Chapter 15. Answer Key to Sample Test 2

1. D

2. A

3. A, C

4. A, B

5. C

6. D

7. C

8. A

9. C

10. B, C

11. A

12. A, B, D

13. C

14. D

15. B

16. D

17. A

18. A

19. E

20. D

21. A

22. B

23. A

24. D

25. D

26. A, D

27. C

28. C

29. A, B

30. A

31. B

32. C

33. D

34. A

35. A

36. C

37. C

38. B

39. C

40. A, B

41. D

42. A, B, C

43. A

44. D

45. B

46. C

47. A

48. D

49. A, B

50. A, D

51. B

52. B

53. C

54. D

55. C

56. A

57. C

58. A

59. B

60. A

61. C

62. D

63. B

64. A

65. A

66. C

67. B

68. B

69. D

70. A

71. A

72. B

73. D

74. C

75. A

76. A

77. C

78. C

79. A

80. C

81. A, B, C

82. B

83. A, B, C

84. A

85. B

86. B

87. D

88. B

89. D

90. A, B, C

91. C

92. A

93. C

94. B

95. B, D

96. C

97. B

98. C

99. C

100. A

101. B

102. C

103. A

104. B

105. C

106. A, B, D

107. B

108. C

109. B

110. B

111. C

112. D

113. A

114. A

115. A

116. C

117. C

118. B

119. D

120. B

121. C

122. A

123. B

124. A

125. C

Question 1

Answer D is correct. Forensics is the practice of using tools to investigate and establish facts, usually for evidence within a court of law. According to the question, the attack has already taken place, and evidence is being retrieved; therefore, answer A is incorrect. Answers B and C are also both incorrect. Due care describes a process before an attack takes place, and due process describes the course taken during court proceedings designed to safeguard the legal rights of individuals.

Question 2

Answer A is correct. A threat is something that could intentionally (for example, a malicious hacker) or unintentionally (for example, a tornado) do harm to your computer systems and network. Answer B is incorrect because a risk describes the possibility of realizing a threat. Answer C is incorrect because a vulnerability describes the susceptibility to attack. Answer D is also incorrect because answer B is incorrect.

Question 3

Answers A and C are correct. Both MD5 and 3DES are cryptography algorithms, whereas answers B and D are both tunneling protocols used in Virtual Private Networks. Therefore, answers B and D are incorrect.

Question 4

Answers A and B are correct. Encapsulated Secure Payload can encrypt data as well as verify data integrity, but Authentication Header can only verify data integrity. Therefore, answers C and D are incorrect.

Question 5

Answer C is correct. A router is a networking device that works at layer 3 in the OSI model. Answer A is incorrect because a hub works at layer 1. A switch works at layer 2; therefore, answer B is incorrect. A toaster (a device typically used to crisp bread) is not a networking device (at least not yet); therefore, answer D is incorrect.

Question 6

Answer D is correct. Both PPTP and L2F are leveraged within L2TP. Answers A, B, and C are all incorrect because each answer contains a protocol that is not a tunneling protocol.

Question 7

Answer C is correct. S/MIME is the secure version of MIME and is used to protect email messages. Answers A and B are incorrect because L2TP and PPTP are tunneling protocols. Answer D is incorrect because MIME is used for plaintext, the unsecured version of S/MIME.

Question 8

Answer A is correct. Digital certificates are issued by Certificate Authorities (CAs) and serve as a virtual ID or passport, commonly used to conduct business over the Web. Answer B is incorrect because a Certificate Authority is the issuer of these certificates used to establish identification. Answer C is incorrect because this describes a Microsoft authentication service. A password is a secret word or phrase used to gain access; therefore, answer D is incorrect.

Question 9

Answer C is correct. A password and a PIN are usually private alphanumeric codes that are known by an individual. Something you have describes an item such as a swipe card or token; therefore, answer A is incorrect. Something you make is not associated with authentication; therefore, answer B is incorrect. Answer D is incorrect because something you are involves biometrics such as fingerprints and voiceprints.

Question 10

Answers B and C are correct. Mandatory Access Control (MAC) and Discretionary Access Control (DAC) are both common types of access control mechanisms used within computer systems. LDAP is a directory protocol; therefore, answer A is incorrect. TACACS is an authentication protocol; therefore, answer D is incorrect.

Question 11

Answer A is correct. A denial of service (DoS) attack is designed to bring down a network by flooding the system with an overabundance of useless traffic. Although answers B and C are both types of denial of service attacks, they are incorrect because DoS more accurately describes "the type of attack." Answer D is incorrect because social engineering describes the nontechnical means of obtaining information.

Question 12

Answers A, B, and D are correct. These answers all describe attacks designed to prevent legitimate service. Answer C is incorrect because this is characteristic of a Trojan horse, and naturally answer E is also incorrect.

Question 13

Answer C is correct. A distributed denial of service (DDoS) attack is similar to a denial of service (DoS) attack in that they both try to prevent legitimate access to services. However, a DDoS attack is a coordinated effort among many computer systems; therefore, answer A is incorrect. Masquerading involves using someone else's identity to access resources; therefore, answer B is incorrect. A Trojan horse is a program used to perform hidden functions; therefore, answer D is incorrect.

Question 14

Answer D is correct. A firewall is a hardware or software device used to prevent a network from unauthorized access. Many firewalls are also designed to prevent unauthorized traffic from leaving the network. Answer A is incorrect because it is not a legitimate term. Answer B is also incorrect because Windows XP is a Microsoft operating system. A honeypot is used as a decoy to lure malicious attacks; therefore, answer C is incorrect.

Question 15

Answer B is correct. A packet-filtering firewall inspects each packet and makes decisions based on user-defined rules. Although answers A, C, and D are all types of firewall techniques, each of these is incorrect. A circuit-level gateway applies security once a connection is established. An application gateway applies security to specific applications, and a proxy server hides the internal network by intercepting all traffic.

Question 16

Answer D is correct. Traditionally a worm replicates itself, and a virus must be activated in order to replicate. Answer A is incorrect because a virus must be activated to propagate. Answer B is incorrect because a worm can perform its functions without being triggered. Answer C is also an incorrect statement.

Question 17

Answer A is correct. A honeypot is used to serve as a decoy and lure a malicious attacker. Answers B, C, and D are all incorrect answers and do not reflect legitimate terms for testing purposes.

Question 18

Answer A is correct. Wired Equivalent Privacy (WEP) is part of the 802.11b standard, and it is designed to provide for the same level of security as on a wired network. You may find WEP spelled out incorrectly outside the exam, but answers B, C, and D are all incorrect.

Question 19

Answer E is correct. A good password will use uppercase and lowercase letters as well as numbers and special characters; therefore, answer F is incorrect.

Question 20

Answer D is correct. Answer D is a good password because it is eight characters long and uses mixed case, numbers, and a special character ($). Answer A is incorrect because it uses a familiar keyboard pattern. Although answer B might make a good password, it would be better if it incorporated numbers within the password (not at the beginning or end) and if it were not a word found in the dictionary; therefore, answer B is incorrect. Answer C is incorrect because a person's name shouldn't be used as a password.
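The criteria used in the explanations for Questions 19 and 20 (length, mixed case, digits and a special character, no keyboard pattern, digits not only at the edges, no dictionary word, no person's name), as an added example that is not from the book: a small Python policy checker applying each criterion to a candidate password. The word lists are constructed stand-ins for a real dictionary and name list.

```python
import re
import string
from typing import List

# Policy taken from the explanation above: at least eight characters, mixed
# case, a digit and a special character, no familiar keyboard pattern, digits
# not only at the beginning or end, no dictionary word, no person's name.
MIN_LENGTH = 8
PATTERN_RUN = 4  # a run of this many adjacent keys counts as a keyboard pattern

# Constructed stand-ins; a real deployment would load a system dictionary
# and a name list instead of these short sets.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "secret"}
COMMON_NAMES = {"john", "mary", "michael", "susan", "david"}

# Keyboard rows used to detect runs such as "qwer", "asdf" or "7654".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_keyboard_pattern(pw: str) -> bool:
    """True if pw contains PATTERN_RUN adjacent keys from one keyboard row,
    read forwards or backwards, e.g. "qwer" or "7654"."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - PATTERN_RUN + 1):
                if seq[i:i + PATTERN_RUN] in low:
                    return True
    return False


def digits_only_at_edges(pw: str) -> bool:
    """True if the password contains digits but all of them sit at the start
    or end, e.g. "Welcome1" or "99Summer"; the explanation wants them inside."""
    if not any(c.isdigit() for c in pw):
        return False
    core = pw.strip(string.digits)
    return not any(c.isdigit() for c in core)


def letters_only(pw: str) -> str:
    """Lower-case letters of the password, used for word and name lookups."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password
    satisfies every criterion from the explanation."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if has_keyboard_pattern(pw):
        problems.append("familiar keyboard pattern")
    if digits_only_at_edges(pw):
        problems.append("digits only at beginning or end")
    letters = letters_only(pw)
    if letters in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if letters in COMMON_NAMES:
        problems.append("person's name")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty12", "Welcome1", "Susan#2024", "Gr8!m0Ss"):
        print(candidate, "->", check_password(candidate) or "ok")
```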

Question 21

Answer A is correct. A VPN tunnel is an example of data security, not physical security. Mantrap, fence, and CCTV are all components of physical security; therefore, answers B, C, and D are incorrect.

Question 22

Answer B is correct. Biometrics is the study of biological characteristics. Geometrics describes geometric qualities or properties; therefore, answer A is incorrect. Answer C, photometrics, is incorrect because this is the study and measurement of the properties of light. Telemetrics is the study and measurement of the transmission of data over certain mediums; therefore, answer D is incorrect.

Question 23

Answer A is correct. A firewall is a hardware or software system designed to protect networks against threats, and it can be used to permit or deny traffic based on IP address. Answer B is incorrect because an intranet is a private network. Answer C is incorrect because DoS is a type of attack meant to disrupt service. Although a firewall may be called a firewall server, answer D is incorrect because it is not specific enough.

Question 24

Answer D is correct. X.509 is the defining standard on which digital certificates are based. Answer A is incorrect because X.25 is a standard for connecting packet-switched networks. X.400 is a standard for transmitting email; therefore, answer B is incorrect. X.200 deals with the top layer of the OSI model; therefore, answer C is incorrect.

Question 25

Answer D is correct. Public Key Infrastructure (PKI) describes the trust hierarchy system for implementing a secure public key cryptography system over TCP/IP networks. Answers A, B, and C are incorrect because these are bogus terms.

Question 26

Answers A and D are correct. MIME is a specification for formatting messages but does not support encryption, and S/PGP does not exist. However, Pretty Good Privacy (PGP) uses encryption to secure email messages, as does S/MIME. Therefore, answers B and C are incorrect because these are both methods for sending secure email.

Question 27

Answer C is correct. Public key encryption uses a public and private key pair. Answer A is incorrect because there are no encryption technologies that use only public keys. Answer B is incorrect because only a symmetric key cryptography system would use just a private key. Answer D is incorrect for the same reason as answer A, and answer E is incorrect for the same reason as answer B.

Question 28

Answer C is correct. A Gargomel attack, although cool sounding, does not actually exist. Fraggle, Smurf, Teardrop, ping of death, and Trinoo are names of specific denial of service attacks. Therefore, answers A, B, D, E, and F are incorrect.

Question 29

Answers A and B are correct. A log report that shows multiple login failures for a single account should raise suspicion because this might be an attempt by an unauthorized person to gain access. Multiple connections in a half-open state are likely waiting for a SYN-ACK and may be indicative of a SYN flood attack. Answers C and D are incorrect because these appear to be typical network problems or the results of controls that have been implemented by an administrator.

Question 30

Answer A is correct. Access controls allow an administrator to allow, restrict, or deny access to resources. Two common access control methods include Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Answers B and C are both incorrect because neither of these relates to administrative controls for administering the security on resources. Answer D is incorrect because PGP is used for secure email.

Question 31

Answer B is correct. Separation of duties, as well as responsibilities, is used to ensure a system of checks and balances. Answer A is incorrect because the principle of least privilege is used to ensure that users are granted only the minimum level of access required to perform their job functions. Answer C is incorrect because access controls allow for the control of access to resources. Answer D is incorrect because this is an invalid term.

Question 32

Answer C is correct. The three tenets of information security are confidentiality, integrity, and availability. Privacy, although similar to confidentiality, is not considered one of the three. Therefore, answers A, B, and D are incorrect.

Question 33

Answer D is correct. A demilitarized zone (DMZ) sits between a public network, such as the Internet, and an organization's internal network. A Web content zone is a security term used in Microsoft's Web browser; therefore, answer A is incorrect. Both answers B and C are made-up terms; therefore, they are incorrect.

Question 34

Answer A is correct. A brute-force attack will attempt to use every key and relies on adequate processing power. Answer B is incorrect because a denial of service attack is an attempt to prevent legitimate service. Answer C is incorrect because this describes an attempt to intercept data without altering it. Answer D is incorrect because this is a crypto system that relies on secret keys.

Question 35

Answer A is correct. A token is a physical device used to gain access and is usually accompanied by something the user knows, such as a password. Answer B is incorrect because this term is typically used when describing software authentication systems. Biometrics is the study and measurement of biological characteristics; therefore, answer C is incorrect. Answer D is incorrect because a password is something a user knows in order to gain access.

Question 36

Answer C is correct. Remote Authentication Dial-In User Service (RADIUS) is a client/server system that facilitates the communication between remote access servers and a central server. The central server will authenticate the dial-in users and authorize their access. Answer A is incorrect because single sign-on provides the mechanism whereby a user only needs to authenticate to a system one time and is able to access multiple systems without the need to reauthenticate or maintain separate usernames and passwords. Answer B is incorrect because a Remote Access Server (RAS) is the system used to handle remote user access, and your manager wants a central server to communicate with these servers. Answer D is incorrect because PPTP is a tunneling protocol.

Question 37

Answer C is correct. Mutual authentication describes the process whereby a client and server both authenticate each other, rather than the server only authenticating the client. Answers A, B, and D are all invalid terms and are therefore incorrect.

Question 38

Answer B is correct. Most computer systems support the basic authentication method of using a username and password combination. Although biometrics is promising, its widespread use has still yet to be seen; therefore, answer A is incorrect. Tokens are gaining in popularity but are primarily used with usernames and passwords; therefore, answer C is incorrect. Answer D is also incorrect because it describes the process of clients and servers both authenticating to each other.

Question 39

Answer C is correct. Wired Equivalent Privacy (WEP) is a security protocol designed for wireless local area networks, and it is defined in the 802.11b standard. Answers A, B, and D are all incorrect. 802.11a is similar to 802.11b, but offers greater bandwidth capabilities at a shorter range. The IEEE (or Institute of Electrical and Electronics Engineers) developed the 802.11 standards, and X.509 is the standard for defining digital certificates.

Question 40

Answers A and B are correct. Both Secure Sockets Layer (SSL) and Secure HTTP (S-HTTP) are protocols designed to transmit data securely across the Web. SSL uses public key encryption to encrypt the data, and S-HTTP creates a secure connection between the client and server. File Transfer Protocol (FTP) is a simple and unsecured protocol for the transfer of files across the Internet, and TCP/IP, which is inherently unsecured, is the language of the Internet. Therefore, answers C and D are incorrect.

Question 41

Answer D is correct. Wired Equivalent Privacy (WEP) was developed in response to the vulnerabilities present in wireless networks. Its developers wanted to provide mechanisms to put wireless networks on par with their physically contained and more secure counterpart. Answer A is incorrect because this is a bogus term. Answer B is incorrect because WAP is a specification for a set of communication protocols to standardize Internet access for wireless devices. WSP is part of WAP; therefore, answer C is incorrect.

Question 42

Answers A, B, and C are correct. Risk can be defined as the probability of a threat exploiting a vulnerability. Answer D is incorrect. Value is not a component of risk; however, value may affect your decision of whether to accept a risk.

Question 43

Answer A is correct. The Network News Transfer Protocol (NNTP) provides access to newsgroups and uses TCP port 119. The Hypertext Transfer Protocol (Web) uses port 80; therefore, answer B is incorrect. Answers C and D are also incorrect because these ports are used to send and receive mail. Port 25 is for the Simple Mail Transfer Protocol (SMTP), and port 110 is for the Post Office Protocol (POP).

Question 44

Answer D is correct. The most likely answer is spoofing because this allows an attacker to misrepresent the source of the requests. Answer A is incorrect because this type of attack records and replays previously sent valid messages. Answer B is incorrect because this is not a type of attack but is instead the granting of access rights based on authentication. Answer C is incorrect because social engineering involves the nontechnical means of gaining information.

Question 45

Answer B is correct. On a firewall, static packet filtering provides a simple solution for the basic filtering of network traffic based on source, destination addresses, and protocol types. Answer A is incorrect because NAT is used to hide internal addresses. Answer C is incorrect because a VLAN is used to make computers on physically different network segments appear as if they are one physical segment. Answer D is incorrect because an intrusion-detection system is used to identify suspicious network activity.

Question 46

Answer C is correct. Stateful inspection (also called dynamic packet filtering) monitors the connection throughout the session and verifies the validity of IP packet streams. Answer A is incorrect because static packet filtering examines packets based on information in their headers. Answer B is incorrect because there is no such firewall architecture. As opposed to stateful inspection, nonstateful inspection does not maintain the state of the packets; therefore, answer D is incorrect.

Question 47

Answer A is correct. A passive attack attempts to passively monitor data being sent between two parties and does not insert data into the data stream. A replay attack records and replays previously sent valid messages; therefore, answer B is incorrect. An active attack makes attempts to insert false packets into the data stream; therefore, answer C is incorrect. Authentication is the process of verifying the identity of a source and is not a type of attack; therefore, answer D is incorrect.

Question 48

Answer D is correct. TEMPEST originated with the U.S. military and deals with the study of devices that emit electromagnetic radiation. Electromagnetic radiation (EMR) is emitted from devices; therefore, answer A is incorrect. Answer B is a bogus term and is therefore incorrect. Answer C is incorrect because wiretapping involves the secret monitoring of information being passed.

Question 49

Answers A and B are correct. Both collecting and analyzing data from disk drives' memory are functions of computer forensics; however, the dusting and collection of fingerprints is a law-enforcement forensics function; therefore, answer C is incorrect. Answer D is also incorrect because only answers A and B are correct.

Question 50

Answers A and D are correct. Security training during employee orientation as well as yearly seminars are the best choices because these are active methods of raising security awareness. On the other hand, using emails and posters are passive methods of raising security awareness. Therefore, answers B and C are incorrect.

Question 51

Answer B is correct. Single sign-on provides the mechanism whereby a user only needs to authenticate to a system one time and is able to access multiple systems without the need to reauthenticate or maintain separate usernames and passwords. Answer A is incorrect because authentication is simply the process of identification. Answer C is incorrect because LDAP is a protocol for directory access. Answer D is incorrect because answer B is correct.

Question 52

Answer B is correct. Unlike any of the FAT file systems, NTFS supports file- and folder-level permissions. FAT file systems provide complete access locally to the entire FAT partition. Network access can be achieved regardless of the file system used; therefore, answer A is incorrect. Support for multiple operating systems is not a feature of NTFS over FAT file systems; therefore, answer C is incorrect. Streaming video is not a function of the type of file system; therefore, answer D is incorrect.

Question 53

Answer C is correct. Although there might be better solutions, depending on the circumstances, implementing proper controls at the firewall is the best choice for this internal server. Although CGI scripts may present certain dangers, disabling them is not the best choice; therefore, answer A is incorrect. Antivirus software will protect your systems against viruses but will not control unauthorized access; therefore, answer B is incorrect. You would not want to place the server in the DMZ because it is a private Web server and is not meant for access by public users; therefore, answer D is incorrect.

Question 54

Answer D is correct. Access control defines what users can access as well as what they can specifically view and alter. Confidentiality ensures data remains private; therefore, answer A is incorrect. Integrity describes the reliability of the data in that it has not been altered; therefore, answer B is incorrect. Authentication verifies the identity of a user or system; therefore, answer C is incorrect.

Question 55

Answer C is correct. The SSL handshake uses public key cryptography to verify the identity of the server. Answer A is incorrect; however, Netscape did originally develop the SSL protocol. Encryption uses public keys, private keys, or a combination of both; therefore, answer B is incorrect. SSL uses public key encryption during the SSL handshake, and it does not use private key encryption; therefore, answer D is incorrect.

Question 56

Answer A is correct. By using the netstat command, you can check the number of open connections that have received a SYN but not an ACK, which may indicate connections left in a half-opened state. Ping, Tracert, and IPConfig are other useful utilities but will not show connection states like Netstat. Therefore, answers B, C, and D are incorrect.
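The two indicators from Question 29 (repeated login failures for one account, many half-open connections) and the netstat check from Question 56, as an added example that is not from the book: a Python script that counts failed logins per account in syslog-style sshd lines and counts half-open entries in netstat output. Both inputs are constructed samples embedded inline; the thresholds are arbitrary assumptions.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of authentication log lines (syslog/sshd style); not real data.
SAMPLE_AUTH_LOG = """\
Mar 10 09:01:12 host sshd[2201]: Failed password for admin from 203.0.113.7 port 40122 ssh2
Mar 10 09:01:15 host sshd[2201]: Failed password for admin from 203.0.113.7 port 40123 ssh2
Mar 10 09:01:19 host sshd[2201]: Failed password for admin from 203.0.113.7 port 40124 ssh2
Mar 10 09:01:23 host sshd[2201]: Failed password for admin from 203.0.113.7 port 40125 ssh2
Mar 10 09:02:02 host sshd[2210]: Accepted password for alice from 192.0.2.15 port 51000 ssh2
Mar 10 09:02:40 host sshd[2215]: Failed password for bob from 192.0.2.20 port 51010 ssh2
"""

# Constructed sample of netstat output from a web server receiving a SYN flood.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.4:1025       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:1030       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.12:1031      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.21:1040      SYN_RECV
tcp        0      0 192.0.2.10:22           192.0.2.15:51000        ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.50:2222       TIME_WAIT
"""

# sshd reports "Failed password for <user>" or "Failed password for invalid user <user>".
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# A connection that has received a SYN but not the final ACK is half-open; netstat
# shows it as SYN_RECV on Linux and SYN_RECEIVED on Windows.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}


def failed_logins_per_account(log_text: str) -> Dict[str, int]:
    """Map each account name to its number of failed password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def suspicious_accounts(log_text: str, threshold: int = 3) -> List[str]:
    """Accounts whose failure count reaches the (assumed) threshold."""
    per_account = failed_logins_per_account(log_text)
    return sorted(user for user, n in per_account.items() if n >= threshold)


def half_open_connections(netstat_text: str) -> int:
    """Count TCP entries in a half-open state in netstat-style output."""
    count = 0
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] in HALF_OPEN_STATES:
            count += 1
    return count


def syn_flood_suspected(netstat_text: str, threshold: int = 3) -> bool:
    """True when the half-open count reaches the (assumed) alerting threshold."""
    return half_open_connections(netstat_text) >= threshold


if __name__ == "__main__":
    print("accounts with repeated failures:", suspicious_accounts(SAMPLE_AUTH_LOG))
    print("half-open connections:", half_open_connections(SAMPLE_NETSTAT))
    print("SYN flood suspected:", syn_flood_suspected(SAMPLE_NETSTAT))
```

On a live system the same functions can be fed the text of the real auth log and of `netstat -an` instead of the embedded samples.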

Question 57

Answer C is correct. Spam or junk email is unsolicited and unwanted email usually sent in bulk. Although Exchange is a Microsoft Mail server, it is not the correct answer; therefore, answer A is incorrect. An email hoax may be considered spam; however, spam is the more accurate answer; therefore, answer B is incorrect. Answer D is incorrect because Biba is actually a security model used to define different levels of integrity.

Question 58

Answer A is correct. Port 25 is used for the Simple Mail Transfer Protocol (SMTP). The Hypertext Transfer Protocol (Web) uses port 80; therefore, answer B is incorrect. Answer C is incorrect because port 53 is used for DNS. Because only one of the listed ports is correct, answer D is also incorrect.

Question 59

Answer B is correct. The terms service and daemon are synonymous. They describe programs that run continuously and handle service requests to a computer system. Uniservice is a bogus term; therefore, answer A is incorrect. A parser is a program that is usually part of a compiler; therefore, answer C is incorrect. Shell is a commonly used Unix term given to the interactive interface; therefore, answer D is incorrect.

Question 60

Answer A is correct. A back door is an opening in a program, often left by a developer, that enables access through nontraditional means. Answer B is incorrect because an algorithm is a series of steps to arrive at a result. Blowfish is a type of symmetric block cipher; therefore, answer C is incorrect. Answer D is incorrect because a demilitarized zone is a zone within a network where publicly accessible servers are typically placed.

Question 61

Answer C is correct. Port 80 is used for Web services, also known as Hypertext Transfer Protocol. Port 21 is used for the File Transfer Protocol (FTP); therefore, answer A is incorrect. Port 25 is used for the Simple Mail Transfer Protocol (SMTP); therefore, answer B is incorrect. Port 110 is used for the Post Office Protocol (POP); therefore, answer D is incorrect.

Question 62

Answer D is correct. Covert channel communication allows the transfer of information in a manner that violates the system's security policy. Answers A, B, and C are not legitimate uses of a covert channel; therefore, these answers are incorrect.

Question 63

Answer B is correct. Data aggregation is the process of combining separate pieces of data that, by themselves, may be of no use, but when combined with other bits of data they will provide greater understanding. The other choices are all invalid answers; therefore, answers A, C, and D are incorrect.

Question 64

Answer A is correct. Individuals granted widespread authorization to data have a much easier chance to perform data aggregation. Ensuring the separation of duties provides a countermeasure against such data collection. Classifying the data does not help against the risk that the information may be collected by authorized individuals; therefore, answer B is incorrect. Answers C and D are also incorrect because these are irrelevant to the process of piecing together separate pieces of data.

Question 65

Answer A is correct. Blind FTP is often used for files sensitive in nature. Files listed in the Blind FTP directory are hidden from view. Answer B is incorrect because Secure Shell (SSH) is a program that provides secure shell access. SSH is basically a secure version of Telnet. Answer C is incorrect as this choice serves as a distracter. Anonymous FTP allows access without proper identification. Although a Blind FTP implementation may also be anonymous, the question specifically relates to blind FTP.

Question 66

Answer C is correct. Although the two are not interoperable, TLS is based on SSL and provides security between Web applications and their clients. TLS was designed to be the successor to Secure Sockets Layer; therefore, answer A is incorrect. The Point-to-Point Tunneling Protocol is used to create secure tunnels, such as in a Virtual Private Network; therefore, answer B is incorrect. Internet Protocol Security (IPSec) is also used to create Virtual Private Networks; therefore, answer D is incorrect.

Question 67

Answer B is correct. The Password Authentication Protocol (PAP) is a basic form of authentication whereby the username and password are transmitted unencrypted. Both CHAP and MS-CHAP v2 support the secure transmission of usernames and passwords. Therefore, answers A, C, and D are all incorrect.

Question 68

Answer B is correct. PPP, a protocol for communicating between two points using a serial interface, provides service at the second layer of the OSI model, the Data Link layer. Layer 1 (Physical), layer 3 (Network), and layer 4 (Transport) are not the layers at which PPP provides its service. Therefore, answers A, C, and D are all incorrect.

Question 69

Answer D is correct. The OSI reference model is based on seven layers for how data should be transmitted between any two points. The seven layers from bottom to top are Physical, Data Link, Network, Transport, Session, Presentation, and Application. Answers A, B, and C are in the wrong order and are therefore incorrect.

Question 70

Answer A is correct. PPP is able to handle synchronous as well as asynchronous connections. Therefore, answers B, C, and D are all incorrect.

Question 71

Answer A is correct. Access rights are grouped by the role name, and the use of resources is restricted to those associated with the authorized role. Answers B, C, and D are all incorrect methods for describing how access rights are grouped within RBAC.

Question 72

Answer B is correct. An access control list (ACL) coordinates access to resources based on a list of allowed or denied items such as users or network addresses. Answer A is incorrect because ACLU identifies a nonprofit organization that seeks to protect the basic civic liberties of Americans. An access point (AP) is often used in relation to a wireless access point (WAP); therefore, answer C is incorrect. Answer D is also incorrect because only answer B is correct.

Question 73

Answer D is correct. Passwords, home directories, and usernames in most cases are unique to the individual users. Although the use of shared usernames and passwords is common in many instances, it is a practice that generally should not be used.

Question 74

Answer C is correct. The email is likely a hoax, and although the policies may differ among organizations, given this scenario and the available choices, the best answer is to notify the system administrator. Answers A, B, and D are therefore all incorrect.

Question 75

Answer A is correct. Logging is the process of collecting data to be used for monitoring and auditing purposes. Auditing is the process of verification that normally involves going through log files; therefore, answer B is incorrect. Typically, the log files are frequently inspected, and inspection is not the process of collecting the data; therefore, answer C is incorrect. Vetting is the process of thorough examination or evaluation; therefore, answer D is incorrect.

Question 76

Answer A is correct. Users should not be given privileges above those necessary to perform their job function. The other choices do not adequately and accurately describe the principle of least privilege. Therefore, answers B, C, and D are incorrect.

Question 77

Answer C is correct. The potential for fraudulent activity is greater when the opportunity exists for one who is able to execute all the transactions within a given set. The separation of duties is not a deterrent to Trojan horses, viruses, or corporate audits. Therefore, answers A, B, D, and E are all incorrect.

Question 78

Answer C is correct. A retinal scan is a biometric technique based on distinct characteristics within the human eye. This is considered something you are, in contrast to something you have, such as a token or smartcard. Something you know would be a password, for example. Therefore, answers A, B, and D are all incorrect.

Question 79

Answer A is correct. By locking an account after a few consecutive attempts, the likelihood of a brute-force attack is reduced. Having an employee show proper identification does nothing to reduce brute-force attacks; therefore, answer B is incorrect. Increasing the value of the password history only prevents the user from using previously used passwords; therefore, answer C is incorrect. Password resets are an adequate mechanism to use in case a password has been compromised; however, they do little to circumvent brute-force attacks; therefore, answer D is incorrect.

Question 80

Answer C is correct. Proper labeling concerning the sensitivity of information should be placed on media such as tapes and disks to prevent the mishandling of the information. A token is a hardware device; therefore, answer A is incorrect. SSL is a protocol for protecting documents on the Internet; therefore, answer B is incorrect. Answer D, ticketing, is also incorrect.

Question 81

Answers A, B, and C are correct. Protecting data against accidental or malicious events is based on the classification level of the data, the data's value, as well as the level of risk or compromise of the data. The size of the organization has no bearing on the level of protection to be provided; therefore, answer D is incorrect.

Question 82

Answer B is correct. Once an IDS detects an attacker, the attacker may then be transparently transferred to a padded-cell host, which is a simulated environment where harm cannot be done. In contrast, a honeypot exists with the purpose of attracting the attacker; therefore, answer A is incorrect. The terms in answers C and D are incorrect because they are not related to intrusion-detection systems.

Question 83

Answers A, B, and C are correct. All except answers D and E are advantages of honeypots and padded-cell systems. Currently the legal implications of using such systems are not that well defined, and the use of these systems will typically require more administrative resources.

Question 84

Answer A is correct. A policy is the formal set of statements that defines how systems are to be used. Standards are definitions or formats that are approved and must be used; therefore, answer B is incorrect. Guidelines are similar to standards but serve as more of a suggestion; therefore, answer C is incorrect. Procedures typically provide step-by-step instructions to follow; therefore, answer D is incorrect.

Question 85

Answer B is correct. 802.11 is the IEEE standard relating to the family of specifications for wireless LAN technologies. 802.2 is the standard for the Data Link layer in the OSI reference model; therefore, answer A is incorrect. 802.1 is the standard related to network management; therefore, answer C is incorrect. 802.6 is the standard for metropolitan area networks (MANs); therefore, answer D is incorrect.

Question 86

Answer B is correct. The well-known ports are those from 0 through 1023. Registered ports are those from 1024 through 49151, and dynamic and/or private ports are those from 49152 through 65535. Therefore, answers A, C, and D are all incorrect.

Question 87

Answer D is correct. A policy is a formal set of statements that defines how systems are to be used. Standards are definitions or formats that are approved and must be used; therefore, answer A is incorrect. Procedures typically provide step-by-step instructions to follow; therefore, answer B is incorrect. Guidelines are similar to standards but serve as more of a suggestion; therefore, answer C is incorrect.

Question 88

Answer B is correct. Asymmetric encryption, also known as public key encryption, uses two keys. One key is the private key, and the other key is the public key. Symmetric encryption uses only one key; therefore, answer A is incorrect. Answers C and D are also incorrect.

Question 89

Answer D is correct. NTFS (NT File System) is the preferred system because it supports file and folder permissions, among many other benefits. CDFS (CD-ROM File System) is used to control the CD-ROM; therefore, answer A is incorrect. Network File System (NFS) is a protocol and a client/server application; therefore, answer B is incorrect. File Allocation Table (FAT) file systems are not recommended because they lack native file-level security support; therefore, answer C is incorrect.

Question 90

Answers A, B, and C are correct. The NetBIOS name service uses port 137. The NetBIOS datagram service uses port 138, and the NetBIOS session service uses port 139. Port 140 is used by a service called the EMFIS Data Service; therefore, answer D is incorrect.

Question 91

Answer C is correct. An incremental backup backs up files created or changed since the last normal or incremental backup and clears the archive bit. A copy backup backs up all selected files but doesn't clear the archive bit; therefore, answer A is incorrect. A daily backup copies all selected files that you have modified on the day the backup is performed but does not clear the archive bit; therefore, answer B is incorrect. A differential backup is similar to an incremental backup; however, it does not clear the archive bit; therefore, answer D is incorrect.
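The four backup types contrasted in this answer, simulated on a constructed file set as an added example (not the book's code): each file carries an archive bit that the operating system sets on create or modify, and each job type selects files and clears (or keeps) the bit as the answer describes. The normal backup on day 0 is assumed to copy everything and clear the bit, the standard full-backup rule.

```python
"""Archive-bit semantics of copy, daily, incremental and differential backups
(answer to Question 91). Added example with a constructed three-file data set."""
from dataclasses import dataclass


@dataclass
class File:
    name: str
    modified_day: int    # day the file was last created or written
    archive: bool = True  # archive bit: set by the OS on every create/modify


def write_file(files, name, day):
    """Create or modify a file; the OS sets its archive bit."""
    if name in files:
        files[name].modified_day, files[name].archive = day, True
    else:
        files[name] = File(name, day)


def backup(files, kind, today):
    """Run one backup job. Returns the sorted names it copied and applies the
    job's effect on the archive bit (only normal and incremental clear it)."""
    if kind in ("normal", "copy"):
        selected = list(files.values())                  # everything selected
    elif kind in ("incremental", "differential"):
        selected = [f for f in files.values() if f.archive]  # changed since last normal/incremental
    elif kind == "daily":
        selected = [f for f in files.values() if f.modified_day == today]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("normal", "incremental"):
        for f in selected:
            f.archive = False
    return sorted(f.name for f in selected)


def schedule(kind):
    """Day 0: three files and a normal backup. Day 1: a.doc changes but the
    job is skipped. Day 2: b.xls changes, job runs. Day 3: no changes, job runs.
    Returns {day: names copied} so the job types can be compared."""
    files = {}
    for name in ("a.doc", "b.xls", "c.txt"):
        write_file(files, name, 0)
    history = {0: backup(files, "normal", 0)}
    write_file(files, "a.doc", 1)          # day 1: modified, no backup run
    write_file(files, "b.xls", 2)
    history[2] = backup(files, kind, 2)
    history[3] = backup(files, kind, 3)
    return history


if __name__ == "__main__":
    for kind in ("incremental", "differential", "copy", "daily"):
        print(kind, schedule(kind))
```

Note that the daily job on day 2 misses a.doc, which changed on the skipped day 1, while incremental and differential catch it because its archive bit is still set.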

Question 92

Answer A is correct. Nonrepudiation provides the means by which neither party can deny having either sent or received the data in question. Both answers B and C are incorrect because they are incorrect terms. Repudiation is defined as the act of repudiating (rejecting) or refusing; therefore, answer D is incorrect.

Question 93

Answer C is correct. A disaster recovery plan is an agreed-upon plan that details the restoration of operations in the event of a disaster, and it should already be in existence prior to a disaster striking. Therefore, answers A and B are incorrect.

Question 94

Answer B is correct. Hardening refers to the process of securing an operating system. Handshaking refers to the agreement process before communication takes place; therefore, answer A is incorrect. A hotfix is simply a security patch that gets applied to an operating system; therefore, answer C is incorrect. Because hardening is the only correct answer, answer D is also incorrect.

Question 95

Answers B and D are correct. Netbus is an example of a well-known Trojan horse (also called an illicit server) that typically uses port 12345. Netbus is not an IP testing tool or network scanning tool. Therefore, answers A and C are incorrect.

Question 96

Answer C is correct. Polymorphic viruses are designed to change part of their code after they infect a file in an attempt to evade detection. A stealth virus tries to hide its existence by taking over portions of your system; therefore, answer A is incorrect. A cavity virus attempts to install itself within a program; therefore, answer B is incorrect. A multipartite virus uses multiple methods of infecting a system; therefore, answer D is incorrect.

Question 97

Answer B is correct. Macro viruses are easy to create, do not require knowledge of complex programming languages, and are known to infect office documents such as those created with Microsoft Word. Stealth, polymorphic, and multipartite viruses, unlike macro viruses, require programming and are associated with infecting the operating system. Therefore, answers A, C, and D are incorrect.

Question 98

Answer C is correct. On Windows 2000 systems, the account with the greatest privileges is referred to as Administrator; however, on Unix systems, this account is named root. Therefore, answers A, B, and D are all incorrect.

Question 99

Answer C is correct. SSH provides for the secure access of remote computers and uses RSA public key cryptography. SET is a system for ensuring the security of financial transactions on the Web; therefore, answer A is incorrect. Answer B is incorrect because SHA is a hashing algorithm used to create a condensed version of a message. Telnet is used to access a computer remotely; however, it is unsecured; therefore, answer D is incorrect.

Question 100

Answer A is correct. DNS uses port 53 for zone transfers. The Hypertext Transfer Protocol (Web) uses port 80; therefore, answer B is incorrect. The NetBIOS name service uses port 137, and the NetBIOS datagram service uses port 138. Therefore, answers C and D are incorrect.

Question 101

Answer B is correct. Although the assigned port for the Hypertext Transfer Protocol (Web) is port 80, it is not required. In most cases Web servers do run on port 80 because browsers use this port by default, and the port number does not need to be specified within the Uniform Resource Locator (URL).

Question 102

Answer C is correct. A host-based IDS monitors packet activity on each computer or host, whereas a network-based IDS monitors and analyzes packets flowing through the network; therefore, answer A is incorrect. A LAN-based IDS is synonymous with a network-based IDS; therefore, answer B is incorrect. Answer D is also incorrect.

Question 103

Answer A is correct. A buffer overflow occurs when a program attempts to store more data than it was intended to hold in temporary storage areas, also known as buffers. Answer B is incorrect because a patch is a small program that typically provides a quick fix to another program. Answer C is incorrect because a SYN flood is an attempt to send TCP connection requests faster than the machine can process the requests. SMTP relay refers to a mail server that allows mail to be relayed from the system to other destinations; therefore, answer D is incorrect.

Question 104

Answer B is correct. Password sniffers monitor traffic and record the packets carrying passwords. Answer A is incorrect because a keyboard sniffer captures passwords locally on the computer as they are typed. A Trojan horse is a program that has a hidden function; therefore, answer C is incorrect. Answer D is incorrect because cookies are small text files used to identify a Web user and enhance the browsing experience.

Question 105

Answer C is correct. A class C fire involves energized electrical equipment and is usually suppressed with nonconducting agents. Class A fires involve combustibles such as wood and paper; therefore, answer A is incorrect. Answer B is incorrect because a class B fire involves flammable or combustible liquids. Answer D is incorrect because a class D fire involves combustible metals such as magnesium.

Question 106

Answers A, B, and D are correct. A physical security plan should be a written plan addressing your current physical security needs as well as future direction. Answer C is incorrect because all of the answers are correct and should be addressed in a physical security plan. A hard disk's physical blocks pertain to the file system.

Question 107

Answer B is correct. There are numerous reasons why a certificate may need to be revoked. These include a certificate being issued to the incorrect person. A CPS is a published document from the CA describing its policies and procedures for issuing and revoking certificates; therefore, answer A is incorrect. A private key compromise is actually another reason to perform revocation of a certificate; therefore, answer C is incorrect. Answer D is incorrect because this is a bogus term.

Question 108

Answer C is correct. Each network service carries its own risks; therefore, it is important to disable all nonessential services. Although disabling all non-Web services may provide a secure solution for minimizing threats, having Telnet enabled for interactive logins presents security issues and is not a primary method for minimizing threat; therefore, answer A is incorrect. Answer B is incorrect because neither of these services should be enabled on a Web server. Logging is important for secure operations and is invaluable when recovering from a security incident; however, it is not a primary method for reducing threat; therefore, answer D is incorrect.

Question 109

Answer B is correct. A network-based intrusion-detection system (NIDS) scans a computer network and can identify signs of a computer break-in. DNS describes the process of name translation used on the Internet; therefore, answer A is incorrect. Answer C is incorrect because FTP is a method for transferring files. Answer D is incorrect because an RFP is a written Internet standard.

Question 110

Answer B is correct. Role-Based Access Control (RBAC) ensures the principle of least privilege by identifying the user's job function and ensuring a minimum set of privileges required to perform that job. IPSec is a set of protocols to enable encryption, authentication, and integrity; therefore, answer A is incorrect. Answer C is incorrect because an IDS is used for intrusion detection, and answer D is incorrect because a DRP is a plan used in the event of disaster.

Question 111

Answer C is correct. Trusted Computer System Evaluation Criteria (TCSEC) and Information Technology Security Evaluation Criteria (ITSEC) are major security criteria efforts, and the Common Criteria is based on both TCSEC and ITSEC; therefore, answers A, B, and D name the three major security evaluation criteria efforts and are incorrect. IPSec, however, is a set of protocols to enable encryption, authentication, and integrity.

Question 112

Answer D is correct. Zone transfers are associated with DNS servers. If a malicious hacker were to obtain a DNS zone file, she could identify all the hosts present within the network. Zone transfers are not functions of a database, file and print, or Web server. Therefore, answers A, B, and C are incorrect.

Question 113

Answer A is correct. A choke or interior router is the internal router when used with another router in a firewall configuration. This router does most of the packet filtering for the firewall. Answers B, C, and D are all incorrect choices meant to distract you.

Question 114

Answer A is correct. A bastion host is the only host on an internal network visible to the Internet; therefore, it is exposed to attack. With a screened host, each host on the internal network is still exposed to the Internet. Therefore, answers B and C are incorrect. Answer D is also incorrect because there is a correct answer.

Question 115

Answer A is correct. Signals within fiber-optic cables are not electrical in nature. Therefore, they do not emit electromagnetic radiation that could be detected. This makes fiber-optic cabling ideal for high-security networks. Both UTP and STP are susceptible to eavesdropping; however, STP is less susceptible than UTP. Therefore, answers B and C are incorrect. Answer D is incorrect because coaxial thicknet is also susceptible to eavesdropping, although it is a better choice than UTP.

Question 116

Answer C is correct. The plenum is the space between the ceiling and the floor of a building's next level. It is commonly used to run network cables, which must be of plenum grade. A raised floor, sometimes called a plenum floor, is open space below a floor; therefore, answer A is incorrect. Answer B is also incorrect. In fact, the plenum is of concern during a fire because there are few if any barriers to contain fire and smoke. Answer D is incorrect because Teflon is a trademarked product of the DuPont corporation. Teflon is often used to coat wiring placed in the plenum of a building.

Question 117

Answer C is correct. Simple Network Management Protocol (SNMP) is a set of protocols used for managing networks. SNMP sends messages, called protocol data units (PDUs), across the network, and SNMP-enabled devices store data about themselves in Management Information Bases (MIBs). Therefore, answers A, B, and D are incorrect.

Question 118

Answer B is correct. The Internet Assigned Numbers Authority (IANA) has reserved three blocks of IP addresses for private networks: 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255. Additionally, the range 169.254.0.0 through 169.254.255.255 is reserved for Automatic Private IP Addressing. Therefore, answers A, C, and D are incorrect.

Question 119

Answer D is correct. A cold site is a disaster recovery service, similar to a hot site. A cold site, however, requires the customer to provide and install all the equipment needed for operations, whereas a hot site is all ready to go; therefore, answer C is incorrect. Naturally, a cold site is less expensive than a hot site.

Question 120

Answer B is correct. A Faraday cage is a solid or mesh metal box used to trap and ground stray electrical signals. The box completely surrounds the protected equipment and is well grounded to prevent stray signals from traveling to or from the cage. TEMPEST is a government standard describing methods implemented to block or limit electromagnetic radiation (EMR) from electronic equipment. Therefore, answers A and C are incorrect. Answer D is also incorrect because there is a correct answer.

Question 121

Answer C is correct. An SLA is a written contract between a service provider and the customer, and it specifies the services the provider will furnish to the customer. Answers A, B, and D are all incorrect. However, answer B may describe a specific type of SLA, but it is not the best answer.

Question 122

Answer A is correct. A buffer overflow occurs when a program or process attempts to store more data in a buffer than the buffer was intended to hold. The excess data can flow over into other buffers, thus overwriting or deleting data. Denial of service is a type of attack in which too much traffic is sent to a host, preventing it from responding to legitimate traffic; therefore, answer B is incorrect. Distributed denial of service is similar but is initiated through multiple hosts; therefore, answer C is incorrect. Although answer D sounds correct, it is not.

Question 123

Answer B is correct. Hashing, which is used in many encryption algorithms, involves creating a smaller number derived from a larger string of text. Cipher block chaining is an operation in which a sequence of bits is encrypted as a single unit; therefore, answer A is incorrect. PKI is composed of various components making up the infrastructure to provide public and private key cryptography over networks; therefore, answer C is incorrect. Answer D is incorrect because ciphertext is synonymous with encrypted text.

Question 124

Answer A is correct. Before attempting to break into a system, the hacker will first try to analyze and footprint as much information as possible. Cracking describes malicious attacks on network resources; therefore, answer B is incorrect. Answer C is incorrect because social engineering is the nontechnical means of intrusion that often relies on tricking people into divulging security information. Spoofing is the electronic means of pretending to be another; therefore, answer D is incorrect.

Question 125

Answer C is correct. A proxy server provides security and caching services by serving as the intermediary between the internal network and external resources. Answer A is incorrect because the Web server is usually the target server in question. Answer B is incorrect because a packet filter is a type of firewall in which each packet is examined and is either allowed or denied based on policy. A firewall is similar to a proxy server in the security it provides; however, a firewall does not seek to fulfill requests as does a proxy server, which will maintain previously accessed information in its cache; therefore, answer D is incorrect.


Security+ Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162