
Domain 2 Quiz
-
Decide where things go.
DLP on firewall. In a later quiz I say DLP goes either at a perimeter firewall or on endpoints, or workstations. But we have just two. Putting DLP on just one or two workstations is wrong. The idea is really "On what type of place does this go?"; it's all or none. I don't have two workstations, or two border firewalls, so I picked firewall and file server on the exam, and I think it was graded as correct.
DLP on file server.
3 802.1x on 3 switches.
ACL on router.
Rules on firewall.
RADIUS on spare server.
-
The content management group is considering the use of
DNS Round Robin technology.
What benefit could this provide?
- Load balancing
- Transparent proxying
- Anti-spoofing
- Certificate sharing
As a practical example, at one time www.jpl.nasa.gov resolved to a list of IP addresses, one server at each major NASA facility in the US. The list you got was in an arbitrary order, and your browser used the first one in the list. It worked, you saw the images from the current mission, and all NASA web servers had roughly equal loads.
-
Gina has been asked by her manager to set up wireless
connectivity for the new software development team.
They will be working in a small remote facility.
What would be the best choice?
Pick two.
- Fat
- Thin
- Controller-based
- Standalone
-
Users are reporting that they can't access the financial
department's secure web page.
The following command output is observed.
What is wrong?
$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.138.0.3:22          184.16.205.240:50966   ESTABLISHED
tcp4       0      0  127.0.0.1:9000         127.0.0.1:37632        TIME_WAIT
tcp4       0      0  127.0.0.1:11628        127.0.0.1:9000         TIME_WAIT
tcp4       0      0  127.0.0.1:12042        127.0.0.1:9000         TIME_WAIT
tcp4       0      0  10.138.0.3:80          130.15.4.209:46944     TIME_WAIT
tcp4       0      0  10.138.0.3:80          46.229.168.70:15234    TIME_WAIT
tcp4       0      0  10.138.0.3:80          173.187.65.22:50598    ESTABLISHED
tcp4       0      0  10.138.0.3:80          212.3.84.1:55989       ESTABLISHED
tcp4       0      0  10.138.0.3:80          212.3.84.1:55987       ESTABLISHED
tcp4       0      0  10.138.0.3:80          212.3.84.1:55988       TIME_WAIT
tcp4       0      0  10.138.0.3:80          212.3.84.1:55986       TIME_WAIT
tcp4       0      0  *:80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1:9000         *.*                    LISTEN
tcp4       0      0  *:22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1:25           *.*                    LISTEN
udp4       0      0  127.0.0.1:123          *.*
udp4       0      0  10.138.0.3:123         *.*
udp4       0      0  *:123                  *.*
udp4       0      0  *:514                  *.*
- The web server is down
- The server is up but its web service isn't running
- The certificate is expired
- The certificate has been revoked
- HTTPS isn't enabled
- A firewall is blocking connections
This is real output, copy and paste from a connection to my web server, but with listening HTTPS removed and all instances of TCP/443 changed to TCP/80. My server is at Google, in a 10.38.0.0/24 VLAN.
-
You observe this data.
11:43:57.293662 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 1, length 64
11:43:57.294143 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 1, length 64
11:43:58.294308 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 2, length 64
11:43:58.294730 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 2, length 64
11:43:59.322328 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 3, length 64
11:43:59.322645 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 3, length 6
Which tool or defensive measure was involved? Select two.
- Wireshark
- ping
- nmap
- tcpdump
- netstat
- arp
- ifconfig
tcpdump, which you could also get by saving Wireshark output to a text file (or running the text-output version, tshark). Yes, a ping command was running to generate this traffic, but its output is different.
-
You observe this data.
www.google.com (172.217.6.4) 56(84) bytes of data.
64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=1 ttl=116 time=26.9 ms
64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=2 ttl=116 time=28.2 ms
64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=3 ttl=116 time=27.2 ms
64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=4 ttl=116 time=27.2 ms
64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=5 ttl=116 time=28.5 ms

--- www.google.com statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 26.976/27.673/28.568/0.621 ms
Which tool or defensive measure was involved?
- Wireshark
- ping
- nmap
- tcpdump
- netstat
- arp
- ifconfig
ping output with its name removed. On the test you can go back, so if you realize that this is ping output while earlier that must have been tcpdump capture of it, you can go back and change your answer.
