Appendix C 716

A. Confidentiality
B. Integrity
C. Availability
D. Authentication

Correct answer and explanation: C. Availability under CIA has not been assured because the resource is not available to the user after they have authenticated.

Incorrect answers and explanations: Answer A is incorrect because confidentiality has not been breached in this scenario. Answer B is incorrect because integrity has not been breached in this scenario. Although the resource may not be available, that does not mean that the integrity of the data has been violated. Answer D is incorrect because authentication is not a component of CIA and the scenario describes that authentication has completed successfully.

3. You are performing a security audit for a company to determine their risk from various attack methods. As part of your audit, you work with one of the company's employees to see what activities he performs during the day that could be at risk. As you work with the employee, you see him perform the following activities:

Log in to the corporate network using Kerberos.
Access files on a remote system through a Web browser using SSL.
Log into a remote UNIX system using SSH.
Connect to a POP3 server and retrieve e-mail.

Which of these activities is most vulnerable to a sniffing attack?

A. Logging in to the corporate network using Kerberos
B. Accessing files on a remote system through a Web browser using SSL
C. Logging into a remote UNIX system using SSH
D. Connecting to a POP3 server and retrieving e-mail

Correct answer and explanation: D. Connecting to a POP3 server sends the ID and password over the network in a nonencrypted format due to the use of cleartext authentication. This data (in addition to the e-mail content itself) is consequently vulnerable to being collected when sniffing the network.

Incorrect answers and explanations: A, B, and C.
Answer A is incorrect because logging into a network using Kerberos is secure from sniffing attacks due to encryption and time stamps. Answer B is incorrect because using SSL encrypts the connection so that it cannot be viewed by sniffing. Answer C is incorrect because using SSH encrypts the connection to the remote UNIX system.

4. You are reading a security article regarding penetration testing of various authentication methods. One of the methods being described uses a time-stamped ticket as part of its methodology. Which authentication method would match this description?

A. Certificates
B. CHAP
C. Kerberos
D. Tokens

Correct answer and explanation: C. Kerberos is the only access control method listed that uses time-stamped tickets.

Incorrect answers and explanations: Answer A is incorrect because certificates do not use tickets, although they are time-stamped. Answer B is incorrect because CHAP does not use time-stamped tickets as part of its methodology. Answer D is incorrect because tokens do not use tickets, although their numerical algorithms may be based on time stamps.

5. You are a security consultant for a large company that wants to make its intranet available to its employees via the Internet. They want to ensure that the site is as secure as possible. To do this, they want to use multifactor authentication. The site uses an ID and password already, but they want to add security features that ensure that the site is indeed their site, not a spoofed site, and that the user is an authorized user. Which authentication technology supports this?

A. Certificates
B. CHAP
C. Kerberos
D. Tokens

Correct answer and explanation: A. Certificates can be used not only to ensure that the site is the company's Web site but also that the user is an authorized user. The Web server can be configured to require client-side certificates.

Incorrect answers and explanations: B, C, and D.
Answer B is incorrect because CHAP does not support two-way authentication in this manner. Answer C is incorrect because Kerberos can authenticate the user in a method similar to this but could not serve to authenticate the server. Answer D is incorrect because tokens are used for one-way authentication.

6. You are developing a password policy for a company. As part of the password policy, you define the required strength of the password. Because of the security requirements for the company, you have required a minimum length of 14 characters, the use of uppercase and lowercase alphabetic characters, the use of numbers, and the use of special characters. What else should you require?

A. No dictionary words allowed in the password
B. No portion of the username allowed in the password
C. No personal identifiers allowed in the password
D. All the above

Correct answer and explanation: D. All the options listed are good requirements for a strong password. Because the security requirements are stringent enough to require the use of a 14-character password, you should ensure that the policy is as restrictive as possible in the other elements of password strength.

Incorrect answers and explanations: Answer A is incorrect because while this will help increase the strength of the password, it is not the strongest answer. Answer B is incorrect because while this will help increase the strength of the password, it is not the strongest answer. Answer C is incorrect because while this will increase the strength of the password, it is not the strongest answer. It should also be noted that all the options except for this one can be enforced systematically, whereas option C can only be enforced by policy.

7. You have been asked to help a company implement multi-factor authentication. They want to make sure that the environment is as secure as possible through the use of biometrics.
Based on your knowledge of authentication, you understand that biometrics falls under the "something you are" category. Which other category should be used with the biometric device to provide the highest level of security?

A. Something you know
B. Something you have
C. Something you do
D. All the above

Correct answer and explanation: D. All these options have their own benefits and detriments. A combination of all of them in a multifactor authentication system would provide the highest level of security, although it would be quite an inconvenience to the user.

Incorrect answers and explanations: Answer A is incorrect because while this is a valid solution for the multifactor authentication requirement, it is not the most secure solution. Answer B is incorrect because this too is not the most secure solution. Answer C is incorrect as well because any two-factor authentication method is not as secure as a four-factor authentication method.

8. You are attempting to query an object in an LDAP directory using the distinguished name of the object. The object has the following attributes:

cn: 4321
givenName: John
sn: Doe
telephoneNumber: 905 555 1212
employeeID: 4321
mail: jdoe@nonexist.com
objectClass: organizationalPerson

Based on this information, which of the following would be the distinguished name of the object?

A. dc=nonexist, dc=com
B. cn=4321
C. dn: cn=4321, dc=nonexist, dc=com
D. jdoe@nonexist.com

Correct answer and explanation: C. dn: cn=4321, dc=nonexist, dc=com. The distinguished name is a unique identifier for the object, and is made up of several attributes of the object. It consists of the relative distinguished name, which is constructed from some attribute(s) of the object, followed by the distinguished name of the parent object.

Incorrect answers and explanations: Answer A is incorrect because this identifies the root of the tree. Answer B is incorrect because this identifies the common name of the object.
Answer D is incorrect because this is the user account's e-mail address.

9. You are creating a new LDAP directory, in which you will need to develop a hierarchy of organizational units and objects. To perform these tasks, on which of the following servers will you create the directory structure?

A. DIT
B. Tree server
C. Root server
D. Branch server

Correct answer and explanation: C. The root server is used to create the structure of the directory, with organizational units and objects branching out from the root. Because LDAP directories are organized as tree structures, the top of the hierarchy is called the root.

Incorrect answers and explanations: Answer A is incorrect because the DIT is the name given to the tree structure. Answers B and D are incorrect because there is no such thing as a branch server or tree server in LDAP.

10. When using LDAP for authentication in an internetworking environment, what is the best way to ensure that the authentication data is secure from packet sniffing?

A. Use LDAP to keep all passwords encrypted when transmitted to the server.
B. Use LDAP over SSL/TLS to encrypt the authentication data.
C. Require that the clients use strong passwords so that they cannot easily be guessed.
D. Use LDAP over HTTP/S to encrypt the authentication data.

Correct answer and explanation: B. Use LDAP over SSL/TLS to encrypt the authentication data. This will ensure that no LDAP authentication is performed unencrypted, so that anyone capturing the packets on the network will not be able to read it easily.

Incorrect answers and explanations: Answer A is incorrect because LDAP doesn't encrypt data transmitted between the client and server. Answer C is incorrect because even though it is important to use strong passwords, it does not protect the authentication data from being captured by a packet sniffer. Answer D is incorrect because HTTP/S is a protocol for transferring Web pages securely.
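Questions 8 through 10 turn on how a distinguished name is composed: a relative DN built from one of the object's own attributes, followed by the DN of the parent object. The Python script below is an added example, not code from the book: it builds the DN for the constructed entry from question 8, escapes the characters that RFC 4514 says cannot appear unescaped in an RDN value, and splits a DN back into its RDNs. The placement of the entry directly under the tree root dc=nonexist,dc=com is taken from the answer key's option C; deriving that root from the mail domain, and all helper names, are assumptions of the example.

```python
"""Build and parse LDAP distinguished names in RFC 4514 string form.

Added example for questions 8-10; the entry below is the constructed one
from question 8, and the helper functions are illustrative only.
"""

# RFC 4514: these characters must be escaped wherever they occur in an RDN value;
# '#' must be escaped at the start and a space at the start or end of a value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdn_attr: str, rdn_value: str, parent_dn: str) -> str:
    """DN = relative DN (a single attribute=value pair here) + the parent's DN."""
    rdn = f"{rdn_attr}={escape_rdn_value(rdn_value)}"
    return rdn if not parent_dn else f"{rdn},{parent_dn}"


def split_dn(dn: str):
    """Split a DN into its RDN strings, leaving backslash escapes intact."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escaped pair together
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def domain_to_dn(domain: str) -> str:
    """Turn 'nonexist.com' into 'dc=nonexist,dc=com', the tree root in question 8."""
    return ','.join(f"dc={label}" for label in domain.split('.'))


# Constructed entry, with the attribute values exactly as question 8 lists them.
ENTRY = {
    "cn": "4321", "givenName": "John", "sn": "Doe",
    "telephoneNumber": "905 555 1212", "employeeID": "4321",
    "mail": "jdoe@nonexist.com", "objectClass": "organizationalPerson",
}


def entry_dn(entry: dict, naming_attr: str = "cn") -> str:
    """Derive the entry's DN: RDN from the naming attribute, parent from the mail domain.

    Assumption (not stated by the question): the entry sits directly under the
    domain root, so its parent DN is dc=nonexist,dc=com.
    """
    domain = entry["mail"].split("@", 1)[1]
    return build_dn(naming_attr, entry[naming_attr], domain_to_dn(domain))


if __name__ == "__main__":
    print(entry_dn(ENTRY))
    print(build_dn("cn", "Doe, John", "ou=People,dc=nonexist,dc=com"))
    print(split_dn("cn=Doe\\, John,ou=People,dc=nonexist,dc=com"))
```

The `dn:` prefix in option C is LDIF notation naming the attribute that carries the DN; the DN itself is the value after it. The `build_dn` and `split_dn` pair also shows why a naive `dn.split(",")` is unsafe: a comma inside an RDN value is legal once escaped, and a parser that ignores the escape will attach the wrong parent to the object.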
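Question 6 notes that every requirement in its policy except personal identifiers can be enforced systematically. The Python checker below is an added example, not from the book: it applies the 14-character minimum, the four character classes, a dictionary-word check, a username-portion check, and a check against whatever personal identifiers the account system already holds (employee ID, phone number), which is the only part of option C that can be automated. The wordlist and the sample account are constructed, and treating any substring of the username of three or more characters as a "portion" is an assumption of the example.

```python
"""Mechanical checks for the password policy described in question 6.

Added example: the wordlist, the sample account and the three-character
username-fragment rule are constructed assumptions, not the book's policy text.
"""
import string

MIN_LENGTH = 14
SPECIAL = set(string.punctuation)

# Constructed mini dictionary; a real deployment loads a full wordlist.
WORDLIST = {"password", "welcome", "summer", "dragon", "company", "admin"}


def _username_fragments(username: str, min_len: int = 3):
    """Every substring of the username with at least min_len characters."""
    u = username.lower()
    return {u[i:j] for i in range(len(u)) for j in range(i + min_len, len(u) + 1)}


def check_password(password, username, personal_identifiers=(), wordlist=WORDLIST):
    """Return the list of policy rules the password violates (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in SPECIAL for c in password):
        violations.append("no special character")

    lowered = password.lower()
    hits = sorted(w for w in wordlist if w in lowered)
    if hits:
        violations.append("contains dictionary word(s): " + ", ".join(hits))
    if any(frag in lowered for frag in _username_fragments(username)):
        violations.append("contains a portion of the username")

    # Only identifiers the system actually knows (employee ID, phone, birth year)
    # can be checked here; the rest of option C stays a policy matter.
    ids = [p for p in personal_identifiers if p and p.lower() in lowered]
    if ids:
        violations.append("contains personal identifier(s): " + ", ".join(ids))
    return violations


def is_compliant(password, username, personal_identifiers=()):
    return not check_password(password, username, personal_identifiers)


if __name__ == "__main__":
    # Constructed account: username jdoe, employee ID 4321, phone 905 555 1212.
    ids = ("4321", "9055551212", "1975")
    for pw in ["Summer2024!", "Jdoe-4321-Welcome!", "Blue-Kettle#Orbit42"]:
        print(pw, "->", check_password(pw, "jdoe", ids) or "OK")
```

Reporting every violated rule rather than stopping at the first one is deliberate: a user who is told only "too short" will pad the same dictionary word and come straight back. Run the checker on the stored profile data at password-change time, not against free-text guesses of what a user's identifiers might be.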
11. Which password attack will take the longest to crack a password?

A. Password guessing
B. Brute force attack
C. Dictionary attack
D. All attacks are equally fast.

Correct answer and explanation: B. Brute force tries most if not all combinations, so it takes the longest time.

Incorrect answers and explanations: A. Password guessing can be the fastest if correct guesses are used. C. A dictionary attack, if successful, only uses a finite number of tries. D. Certainly, different methods have different speeds.

12. The company you are working for has decided to do something to make their workstations more secure. They have decided to give all users a Smart Card for use with system logins. Which factor of authentication is used with this new requirement?

A. Something you know
B. Something you have
C. Something you are
D. Something you do

Correct answer and explanation: B. A Smart Card is something you have, so this is the appropriate authentication factor.

Incorrect answers and explanations: A, C, and D. Answer A is incorrect because a Smart Card does not necessarily require a password, so the "something you know" factor does not apply. Answer C is incorrect because this factor relates to biometrics and therefore does not apply to Smart Cards. Answer D is incorrect because Smart Cards are a physical object, not an action, and therefore do not necessarily provide this factor.

13. Choose the correct set of terms: when a wireless user, also known as the ___________, wants to access a wireless network, 802.1x forces them to authenticate to a centralized authority called the ____________.

A. Authenticator, supplicant
B. Supplicant, authenticator
C. Supplicant, negotiator
D. Contact, authenticator

Correct answer and explanation: B. The supplicant is the client that wants to access a wireless network, and the authenticator performs the authentication.

Incorrect answers and explanations: A, C, and D.
Answer A is incorrect because it lists the terms in the wrong order; Answer C is incorrect as there is no negotiator in the process. Answer D is incorrect as contact is not the right term used when defining the authentication process.

14. You have been asked to use an existing router and use it as a firewall. Management would like you to use it to perform address translation and block some known bad IP addresses that previous attacks have originated from. With this in mind, which of the following statements is accurate?

A. You have been asked to perform NAT services.
B. You have been asked to set up a proxy.
C. You have been asked to set up stateful inspection.
D. You have been asked to set up a packet filter.

Correct answer and explanation: D. Answer D is correct because a packet filter will evaluate each packet and either block or allow the traffic from reaching its destination based on the rules defined. In this case, the packet filter would examine the packets for the bad IP addresses and the action taken on the packets would be to drop or block them.

Incorrect answers and explanations: A, B, and C. Answer A is incorrect because NAT is the process of mapping external to internal IP addresses, which is not being described here. Answer B is incorrect because a proxy server functions as a middle device that passes information from a requesting client to a destination server; once a response is received from the server back to the proxy, the proxy passes the information back to the requesting client. Proxy servers can be used to speed up responses by caching content such as Web pages, and they can also be used for security purposes to keep the internal clients hidden from the external world. Answer C is incorrect because stateful inspection is when a device, typically a firewall, keeps track of the state of network connections.
This allows the firewall to detect when packets have been modified or if they are not appropriate to be transmitted, but by only analyzing header information the firewall remains efficient.

15. EAP is available in various forms, including:

A. EAPoIP, EAP-TLS, EAP-TTLS, RADIUS, Cisco LEAP, EAP-FAST
B. EAPoIP, EAP-TLS, EAP-MPLS, RADIUS, EAP-FAST
C. EAPoIP, EAP-TLS, EAP-TTLS, RADIUS, Cisco PEAP
D. EAPoIP, EAP-TLS, EAP-TTLS, Kerberos, EAP-FAST

Correct answer and explanation: A. EAP comes in several forms: EAP over IP (EAPoIP), Message Digest Algorithm/Challenge-Handshake Authentication Protocol (EAP-MD5-CHAP), EAP-TLS, EAP-TTLS, RADIUS, and Cisco LEAP.

Incorrect answers and explanations: B, C, and D. EAP-MPLS, Cisco PEAP, and Kerberos are not EAP forms.

CHAPTER 10: NETWORK MANAGEMENT

1. You have just been hired by Aplura Inc., a global ISP, as their first junior network analyst. Bob, your supervisor, was late this morning, and before he picked up his daily cup of coffee he asks you to begin troubleshooting the connectivity from your office's border router to the border router in your remote office in Sydney, Australia. You find the configuration management documentation, but you are looking for the link speed of your router to determine if it is correct. What piece of information is missing from this document?

A. Physical Access Methods
B. Service Protocols
C. Hardware Devices
D. Software Applications

Correct answer and explanation: A. Physical Access Methods is the correct answer. How does your network physically connect from one office to another? Are you sharing a Token Ring (802.5) fiber network, or WiMAX (802.16) across the boulevard? These are the types of questions you will ask yourself to collect information on Physical Access Methods so you can understand your network configuration in case you need to troubleshoot physical network access errors.

Incorrect answers and explanations: B, C, and D.
Service Protocols is incorrect because there is no physical access method information collected under this category. What protocols do you use on your servers, workstations, datacenters, routers, switches, and even your network printers? Some printers host configuration Web portals to allow administrators to remotely administer ink status and paper jams. Knowing what kind of service protocols are on your network and documenting them will help you determine what you need and what you can get rid of.

Hardware Devices is incorrect because there is no physical access method information collected, only hardware device information such as how many routers, switches, hubs, rack-mounted servers, workstations, laptops, personal digital assistants (PDAs), thumb drives, power supplies, printers, networked digital picture frames, wireless flat screens, and Bluetooth-enabled devices you have on or off of your network at any given time. Now that you know how many of each device you have, do you know where they are physically located at any given point in time? Do you have the vendor service tags, serial numbers, and contact information mapped to each associated device so you can effectively respond to trouble tickets? This is a great configuration management piece to have documented, because you will always find that you need to locate some piece of equipment that needs repairing.

Software Applications is incorrect because the information you collect for this category is legacy, third-party, and proprietary software applications. If you aren't in control of your software and the associated updates, you will be playing catch-up, and that's no fun. What applications are installed on your hardware devices (workstations, servers, routers, switches, firewalls, and printers)? What applications communicate between your clients and servers? Do you store all of your software in one central repository? How do your applications run?
Are they server-based or client-based? How often does the software vendor release patches, upgrades, and security alerts? Do you know the current version of your applications? Asking these questions and documenting the responses can help you answer this type of question: "Are your routers' IOS versions compatible with the upcoming network switch upgrade?"

2. It is 2 a.m. (EST) on a Friday night. You are at work sweating because you cannot find a piece of configuration management documentation that would resolve this crazy issue that got you out of bed four hours ago. You have looked in the server room, and now you are trying to break into your boss's office to see if he has what you are looking for. Just last week your company hired a consulting firm to install new switches that can be remotely managed by your chief information officer's Blackberry. You didn't care, nor did you pay any mind to what configuration management changes had occurred; you were too busy fighting off users' password issues. But now, at 2 a.m. on a Friday, you are in real need of that document that describes the login procedures for the new switches. What type of configuration management documentation are you looking for?

A. Physical network diagram documentation
B. Wiring schematics documentation
C. Configuration updates documentation
D. Change control documentation

Correct answer and explanation: D. Change control documentation provides a record of changes that have been made to a system, which can be used in troubleshooting problems and upgrading systems. When creating a change control document, you should begin by describing the change that was made and explaining why this change occurred. Changes should not appear to be for the sake of change, but have good reasons, such as fixing security vulnerabilities, hardware no longer being supported by vendors, new functionality, or any number of other reasons.
The documentation should then outline how these changes were made, detailing the steps you performed.

Incorrect answers and explanations: A, B, and C. Physical network diagram documentation is incorrect because it only contains each physical device and physical connection inside your network. Doing this before and during a network deployment is critical to future network updates and troubleshooting efforts. Wiring schematics documentation refers to simple sketches that are created before and during installation of the physical media used for computers to talk to each other. These schematics are also developed while troubleshooting and deploying new Open Systems Interconnection (OSI) Layer 1 technology. Some wiring schematics can be very complex and can be refined as your network architecture expands. Microsoft Visio, SmartDraw, and even computer-aided design software packages assist in creating your wiring schematics. Configuration updates documentation is incorrect because the switch was not updated; it was replaced.

3. Your friend and coworker Mike just got approval to buy four new servers that will increase your fault tolerance by 80 percent. You both plan to celebrate by making a dinner reservation at the finest restaurant in town. Thirty minutes before you get to leave for the day your supervisor says, "We need three segments of UTP cabling made, 19.5 feet long, to connect their notebooks to the development lab." There is no other way they can connect up, and this is urgent now because they have just received a call from your company's top customer, who wants a demonstration of the new product. In order to execute this demo for the customer they need network connectivity now! But you forgot how to make UTP cables; where can you find this information?

A. Physical network diagram
B. Logical network diagram
C. Wiring schematics
D. Wiring network server rack schematics

Correct answer and explanation: C.
Wiring schematics are simple sketches that are created before and during installation of the physical media used for computers to talk to each other. These schematics are also developed while troubleshooting and deploying new OSI Layer 1 technology. Some wiring schematics can be very complex and can be refined as your network architecture expands. Microsoft Visio, SmartDraw, and even computer-aided design software packages assist in creating your wiring schematics. The physical media used to connect your network, such as coax cable, twisted-pair, and unshielded twisted-pair (UTP), are very commonly included when creating wiring schematics. Figure 10.1 is a wiring schematic describing the pin number associated with each pair of colored wires. Figure 10.1 shows the Electronic Industries Alliance/Telecommunications Industry Association (EIA/TIA) 568A/B standard for UTP cable termination.

Incorrect answers and explanations: A, B, and D. Answer A is incorrect because a physical network diagram would show the layout and components in the network topology, but would not often contain information about cable creation. Answer B is incorrect because logical network diagrams would typically contain information about the environment such as VLAN configuration