Chapter 13. Answer Key to Sample Test 1

1. A, C, D

2. B

3. C

4. B

5. A

6. B

7. C

8. A

9. B, D

10. A, D

11. C

12. B

13. A

14. C

15. D

16. C

17. C

18. B

19. B

20. B

21. D

22. C

23. B, D

24. C

25. B, D

26. A

27. B, D

28. A, C

29. A, B

30. C

31. B

32. A

33. B, C

34. D

35. B

36. C

37. B

38. A, B, C

39. B

40. C

41. B, D

42. C

43. A

44. C

45. B

46. D

47. C

48. A, B

49. D

50. A, D

51. D

52. B

53. D

54. C

55. B

56. C

57. A, C

58. D

59. B

60. C

61. A

62. D

63. C

64. B

65. B, C, E

66. B

67. B, C, D

68. B

69. B, C

70. D

71. B, C, D

72. D

73. C

74. D

75. C

76. C

77. C

78. A, C

79. A

80. C

81. C, E

82. A

83. C

84. A

85. B

86. B

87. B

88. B

89. C

90. B

91. A

92. B

93. C

94. A

95. B

96. A

97. C

98. A, C

99. B

100. C

101. B

102. D

103. C

104. A

105. B

106. A, C

107. A, D

108. D

109. C

110. B, C

111. C

112. A

113. D

114. A

115. A

116. B, C

117. A

118. C

119. D

120. B

121. C

122. C

123. B

124. C

125. A

Question 1

Answers A, C, and D are correct. These answers all represent legitimate trust models. Another common model also exists, called cross-certification; however, it usually makes more sense to implement a bridge architecture over this type of model. Answer B is incorrect because it does not represent a valid trust model.

Question 2

Answer B is correct. NetBus, Back Orifice, and Sub7 have two essential parts: a server and a client. These programs are known as illicit servers. Answer A is incorrect because a software virus is a small chunk of code designed to attach to other code. Answer C is incorrect because a worm is a form of malicious code. Answer D is incorrect because a Trojan horse appears to be useful software, but there's code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code once it is executed, making your machine a zombie.

Question 3

Answer C is correct. The email is likely a hoax, and although the policies may differ among organizations, given this scenario and the available choices, the best answer is to notify the system administrator. Answers A, B, and D are all therefore incorrect.

Question 4

Answer B is correct. A screened subnet is an isolated subnet between the Internet and the internal network. A bastion host is the first line of security that a company allows to be addressed directly from the Internet; therefore, answer A is incorrect. A bastion host on the private network communicating directly with a border router is a screened host; therefore, answer C is incorrect. Answer D is a fictitious term and is therefore incorrect as well.

Question 5

Answer A is correct. You will need the full backup from Friday and the differential tape from Tuesday. Answer B is incorrect because four tapes are too many for any type of backup because Wednesday's backup has not been done yet. Answer C is incorrect because one tape would be enough only if full backups were done daily. Answer D is incorrect because three would be the number of tapes needed if the backup type was incremental.

Question 6

Answer B is correct. A VPN is used to provide secure remote access services to the company's employees and agents. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer C is incorrect because the purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.

Question 7

Answer C is correct. SHA-1 is an updated version of the Secure Hash Algorithm (SHA), which is used with DSA. Answer A is incorrect because this is an algorithm that uses a public and private key pair and is not associated with SHA-1. Answer B is incorrect because a digital signature is not an encryption algorithm. Answer D is incorrect because a Certificate Authority accepts or revokes certificates.

Question 8

Answer A is correct. Class A fires involve combustibles such as wood and paper. Answer B is incorrect because a class B fire involves flammables or combustible liquids. Answer C is incorrect because a class C fire involves energized electrical equipment and is usually suppressed with nonconducting agents. Answer D is incorrect because a class D fire involves combustible metals such as magnesium.

Question 9

Answers B and D are correct. Having Telnet enabled presents security issues and is not a primary method for minimizing threat. Logging is important for secure operations and is invaluable when recovering from a security incident. However, it is not a primary method for reducing threat. Answer A is incorrect because disabling all non-Web services may provide a secure solution for minimizing threats. Answer C is incorrect because each network service carries its own risks; therefore, it is important to disable all nonessential services.

Question 10

Answers A and D are correct. Trusted Computer System Evaluation Criteria (TCSEC) and Information Technology Security Evaluation Criteria (ITSEC) are major security criteria efforts. Answer B is incorrect because CCSEC is a nonexistent organization. IPSec is a set of protocols to enable encryption, authentication, and integrity; therefore, answer C is incorrect.

Question 11

Answer C is correct. Separation of duties is considered valuable in deterring fraud, because fraud can occur if an opportunity exists for collaboration between various job-related capabilities. Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. Answer A is incorrect because social engineering relies on the faults in human behavior. Answer B is incorrect because a virus is designed to attach itself to other code and replicate. Answer D is incorrect because nonrepudiation means that neither a sender nor a receiver can deny sending or receiving a message.

Question 12

Answer B is correct. Honeypots are decoy systems designed to lure potential attackers away from critical systems. A bastion host is the first line of security that a company allows to be addressed directly from the Internet; therefore, answer A is incorrect. Answer C is incorrect because it is a made-up term. Answer D is incorrect because an IDS is used for intrusion detection.

Question 13

Answer A is correct. Port 80 is used for HTTP traffic. Answer B is incorrect because UDP uses port 139 for network sharing. Answer C is incorrect because port 25 is used for SMTP outgoing mail. Answer D is incorrect because port 443 is used by HTTPS.

Question 14

Answer C is correct. In computer security systems, social engineering attacks are usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. Answer A is incorrect because a Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code once it is executed. Answer B is incorrect because a mantrap is a physical barrier. Finally, because there is only one correct answer, answer D is incorrect.

Question 15

Answer D is correct. CHAP continues the challenge/response activity throughout the connection to be sure that the user holds the proper credentials to communicate with the authentication server. This makes answers A, B, and C incorrect.

Question 16

Answer C is correct. DAC enables the owner of the resources to specify who can access those resources. Answer A is incorrect because roles are used to group access rights by role name; the use of resources is restricted to those associated with an authorized role. Answer B is incorrect because rules are mandatory access control. Answer D is incorrect because security labels are also used in mandatory access control.

Question 17

Answer C is correct. A back door is an opening in a program, often left by a developer, that enables access through nontraditional means. Answer A is incorrect because a software virus is a small chunk of code designed to attach to other code. Answer B is incorrect because an algorithm comprises the steps to arrive at a result. Answer D is incorrect because a demilitarized zone is a zone within a network where publicly accessible servers are typically placed.

Question 18

Answer B is correct. The use of emails is passive; therefore, answer B is not the best choice. Security training during employee orientation, periodic presentations, and yearly seminars are the best choices because they are active methods of raising security awareness. Answers A, C, and D are the best choices and therefore the incorrect answers for this question.

Question 19

Answer B is correct. A port scanner is a program that searches for unsecured ports. The number of open ports can help determine whether the network is locked down enough to deter malicious activity. Answer A is incorrect because password sniffers monitor network traffic and record the packets sending passwords. Answer C is incorrect because a keystroke logger is able to capture passwords locally on the computer as they are typed and record them. Answer D is incorrect because cookies are small text files used to identify a Web user and enhance the browsing experience.

Question 20

Answer B is correct. Role-Based Access Control (RBAC) ensures the principle of least privilege by identifying the user's job function and ensuring a minimum set of privileges required to perform that job. IPSec is a set of protocols to enable encryption, authentication, and integrity; therefore, answer A is incorrect. Answer C is incorrect because an IDS is used for intrusion detection, and answer D is incorrect because a DRP is a plan used in the event of disaster.

Question 21

Answer D is correct. DNS is the UDP service that runs on port 53. Answer A is incorrect because FTP is a TCP service that runs on port 21 (or 20). Sharing runs on UDP port 139; therefore, answer B is incorrect. HTTP (Web server) is a TCP service that runs on port 80; therefore, answer C is incorrect.

Question 22

Answer C is correct. The dusting and collection of fingerprints is a law-enforcement forensics function. Collecting and analyzing data from disk drives and memory, and labeling and photographing evidence, are all functions of computer forensics. Therefore, answers A, B, and D are incorrect.

Question 23

Answers B and D are correct. Both SATAN and SAINT are vulnerability testing tools. Answers A and C are incorrect because John the Ripper and L0phtCrack are both used to crack passwords.

Question 24

Answer C is correct. When data that is going to be encrypted is broken into chunks of data and then encrypted, the type of encryption is called a block cipher. Although many symmetric algorithms use a block cipher, answer A is incorrect because block cipher is a more precise and accurate term for the given question. Answer B is incorrect because elliptic curve is a type of asymmetric encryption algorithm. Answer D is an incorrect choice because only one answer is correct.

Question 25

Answers B and D are correct. L2TP and PPTP are both tunneling protocols used in Virtual Private Networks. Both MD5 and 3DES are cryptography algorithms; therefore, answers A and C are incorrect.

Question 26

Answer A is correct. A combination of both uppercase and lowercase letters along with numbers and symbols will make guessing the password difficult. It will also take longer to crack using brute force. Answer B is incorrect because randomly generated passwords are difficult if not impossible for users to remember. This causes them to be written down, thereby increasing the risk of other people finding them. Answers C and D are incorrect because both can easily be guessed or cracked.

Question 27

Answers B and D are correct. A digital signature is applied to a message, which keeps it from being modified or imitated. Digital signatures can also be automatically timestamped. Answer A is incorrect because digital signatures are based on an asymmetric scheme. Skipjack is a symmetric key algorithm designed by the U.S. National Security Agency (NSA). Answer C is incorrect because digital signatures allow for nonrepudiation. This means the sender cannot deny that the message was sent.

Question 28

Answers A and C are correct. The Key Distribution Center (KDC) used by Kerberos provides authentication services and ticket-distribution services. Time-based induction is a virtual machine used in IDS; therefore, answer B is incorrect. Answer D is incorrect because TEMPEST is the study and control of electrical signals.

Question 29

Answers A and B are correct. A smartcard provides for two-factor authentication. The user must enter something he knows (a user ID or PIN) to unlock the smartcard, which is something he has. A biometric technique based on distinct characteristics, such as a fingerprint scan, is considered something you are; therefore, answer C is incorrect. Answer D has nothing to do with authentication and is therefore incorrect.

Question 30

Answer C is correct. An active attack makes attempts to insert false packets into the data stream. A passive attack attempts to passively monitor data being sent between two parties and does not insert data into the data stream; therefore, answer A is incorrect. A replay attack records and replays previously sent valid messages; therefore, answer B is incorrect. Authentication is the process of verifying the identity of a source and is not a type of attack; therefore, answer D is incorrect.

Question 31

Answer B is correct. A mantrap is an area of physical security where people have to go through two doors so their credentials can be checked. A VPN tunnel, bastion host, and IPSec are all examples of data security, not physical security. Therefore, answers A, C, and D are incorrect.

Question 32

Answer A is correct. Enticement is ethical and legal. Entrapment is unethical and illegal. Answers B, C, and D are all incorrect because they do not properly describe enticement and entrapment.

Question 33

Answers B and C are correct. PGP (Pretty Good Privacy) uses encryption to secure email messages, as does S/MIME. Answers A and D are incorrect because these are both methods for sending unsecure email.

Question 34

Answer D is correct. The Internet Assigned Numbers Authority (IANA) has reserved three blocks of IP addresses for private networks. These are 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255. Additionally, the range 169.254.0.0 through 169.254.255.255 is reserved for Automatic Private IP Addressing. Therefore, answers A, B, and C are incorrect.

Question 35

Answer B is correct. SSL only provides security for the connection, not the data once it is received. The data is encrypted while it is being transmitted, but once received by the computer, it is no longer encrypted. Therefore, answers A, C, and D are incorrect.

Question 36

Answer C is correct. A hot site is a facility and equipment that are already set up and ready to occupy. Answer A is incorrect because a cold site requires the customer to provide and install all the equipment needed for operations. Answer B is incorrect because it describes a mutual agreement. Answer D is incorrect because it describes a warm site.

Question 37

Answer B is correct. Diffie-Hellman uses public and private keys, so it is considered an asymmetric encryption algorithm. Because Rijndael and AES are now one and the same, they both can be called symmetric encryption algorithms; therefore, answers A and D are incorrect. Answer C is incorrect because RC6 is symmetric as well.

Question 38

Answers A, B, and C are correct. The RBAC model can use role-based access, determined by the role the user has, task-based access, determined by the task assigned to the user, or lattice-based access, determined by the sensitivity level assigned to the role. Discretionary-based access is a characteristic of Discretionary Access Control (DAC); therefore, answer D is incorrect.

Question 39

Answer B is correct. tracert traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up. Answer A is incorrect because netstat displays all the ports on which the computer is listening. Answer C is incorrect because ipconfig is used to display the TCP/IP settings on a Windows machine. Answer D is also incorrect because nslookup is a command-line utility used to troubleshoot a Domain Name Server (DNS) database.

Question 40

Answer C is correct. Wired Equivalent Privacy (WEP) is part of the 802.11b standard and is designed to provide a level of security equivalent to that of a wired network. Answers A, B, and D are all incorrect.

Question 41

Answers B and D are correct. Fiber-optic cable is insensitive to electrical and magnetic interference but is expensive. Answers A and C are incorrect.

Question 42

Answer C is correct. CHAP is a four-step process. First, the user sends a logon request. Second, the server sends the user a challenge. Third, the challenge is returned to the server. Lastly, the server compares values and then determines whether to authorize the request. Answers A, B, and D are incorrect.

Question 43

Answer A is correct. S-HTTP protects each message sent, whereas HTTPS protects the communication channel. S-HTTP is used if an individual message needs to be encrypted. HTTPS is used if all communication needs to be encrypted. S-HTTP does support multiple encryption types. Therefore, answers B, C, and D are incorrect.

Question 44

Answer C is correct. War-dialing is the process of systematically dialing a range of phone numbers hoping to gain unauthorized access to a network via unprotected dial-in modems. Sniffing is the process of capturing packets traveling across the network; therefore, answer A is incorrect. Answer B is incorrect because war-driving involves using wireless technology to connect to unprotected networks from outside the building. Social engineering preys upon weaknesses in the human factor; therefore, answer D is incorrect.

Question 45

Answer B is correct. With mandatory controls, only administrators may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control. Therefore, answers A, C, and D are incorrect.

Question 46

Answer D is correct. Dial-up testing would involve attempting to penetrate a network's security through telephonic connectivity to a RAS server supporting modem dial-in. Answers A and B are incorrect because they involve a general audit, either with or without prior knowledge of the network, and do not target remote access servers specifically. Answer C is incorrect because an Internet services test would focus on Internet-accessible avenues of penetration rather than dial-up access. Answer E is incorrect because an infrastructure test involves the analysis of networking, protocols, and distributed resources and services, without focusing specifically on RAS services.

Question 47

Answer C is correct. RADIUS is a protocol for allowing authentication, authorization, and configuration information between an access server and a shared authentication server. Answer A is incorrect because Kerberos is a network authentication protocol that uses secret key cryptography. Answer B is incorrect because IPSec is used for the tunneling and transport of data. PPTP is an Internet tunneling protocol; therefore, answer D is incorrect.

Question 48

Answers A and B are correct. ESP can encrypt data as well as verify data integrity, but AH can only verify data integrity. Therefore, answers C and D are incorrect.

Question 49

Answer D is correct. A firewall is a hardware or software device used to prevent a network from unauthorized access. Many firewalls are also designed to prevent unauthorized traffic from leaving the network. Answer A is incorrect because intrusion-detection systems are designed to analyze data, identify attacks, and respond to the intrusion. Answer B is also incorrect because a digital certificate electronically identifies an individual. Answer C is incorrect because a honeypot is used as a decoy to lure malicious attacks.

Question 50

Answers A and D are correct. Spoofing involves modifying the source address of traffic or source of information. In this instance, the email was spoofed to make the user think it came from the administrator. By replying to the request, the user was tricked into supplying compromising information, which is a classic sign of social engineering. Answer B is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. In a replay, an attacker intercepts traffic between two endpoints and retransmits or replays it later; therefore, answer C is incorrect.

Question 51

Answer D is correct. Logs should be centralized for easy analysis and stored on a machine that has been hardened, logging information traveling on the network should be encrypted if possible, and log files must not be modifiable without a record of the modification. Therefore, answers A, B, and C are incorrect.

Question 52

Answer B is correct. A PKI structure with a single CA and multiple subordinate CAs would benefit the most from a hierarchical structure. This is because it allows the top CA to be the root CA and control trust throughout the PKI. Answer A is incorrect because a cross-certified model is one where CAs have a trust relationship with each other; they trust certificates from other CAs. Answer C is incorrect because a bridge is a central point for a cross-certified model. Answer D is incorrect because linked is not a PKI trust model.

Question 53

Answer D is correct. All the statements are good reasons why it is unsafe to run signed code on your system.

Question 54

Answer C is correct. A wet-pipe system constantly has water in it. In dry-pipe systems, water is used but is held back by a valve until a certain temperature is reached. Therefore, answers A, B, and D are incorrect.

Question 55

Answer B is correct. A DRP is an immediate action plan to be implemented just following a disaster. Answer A is incorrect because it describes physical disasters. Answer C is incorrect because it describes loss prevention. Answer D is incorrect because it describes a business continuity plan.

Question 56

Answer C is correct. A DoS attack attempts to block service or reduce activity on a host by sending requests directly to the victim. Answer A is incorrect because spoofing involves modifying the source address of traffic or the source of information. Answer B is incorrect because a man-in-the middle attack is commonly used to gather information in transit between two hosts. Answer D is incorrect because a worm is a form of malicious code.

Question 57

Answers A and C are correct. SSL/TLS supports authentication and encryption. SSL/TLS does not support either Certificate Revocation Lists or attribute certificates; therefore, answers B and D are incorrect.

Question 58

Answer D is correct. The OSI reference model is based on seven layers for how data should be transmitted between any two points. The seven layers from bottom to top are Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), and Application (7). Answers A, B, and C all provide the wrong number of layers and are therefore incorrect.

Question 59

Answer B is correct. Users should not be given privileges above those necessary to perform their job functions. The other choices do not adequately and accurately describe the principle of least privilege. Therefore, answers A, C, and D are incorrect.

Question 60

Answer C is correct. By an account being locked after a few consecutive attempts, the effectiveness of a brute-force attack is reduced. Increasing the value of the password history only prevents the user from using previously used passwords; therefore, answer A is incorrect. Having an employee show proper identification does nothing to reduce brute-force attacks; therefore, answer B is incorrect. The use of password resets is an adequate mechanism in case a password has been compromised; however, it does little to circumvent brute-force attacks; therefore, answer D is incorrect.

Question 61

Answer A is correct. A service-level agreement is a contract between two companies that guarantees service. Answers B, C, and D all describe plans that are not part of an SLA.

Question 62

Answer D is correct. The ability to log on once and gain access to all needed resources is referred to as single sign-on. Answer A is incorrect because it describes MAC. Answer B is incorrect because multifactor authentication uses two or more authentication techniques. Answer C is incorrect because biometrics have to do with authentication.

Question 63

Answer C is correct. SSL/TLS is used to secure Web communications and ensure that customer information is securely transferred. Answer A is incorrect because S/MIME is used to secure email communications. Answer B is incorrect because VPN is not used to secure public anonymous connections to Web servers but instead is used to provide secure remote access services to the company's agents. Answer D is incorrect because SSH is used to secure file transfers and terminal sessions.

Question 64

Answer B is correct. Verifying the path of evidence from the crime scene to the courtroom is called the chain of custody. Answers A, C, and D are incorrect.

Question 65

Answers B, C, and E are correct. Confidentiality, integrity, and availability make up the security triad. Answers A and D are incorrect because they are not associated with the security triad.

Question 66

Answer B is correct. The Certificate Revocation List (CRL) provides a detailed list of all the certificates that are no longer valid for a CA. Answers A and D are both incorrect because these terms relate to the policies and practices of certificates and the issuing authorities. Answer C is incorrect because a corporate security policy is a set of rules and procedures on how information is protected.

Question 67

Answers B, C, and D are correct. Natural disasters, unwanted access, and user restrictions are all physical security issues. Preventing Internet users from getting to data is data security, not physical security; therefore, answer A is incorrect.

Question 68

Answer B is correct. SMTP relay is a process whereby port 25 is used to forward email. If a hacker can exploit your system, he can send junk mail through your server. Answer A is incorrect because a DNS zone transfer is when a DNS server transfers its database information to another DNS server. DNS servers are used for name resolution, not mail. Answer C is incorrect because port scanning involves a utility being used to scan a machine for open ports that can be exploited. Answer D is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts.

Question 69

Answers B and C are correct. CGI is a standard that allows a Web server to execute a separate program in order to output content. Because of this, CGI scripts can be tricked into executing commands and could also expose system information. Answer A is incorrect because SMTP is used for email relay. Answer D is incorrect because cookies store the IP address of your computer.

Question 70

Answer D is correct. Multifactor authentication uses two or more authentication techniques. Mutual authentication is a process that authenticates both sides of a connection; therefore, answer C is incorrect. Answers A and B are fictitious terms and are therefore incorrect as well.

Question 71

Answers B, C, and D are correct. Digital certificates include information about the user, the digital signature of the issuing CA, and the user's public key. A user's private key should never be distributed outside of the user's control; therefore, answer A is incorrect.

Question 72

Answer D is correct. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code once it is executed. Answer A is incorrect because a Trojan horse is not self-executing. Answer B is incorrect because spoofing makes data appear to come from somewhere other than where it really originated, not a Trojan horse. Answer C is incorrect because viruses are based on exploits of Microsoft Visual Basic, not Trojan horses.

Question 73

Answer C is correct. An application-level gateway understands services and protocols. Answer A is incorrect because it is too generic to be a proper answer. Answer B is incorrect because a circuit-level gateway's decision is based on source and destination addresses. Answer D is incorrect because it is an example of a circuit-level gateway.

Question 74

Answer D is correct. When encrypting and decrypting data using an asymmetric encryption algorithm, you use only the private key to decrypt data encrypted with the public key. Answers A and B are both incorrect because in public key encryption, if one key is used to encrypt, you can use the other to decrypt the data. Answer C is incorrect because the public key cannot decrypt the same data it encrypted.

Question 75

Answer C is correct. Cookies are used in Web page viewing and do not use the network login or password. Cookies use the name and IP address of your machine, your browser type, your operating system, and the URLs of the last pages you visited. Therefore, answers A, B, and D are incorrect.

Question 76

Answer C is correct. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer B is incorrect because a VPN is used to provide secure remote access services to the company's employees and agents. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.

Question 77

Answer C is correct. Most companies do not report such attacks because they are afraid that customers will lose faith in their business or they will be accountable to the shareholders for failing to properly protect the company assets. Although the other answers may indicate why a specific incident was not reported, the most common reason is fear. Therefore, answers A, B, and D are incorrect.

Question 78

Answers A and C are correct. FTP is vulnerable because the authentication credentials are sent in cleartext, which makes it vulnerable to sniffing and eavesdropping. Answers B and D are incorrect because they do not accurately describe FTP.

Question 79

Answer A is correct. Centralized security requires that a single group of administrators manages privileges and access. This makes the model more secure but less scalable than decentralized security, which is made up of teams of administrators trained to implement security for their area. Therefore, answers B, C, and D are incorrect.

Question 80

Answer C is correct. A logic bomb is a virus or Trojan horse that is built to go off when a certain event occurs or when a period of time goes by. Answers A and D are incorrect because a specified time element is involved. Answer B is incorrect because spoofing involves modifying the source address of traffic or the source of information.

Question 81

Answers C and E are correct. Value is not a component of risk; however, value may affect your decision of whether to accept a risk. Also, analysis has nothing to do with risk. Risk can be defined as the probability of a threat exploiting a vulnerability. Therefore, answers A, B, and D are incorrect.

Question 82

Answer A is correct. A bastion host is the first line of defense: a hardened system that a company allows to be addressed directly from the Internet. A screened subnet is an isolated subnet between the Internet and the internal network; therefore, answer B is incorrect. A bastion host on the private network communicating directly with a border router is a screened host; therefore, answer C is incorrect. Bastion subnet is a fictitious term; therefore, answer D is incorrect.

Question 83

Answer C is correct. The process of elevating privilege or access beyond what was granted is referred to as privilege escalation. Answer A is incorrect because privilege management is the administration of user and group rights, not the act of gaining them. A Trojan horse is a program used to perform hidden functions; therefore, answer B is incorrect. The ability to log on once and gain access to all needed resources is referred to as single sign-on; therefore, answer D is incorrect.

Question 84

Answer A is correct. A vulnerability is a weakness in hardware, software, or a process. Answer B is incorrect because it describes a threat (an agent or event that could exploit a weakness). Answer C is incorrect because it describes risk (the likelihood of a threat exploiting a vulnerability). Answer D is incorrect because it describes exposure factor (the proportion of an asset's value lost in a single incident).

Question 85

Answer B is correct. In a man-in-the-middle attack, the attacker inserts himself between two hosts and gathers or alters information in transit. Answer A is incorrect because spoofing involves modifying the source address of traffic or the apparent source of information. Answer C is incorrect because in a replay attack the attacker captures traffic between two endpoints and retransmits it later. Because the purpose of a DoS attack is to deny resources or services to legitimate users, answer D is incorrect.

Question 86

Answer B is correct. Secure FTP here refers to FTP over SSL/TLS (FTPS), client software that protects the FTP control and data connections inside an SSL/TLS session so that credentials are no longer sent in cleartext. Note that SFTP, file transfer over SSH, is a different protocol that achieves a similar goal. Therefore, answers A, C, and D are incorrect.

Question 87

Answer B is correct. It is management's responsibility to set the tone for the role security plays in the organization. Answers A, C, and D are incorrect because, although each plays a part in security, ultimate responsibility lies with management.

Question 88

Answer B is correct. Rolling back the changes is the next step toward recovering the servers and making them available to users again quickly. Answers A, C, and D are incorrect; although they are all options, answer B is the best choice.

Question 89

Answer C is correct. Stateful inspection (stateful matching) tracks the state of each connection and searches for signature strings across the reassembled TCP/IP stream on a continuous basis, so a signature split across several packets is still detected. Answer A is incorrect because heuristics detects virus-like behavior rather than looking for specific signatures. Answer B is incorrect because anomaly analysis detects deviations from a baseline of normal behavior. Answer D is incorrect because pattern matching compares each packet in isolation against a database of thousands of known signatures, including popular, obscure, and discontinued ones.
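The difference between per-packet pattern matching and stateful matching is easiest to see in code. The following is an added example, not code from the Exam Cram text: the TCP segments and the signature string are constructed, and the matcher is a minimal model of stream reassembly, not any real IDS.

```python
"""Per-packet signature matching versus stateful (stream) matching.

Added illustration for Question 89; not code from the Exam Cram text. The
TCP segments below are constructed, not a real capture, and the signature
string is a made-up example of an IDS rule.
"""
from dataclasses import dataclass, field

SIGNATURE = b"/cgi-bin/phf?"   # hypothetical signature an IDS rule looks for


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def packet_match(segments, signature=SIGNATURE):
    """Plain pattern matching: each packet is inspected on its own.
    Returns the sequence numbers of the packets that contained the signature."""
    return [s.seq for s in segments if signature in s.payload]


@dataclass
class StreamMatcher:
    """Stateful matching: keep per-connection state, put segments back into
    sequence order, and search the reassembled byte stream, so a signature
    split across packet boundaries (or arriving out of order) is still found."""
    isn: int                       # initial sequence number of the flow
    signature: bytes = SIGNATURE
    segments: dict = field(default_factory=dict)

    def feed(self, segment: Segment) -> None:
        self.segments[segment.seq] = segment.payload

    def reassemble(self) -> bytes:
        data = bytearray()
        expected = self.isn
        for seq in sorted(self.segments):
            if seq != expected:   # hole in the stream: stop at the gap
                break
            data += self.segments[seq]
            expected = seq + len(self.segments[seq])
        return bytes(data)

    def match(self) -> bool:
        return self.signature in self.reassemble()


# Constructed flow: the signature straddles two segments, and the middle
# segment arrives last.
SEGMENTS = [
    Segment(seq=1000, payload=b"GET /cgi-b"),
    Segment(seq=1017, payload=b" HTTP/1.0\r\n\r\n"),
    Segment(seq=1010, payload=b"in/phf?"),
]


def compare(segments=SEGMENTS, isn=1000):
    """Return (per-packet hits, stream hit) for the same traffic."""
    matcher = StreamMatcher(isn=isn)
    for s in segments:
        matcher.feed(s)
    return packet_match(segments), matcher.match()


if __name__ == "__main__":
    print(compare())   # ([], True)
```

The per-packet matcher sees nothing because no single segment carries the whole string; the stream matcher finds it once the segments are ordered. Real sensors also have to cope with gaps, overlaps, and retransmissions, which is exactly the per-connection state that makes the approach "stateful".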

Question 90

Answer B is correct. SNMP was developed specifically to manage and monitor network devices. Answer A is incorrect because Simple Mail Transfer Protocol (SMTP) is a mail protocol used for outgoing mail service. Answer C is incorrect because Lightweight Directory Access Protocol (LDAP) is a directory services protocol. Answer D is incorrect because Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol that encapsulates PPP frames.

Question 91

Answer A is correct. A router is a networking device that works at layer 3 (Network) in the OSI model. Answer B is incorrect because a hub works at layer 1. Answer C is incorrect because a switch works at layer 2. Answer D is incorrect because a modem is a device used for dial-up connections and operates at the Physical layer.

Question 92

Answer B is correct. A distributed denial of service (DDoS) attack is similar to a denial of service (DoS) attack in that both try to prevent legitimate access to services. However, a DDoS attack is a coordinated effort launched from many compromised systems at once; therefore, answer A is incorrect. A Trojan horse is a program used to perform hidden functions; therefore, answer C is incorrect. Masquerading involves using someone else's identity to access resources; therefore, answer D is incorrect.

Question 93

Answer C is correct. CHAP is an authentication protocol that uses a challenge/response mechanism: the authenticator sends a random challenge, and the peer returns a hash of the challenge combined with the shared secret, so the secret itself never crosses the link. Answers A, B, and D are all incorrect because they are the three main tunneling protocols used in VPN connections.
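The challenge/response exchange, worked through with both sides. This is an added example and not code from the Exam Cram text; the peer name, the shared secret, and the message framing are constructed, while the response computation MD5(Identifier || secret || Challenge) is the one RFC 1994 specifies.

```python
"""CHAP challenge/response (RFC 1994) with both sides of the exchange.

Added example for Question 93; not code from the Exam Cram text. The peer
name, shared secret and message framing are constructed for illustration;
the response computation MD5(Identifier || secret || Challenge) is the one
RFC 1994 specifies.
"""
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"   # assumed to be provisioned out of band


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response Value: MD5 over the one-octet Identifier, the secret
    and the Challenge Value, in that order."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh random challenge and checks the reply."""

    def __init__(self, secrets: dict):
        self.secrets = secrets     # peer name -> shared secret
        self.pending = {}          # identifier -> challenge still awaiting a reply

    def challenge(self, identifier: int, size: int = 16) -> bytes:
        chal = os.urandom(size)    # unpredictable, so a captured response cannot be replayed
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, value: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # each challenge is usable once
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, value)   # constant-time comparison


class Peer:
    """Client side: proves knowledge of the secret without transmitting it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(peer: Peer, auth: Authenticator, identifier: int = 1) -> bool:
    """Challenge -> Response -> Success/Failure, as on the wire."""
    chal = auth.challenge(identifier)
    name, value = peer.respond(identifier, chal)
    return auth.verify(identifier, name, value)


if __name__ == "__main__":
    auth = Authenticator({"alice": SECRET})
    print(run_exchange(Peer("alice", SECRET), auth))    # True
    print(run_exchange(Peer("alice", b"guess"), auth))  # False
```

Only the challenge, the peer name, and the 16-byte hash travel over the link. The caveat a practitioner should keep in mind: an eavesdropper who captures a challenge and its response can test candidate secrets offline, so CHAP's strength is bounded by the entropy of the shared secret, and MD5 is no longer a recommended hash.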

Question 94

Answer A is correct. A worm resembles a virus or Trojan horse, except that it replicates by itself, without any user interaction; therefore, answer B is incorrect. A worm can propagate via email, TCP/IP, and disk drives; therefore, answer C is incorrect. Answer D is incorrect because it describes a self-garbling (polymorphic) virus, not a worm.

Question 95

Answer B is correct. TACACS is a client/server protocol that provides centralized authentication in much the same way as RADIUS, but RADIUS is a standards-track Internet protocol whereas TACACS was published only as an informational RFC; therefore, answers A and C are incorrect. Answer D is incorrect because both RADIUS and TACACS are authentication protocols.

Question 96

Answer A is correct. SET was developed by several technology companies, including the major credit card companies, to ensure the security of financial transactions. None of the other choices accurately completes the statement; therefore, answers B, C, and D are incorrect.

Question 97

Answer C is correct. Wired Equivalent Privacy (WEP) was developed in response to the vulnerabilities inherent in wireless networks; its developers wanted mechanisms that would put wireless networks on a par with their physically contained, more secure wired counterparts. WEP's RC4 key handling has since been shown to be broken, and it has been superseded by WPA and WPA2. Answer A is incorrect because Wireless Encryption Protocol is a bogus expansion of the acronym. Answer B is incorrect because WAP is a standardized set of communication protocols used for wireless devices. Answer D is incorrect because WSP is part of WAP.

Question 98

Answers A and C are correct. PGP uses a web of trust, in which users sign one another's keys, rather than a hierarchical CA structure. It also uses public key encryption (in practice, to protect a randomly generated symmetric session key that encrypts the message itself). Based on this, answers B and D are incorrect.

Question 99

Answer B is correct. The Message Digest series of algorithms (MD2, MD4, MD5) are hashing algorithms: they take input of any length and produce a fixed-length digest (128 bits for MD5), use no key, and are one way, so nothing is "encrypted" in the sense of being recoverable. Answer A is incorrect because a block cipher divides a message into fixed-size blocks and encrypts each under a secret key; RC6, Twofish, and Rijndael are examples of block ciphers, not hashes. Answer C is incorrect because MD5 is not an asymmetric encryption algorithm; asymmetric algorithms such as RSA use a public/private key pair. Answer D is incorrect because "cryptographic algorithm" is too generic to be the best answer. Note that MD5 is now considered broken with respect to collision resistance and should not be used where collisions matter, such as in digital signatures.

Question 100

Answer C is correct. Onsite backup is the most common way for companies to protect their data. Although the other answers are viable solutions, for a small company, onsite backup is the best choice. Therefore, answers A, B, and D are incorrect.

Question 101

Answer B is correct. System hardening is the process of removing or disabling all unnecessary services, accounts, and software so that the system exposes as little as possible to attack. Answer A is incorrect because nonrepudiation means that neither a sender nor a receiver can deny sending or receiving a message. Answer C is incorrect because auditing is a process whereby events are recorded and traced in log files. Answer D is incorrect because hashing is a one-way function that produces a fixed-length digest of data, not a hardening process.

Question 102

Answer D is correct. A business continuity plan addresses the long-term actions a company takes to keep operating after a disaster. Answer A is incorrect because emergency response is a part of disaster recovery. Answer B is incorrect because it deals with the security of a company as a whole, not disaster planning. Answer C is incorrect because a DRP is the immediate action plan implemented following a disaster.

Question 103

Answer C is correct. Group-based privilege management assigns and controls users by business unit, such as marketing. Answer A is incorrect because functions such as server maintenance are role based. Answer B is incorrect because under user-based (discretionary) management, users decide who has access to their files and what level of permissions is set. Answer D is incorrect because users are directly assigned privilege based on job function or business need.

Question 104

Answer A is correct. In a decentralized key-management scheme, the user generates both the private and public key locally and submits only the public key to the CA, which applies its digital signature once it has authenticated the user; the private key never leaves the user's control. Answer B is incorrect because centralized key management gives the organization complete control over the creation, distribution, modification, and revocation of the electronic credentials it issues, including generating the keys itself. Answers C and D are incorrect because they are nonexistent terms.

Question 105

Answer B is correct. Nonrepudiation means that neither a sender nor a receiver can deny sending or receiving a message or data. Answer A is incorrect because it describes an algorithm. Answer C is incorrect because it describes steganography. Answer D is incorrect because it describes RAID.

Question 106

Answers A and C are correct. John the Ripper and L0phtCrack are both used to crack passwords. Answers B and D are incorrect because both SATAN and SAINT are vulnerability-testing tools.

Question 107

Answers A and D are correct. UDP ports 161 (agent queries) and 162 (traps) are used by SNMP. Answer B is incorrect because port 139 is the NetBIOS session service used for file and printer sharing, not SNMP. Answer C is incorrect because UDP port 138 carries the NetBIOS datagram service (NetBIOS name resolution uses port 137); neither is related to SNMP.

Question 108

Answer D is correct. A combination of both systems is likely to provide the best protection. A network-based IDS is the best option for monitoring traffic for malicious intent, but it cannot see inside the encrypted tunnels of the VPN connections users establish from outside; a host-based IDS on the endpoint sees that traffic after it has been decrypted.

Question 109

Answer C is correct. Certificate Revocation Lists (CRLs) are used to identify revoked certificates; they are increasingly supplemented or replaced by the Online Certificate Status Protocol (OCSP), which returns a certificate's status in real time instead of requiring the client to download an entire list. Answer A is incorrect because a digital signature is an electronic signature used for identity authentication and integrity. Answers B and D are both incorrect because these terms relate to the policies and practices of certificates and their issuing authorities.

Question 110

Answers B and C are correct. Transport Layer Security (TLS) is based on Netscape's SSL 3.0 and provides privacy and tamper detection for traffic on the Internet. Answer A is incorrect because TLS and SSL 3.0 are not directly interoperable, although a TLS implementation can negotiate down to SSL 3.0 with a peer that supports only SSL. Answer D is incorrect because TLS is composed of two layers: the TLS record protocol and the TLS handshake protocol.

Question 111

Answer C is correct. Wireless Transport Layer Security (WTLS) is the security layer for WAP applications. Even though answer B is part of the WAP, it is not the security layer. Answers A and D are incorrect because the Wireless Security Layer and Wireless Security Layer Transport don't exist.

Question 112

Answer A is correct. An extranet is a controlled connection into a private network for outside business partners. Answer B is incorrect because an intranet is used by employees. Answer C is incorrect because the Internet is a public network. Answer D is incorrect because ARPAnet was the precursor to the Internet.

Question 113

Answer D is correct. Users who are uneducated about security policies are the weakest links. Answer A is incorrect because management is responsible for setting the security policies of a company. Answers B and C are incorrect because they are a result of poor security policies.

Question 114

Answer A is correct. Buffer overflows result from programming flaws that let more data be written into a buffer than it can hold. The excess overwrites adjacent memory, which at best crashes the program and at worst lets the attacker redirect execution, leaving the machine in a vulnerable state. Answer B is incorrect because a replay attack records and retransmits previously sent valid messages. Answer C is incorrect because spoofing involves modifying the source address of traffic or the apparent source of information. Answer D is incorrect because the purpose of a DoS attack is to deny the use of resources or services to legitimate users.

Question 115

Answer A is correct. An access control list (ACL) controls access to resources based on an ordered list of allowed or denied items, such as users or network addresses. An access point (AP) is a term used in relation to wireless access points (WAPs); therefore, answer B is incorrect. Answer C is incorrect because ACLU identifies a nonprofit organization that seeks to protect the basic civil liberties of Americans. Answer D is incorrect because only answer A is correct.
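What makes an ACL a list rather than a set is that entries are evaluated in order and the first match wins, with an implicit deny if nothing matches. The following is an added example, not code from the Exam Cram text: the networks, ports, and rules are constructed, and the model reflects router and firewall ACLs in general rather than any vendor's syntax.

```python
"""Ordered ACL evaluation: first match wins, implicit deny at the end.

Added example for Question 115; not code from the Exam Cram text. The
addresses, ports and rules are constructed. The model (an ordered list of
permit/deny entries evaluated top-down, with an implicit deny if nothing
matches) reflects router and firewall ACLs in general, not one vendor's syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    source: str                  # source network in CIDR notation
    dport: Optional[int] = None  # destination port; None means any port

    def matches(self, src: str, dport: int) -> bool:
        in_net = ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
        return in_net and (self.dport is None or self.dport == dport)


def evaluate(acl: List[Entry], src: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the entry that decided it).
    No match falls through to the implicit deny, reported with index None."""
    for i, entry in enumerate(acl):
        if entry.matches(src, dport):
            return entry.action, i
    return "deny", None


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry covers
    their whole source range on the same (or any) port. A specific deny placed
    after a broad permit is the classic way an ACL silently stops enforcing."""
    shadowed = []
    for i, later in enumerate(acl):
        later_net = ipaddress.ip_network(later.source)
        for earlier in acl[:i]:
            earlier_net = ipaddress.ip_network(earlier.source)
            port_covers = earlier.dport is None or earlier.dport == later.dport
            if port_covers and later_net.subnet_of(earlier_net):
                shadowed.append(i)
                break
    return shadowed


# Intended policy: block Telnet from the guest subnet, allow it from the rest
# of the corporate range, allow HTTPS from anywhere.
GOOD_ACL = [
    Entry("deny",   "10.1.1.0/24", 23),
    Entry("permit", "10.0.0.0/8",  23),
    Entry("permit", "0.0.0.0/0",   443),
]

# Same entries with the first two swapped: the deny is now unreachable.
BAD_ACL = [GOOD_ACL[1], GOOD_ACL[0], GOOD_ACL[2]]


if __name__ == "__main__":
    print(evaluate(GOOD_ACL, "10.1.1.5", 23))   # ('deny', 0)
    print(evaluate(BAD_ACL, "10.1.1.5", 23))    # ('permit', 0)
    print(shadowed_entries(BAD_ACL))            # [1]
```

The same three entries enforce the intended policy in one order and not in the other, which is why ACL reviews should check for shadowed entries and not just for the presence of the right rules.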

Question 116

Answers B and C are correct. Because DHCP dynamically assigns IP addresses, anyone plugging into the network can be automatically configured for network access. Anyone can also run a DHCP server, so a rogue server can hand clients the address of a wrong DNS server (or default gateway) and misdirect their traffic. Answer A is incorrect because a man-in-the-middle attack, which is commonly used to gather information in transit between two hosts, is a concern of the transmission medium rather than of DHCP itself. Answer D is incorrect because there are security concerns with using DHCP.

Question 117

Answer A is correct. A record of user logins with time and date stamps should be kept. As soon as employment is terminated, the user's accounts should be disabled and the associated data retained for a specified period of time. Answers B, C, and D are incorrect because they are not actions you should take when you learn that an employee has been terminated.

Question 118

Answer C is correct. In many organizations, accounts are created and then never touched again. This is a very poor security practice. Accounts should be monitored regularly; therefore, answer B is incorrect. You should review unused accounts and have a procedure in place to ensure that departing employees have their rights revoked before they leave the company. You should also have a procedure in place to verify password strength and to ensure that there are no accounts without passwords. Therefore, answers A and D are incorrect.
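The account reviews called for in the two answers above can be turned into a repeatable check. The following is an added example, not code from the Exam Cram text: the account export, the list of departed employees, the review date, and the 90-day threshold are all constructed assumptions.

```python
"""Account-hygiene audit over a constructed account export.

Added example for Questions 117 and 118; not code from the Exam Cram text.
The account records, the list of departed employees, the review date and the
90-day threshold are all constructed assumptions; the checks are the ones the
two answers call for (terminated users still enabled, accounts without a
password, accounts never used, accounts unused for a long period).
"""
from datetime import datetime, timedelta

REVIEW_DATE = datetime(2005, 6, 1)      # constructed "today" for the review
STALE_AFTER = timedelta(days=90)        # assumed policy threshold

# Constructed export: enabled flag, last login (None = never), password set?
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": datetime(2005, 5, 30), "has_password": True},
    {"user": "bob",   "enabled": True,  "last_login": datetime(2005, 1, 10), "has_password": True},
    {"user": "carol", "enabled": True,  "last_login": None,                  "has_password": True},
    {"user": "dave",  "enabled": True,  "last_login": datetime(2005, 5, 20), "has_password": False},
    {"user": "erin",  "enabled": False, "last_login": datetime(2004, 12, 1), "has_password": True},
]
DEPARTED = {"bob"}   # constructed feed from HR of terminated employees


def audit(accounts, departed, today=REVIEW_DATE, stale_after=STALE_AFTER):
    """Return {user: [issues]} for every enabled account that needs action.
    Disabled accounts are skipped: the remediation has already been applied."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        issues = []
        if acct["user"] in departed:
            issues.append("terminated-but-enabled")   # disable now, keep the data
        if not acct["has_password"]:
            issues.append("no-password")
        if acct["last_login"] is None:
            issues.append("never-used")
        elif today - acct["last_login"] > stale_after:
            issues.append("stale")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS, DEPARTED).items():
        print(f"{user}: {', '.join(issues)}")
```

The HR feed is the important input: without it, bob shows up only as a stale account, and a terminated employee who logged in recently would not show up at all.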

Question 119

Answer D is correct. Authorization determines what an authenticated subject is permitted to perform, access, or do, whereas authentication verifies that a claimed identity is genuine. The two processes are not the same; therefore, answer A is incorrect. Identification is the act of claiming an identity (for example, presenting a username), which authentication then verifies; therefore, answers B and C are incorrect.

Question 120

Answer B is correct. 802.11 is the IEEE standard covering the family of specifications for wireless LAN technologies. 802.5 is the standard for Token Ring LANs; therefore, answer A is incorrect. 802.2 is the standard for the Logical Link Control sublayer of the Data Link layer in the OSI reference model; therefore, answer C is incorrect. 802.10 is the specification for network security; therefore, answer D is incorrect.

Question 121

Answer C is correct. An early exploit of JavaScript allowed access to files located on the client's system if the name and path were known. Answers A, D, and E are incorrect because JavaScript, not Java, can be used to execute arbitrary instructions on the server, send email as the user, and allow access to cache information. Answer B is incorrect because Java, not JavaScript, can continue running even after the applet has been closed.

Question 122

Answer C is correct. Confidential documents should be destroyed by an authorized destruction company. Shredding them or ripping them into small pieces and putting them in the trash is not a safe way to dispose of them; therefore, answers A and B are incorrect. They should never be put in the recycle bin; therefore, answer D is incorrect.

Question 123

Answer B is correct. Data integrity ensures that data has not been altered in transit or at rest; sequencing, timestamping, and numbering messages are the mechanisms that support it by exposing tampering, reordering, and replay. Answer A is incorrect because data authentication ensures that the user or origin is properly identified. Answer C is incorrect because data availability ensures that no disruption of the process occurs. Answer D is incorrect because data confidentiality ensures that the data is available only to authorized users.
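How an authentication tag, a sequence number, and a timestamp work together to give integrity, worked through with a receiver that rejects tampered, replayed, and stale messages. This is an added example, not code from the Exam Cram text, and it also illustrates the replay attack mentioned in Questions 85 and 114; the key, the messages, and the clock values are constructed, and HMAC-SHA256 stands in for whatever integrity primitive a real protocol would use.

```python
"""Integrity protection with an authentication tag, sequence number and timestamp.

Added example for Question 123 (and the replay attack in Questions 85 and
114); not code from the Exam Cram text. The key, the messages and the clock
values are constructed. HMAC-SHA256 stands in for whatever integrity
primitive a real protocol would use.
"""
import hashlib
import hmac
import json

KEY = b"constructed-integrity-key"   # shared secret, assumed distributed out of band
MAX_AGE = 30                         # seconds before a message is considered stale


def _canonical(seq: int, ts: int, body: str) -> bytes:
    # Fixed field order so sender and receiver hash identical bytes.
    return json.dumps({"seq": seq, "ts": ts, "body": body},
                      sort_keys=True, separators=(",", ":")).encode()


def protect(key: bytes, seq: int, ts: int, body: str) -> dict:
    """Sender side: number, timestamp and tag the message."""
    tag = hmac.new(key, _canonical(seq, ts, body), hashlib.sha256).hexdigest()
    return {"seq": seq, "ts": ts, "body": body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag before trusting any field, then enforce
    strictly increasing sequence numbers and a freshness window."""

    def __init__(self, key: bytes, max_age: int = MAX_AGE):
        self.key = key
        self.max_age = max_age
        self.last_seq = 0

    def accept(self, msg: dict, now: int) -> str:
        expected = hmac.new(self.key, _canonical(msg["seq"], msg["ts"], msg["body"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: tampered"          # body, seq or ts was altered
        if msg["seq"] <= self.last_seq:
            return "reject: replayed or out of order"
        if abs(now - msg["ts"]) > self.max_age:
            return "reject: stale"
        self.last_seq = msg["seq"]
        return "accept"


if __name__ == "__main__":
    rx = Receiver(KEY)
    m = protect(KEY, 1, 1000, "transfer 10")
    print(rx.accept(m, 1005))                              # accept
    print(rx.accept(m, 1006))                              # reject: replayed or out of order
    print(rx.accept(dict(m, body="transfer 1000"), 1007))  # reject: tampered
```

The order of the checks matters: the tag is verified first so that a forged sequence number or timestamp cannot influence the receiver's state, and the sequence counter is advanced only after every check has passed.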

Question 124

Answer C is correct. As computers get faster, so does an attacker's ability to use distributed computing to brute-force encryption keys. With computer performance in some cases increasing by 30 to 50 percent a year on average, this is a concern for older algorithms with short keys. Answer A is incorrect because weak keys are specific key values for which a cipher's internal regularities make its output easier to analyze; that weakness is a property of the algorithm and has nothing to do with hardware performance. Answer B is incorrect for the same reason: a weak key arises from regularity in the block cipher, not from keys repeating themselves on other machines. Answer D is incorrect because there is only one correct answer.

Question 125

Answer A is correct. Network Address Translation (NAT) rewrites the source addresses (and usually the ports) of packets from internal hosts so they can be sent across the Internet using a public address. Answer B is incorrect because DNS resolves domain names to IP addresses (and the reverse). Answer C is incorrect because DHCP is used to configure clients with IP addresses and related settings.



Security+ Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162