURWAP as the password to log in to the wireless network. What changes to the following configuration screens would need to be made to implement this?

When people see the wireless networks, what they are seeing is the SSID. Whether or not it is visible is determined by whether or not the SSID is broadcast. So for this, we want to set the SSID to OURNETWORK and disable broadcasting of the SSID (since they only want people who know about it to be able to log in to it).

Of the various Security Modes, WPA2 provides the best encryption possible here. Using PSK, or a Pre-Shared Key, allows all users to connect using the same passphrase.
Question

9. After using this for a while, the Engineering department realized that they wanted each person to log in using a unique username/password combination. How should the configuration be changed to accommodate this?

Some ports:
RADIUS Authentication: 1812
RADIUS Accounting: 1813
Answer to Previous Page

9. After using this for a while, the Engineering department realized that they wanted each person to log in using a unique username/password combination. How should the configuration be changed to accommodate this?

RADIUS servers are commonly used to provide authentication services for wireless access points. Since we are using this for authentication (confirming that this is a person the system recognizes), we need to use port 1812.
Question

10. Given the diagram above, what else could be implemented to improve the security on the WAP?

11. After that is implemented, for this diagram, how many devices would have access to the WAP?
Answer to Previous Page

10. Given the diagram above, what else could be implemented to improve the security on the WAP?

MAC address filtering.

11. After that is implemented, for this diagram, how many devices would have access to the WAP?

By implementing MAC address filtering, the devices with the MAC address 998877665501 or 998877665548 would have access to the system. Thus 2 devices would have access.
Questions

Below are diagrams of various types of attacks. Select the best option for each one.
   a. Man in the middle
   b. DDoS
   c. DoS
   d. Replay
   e. Evil Twin

12. ____
13. ____
Answer to Previous Page

Below are diagrams of various types of attacks. Select the best option for each one.
   a. Man in the middle
   b. DDoS
   c. DoS
   d. Replay
   e. Evil Twin

12. b.
The use of multiple (distributed) machines, with the goal of making it so that the victim machine is not able to perform its tasks, makes this a Distributed Denial of Service attack.

13. c.
As the key goal is making it so that the victim is not able to process its regular tasks, this is a Denial of Service attack.
Questions

Below are diagrams of various types of attacks. Select the best option for each one.
   a. Man in the middle
   b. DDoS
   c. DoS
   d. Replay
   e. Evil Twin

14. ____
15. ____
Answers to Previous Page

Below are diagrams of various types of attacks. Select the best option for each one.
   a. Man in the middle
   b. DDoS
   c. DoS
   d. Replay
   e. Evil Twin

14. a.
As one would expect from the name, the Man in the middle involves getting in the middle of requests going to and from the server. The attacker can then modify the traffic to suit his needs.

15. e.
An Evil Twin attack uses an access point which has duplicated the legitimate access point's SSID, in order to entice machines to connect to it. At this point, the attacker can snoop the victim's traffic. While this is a type of Man In The Middle attack, Evil Twin is the better choice, since the Evil Twin is a specific implementation of a Man In The Middle attack.
Questions

16. Which of the following can be used for limiting risks associated with using mobile devices?
   A. Remote Wipe
   B. Locked Cabinet
   C. Encryption
   D. Passcode
   E. Secured Rooms
   F. Automatic Locking
   G. Wipe after 10 Failed Security Code Entries

17. Which of the following can be used for limiting risks associated with servers?
   A. Locked Cabinet
   B. Wipe after 10 Failed Security Code Entries
   C. Secured Room
   D. Remote Wipe
   E. CCTV
   F. Environmental Controls
   G. Access Logs
Answers to Previous Page (Correct Answers in Bold)

16. Which of the following can be used for limiting risks associated with using mobile devices?
   **A. Remote Wipe**
   B. Locked Cabinet
   **C. Encryption**
   **D. Passcode**
   E. Secured Rooms
   **F. Automatic Locking**
   **G. Wipe after 10 Failed Passcode Entries**

A: Remote wipe allows a company to remove information from the device once it leaves its control.

C, D, F: Encrypting the contents of a mobile device and securing it with a passcode reduces an attacker's ability to get at the data on the device should she gain control of the device. Automatically locking the device reduces the chance an attacker will gain control of an unlocked device.

G: Wipe after 10 Failed Passcode Entries will reduce the chance of getting at a device's data should it be lost or stolen.

B, E: Both of these would eliminate the mobility of the device, and thus eliminate the ability to use it effectively. Thus, they are not practical controls.

17. Which of the following can be used for limiting risks associated with servers?
   **A. Locked Cabinet**
   B. Wipe after 10 Failed Security Code Entries
   **C. Secured Room**
   D. Remote Wipe
   **E. CCTV**
   **F. Environmental Controls**
   **G. Access Logs**

A, C: These help limit access to the server.

E, G: These increase the likelihood that intruders would be noticed, and deter insiders from malicious actions.

F: Depending on the controls implemented, these can reduce the risks associated with items such as EMI, humidity, and temperature.

B, D: These could actually increase the risks associated with the server, as DoS attacks are possible.
Question

18. For the following network, the network log files can be seen for the Router, Firewall, and End User Computer. Which device is not set up for Implicit Deny?

Router
Time               Severity  Message                           Source IP      Source Port  Destination IP  Destination Port
20131112 14:10:20  Info      Session permitted. ACL 3.         203.0.113.42   23896        216.34.181.45   80
20131112 14:10:21  Info      Session permitted. ACL 4.         74.125.134.26  42563        192.0.2.10      25
20131112 14:10:22  Info      Session permitted. No ACL match.  203.0.113.21   23323        17.178.96.59    69
20131112 14:10:22  Info      Session ACL 3.                    203.0.113.21   23323        17.178.96.59    80

Firewall
Time               Severity  Message                           Source IP      Source Port  Destination IP  Destination Port
20131112 14:10:20  Info      Session established.              203.0.113.42   23896        216.34.181.45   80
20131112 14:10:20  Info      Session Denied. No ACL matched    203.0.113.41   43512        74.125.225.230  69
20131112 14:10:21  Info      Session established.              203.0.113.44   32355        74.125.225.230  80
20131112 14:10:21  Info      Session established.              74.125.134.26  42563        192.0.2.10      25
20131112 14:10:22  Info      Session established.              203.0.113.21   23323        17.178.96.59    80

End User Machine
Time               Severity  Message
20131112 14:10:15  Info      Session established. ACL Rule 2 match. Destination IP 192.0.2.10, Port: 143.
20131112 14:10:25  Error     Session Denied. No rule match. Destination IP: 192.0.2.10, Port: 69
20131112 14:10:30  Info      Session Established. ACL Rule 1 match. 74.125.225.230, Port: 80
Answer to Question 18

18. For the following network, the network log files can be seen for the Router, Firewall, and End User Computer. Which device is not set up for Implicit Deny?

When checking for a failure of Implicit Deny, the question is which device lets traffic through if no rule is matched. The key pieces from the logs are here:

Router
20131112 14:10:22  Info   Session permitted. No ACL match.  203.0.113.21  23323  17.178.96.59    69

Firewall
20131112 14:10:20  Info   Session Denied. No ACL matched    203.0.113.41  43512  74.125.225.230  69

End User Machine
20131112 14:10:25  Error  Session Denied. No rule match. Destination IP: 192.0.2.10, Port: 69

When there is no ACL match, traffic must be denied for Implicit Deny to be in place. In this case the Router is set up to permit traffic through when no rule is matched, so it is not set up properly for Implicit Deny.
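The same check over constructed log lines modelled on the three logs above, added here as an example and not part of the worksheet: it flags any device whose log shows a session permitted or established even though no ACL or rule matched. The pipe-separated line format, the regular expressions and the function names are assumptions made for this example.

```python
# Added example (not from the InfoSec Institute worksheet): detect devices
# that permit traffic when no rule matches, i.e. devices lacking implicit deny.
import re

# Constructed sample lines in "device | time | severity | message" form,
# modelled on the router, firewall and end-user logs of question 18.
SAMPLE_LOGS = """\
Router | 20131112 14:10:20 | Info | Session permitted. ACL 3. 203.0.113.42:23896 -> 216.34.181.45:80
Router | 20131112 14:10:22 | Info | Session permitted. No ACL match. 203.0.113.21:23323 -> 17.178.96.59:69
Firewall | 20131112 14:10:20 | Info | Session Denied. No ACL matched 203.0.113.41:43512 -> 74.125.225.230:69
Firewall | 20131112 14:10:21 | Info | Session established. 203.0.113.44:32355 -> 74.125.225.230:80
EndUserMachine | 20131112 14:10:15 | Info | Session established. ACL Rule 2 match. Destination IP 192.0.2.10, Port: 143.
EndUserMachine | 20131112 14:10:25 | Error | Session Denied. No rule match. Destination IP: 192.0.2.10, Port: 69
"""

# "No ACL match", "No ACL matched" and "No rule match" all mean nothing matched.
NO_MATCH = re.compile(r"\bno (?:acl|rule) match", re.IGNORECASE)
# A session that went through despite that is the implicit-deny failure.
PERMITTED = re.compile(r"\b(?:permitted|established)\b", re.IGNORECASE)


def parse(line):
    """Split one pipe-separated log line into its four fields."""
    device, time, severity, message = (part.strip() for part in line.split("|", 3))
    return {"device": device, "time": time, "severity": severity, "message": message}


def implicit_deny_failures(log_text):
    """Return {device: [messages]} for sessions allowed although no rule matched."""
    failures = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse(line)
        msg = entry["message"]
        if NO_MATCH.search(msg) and PERMITTED.search(msg):
            failures.setdefault(entry["device"], []).append(msg)
    return failures


def devices_without_implicit_deny(log_text):
    """Sorted list of devices that let unmatched traffic through."""
    return sorted(implicit_deny_failures(log_text))


if __name__ == "__main__":
    print(devices_without_implicit_deny(SAMPLE_LOGS))  # ['Router']
```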
Questions

19. Of the following four storage types, rank them from most volatile to least volatile.
   ____ Page File
   ____ Cache Memory
   ____ Network Drive
   ____ Hard Drive

20. Of the following four storage types, rank them from most volatile to least volatile.
   ____ RAM
   ____ CD-R archive media
   ____ Page File
   ____ Hard Drive

21. Of the following four storage types, rank them from most volatile to least volatile.
   ____ RAM
   ____ Cache Memory
   ____ Network Drive
   ____ CD-R archive media

Bonus: Identify all of the different storage types presented, and rank them accordingly.
Answers to Previous Page

19. Of the following four storage types, rank them from most volatile to least volatile.
   (2) Page File
   (1) Cache Memory
   (4) Network Drive
   (3) Hard Drive

20. Of the following four storage types, rank them from most volatile to least volatile.
   (1) RAM
   (4) CD-R archive media
   (2) Page File
   (3) Hard Drive

21. Of the following four storage types, rank them from most volatile to least volatile.
   (2) RAM
   (1) Cache Memory
   (3) Network Drive
   (4) CD-R archive media

Here is a brief summary of the different types of storage, and their overall order of volatility.

1. Cache Memory: A cache is used to store frequently or recently accessed memory. It is faster for a CPU to access data stored in the cache than any other form of memory. It is overwritten by data from RAM frequently as part of the standard operation of the operating system. It is not persistent on power down.

2. RAM: RAM, or Random Access Memory, is used by the system as part of the regular operation of the computer. It is not persistent on power down.

3. Page File: Operating systems will temporarily store data that would be kept in RAM in a file on the hard disk. This file is called a page file, paging file, or swap file. This file can survive the system powering down; however, some operating systems will delete the file when going through a clean shutdown.

4. Hard Drive: Data stored on a hard drive is maintained throughout a system shutdown.

5. Network Drive/Remote System: Data stored on a network drive would survive even if the target system is entirely inoperable or incapable of being investigated.

6. CD-R optical media: Archive media such as CD-R not only can survive a system power down; once the data is written to the media and the media is disconnected from the system, it cannot be modified in any way by the target system.