Chapter 5: Security Fundamentals (Domain 5)
1. B. The perimeter area, or perimeter network, is outside of the
corporate firewall. The perimeter area generally holds
equipment necessary for routing to the ISP. The DMZ is in
between the perimeter network and the internal network. The
internal area is the area or network inside of your organization.
A trusted area is an area or network that has a high level of trust;
generally your internal area is a trusted area.
2. A. The DMZ is an area that is protected by the corporate
firewall. The DMZ area is in between the perimeter network and
the internal network. However, it allows servers such as web
servers, email servers, and application servers to be accessible
via the Internet. The perimeter area, or perimeter network, is
outside of the corporate firewall. The perimeter area generally
holds equipment necessary for routing to the ISP. The internal
area is the area or network inside of your organization. A trusted
area is an area or network that has a high level of trust; generally
your internal area is a trusted area.
3. C. An intrusion prevention system, or IPS, can detect and
prevent attacks based on their signature. They are commonly
found in firewall systems such as Firepower Threat Defense
(FTD) devices. Honey pots are server or network appliances that
have been security weakened to attract bad actors so their
actions and tactics can be examined. An IDS is a system that can
detect an attack based upon a signature. They too are found in
firewall systems such as FTD devices. Although similar to an
IPS, the IDS will only notify someone in the event of a detection.
A host intrusion detection system (HIDS) is an application that
runs on a host to detect intrusions. A HIDS is similar to an IDS,
but it is all software based and resides on the host it is to protect.
4. A. The internal network is defined by the firewall. Anything
protected by the firewall on the internal network is considered to
be the trusted network. The Internet is an untrusted network,
because it is outside of your control and outside of your
organization. The DMZ area is in between the perimeter
network and the internal network. A network with SSL
encryption is not considered trusted; it is considered encrypted.
A network with SSL can travel over an untrusted network such
as the Internet.
5. B. Distributed denial of service, or DDoS, is a common attack
technique used to deny others of service. It is performed by
overwhelming the service with bogus traffic. When it is
performed from multiple hosts on the Internet, it is very difficult
to prevent and stop. A denial of service (DoS) attack is typically
carried out by one source and is relatively easy to mitigate. IP
address spoofing is a tactic in which the source IP address is
spoofed in a packet in an attempt to bypass security. Session
hijacking is an attack in which a conversation between two hosts
is hijacked by an attacker.
6. B. An intrusion detection system, or IDS, can detect an attack
based upon its signature. They are commonly found in firewall
systems such as Firepower Threat Defense (FTD). Although
similar to an IPS, the IDS will only notify someone in the event
of a detection. Honey pots are server or network appliances that
have been security weakened to attract bad actors so their
actions and tactics can be examined. An intrusion prevention
system, or IPS, can detect and prevent attacks based on their
signature. They too are commonly found in firewall systems
such as Firepower Threat Defense (FTD). A host intrusion
detection system (HIDS) is an application that runs on a host to
detect intrusions. A HIDS is similar to an IDS, but it is all
software based and resides on the host it is to protect.
7. D. Ping sweep scans are used by attackers to discover hosts on a
network. The scan sends a flood of ICMP echo requests to the
perimeter network and awaits echo replies. When ICMP is
blocked at the perimeter, an attacker would not be able to scan
the network via ICMP. Although deploying a host intrusion
detection system (HIDS) and intrusion detection system (IDS) is
a good idea, these systems will only notify you of a ping sweep
scan and will not prevent it. Blocking RFC 1918 addresses at the
perimeter is also a positive security measure. However, RFC
1918 addresses are not Internet routable, and this measure does
not prevent an internal ping sweep scan.
8. C. An intrusion prevention system (IPS) will help mitigate
denial of service attacks (DoS). Common features of IPS can be
found in the Cisco Adaptive Security Appliance. Honey pots are
server or network appliances that have been security weakened
to attract bad actors so their actions and tactics can be
examined. An intrusion detection system, or IDS, can detect an
attack based upon its signature. They are also commonly found
in firewall systems such as Firepower Threat Defense (FTD)
devices. Although similar to an IPS, the IDS will only notify
someone in the event of a detection. A host intrusion detection
system (HIDS) is an application that runs on a host to detect
intrusions. A HIDS is similar to an IDS, but it is all software
based and resides on the host it is to protect.
9. C. IP address spoofing is a common attack method used to
attempt to gain access to a system by spoofing the originating IP
address. A denial of service, or DoS, attack is typically carried
out by one source and is relatively easy to mitigate. Distributed
denial of service, or DDoS, is a common attack technique used to
deny others of service. It is performed by overwhelming the
service with bogus traffic. When it is performed from multiple
hosts on the Internet, it is very difficult to prevent and stop.
Session hijacking is an attack in which a conversation between
two hosts is hijacked by an attacker.
10. C. Secure Sockets Layer (SSL) communications offer both
encryption and authentication of the data via certificate signing.
This would prevent tampering of the data end to end. Access
control lists (ACLs) are used to control traffic by either allowing,
denying, or logging traffic depending on specific conditions.
Spoofing mitigation is the action of inspecting the source IP
addresses of a packet to block packets from outside the network
spoofing internal addresses. Encryption of the data alone will
not prevent tampering; SSL provides encryption and
authentication.
11. D. This attack is called a man in the middle attack. The attacker
sits in the middle of communications and relays it back while
capturing it and possibly modifying it. A Smurf attack is an
attack where a number of computers are told to respond to a
victim IP address via a spoofed packet. A compromised key
attack involves a key pair that has been tampered with or copied,
such as SSL or SSH key pairs. A sniffer attack is a passive attack
where an attacker will collect packets with a network sniffer for
later playback or analysis.
12. A. Access control lists (ACLs) are an effective way to mitigate
spoofing of internal IPs from outside the trusted network. ACLs
are used to control traffic by either allowing, denying, or logging
traffic depending on specific conditions. An intrusion detection
system (IDS) can be used to notify you if it detects an attack, but
it will not prevent an attack. Secure Sockets Layer (SSL)
communications offer both encryption and authentication of the
data via certificate signing. This would prevent tampering of the
data end to end, but it will not prevent spoofing. A host
intrusion detection system (HIDS) is an application that runs on
a host to detect intrusions. A HIDS is similar to an IDS, but it is
all software based and resides on the host it is to protect.
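The ACL-based spoofing mitigation described in answers 10 and 12, shown as an added Cisco IOS example that is not from the book. The interface name, the ACL name, and the internal prefix 203.0.113.0/24 (a documentation range standing in for the organization's own address space) are assumptions.

```text
! Added example, not from the book: ingress anti-spoofing filter on the
! interface that faces the ISP. Names and prefixes are assumptions.
ip access-list extended ANTI-SPOOF-IN
 remark Packets from the Internet must never carry one of our own source addresses
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark RFC 1918 and loopback sources are not Internet routable, so drop them here
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Everything else is passed to the firewall behind this router
 permit ip any any
!
interface GigabitEthernet0/0
 description Link to ISP (perimeter)
 ip access-group ANTI-SPOOF-IN in
```

The filter is applied inbound on the outside interface because that is the only direction in which an internal source address is impossible. The log keyword on the first deny is what turns the ACL into a detection point as well; show ip access-lists ANTI-SPOOF-IN displays per-entry hit counters, so a rising count on that line means someone outside is forging internal addresses.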
13. A. A requirement of DHCP snooping is that the device is on the
VLAN that DHCP snooping is monitoring. There is nothing that
requires the DHCP server to run on a layer 2 switch. The device
that is being protected must be on a layer 2 switched port on the
same VLAN and not a layer 3 routed port. DHCP snooping does
not require a dedicated IP address to be configured for its
operations.
14. D. Any service that allows the user to create a connection or
access to information can be used as an attack vector. In the case
of DHCP, the attacker will set the gateway to their IP address. In
the case of DNS, the attacker could spoof a request to redirect
the traffic. In the case of wireless, the attacker can spoof the
Service Set Identifier (SSID).
15. A. Double tagging is an attack that can be used against the
native VLAN. The attacker will tag the native VLAN on a frame
and then tag another inside that frame for the VLAN that the
attacker intends to compromise. When the switch receives the
first frame, it removes the default VLAN tag and forwards it to
other switches via a trunk port. When the other switch receives
the frame with the second VLAN tag, it forwards it to the VLAN
the attacker is targeting. VLAN traversal is not an attack; it is a
term to describe a VLAN traversing a trunk link between two
switches. Trunk popping is not a valid attack; it is not a term
used in networking, and therefore, it is an invalid answer. A
denial of service (DoS) attack is an attack in which an attempt is
made to exhaust a service's resources in order to knock it offline.
16. A. The command ip dhcp snooping trust will configure the
interface as a trusted port. The command dhcp snooping trust is
incorrect. The command ip dhcp snooping trust interface gi 2/3 is
incorrect. The command ip dhcp trust is incorrect.
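A complete DHCP snooping configuration tying together the requirements in answer 13 and the trusted-port command in answer 16. This is an added Cisco IOS example, not from the book; the VLAN number, interface names and rate limit are assumptions.

```text
! Added example, not from the book: DHCP snooping on VLAN 10.
! VLAN number, interfaces and the rate limit are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; turn it off unless the DHCP
! server understands relay-agent information, or clients may be refused
no ip dhcp snooping information option
!
! Layer 2 uplink toward the legitimate DHCP server: trusted, so
! server-type messages (OFFER, ACK, NAK) are accepted on this port
interface GigabitEthernet2/3
 description Uplink to distribution (DHCP server behind it)
 switchport mode trunk
 ip dhcp snooping trust
!
! Client-facing access ports in the snooped VLAN stay untrusted (the
! default): server-type messages from a rogue DHCP server are dropped,
! and client requests are rate limited to blunt a DISCOVER flood
interface range GigabitEthernet1/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
```

Both the protected ports and the trusted uplink are layer 2 switched ports in VLAN 10, which is the dependency answer 13 describes; a routed port cannot participate. show ip dhcp snooping confirms which VLANs are snooped and which interfaces are trusted, and show ip dhcp snooping binding lists the MAC-to-IP leases the switch has learned, which is also the table that IP Source Guard and Dynamic ARP Inspection build on.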
17. C. The native VLAN is the default configuration on all switches.
It is very possible that a user could be configured by accident for
the native VLAN of 1. This would allow management access to
switching and routing. The native VLAN will not contain frames
from all VLANs. The native VLAN will only contain frames that
are placed onto a trunk that have not been tagged. The native
VLAN is not configured on all switches for logging; logging can
be transmitted over any VLAN. All VLANs provide no
encryption, regardless of whether they are the native VLAN.
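Trunk and native-VLAN hardening that addresses both the double-tagging attack in answer 15 and the accidental native-VLAN-1 exposure in answer 17. This is an added Cisco IOS example and not the book's own configuration; the VLAN numbers and interface names are assumptions, and vlan dot1q tag native is only available on some Catalyst platforms.

```text
! Added example, not from the book: native VLAN and trunk hardening.
! VLAN numbers and interfaces are assumptions.
!
! Move the native VLAN off VLAN 1 to a VLAN that carries no user or
! management traffic, so an outer tag stripped at the trunk lands nowhere
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/24
 description Trunk to distribution switch
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 ! Disable DTP so the trunk state cannot be negotiated by the far end
 switchport nonegotiate
!
! Tag native-VLAN frames as well (global; platform dependent), so a
! frame whose outer tag matches the native VLAN is no longer forwarded
! untagged with its inner tag exposed
vlan dot1q tag native
!
! User ports: fixed access mode, never trunk-capable, and not in VLAN 1
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Management stays on its own VLAN instead of the default VLAN 1
interface Vlan1
 shutdown
```

show interfaces trunk lists the native VLAN and allowed VLANs per trunk, which is the quickest check that no trunk is still using VLAN 1 as native. Keeping the native VLAN unused and tagged means the double-tagged frame described in answer 15 either carries a tag the switch will not strip or is delivered to a VLAN with no hosts in it.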
18. A. End user training and vigilance are the best way to protect
users from phishing attacks. A phishing attack is an email or site
that looks legitimate and baits the user to enter their credentials.
If a user can identify a phishing attempt that looks like a
legitimate request, they can protect themselves by ignoring the
phishing attempt or deleting it. Anti-malware and antivirus
software will not protect you from phishing attacks since they
are engineered to protect you from malware or viruses.
Certificates can be used internally to sign emails, but external
vendors do not normally use certificates to sign emails.
19. A. A hardware or software token creates a numeric password
that is valid only for a specific amount of time before a new
one is displayed. Certificate authentication is not time-limited
for a session. Smart card authentication is not time-limited for a
session. License is a term used with the licensing of software and
therefore an incorrect answer.
20. C. This is most likely a phishing attack aimed at the user. Spam
would not have links to a bank website for login. Password
cracking is the act of trying several different passwords in an
attempt to gain access. A worm is malware that replicates itself
and infects other systems.
21. B. Privacy filters are either film or glass add-ons that are placed
over a monitor. They prevent the data on the screen from being
readable when viewed from the sides. Security is the overall goal
and not the correct answer. Degaussing is associated with
magnetic media erasure. Tempered describes a type of glass that
does not prevent side viewing.
22. A. Shoulder surfing involves looking over someone’s shoulder
as they enter information. Phishing is the act of attempting to
steal credentials by sending an email that takes you to a
fraudulent login. Tailgating is the act of following a person
through an access control point and using their credentials.
Whaling is a form of phishing that targets high-profile
individuals.
23. D. By implementing least privilege and removing the
administrative privileges from the office workers, you can easily
secure the network. Biometric authentication will secure the
network, but it is not easily implemented. Hardware tokens will
secure the network, but they are not easily implemented. Active
Directory will not add any more security to the network, because
it is only a centralized authentication system.
24. C. Anti-malware software covers a wide array of security threats
to users, including Trojans, viruses, and phishing emails.
Multifactor authentication combines two or more single-factor
authentication methods to create very secure authentication for
users. Software firewalls will not prevent threats such as
Trojans, viruses, and phishing emails. Antivirus software
protects you only from viruses and Trojans, not phishing emails.
25. B. Using mantraps (small rooms that limit access to one or a
few individuals) is a great way to stop tailgating. User
authentication will not prevent or stop tailgating. Strong
passwords will not prevent tailgating because tailgating is a
physical security problem. Changing SSIDs will not stop
tailgating because tailgating does not pertain to wireless.
26. C. The command enable secret Password20! will set the enable
password and encrypt the Password20! password. The command
password enable Password20! is incorrect. The command enable
Password20! is incorrect. The command secret enable Password20!
is incorrect.
27. D. The command line vty 0 5 will enter you into the line for
the virtual teletype, which is where you configure your Telnet
password. The command interface vlan 1 is incorrect; this
command will set the focus to the switched virtual interface
(SVI) of VLAN 1. The command line console 1 is incorrect; this
command will set the focus to the console line 1. The command
line aux 1 is incorrect; this command will set the focus to the
auxiliary line 1.
28. B. If the enable password is set and the enable secret is set, the
enable password will be ignored. Therefore, the enable secret is
being used to authenticate the user, and you are typing the
wrong password. The command enable password exists for
backward compatibility with pre-10.3 IOSs and should no longer
be used. Although the originally entered password could be
wrong, the enable password is ignored. The password
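The privileged-mode and remote-access password configuration covered by answers 26, 27 and 28 in one place, as an added Cisco IOS example that is not from the book. The password values are constructed placeholders (Password20! is the value the book's question uses).

```text
! Added example, not from the book: enable secret and vty line passwords.
! Password values are constructed placeholders.
!
! An older enable password, if present, is ignored once enable secret is
! set (answer 28); remove it so nobody is misled by the stale value
no enable password
! Stored as a hash in the configuration, never in clear text
enable secret Password20!
!
! Virtual terminal lines 0 through 5 (answer 27): the password alone is
! not checked until login is also configured
line vty 0 5
 password VtyPass20!
 login
 exec-timeout 5 0
 ! Telnet sends the password in clear text; restrict the lines to SSH
 ! once SSH is set up (requires a hostname, domain name and RSA key)
 transport input ssh
!
! Obfuscate remaining clear-text passwords such as the vty password.
! This is type 7 encoding, reversible and not a substitute for enable secret
service password-encryption
```

show running-config | include enable is the check for answer 28: if both an enable password and an enable secret line appear, the secret is the one being tested at the enable prompt, and the password line is dead configuration. The login keyword matters in practice; without it the vty password is set but never requested, and with transport input ssh the lines refuse Telnet entirely.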