Domain 2 Quiz

  1. Decide where things go.
    Network security components
    WAF on web server.

    DLP on firewall. In a later quiz I say DLP goes either at a perimeter firewall or on endpoints (workstations). But we have just two. Putting DLP on just one or two workstations is wrong. The idea is really "On what type of place does this go?", and it's all or none. I don't have two workstations, or two border firewalls, so I picked firewall and file server on the exam, and I think it was graded as correct.

    DLP on file server.

    3 802.1x on 3 switches.

    ACL on router.

    Rules on firewall.

    RADIUS on spare server.
  2. The content management group is considering the use of DNS Round Robin technology. What benefit could this provide?
    1. Load balancing
    2. Transparent proxying
    3. Anti-spoofing
    4. Certificate sharing
    The DNS server returns the full list of IP addresses for the name, rotating the last one to the head of the list at each additional response. Each client uses the first address it receives, so across many clients the activity is spread in roughly equal amounts over the multiple servers, which must hold identical data sets. It is load balancing only in the statistical sense: DNS has no idea whether a server is up or overloaded, and a caching resolver will hand the same ordering to every client behind it until the record's TTL expires, which skews the split.

    As a practical example, at one time www.jpl.nasa.gov resolved to a list of IP addresses, one server at each major NASA facility in the US. The list you got was in an arbitrary order, and your browser used the first one in the list. It worked, you saw the images from the current mission, and all NASA web servers had roughly equal loads.
  3. Gina has been asked by her manager to set up wireless connectivity for the new software development team. They will be working in a small remote facility. What would be the best choice? Pick two.
    1. Fat
    2. Thin
    3. Controller-based
    4. Standalone
    A fat or standalone access point (two terms for the same thing) has enough capability to do everything needed on its own: it holds its own SSID, encryption and authentication configuration. There is no central wireless controller managing it, as there is with thin or controller-based access points, which are little more than radios that tunnel everything back to the controller. One fat/standalone access point is the simplest, thus best, solution for a small remote site with no controller to reach.
  4. Users are reporting that they can't access the financial department's secure web page. The following command output is observed. What is wrong?
    $ netstat -an
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
    tcp4       0      0 10.138.0.3:22          184.16.205.240:50966   ESTABLISHED
    tcp4       0      0 127.0.0.1:9000         127.0.0.1:37632        TIME_WAIT
    tcp4       0      0 127.0.0.1:11628        127.0.0.1:9000         TIME_WAIT
    tcp4       0      0 127.0.0.1:12042        127.0.0.1:9000         TIME_WAIT
    tcp4       0      0 10.138.0.3:80          130.15.4.209:46944     TIME_WAIT
    tcp4       0      0 10.138.0.3:80          46.229.168.70:15234    TIME_WAIT
    tcp4       0      0 10.138.0.3:80          173.187.65.22:50598    ESTABLISHED
    tcp4       0      0 10.138.0.3:80          212.3.84.1:55989       ESTABLISHED
    tcp4       0      0 10.138.0.3:80          212.3.84.1:55987       ESTABLISHED
    tcp4       0      0 10.138.0.3:80          212.3.84.1:55988       TIME_WAIT
    tcp4       0      0 10.138.0.3:80          212.3.84.1:55986       TIME_WAIT
    tcp4       0      0 *:80                   *.*                    LISTEN
    tcp4       0      0 127.0.0.1:9000         *.*                    LISTEN
    tcp4       0      0 *:22                   *.*                    LISTEN
    tcp4       0      0 127.0.0.1:25           *.*                    LISTEN
    udp4       0      0 127.0.0.1:123          *.*                    
    udp4       0      0 10.138.0.3:123         *.*                    
    udp4       0      0 *:123                  *.*                    
    udp4       0      0 *:514                  *.*                    
    
    1. The web server is down
    2. The server is up but its web service isn't running
    3. The certificate is expired
    4. The certificate has been revoked
    5. HTTPS isn't enabled
    6. A firewall is blocking connections
    Read the output. There are multiple TCP services, all with either 127.0.0.1 (localhost), or 10.138.0.3 (apparently the Ethernet interface address), or "*" (meaning "on all interfaces") in the "Local Address" column, and some of those are less than 1024 (22, 80, 25, 123, 514). The "Foreign Address" column has a variety of IP addresses at high-numbered ports. So, this command ran on the server. Now look at the listening TCP services: just 22 (SSH), 25 (SMTP, bound to localhost only), 80 (HTTP), and whatever that is on TCP/9000 (localhost only, so probably a local application backend). So the server OS is running, and it is running HTTP, but nothing is listening on TCP/443, so it is not running HTTPS. An expired or revoked certificate would still show a listener on 443, and a firewall in the path would not change what netstat shows on the server itself. One small omission in the web server configuration file.

    This is real output, copied and pasted from a connection to my web server, but with the listening HTTPS line removed and all instances of TCP/443 changed to TCP/80. My server is at Google, in a 10.138.0.0/24 VLAN.
  5. You observe this data.
    11:43:57.293662 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 1, length 64
    11:43:57.294143 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 1, length 64
    11:43:58.294308 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 2, length 64
    11:43:58.294730 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 2, length 64
    11:43:59.322328 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 3, length 64
    11:43:59.322645 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 3, length 6 
    Which tool or defensive measure was involved? Select two.
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's the output from tcpdump (timestamp, "IP src > dst", protocol and length), which you could also get by saving Wireshark output to a text file (or running the text-output version, tshark). Yes, a ping command was running to generate this traffic, which is the second answer they want, but ping's own output looks different.
  6. You observe this data.
    www.google.com (172.217.6.4) 56(84) bytes of data.
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=1 ttl=116 time=26.9 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=2 ttl=116 time=28.2 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=3 ttl=116 time=27.2 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=4 ttl=116 time=27.2 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=5 ttl=116 time=28.5 ms
    
    --- www.google.com statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4005ms
    rtt min/avg/max/mdev = 26.976/27.673/28.568/0.621 ms 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's ping output with its name removed. On the test you can go back, so if you realize that this is ping output while earlier that must have been tcpdump capture of it, you can go back and change your answer.
  7. You observe this data.
    enp9s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 2601:249:4300:cb:a62:66ff:fe2c:ab1c  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::a62:66ff:fe2c:ab1c  prefixlen 64  scopeid 0x20<link>
            ether 08:62:66:2c:ab:1c  txqueuelen 1000  (Ethernet)
            RX packets 16332198  bytes 4799272313 (4.7 GB)
            RX errors 0  dropped 3  overruns 0  frame 0
            TX packets 27220877  bytes 32805346549 (32.8 GB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's ifconfig output, the now-deprecated net-tools command on Linux. If they showed you the up-to-date ip addr command instead, it would look like this:
    2: enp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 08:62:66:2c:ab:1c brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.1/24 brd 192.168.1.255 scope global enp9s0
           valid_lft forever preferred_lft forever
        inet 192.168.1.2/24 brd 192.168.1.255 scope global secondary enp9s0
           valid_lft forever preferred_lft forever
        inet6 2601:249:4300:cb:a62:66ff:fe2c:ab1c/64 scope global dynamic mngtmpaddr
           valid_lft 345510sec preferred_lft 345510sec
        inet6 fe80::a62:66ff:fe2c:ab1c/64 scope link
           valid_lft forever preferred_lft forever 
  8. You observe this data.
    Host is up (0.00031s latency).
    rDNS record for 192.168.1.40: hplj4250n.kc9rg.org
    Not shown: 993 closed ports
    PORT      STATE SERVICE    VERSION
    80/tcp    open  http       Virata-EmWeb 6.2.1 (HP LaserJet http config)
    280/tcp   open  http       Virata-EmWeb 6.2.1 (HP LaserJet http config)
    443/tcp   open  ssl/https?
    515/tcp   open  printer
    7627/tcp  open  http       HP-ChaiSOE 1.0 (HP LaserJet http config)
    9100/tcp  open  jetdirect?
    14000/tcp open  tcpwrapped
    MAC Address: 00:12:79:DF:81:B1 (Hewlett Packard)
    Device type: printer
    Running: HP embedded
    OS details: HP LaserJet 4250 (JetDirect) printer
    Network Distance: 1 hop
    Service Info: Host: 192.168.1.40; Device: printer 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's nmap output, with the first and last lines showing its own name removed. The VERSION column and the "OS details" line mean service/version detection and OS fingerprinting were turned on, and "Not shown: 993 closed ports" plus the 7 listed is the default 1000-port scan. I scanned my laser printer.
  9. You observe this data.
    192.168.1.4 at dc:a6:32:36:a9:4e [ether] on enp9s0
    192.168.1.218 at b8:27:eb:1f:f6:87 [ether] on enp9s0
    192.168.1.20 at b8:27:eb:03:6b:37 [ether] on enp9s0
    192.168.1.205 at b8:27:eb:f9:ea:4d [ether] on enp9s0
    192.168.1.7 at b8:27:eb:95:25:5b [ether] on enp9s0
    192.168.1.40 at 00:12:79:df:81:b1 [ether] on enp9s0
    192.168.1.254 at 38:94:ed:fa:48:88 [ether] on enp9s0
    192.168.1.42 at 00:1c:50:ac:72:1e [ether] on enp9s0
    192.168.1.3 at dc:a6:32:36:a9:4e [ether] on enp9s0 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's Linux arp output: IP, MAC, link type and interface. Windows uses dashes instead of colons in MAC addresses in arp output. Note that 192.168.1.3 and 192.168.1.4 share one MAC. That is normal for a host with a secondary address, but it is also exactly what an ARP spoofer answering for a neighbour looks like, so it is worth a second look.
  10. You observe this data.
    Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
    tcp        0      0 www.http               ec2-54-251-14-39.http  SYN_RCVD
    tcp        0      0 www.http               97-127-152-158.c.http  SYN_RCVD
    tcp        0     72 www.ssh                c-67-162-124-176.57046 ESTABLISHED
    tcp        0      0 www.ssh                c-67-162-124-176.56956 TIME_WAIT
    tcp        0      0 www.57694              metadata.google..http  ESTABLISHED
    tcp        0      0 localhost.9000         localhost.45172        TIME_WAIT
    tcp        0      0 www.https              cpe-184-153-88-7.45718 ESTABLISHED
    tcp        0      0 www.https              ec2-54-90-33-176.40684 ESTABLISHED
    tcp        0      0 www.https              petalbot-114-119.32762 TIME_WAIT
    tcp        0      0 www.https              static.kpn.net.49168   ESTABLISHED
    tcp        0      0 www.https              static.kpn.net.49169   ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1480  ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1478  ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1476  ESTABLISHED
    tcp        0      0 www.https              crawl-66-249-79-.52368 TIME_WAIT
    tcp        0      0 www.https              crawl-66-249-79-.35610 TIME_WAIT
    tcp        0      0 www.http               crawl-66-249-68-.58406 TIME_WAIT
    tcp        0      0 www.https              84.93.94.244.56895     ESTABLISHED
    tcp        0      0 www.https              ip-99-203-20-246.19011 ESTABLISHED
    tcp        0      0 www.https              pool-96-252-105-.51616 TIME_WAIT
    tcp        0     63 www.https              CPE589630c056fc-.59897 FIN_WAIT_1
    tcp        0      0 www.http               200.46.45.114.50849    CLOSED
    tcp        0      0 www.http               201.130.137.117..44167 CLOSED
    tcp        0      0 *.https                *.*                    LISTEN
    tcp        0      0 *.http                 *.*                    LISTEN
    tcp        0      0 localhost.9000         *.*                    LISTEN
    tcp        0      0 *.ssh                  *.*                    LISTEN
    tcp6       0      0 *.ssh                  *.*                    LISTEN
    tcp        0      0 localhost.smtp         *.*                    LISTEN 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    I just ran netstat -a on my server, with some clients caught in the act of downloading pages.

    A question on an earlier quiz showed the command. Once in a while on the real test, one question tells you the answer to a different question.
  11. You observe this command output.
    Server:         192.168.1.3
    Address:        192.168.1.3#53
    
    ** server can't find www.faasdfjh.com: NXDOMAIN 
    What is wrong?
    1. DNS cache poisoning has happened
    2. Your workstation cannot contact the nameserver
    3. The domain faasdfjh.com does not exist
    4. There is no host named www.faasdfjh.com
    This is nslookup output. "NXDOMAIN" is the DNS response code meaning "non-existent domain", and the exam wants answer 3. Strictly, the resolver is reporting that the name www.faasdfjh.com does not exist; the same code comes back whether or not faasdfjh.com itself is registered, so to tell answers 3 and 4 apart in real life you would query the domain's SOA or NS records directly. Cache poisoning would give you a wrong answer, not a "no such name".
  12. You observe this command output.
    ;; connection timed out; no servers could be reached 
    What is wrong?
    1. DNS cache poisoning has happened
    2. Your workstation cannot contact the nameserver
    3. The domain does not exist
    4. There is no host with the requested name
    This is dig output (the ";;" prefix is its comment style). The servers it's talking about are the DNS nameservers the workstation is configured to use; it never got a reply from any of them.
  13. You observe this data.
    [**] [122:1:0] (Web) Directory Traversal [**] [Priority: 2] 07/05-12:15:41.483293 192.168.3.7 -> 192.168.1.1:80 PROTO:255 TTL:0 TOS:0x0 ID:3253 IpLen:20 DgmLen:1501
    
    Which tool or defensive measure was involved?
    1. NIDS
    2. NIPS
    3. HIDS
    4. HIPS
    This is a Snort alert. It has detected 192.168.3.7 attempting a directory traversal attack (asking for "../../../something") against the server 192.168.1.1 via HTTP on TCP/80.

    Unless this triggered something else that we don't see here, there was no prevention, just detection of network traffic. Nothing in the alert says the packet was dropped, and it is a sensor looking at network traffic rather than an agent on the host, so NIDS.
  14. You observe this data.
    An unapproved executable attempted to run and was prevented.
    The action was stopped and logged.
    Location: c:\Program Files\Chromium Browser\Chrome.exe
        User: Elon
       Cause: Policy setting for unapproved software 
    Which tool or defensive measure was involved?
    1. File integrity check
    2. Antivirus
    3. Blacklisting
    4. Whitelisting
    5. DLP
    6. DEP
    It was not on the approved list, so it was blocked: whitelisting (application allow listing). Blacklisting would say the executable was on a list of known-bad software; antivirus would name a signature; DEP would say the program tried to execute data.
  15. Julie, a network engineer, has been informed by management that they want to deploy network security technology that uses OSI layers 4 through 7 to authenticate, authorize, and audit Internet activity. To reduce the load on help desk personnel, this must require little to no browser or other application reconfiguration. What should she recommend?
    1. SIEM
    2. 802.1x
    3. Transparent proxy
    4. Load balancer
    Tip-offs: "authenticate, authorize, and audit Internet activity" at layers 4 through 7 is a proxy, and "little to no browser reconfiguration" makes it a transparent (intercepting) proxy, which the network routes traffic through without the clients being pointed at it. 802.1x authenticates at layer 2, a SIEM collects logs, a load balancer spreads connections.
  16. Jenny, a network engineer, has been tasked with auditing network traffic to determine if any sensitive data is being transmitted in cleartext form. What tool could she use?
    1. Protocol analyzer
    2. Pen testing toolkit
    3. Compliance scanner
    4. Nmap
    A protocol analyzer (Wireshark, tcpdump) shows packet payloads, so it can confirm whether credentials or data are actually crossing the wire in cleartext. It would surely be part of a pen-testing toolkit (e.g., Kali includes Wireshark), but she would be using the protocol analyzer. Nmap could discover which servers support cleartext protocols, but offering a protocol isn't the same as sending sensitive data over it. For example, a web server should listen on port 80 in cleartext, just to redirect clients to the corresponding HTTPS URL.
  17. James, a programmer, is looking at the logs of his WAP in his home. He notices an unknown device that has been accessing it. What countermeasure should he use?
    1. 802.1x
    2. NAC and certificates
    3. MAC filtering
    4. Faraday cage
    5. RADIUS and EAP
    The first two and the last are all aspects of the same thing (port-based network access control with EAP authentication against a RADIUS server), which you could do on a Raspberry Pi (assuming his home WAP has the capability). However, MAC filtering is the imperfect but reasonable answer for a home WAP; imperfect because MAC addresses are visible on the air and trivially cloned. Yes, I got a question about WAP logs at home.
  18. Which of these are appropriate defenses for a mobile device? Select three.
    1. Remote wipe
    2. Cable lock
    3. FM-200
    4. Biometrics
    5. GPS tracking
    6. Transparent proxy
    When they say "mobile device" they mean a phone, maybe a tablet, but something too small for a cable lock. Fire suppression goes into the building, proxies are out in the network infrastructure, the other three can go into a mobile device. Note that GPS tracking is to recover the device; it does not protect the data. But the question asks about the device, not the data.
  19. George's manager needs to give a presentation to the board of directors, telling them about the most critical threat to the organization. What should George make sure is highlighted?
    1. Asset management
    2. Insider threat
    3. Social media
    4. Baseline deviations
    5. Performance
    6. Unauthorized software
    We have technical controls for everything else, and the insider threat is always the most threatening.
  20. Tony, a network engineer, has been tasked by his manager with monitoring the more sensitive internal networks, to spot and block attacks. What should Tony use?
    1. SIEM
    2. HIDS
    3. HIPS
    4. NIDS
    5. NIPS
    Tip-offs: "networks" means network-based (N, not H), and "block" means prevention (IPS, not IDS).
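The Q4 reasoning (find the listening TCP ports, notice that 443 is missing) is easy to do by eye on one screen and tedious on a busy server. Here it is as a script: an added example written for this page, not anything from the exam or from the page's own server. It parses the Q4 exhibit (embedded below, the same lines as above) and, as an extension beyond the exhibit, also accepts the BSD-style host.port form from Q10, so `*.https` parses as port "https". WELL_KNOWN is a hand-made lookup for the ports that appear on this page, not a full services table.

```python
"""Parse `netstat -an` output, list the TCP listeners, and check whether a
wanted port (443 for the Q4 exhibit) is among them.

Added example; not code from the original page. NETSTAT_Q4 is copied
from the Q4 exhibit above, trimmed to the lines that matter here."""

from collections import defaultdict

NETSTAT_Q4 = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.138.0.3:22          184.16.205.240:50966   ESTABLISHED
tcp4       0      0 127.0.0.1:9000         127.0.0.1:37632        TIME_WAIT
tcp4       0      0 10.138.0.3:80          173.187.65.22:50598    ESTABLISHED
tcp4       0      0 *:80                   *.*                    LISTEN
tcp4       0      0 127.0.0.1:9000         *.*                    LISTEN
tcp4       0      0 *:22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1:25           *.*                    LISTEN
udp4       0      0 *:123                  *.*
udp4       0      0 *:514                  *.*
"""

# Hand-made lookup for the ports seen on this page (assumption, not /etc/services).
WELL_KNOWN = {22: "ssh", 25: "smtp", 80: "http", 443: "https", 123: "ntp", 514: "syslog"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def split_addr(addr):
    """'10.138.0.3:80' -> ('10.138.0.3', 80); '*.https' -> ('*', 'https').
    Numeric ports become ints; service names (BSD netstat form) stay strings."""
    sep = ":" if ":" in addr else "."
    host, port = addr.rsplit(sep, 1)
    return host, (int(port) if port.isdigit() else port)


def parse_netstat(text):
    """Return [(proto, local_host, local_port, state)] for each socket line.
    Header and blank lines are skipped; UDP rows have no state column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        state = parts[5] if len(parts) > 5 else ""
        host, port = split_addr(parts[3])
        rows.append((parts[0], host, port, state))
    return rows


def listening(rows):
    """{port: set(bound addresses)} for TCP sockets in LISTEN state."""
    lmap = defaultdict(set)
    for proto, host, port, state in rows:
        if proto.startswith("tcp") and state == "LISTEN":
            lmap[port].add(host)
    return dict(lmap)


def exposed_externally(lmap):
    """Listening ports reachable from off the box: bound to '*' or a real interface."""
    return sorted(p for p, hosts in lmap.items() if any(h not in LOOPBACK for h in hosts))


def diagnose(text, wanted_port=443):
    """One-line verdict in the spirit of the Q4 answer choices."""
    rows = parse_netstat(text)
    if not rows:
        return "no sockets: host is down or this output is not from the server"
    lmap = listening(rows)
    if wanted_port in lmap:
        return f"port {wanted_port} is listening on {sorted(lmap[wanted_port])}"
    seen = ", ".join(f"{p} ({WELL_KNOWN.get(p, '?')})" for p in sorted(lmap, key=str))
    return f"port {wanted_port} is NOT listening; TCP listeners are {seen}"


if __name__ == "__main__":
    print(diagnose(NETSTAT_Q4))
    print("exposed:", exposed_externally(listening(parse_netstat(NETSTAT_Q4))))
```

The exposed_externally() list (22 and 80 here) is the part a practitioner actually cares about on a hardening pass: 25 and 9000 are loopback-only, so they are not reachable from the network even though they are listening.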
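Q2's round-robin mechanism, and the reason it is only approximate load balancing, is easiest to see in a few lines of simulation. This is an added example written for this page, not anything from the exam. The server addresses are made up (documentation range), the zone class is a toy, and the `clients_per_cached_answer` knob is my way of modelling a caching resolver that serves one answer to many clients before it asks the authoritative server again.

```python
"""Simulate DNS round robin: the server hands out the whole A-record set but
rotates the last record to the head on each response; each client connects
to the first address it is given.

Added example; not code from the original page. Addresses are constructed."""

from collections import Counter

# Three identical web servers (constructed, RFC 5737 documentation range).
RRSET = ["203.0.113.10", "203.0.113.20", "203.0.113.30"]


class RoundRobinZone:
    """Holds one RRset and rotates its order after every answer,
    last-to-head, as described in the Q2 explanation."""

    def __init__(self, records):
        self._order = list(records)

    def answer(self):
        current = list(self._order)
        self._order = self._order[-1:] + self._order[:-1]
        return current


def distribute(zone, n_clients, clients_per_cached_answer=1):
    """Count which server each client ends up on.

    clients_per_cached_answer models a caching resolver in front of the
    clients: it asks the zone once and serves that same answer (same
    ordering) to that many clients before asking again."""
    picks = Counter()
    served = 0
    while served < n_clients:
        ans = zone.answer()
        batch = min(clients_per_cached_answer, n_clients - served)
        picks[ans[0]] += batch          # every client takes the first address
        served += batch
    return picks


if __name__ == "__main__":
    print("no caching:  ", distribute(RoundRobinZone(RRSET), 300))
    print("200 per cache:", distribute(RoundRobinZone(RRSET), 300, 200))
```

With one query per client the split is exactly even; with a resolver caching each answer for 200 clients, 300 clients land 200 on the first server, 100 on another and none on the third. That is why round robin is paired with a short TTL, and why a real load balancer that sees the connections is the answer when even distribution or health checking actually matters.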

Exhibit with 10 items, then 19 regular questions

Passing = 82% of 29 = 23.8

Goal = 91% of 29 = 26.4
