Review Questions




1.

Which of the following describes a security risk analysis?

  A. Using the maximum amount of security possible on each asset in your organization

  B. Reviewing the assets that need to be protected versus the cost of protecting the asset and the likelihood of the asset being attacked

  C. Waiting for an attack to occur and then figuring out what you must do to repair the damage

  D. Determining what assets are at risk and providing the maximum amount of security to these assets


2.

When analyzing the security risks of a network, which of the following categories of assets should you be looking at? (Choose all that apply.)

  A. Data

  B. Hardware

  C. Disks

  D. Software

  E. Backup plans

  F. Documentation


3.

Jennifer’s company is worried about sensitive company data being used on laptops that are stolen from time to time from the company’s sales staff. The company sales force uses the data to sell products, issue quotes, and address customer concerns. There is not always a network connection, and it is important that the sales force have the data. Jennifer wants to update the company’s security policy to reflect this concern. Which of the following should she include in the security policy?

  A. Laptop users need strong passwords.

  B. Data should not be saved to laptop computers.

  C. Laptop users must use smart cards for authentication.

  D. A suitable form of encryption must be used on sensitive files located on laptop computers.


4.

Elliott is concerned about the servers in his company. Many are stored in spare offices or closets and a few have been stolen lately. What type of security should Elliott address in his company’s security policy?

  A. Logical

  B. Physical

  C. Data encryption

  D. Password policy


5.

Helena needs to connect a Unix server that does not support Active Directory to the network. Which of the following would be a technical constraint of enforcing security on the network by this addition?

  A. Users on the Unix OS will not be able to use resources on the rest of the network.

  B. Users on the Unix OS will not have secure access to files because Unix does not support access control lists (ACLs).

  C. Administrators will be unable to enforce password policies through Group Policy for users on the Unix server.

  D. Users on the Windows Server 2003 network will not be able to connect to the Unix server.


6.

Faith works for a small firm that rents medical monitoring instruments to patients. Which of the following would need to be considered the most important part of its security policy?

  A. Backup plan

  B. Lockout period in the user password policy

  C. Protection of data on laptop computers

  D. Government industry regulations


7.

Ann is the CTO of a large bank. The bank wants to provide a Web presence where its customers can view their financial records. What is the biggest risk to the customer that Ann should consider?

  A. Controlling access to the internal file servers

  B. Maintaining the privacy of financial records over the Internet

  C. Making sure the users cannot manipulate cookies on their own computers

  D. Avoiding ActiveX controls like Macromedia Flash in the building of its website


8.

Dave manages a web application that his company’s sales force uses to check on product information, place orders, and manage their customers’ information. He only has a web server and an FTP server installed. It is vital that this application is up 24 hours a day, 7 days a week, because downtime translates into lost sales and potentially lost customers. Which of the following attacks should Dave be most concerned about?

  A. Man in the middle

  B. Spoofing

  C. Spamming

  D. Denial of service


9.

Lenin wants to automate the enforcement of many aspects of his company’s security policy. What tools in Windows Server 2003 could he use to accomplish this purpose? (Choose all that apply.)

  A. Active Directory Users And Computers

  B. Security Configuration And Analysis

  C. Security Settings

  D. Security Templates


10.

Which of the following should be considered when analyzing the requirements for securing data? (Choose the best answer.)

  A. The type of data

  B. Data synchronization with mobile users

  C. Backup plan for the data

  D. Data access patterns


Answers

1.

B. Security risk analysis involves looking at the value of the assets you have. In other words, how much would it cost to replace or live without the asset? This will initiate a discussion of how much security you will need for each asset.

2.

A, B, D, F. Data, hardware, software, and documentation are categories of items that should be looked at on a network when determining the network’s security risks. The disks and backup plans are specific assets in these categories.

3.

D. The policy would reflect that the sales staff will store files on their laptops and that the only real means of protecting sensitive information on laptops is through the use of encryption. A strong password policy and smart cards can be overcome simply by installing another version of Windows on the drive and using it to access the files. Strong passwords really provide security to network resources that are physically secure. The company could choose not to save data to laptops to be secure, but the sales force needs offline access to the data.

4.

B. Elliott will need to establish the physical security of his servers. Data encryption and password policies will not protect against theft or vandalism at the physical level. Logical security would represent the software security mechanisms like passwords and access rights.

5.

C. This is an example of technical constraints that may affect security on a network. Because the Unix server does not support Active Directory, it would have no information on the network’s password policy. The policy would have to be configured separately on the Unix server, and it might not support the same options as Windows Server 2003.

6.

D. The biggest cost to the small firm would be from penalties set in government regulations if it is not compliant. Therefore, although a backup plan, password policy, and protection of data on the laptops would also be prudent, government regulation will most likely cost the most in the short term.

7.

B. The bank’s strongest concern is the privacy of the customer’s data sent over the Internet. If this information is not secure, it can cost the bank in fraud, lost customers, and damage to its image.

8.

D. Dave should be concerned about a denial of service attack that will prevent legitimate users from accessing the web application. Man in the middle and spoofing involve changing information en route to the server, which may be a concern to Dave but are not his primary focus. Dave is probably not concerned with somebody using him as a spamming server because he is not running an SMTP server.

9.

B, D. Using the Security Configuration And Analysis snap-in in combination with the Security Templates snap-in allows Lenin to enforce many aspects of the security policy and to verify that the configured server is still in compliance at a later time. You could push the policy out with Group Policy through Active Directory.

10.

C. The data needs to be recoverable if it is to be secure, which means having a backup strategy that captures the data at regular intervals based on the amount of data loss the service level agreement allows. This will minimize the risk of deletion and corruption of the data. The type of data, access patterns, and data synchronization with mobile users are usually only indirectly related to access control and encryption.






MCSE: Windows® Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
Pages: 168
