Appendix A: Self Test Questions, Answers, and Explanations


This appendix provides complete Self Test Questions, Answers, and Explanations for each Chapter.

Chapter 1: Designing a Secure Network Framework

1. In performing a risk analysis of your network, you determine that your company lost approximately $100,000 last year from losses relating to laptops being stolen from unattended offices. Your company's CEO and CFO agree that they want to implement some type of safeguard that will reduce that number to a maximum of $50,000. You have been presented with three options to reduce losses. Option 1: A fully staffed reception desk that will sign visitors in and out of the building and examine all outgoing equipment to ensure that it is not leaving the premises illegally. It is expected that this will reduce losses due to equipment theft by 80 percent. The total annual cost for this measure, including equipment and personnel, will be $60,000. Option 2: A card-swipe system will be installed on all entrances that will ensure that only employees carrying legitimate access cards will be able to enter company premises. It is expected that this measure will reduce losses due to equipment theft by 65 percent. The total annual cost for this measure, including equipment and installation, will be $15,000. Option 3: A user-awareness campaign will be launched to make users more cognizant of the risks inherent in leaving their laptops and other equipment unattended. Certain employees will be designated as Loss Prevention Monitors to keep an eye out for potentially hazardous situations such as laptops being left unattended, and inform management so that the offending employee can be reminded of the importance of securing his or her equipment. It is expected that this measure will reduce losses due to equipment theft by 25 percent. The total annual cost for this measure, including personnel time, will be $10,000. Which of these measures is the most cost-effective way to meet the request of your CEO and CFO?

  A. Implement Option 1.

  B. Implement Option 2.

  C. Implement Option 3.

  D. None of these solutions is cost-effective.


2. You are creating a security design for the Blue Sky LTD Corporation. The company CEO knows that many people on the network currently use information like their pets' or children's names for their network passwords; she is extremely concerned about hackers attempting to guess these passwords and gain access to corporate network resources. She has requested that password security be made more stringent in the new design, with a minimum of a 24-character password for all systems. What would you tell her is a potential drawback of requiring user passwords to be this long?

  A. Users will be more likely to write down a password that is so difficult to remember.

  B. User passwords should be at least 30 characters long to guard against brute-force password attacks.

  C. There are no drawbacks; this creates network passwords that will be impossible for an unauthorized user to penetrate.

  D. Windows 2003 will not allow a password of more than eight characters.


3. You are a security analyst for the Widgets Corporation, which uses Windows Server 2003 servers to store data regarding several patent-pending products that they are developing. Because of the sensitive nature of this information, both successful and failed attempts to access product-related data on the file server are logged to the Windows Security log, and the information can only be accessed from within the Widgets headquarters; there is no current means of using VPN or other forms of remote access. While you are looking over the security logs one week, you notice that one of the Widgets product managers, Ethan Hopkins, accessed files for a number of different projects on a day when you know that he was out of the office for several days. When you question Ethan about it, he verifies that he was out of the office on that day and has no idea what could have happened. However, you discover in a passing conversation with your help desk manager that someone claiming to be Mr. Hopkins called the help desk that day demanding to have his password reset, since he had been called in for an important sales presentation and couldn't wait. What kind of attack has occurred here?

  A. Password guessing

  B. Spoofing

  C. Network sniffing

  D. Social engineering


4. You are the network administrator for a large Windows Server 2003 network, supporting 40 servers and over 1000 Windows 2000 Professional and Windows XP Professional clients. You have received a call from a user who is complaining that his computer will no longer boot correctly. Upon investigating, you discover that the machine will only get halfway through the logon sequence before displaying the Blue Screen of Death. When you ask the user if he noticed anything unusual before the computer began misbehaving, he reports that he had just downloaded a game from a URL that a friend had sent him via e-mail. The machine seemed to run fine after the game was installed, but as soon as the user rebooted the machine, it no longer powered on correctly. What is the most likely reason why the user's machine is no longer booting correctly?

  A. The downloaded game is not compatible with Windows XP Professional.

  B. The workstation has suffered a hardware failure.

  C. The downloaded game was actually malicious code containing a Trojan horse.

  D. The workstation is undergoing a DoS attack.


5. You are performing a security audit of a Windows Server 2003 network for the branch office of a bank. You have detected an unauthorized computer that is capturing network traffic being sent between your head teller's workstation and the server used to settle account information at the end of the day. You suspect that this computer has changed some of the network data that has been transmitted between these two computers to alter the financial records coming from the teller workstation. What type of attack is most likely taking place in this scenario?

  A. DoS

  B. Man-in-the-middle

  C. Password guessing

  D. IP Spoofing


6. You are performing a Risk Analysis for Blue Sky, LTD., a charter plane service running a Windows Server 2003 network. Since Blue Sky receives a significant portion of its client referrals from the blueskyltd.com Web site, the CFO has decided that any losses due to a Web server outage would pose an extreme financial risk to the company. Because of this, you have decided to outsource the hosting of your Web site to a third party. You will pay this hosting service a monthly fee, in return for which they will guarantee 99.999-percent uptime and availability of the Blue Sky Web site for your customers. Which principle of Risk Management have you employed by taking this measure?

  A. Risk Avoidance

  B. Risk Mitigation

  C. Risk Transference

  D. Risk Acceptance


7. You are working as the network administrator responsible for monitoring and maintaining 25 Windows Server 2003 servers and 500 Windows XP Professional workstations. You are checking the Network Monitor that is running on your Web server and notice a sudden influx of TCP SYN (Synchronization) packet requests with no subsequent completion of the TCP handshake. What is this type of activity most likely an indicator of?

  A. Your network is beginning to sustain a DoS attack.

  B. Someone is attempting to guess passwords of user accounts on your network.

  C. This is normal activity and not something that you should worry about.

  D. Your company's Internet connection has failed and you should contact your Internet service provider (ISP).


8. You have been hired as a consultant by the Widgets, Inc. manufacturing company to design security for their company headquarters. The current network consists of several Windows NT4 application and file servers; users connect to the servers via NT4 workstations located throughout the floor of the manufacturing plant. Because of a specialized interface between the manufacturing equipment and the mission-critical software that controls it, user workstations cannot be upgraded away from NT4 until the Widgets developers are able to port the application to a new version of the desktop operating system. Because of a concern regarding the security of user passwords and logon information, the Widgets' CTO wants all network communications to be encrypted. What is the highest level of encryption that you would recommend in this scenario?

  A. LM

  B. NTLM

  C. NTLMv2

  D. Kerberos


9. You have been contracted to create an Internet-based VPN solution for an organization with a large traveling sales force. The organization has standardized on Windows Server 2003 servers. Sixty percent of the sales force has been issued a new laptop running the Windows 2000 Professional operating system within the past year. As part of the VPN deployment, the remainder of the sales force will receive laptops that are running Windows XP Professional. The CEO and CTO both agree that the VPN solution should use the best security possible. Which protocol should you recommend when designing a VPN solution in this scenario?

  A. SPAP

  B. IPSEC/L2TP

  C. PPTP

  D. MS-CHAPv2


10. You are the network administrator for a network whose infrastructure is made up of a combination of Windows Server 2003 and UNIX servers. Currently, your company's DNS servers all exist on DNS servers using BIND version 8.1.2. You would like to transition the DNS service to Windows Server 2003 in order to take advantage of secure updates. Your CTO is concerned that the transition needs to be seamless, and has asked you to bring a single Windows Server 2003 DNS server online and configure it to coexist with the existing BIND servers to ensure that client name resolution will not be interrupted. What should you be concerned with when configuring a Windows Server 2003 DNS server to coexist with a BIND DNS server? (Choose all that apply.)

  A. Securing the zone transfer process.

  B. Securing WINS lookups from the BIND DNS servers.

  C. Configuring the BIND servers to use NTLMv2 authentication.

  D. Securing the record update process.


Answers

1. Correct answer: B. When you are assessing the cost-effectiveness of a security measure, you need to take the amount of money that it is expected to save, and subtract from that the actual cost of the safeguard itself. In Option 2, the cost related to equipment losses will be reduced by $65,000 (65 percent of $100,000). You then need to subtract the cost of the safeguard itself, so the total savings to the company will be $65,000 - $15,000 = $50,000. This meets the requirements put forth by the company CEO and CFO.

Answer A is incorrect, because the cost savings from Option 1 will be $80,000 (80 percent of $100,000) minus the cost of the safeguard. Therefore, the total savings to the company will be $80,000 - $60,000 = $20,000. This does not meet the requirements put forth by the CEO and CFO. Answer C is incorrect because the cost savings will be $25,000 (25 percent of $100,000). You then subtract the cost of the safeguard itself for a total cost savings of $25,000 - $10,000 = $15,000. This does not meet the requirements put forth by the company CEO and CFO. Answer D is incorrect because Option 2 is a cost-effective solution that meets the requirements set forth by company management.
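The calculation behind the explanation above, as an added example (not code from the book): net annual savings = (annual loss x expected reduction) - annual safeguard cost, and an option qualifies when that figure reaches the target. The dollar figures are the ones in Question 1; the helper names are this example's own.

```python
"""Cost-effectiveness check for candidate safeguards (added example, not from the book).

Rule used in the answer key: net annual savings = (annual loss x expected reduction)
minus the yearly cost of the safeguard itself; a safeguard meets the request when
that net saving reaches the required amount. Figures below are from Question 1.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    reduction: float      # fraction of the annual loss the control is expected to prevent
    annual_cost: int      # total yearly cost of the control, in dollars


def net_savings(annual_loss: int, option: Safeguard) -> int:
    """Loss avoided by the control, minus what the control costs each year."""
    avoided_loss = round(annual_loss * option.reduction)
    return avoided_loss - option.annual_cost


def residual_exposure(annual_loss: int, option: Safeguard) -> int:
    """What the company still pays: remaining losses plus the safeguard's cost."""
    return annual_loss - net_savings(annual_loss, option)


def cost_effective_options(annual_loss: int, required_saving: int, options):
    """Options whose net savings reach the target, best first.

    An empty list is the "answer D" situation: no option is cost-effective.
    """
    ranked = sorted(options, key=lambda o: net_savings(annual_loss, o), reverse=True)
    return [o for o in ranked if net_savings(annual_loss, o) >= required_saving]


# Scenario from Question 1 (values taken from the question text)
ANNUAL_LOSS = 100_000
REQUIRED_SAVING = 50_000          # losses must fall from $100,000 to at most $50,000
OPTIONS = [
    Safeguard("Option 1: staffed reception desk", 0.80, 60_000),
    Safeguard("Option 2: card-swipe entry system", 0.65, 15_000),
    Safeguard("Option 3: user-awareness campaign", 0.25, 10_000),
]

if __name__ == "__main__":
    for opt in OPTIONS:
        print(f"{opt.name}: avoided ${round(ANNUAL_LOSS * opt.reduction):,}, "
              f"cost ${opt.annual_cost:,}, net savings ${net_savings(ANNUAL_LOSS, opt):,}, "
              f"total exposure ${residual_exposure(ANNUAL_LOSS, opt):,}")
    winners = cost_effective_options(ANNUAL_LOSS, REQUIRED_SAVING, OPTIONS)
    print("Meets the target:", [o.name for o in winners] or "none")
```

Note that the option with the largest reduction (Option 1) is not the best value once its own cost is counted, which is exactly why the net figure, not the percentage, decides.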

2. Correct answer: A. Even if you could set a minimum password requirement of 25 characters (the maximum for this setting is 14 characters), a 25-character password would be unreasonably long, and would prompt your users to write it down on their monitors or in their wallets. This creates another avenue of attack that can easily render such a strong password meaningless.

Answer B is incorrect, because a password length of 8 to 14 characters is usually sufficient to guard against most brute-force attacks. Answer C is incorrect because a 25-character password will create the issues described in Answer A. Answer D is incorrect because Windows passwords can be up to 255 characters in length.

3. Correct answer: D. Social engineering attacks take advantage of unsuspecting users and weaknesses in administrative security policies to gain access to a user account or password. This type of attack can be addressed through security awareness and a stringent adherence to security policies for administrators, help desk associates, and end users of all levels.

Answer A is incorrect because in this case, the attacker did not need to guess the user's password; it was given to him by the help desk as a result of his social engineering. Answer B is incorrect because spoofing is a technical attack in which one machine is made to look like another. Answer C is incorrect because network sniffing is a technical attack in which network packets are physically intercepted and analyzed by someone running a copy of Network Monitor or some other packet sniffer.

4. Correct answer: C. Trojan horses are pieces of malicious code embedded in an otherwise harmless-looking program such as a game or a screensaver. These attacks most often infect end-user workstations via files downloaded from the Internet or from an e-mail attachment. Based on the description of the problem, this is the most likely reason why the user's workstation is not booting correctly.

Answers A, B, and D, while all possibilities, are far less likely reasons for the workstation failure than the likelihood that the downloaded game contained malicious code such as a Trojan horse.

5. Correct answer: B. When an attacker intercepts network traffic between two parties and alters the data before the transmission is completed, this is called a MITM attack. When this occurs, both parties believe that they are only communicating with one another, when in fact the attacker is intercepting the entire conversation.

Answer A is incorrect because a DoS attack is designed to overwhelm a vulnerable computer so that it cannot provide resources and access to legitimate users. Answer C is incorrect because a password-guessing attack cannot alter network data, but simply attempts to brute-force its way into guessing a legitimate user's password. Answer D is incorrect because a spoofing attack is one where an attacker disguises his or her attack so that it appears that it is coming from another location, or else impersonates a trusted computer to trick unsuspecting users into giving the attacker their information.

6. Correct answer: C. When you transfer the responsibilities associated with a particular risk to a third party, you have transferred that risk. A similar tactic would be performing risk transference by taking out an insurance policy against the theft of an automobile.

Answer A is incorrect because hosting your Web site externally does not remove the possibility that losses associated with downtime will occur. An example of Risk Avoidance would be to avoid risks associated with Web server downtime by removing your company's Web presence altogether. Answer B is incorrect because Risk Mitigation refers to taking steps to lessen the likelihood that a risk will occur. Placing a Web server behind a firewall and proactively installing security patches would be a method of Risk Mitigation. Answer D is incorrect because Risk Acceptance means that you are taking no further measures to alleviate any risks to your network, either because the value of the asset is too little, or because the risk cannot be reduced any further in a cost-effective manner.

7. Correct answer: A. A common way to begin a DoS attack is to send a stream of TCP SYN, or Synchronization, packets to a server and never complete the rest of the TCP connection. Because most servers will leave these half-open connections waiting to be completed, they can overwhelm a server to the point that it cannot respond to legitimate user requests.

Answer B is incorrect because a password-guessing attack would not use the TCP SYN flooding that is common with DoS attacks. In a password attack, you would be more likely to see a series of failed logon attempts in the Security Log of the Event Viewer. Answer C is incorrect because TCP SYN flooding is not a normal network condition, and therefore one that you should investigate as a potential security incident. Answer D is incorrect because a lost Internet connection would manifest itself by an inability to reach hosts on the Internet, transmit e-mail and the like; it does not typically create a SYN flood against a specific server.
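The half-open-connection symptom described above is something an administrator can check for directly on the server. The following is an added example (not from the book) that parses connection-state lines in the shape of `netstat -an` output and flags a local port whose backlog of incomplete handshakes looks like a SYN flood; the sample lines and the two thresholds are constructed assumptions for illustration.

```python
"""Flag a possible SYN flood from connection-state data (added example, not from the book).

The indicator in the answer key is a burst of SYNs that never complete the handshake.
On the server that appears as many connections stuck in the half-open state
(SYN_RECEIVED on Windows, SYN_RECV on Linux) against one local port. The sample
below mimics `netstat -an` output and is constructed; the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `netstat -an` output: port 80 has eight
# half-open connections from eight sources against two established sessions.
SAMPLE_NETSTAT = """\
Proto  Local Address       Foreign Address      State
TCP    10.1.1.20:80        203.0.113.5:40211    ESTABLISHED
TCP    10.1.1.20:80        203.0.113.9:40444    ESTABLISHED
TCP    10.1.1.20:80        198.51.100.1:1025    SYN_RECEIVED
TCP    10.1.1.20:80        198.51.100.2:1025    SYN_RECEIVED
TCP    10.1.1.20:80        198.51.100.3:1025    SYN_RECEIVED
TCP    10.1.1.20:80        198.51.100.4:1025    SYN_RECEIVED
TCP    10.1.1.20:80        198.51.100.5:1025    SYN_RECEIVED
TCP    10.1.1.20:80        198.51.100.6:1025    SYN_RECEIVED
TCP    10.1.1.20:80        198.51.100.7:1025    SYN_RECEIVED
TCP    10.1.1.20:80        198.51.100.8:1025    SYN_RECEIVED
TCP    10.1.1.20:443       203.0.113.5:40300    ESTABLISHED
TCP    10.1.1.20:443       203.0.113.77:51002   SYN_RECEIVED
TCP    10.1.1.20:139       0.0.0.0:0            LISTENING
"""

LINE_RE = re.compile(r"^TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
HALF_OPEN_STATES = ("SYN_RECEIVED", "SYN_RECV")   # Windows and Linux spellings


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each TCP connection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def half_open_stats(text):
    """Per local port: half-open vs established counts and the distinct SYN sources."""
    stats = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for port, remote_ip, state in parse_netstat(text):
        if state in HALF_OPEN_STATES:
            stats[port]["half_open"] += 1
            stats[port]["sources"].add(remote_ip)
        elif state == "ESTABLISHED":
            stats[port]["established"] += 1
    return stats


def suspected_syn_flood(text, min_half_open=5, min_ratio=2.0):
    """Ports whose backlog of incomplete handshakes looks like a SYN flood.

    A port is flagged when it holds at least `min_half_open` half-open connections
    AND they outnumber established ones by `min_ratio`. Both thresholds are assumed
    starting points; tune them to the server's normal connection profile.
    """
    flagged = {}
    for port, s in half_open_stats(text).items():
        ratio = s["half_open"] / max(s["established"], 1)
        if s["half_open"] >= min_half_open and ratio >= min_ratio:
            flagged[port] = {
                "half_open": s["half_open"],
                "established": s["established"],
                "distinct_sources": len(s["sources"]),   # many sources: likely spoofed
            }
    return flagged


if __name__ == "__main__":
    for port, info in suspected_syn_flood(SAMPLE_NETSTAT).items():
        print(f"port {port}: {info['half_open']} half-open vs {info['established']} "
              f"established from {info['distinct_sources']} sources; investigate as a "
              f"possible SYN flood")
```

A single half-open connection on port 443 in the sample is normal (a handshake in progress) and stays below both thresholds, which is the distinction between the ordinary condition in Answer C and the flood in Answer A.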

8. Correct answer: C. If the Windows NT 4 workstations cannot be upgraded to a more recent version of the operating system, the highest encryption level that this network can currently support is NTLM, version 2. Windows NT 4 Workstation does not support the use of Kerberos for LAN communications.

Answer A is incorrect, because LM authentication is a legacy authentication method that predates even Windows NT4 and was used primarily for the Windows 9x family of operating systems. LM authentication is fairly insecure with several well-known vulnerabilities that can allow passwords and other information to be obtained by anyone running a network sniffer. Answer B is incorrect, because while NTLM authentication is an improvement over LM, the updated NTLMv2 resolves several vulnerabilities and provides greater encryption than its predecessor. Answer D is incorrect because the Windows NT4 operating system does not support Kerberos; this is only supported in Windows 2000 or later.

9. Correct answer: B. When designing a VPN solution, IPSec/L2TP will provide the best security if all clients can support it. IPSec/L2TP is supported natively by Windows 2000 and XP Professional, and support for it can be added to Windows NT4.

Answer A is incorrect because SPAP is a legacy protocol used for dial-up accounts that uses minimal encryption and can easily be sniffed. Answer C is incorrect, because while PPTP was the standard VPN protocol for use with NT4 and previous operating systems, the more modern OSs specified in this scenario will allow you to use IPSec/L2TP. Answer D is incorrect because MS-CHAPv2 is used for negotiating basic dial-up modem connectivity, not for securing VPN traffic.

10. Correct answers: A, D. When you are configuring a Windows Server 2003 DNS server to coexist with a UNIX-based DNS server, you need to ensure that the zone transfer process has been secured. In a homogeneous Windows environment, you can control which servers can and cannot retrieve zone transfer information through the Windows GUI. If you will be requesting zone transfers from a UNIX server, these same kinds of controls need to be created. Therefore, Answer A is correct. Second, you need to ensure that the process of sending record updates to the UNIX DNS server is encrypted so that your company's DNS information cannot be intercepted by a curious or malicious user running a packet sniffer. Therefore, Answer D is correct.

Answer B is incorrect because BIND DNS servers do not integrate with the Windows Server 2003 WINS service when performing DNS lookups. Answer C is incorrect because NTLM is a Windows-specific authentication mechanism; you will need to find a secure alternative when configuring authentication to a UNIX DNS server.




MCSE Designing Security for a Windows Server 2003 Network. Exam 70-298
ISBN: 1932266550
Year: 2003
Pages: 122