-
You observe this data.
enp9s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2601:249:4300:cb:a62:66ff:fe2c:ab1c  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::a62:66ff:fe2c:ab1c  prefixlen 64  scopeid 0x20<link>
        ether 08:62:66:2c:ab:1c  txqueuelen 1000  (Ethernet)
        RX packets 16332198  bytes 4799272313 (4.7 GB)
        RX errors 0  dropped 3  overruns 0  frame 0
        TX packets 27220877  bytes 32805346549 (32.8 GB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Which tool or defensive measure was involved?
- Wireshark
- ping
- nmap
- tcpdump
- netstat
- arp
- ifconfig
ifconfig output, the now outdated tool on Linux. If they showed you the up-to-date ip addr command instead, it would look like this:
2: enp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:62:66:2c:ab:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global enp9s0
       valid_lft forever preferred_lft forever
    inet 192.168.1.2/24 brd 192.168.1.255 scope global secondary enp9s0
       valid_lft forever preferred_lft forever
    inet6 2601:249:4300:cb:a62:66ff:fe2c:ab1c/64 scope global dynamic mngtmpaddr
       valid_lft 345510sec preferred_lft 345510sec
    inet6 fe80::a62:66ff:fe2c:ab1c/64 scope link
       valid_lft forever preferred_lft forever
-
You observe this data.
Host is up (0.00031s latency).
rDNS record for 192.168.1.40: hplj4250n.kc9rg.org
Not shown: 993 closed ports
PORT      STATE SERVICE    VERSION
80/tcp    open  http       Virata-EmWeb 6.2.1 (HP LaserJet http config)
280/tcp   open  http       Virata-EmWeb 6.2.1 (HP LaserJet http config)
443/tcp   open  ssl/https?
515/tcp   open  printer
7627/tcp  open  http       HP-ChaiSOE 1.0 (HP LaserJet http config)
9100/tcp  open  jetdirect?
14000/tcp open  tcpwrapped
MAC Address: 00:12:79:DF:81:B1 (Hewlett Packard)
Device type: printer
Running: HP embedded
OS details: HP LaserJet 4250 (JetDirect) printer
Network Distance: 1 hop
Service Info: Host: 192.168.1.40; Device: printer
Which tool or defensive measure was involved?
- Wireshark
- ping
- nmap
- tcpdump
- netstat
- arp
- ifconfig
nmap output, with the first and last lines showing its own name removed. I scanned my laser printer.
-
You observe this data.
192.168.1.4 at dc:a6:32:36:a9:4e [ether] on enp9s0
192.168.1.218 at b8:27:eb:1f:f6:87 [ether] on enp9s0
192.168.1.20 at b8:27:eb:03:6b:37 [ether] on enp9s0
192.168.1.205 at b8:27:eb:f9:ea:4d [ether] on enp9s0
192.168.1.7 at b8:27:eb:95:25:5b [ether] on enp9s0
192.168.1.40 at 00:12:79:df:81:b1 [ether] on enp9s0
192.168.1.254 at 38:94:ed:fa:48:88 [ether] on enp9s0
192.168.1.42 at 00:1c:50:ac:72:1e [ether] on enp9s0
192.168.1.3 at dc:a6:32:36:a9:4e [ether] on enp9s0
Which tool or defensive measure was involved?
- Wireshark
- ping
- nmap
- tcpdump
- netstat
- arp
- ifconfig
arp output.
-
You observe this data.
Proto Recv-Q Send-Q  Local Address    Foreign Address          (state)
tcp        0      0  www.http         ec2-54-251-14-39.http    SYN_RCVD
tcp        0      0  www.http         97-127-152-158.c.http    SYN_RCVD
tcp        0     72  www.ssh          c-67-162-124-176.57046   ESTABLISHED
tcp        0      0  www.ssh          c-67-162-124-176.56956   TIME_WAIT
tcp        0      0  www.57694        metadata.google..http    ESTABLISHED
tcp        0      0  localhost.9000   localhost.45172          TIME_WAIT
tcp        0      0  www.https        cpe-184-153-88-7.45718   ESTABLISHED
tcp        0      0  www.https        ec2-54-90-33-176.40684   ESTABLISHED
tcp        0      0  www.https        petalbot-114-119.32762   TIME_WAIT
tcp        0      0  www.https        static.kpn.net.49168     ESTABLISHED
tcp        0      0  www.https        static.kpn.net.49169     ESTABLISHED
tcp        0      0  www.https        185-97-201-166.n.1480    ESTABLISHED
tcp        0      0  www.https        185-97-201-166.n.1478    ESTABLISHED
tcp        0      0  www.https        185-97-201-166.n.1476    ESTABLISHED
tcp        0      0  www.https        crawl-66-249-79-.52368   TIME_WAIT
tcp        0      0  www.https        crawl-66-249-79-.35610   TIME_WAIT
tcp        0      0  www.http         crawl-66-249-68-.58406   TIME_WAIT
tcp        0      0  www.https        84.93.94.244.56895       ESTABLISHED
tcp        0      0  www.https        ip-99-203-20-246.19011   ESTABLISHED
tcp        0      0  www.https        pool-96-252-105-.51616   TIME_WAIT
tcp        0     63  www.https        CPE589630c056fc-.59897   FIN_WAIT_1
tcp        0      0  www.http         200.46.45.114.50849      CLOSED
tcp        0      0  www.http         201.130.137.117..44167   CLOSED
tcp        0      0  *.https          *.*                      LISTEN
tcp        0      0  *.http           *.*                      LISTEN
tcp        0      0  localhost.9000   *.*                      LISTEN
tcp        0      0  *.ssh            *.*                      LISTEN
tcp6       0      0  *.ssh            *.*                      LISTEN
tcp        0      0  localhost.smtp   *.*                      LISTEN
Which tool or defensive measure was involved?
- Wireshark
- ping
- nmap
- tcpdump
- netstat
- arp
- ifconfig
netstat -a on my server, with some clients caught in the act of downloading pages.
A question on an earlier quiz showed the command. Once in a while on the real test, one question tells you the answer to a different question.
-
You observe this command output.
Server:    192.168.1.3
Address:   192.168.1.3#53

** server can't find www.faasdfjh.com: NXDOMAIN
What is wrong?
- DNS cache poisoning has happened
- Your workstation cannot contact the nameserver
- The domain faasdfjh.com does not exist
- There is no host named www.faasdfjh.com
-
You observe this command output.
;; connection timed out; no servers could be reached
What is wrong?
- DNS cache poisoning has happened
- Your workstation cannot contact the nameserver
- The domain does not exist
- There is no host with the requested name
-
You observe this data.
[**] [122:1:0] (Web) Directory Traversal [**]
[Priority: 2]
07/05-12:15:41.483293 192.168.3.7 -> 192.168.1.1:80
PROTO:255 TTL:0 TOS:0x0 ID:3253 IpLen:20 DgmLen:1501
Which tool or defensive measure was involved?
- NIDS
- NIPS
- HIDS
- HIPS
Unless this triggered something else that we don't see here, there was no prevention, just detection of network traffic.
-
You observe this data.
An unapproved executable attempted to run and was prevented. The action was stopped and logged.
Location: c:\Program Files\Chromium Browser\Chrome.exe
User: Elon
Cause: Policy setting for unapproved software
Which tool or defensive measure was involved?
- File integrity check
- Antivirus
- Blacklisting
- Whitelisting
- DLP
- DEP
-
Julie, a network engineer, has been informed by management
that they want to deploy network security technology that
uses OSI layers 4 through 7 to authenticate, authorize,
and audit Internet activity.
To reduce the load on help desk personnel, this must
require little to no browser or other application
reconfiguration.
What should she recommend?
- SIEM
- 802.1x
- Transparent proxy
- Load balancer
-
Jenny, a network engineer, has been tasked with auditing
network traffic to determine if any sensitive data is
being transmitted in cleartext form.
What tool could she use?
- Protocol analyzer
- Pen testing toolkit
- Compliance scanner
- Nmap
-
James, a programmer, is looking at the logs of his WAP
in his home.
He notices an unknown device that has been accessing it.
What countermeasure should he use?
- 802.1x
- NAC and certificates
- MAC filtering
- Faraday cage
- RADIUS and EAP
-
Which of these are appropriate defenses for a mobile device?
Select three.
- Remote wipe
- Cable lock
- FM-200
- Biometrics
- GPS tracking
- Transparent proxy
-
George's manager needs to give a presentation to the board
of directors, telling them about the most critical threat
to the organization.
What should George make sure is highlighted?
- Asset management
- Insider threat
- Social media
- Baseline deviations
- Performance
- Unauthorized software
-
Tony, a network engineer, has been tasked by his manager with
monitoring the more sensitive internal networks, to spot
and block attacks.
What should Tony use?
- SIEM
- HIDS
- HIPS
- NIDS
- NIPS
Exhibit with 10 items, then 19 regular questions
Passing = 82% of 29 = 23.8
Goal = 91% of 29 = 26.4