Tough Questions 31-40

  1. Crime Prevention Through Environmental Design (CPTED) seeks to deter criminal/inappropriate activity through techniques of environmental design. Which of the following are components of CPTED’s strategy? (Choose three)
     
    (a) Natural access control
    (b) End-user security awareness training
    (c) Building code security reviews
    (d) Community activism
    (e) Natural territorial reinforcement
    (f) Environmental inconveniences
    (g) Natural surveillance
     
    Answers:
    (a), (e), (g)
     
    Explanation:
    (a) Natural access control endeavours to clearly delineate the difference between public & private areas, e.g. through landscaping as well as lighting, fencing etc.
    (e) Natural territorial reinforcement tries to create a situation where people feel a sense of ownership of their physical environment, which makes them protective of that environment.
    (g) Natural surveillance breeds the idea that if someone does something, they will be seen doing it. 
     
    There is also a fourth element to CPTED not listed here: maintenance & activity support. Well-maintained areas are less attractive to attackers, and more likely to be occupied by legitimate people.
     
  2. Fires are typically broken down into types identified by the fuels that start and/or support them. Which of the following is associated with fires caused by flammable liquids like gasoline, petroleum oil or propane?
     
    (a) Class A
    (b) Class B
    (c) Class C
    (d) Class D
    (e) Class K
     
    Answer:
    (b)
     
    Explanation:
    (A)sh – common combustibles
    (B)oil – flammable liquids
    (C)urrent – electrical
    (D)ent – metal
    (K)itchen
     
  3. At what layer of the OSI model does IPsec operate?
     
    (a) Physical
    (b) Data Link
    (c) Network
    (d) Transport
    (e) Session
    (f) Presentation
    (g) Application
     
    Answer:
    (c)
     
  4. For convenience & cost savings, you wish to connect two sites across the public Internet. Once connected, the users & resources at each site will be able to securely communicate with each other, unaware of the location of the resources they are accessing. Of the following options, which is the most appropriate way to allow multiple users/services this type of site-to-site access?
     
    (a) An SSL VPN
    (b) TLS-encrypted desktop sharing
    (c) An IPsec VPN tunnel between the two sites
    (d) A GRE tunnel from the firewall at each site
    (e) VRF routing with a protocol that supports strong authentication
     
    Answer:
    (c)
     
    Explanation:
    (d) is possible but GRE does not provide any confidentiality services natively so does not meet the “seamlessly & securely” qualification
    (e) is a distractor (VRF is about having multiple routing tables on a router)
     
  5. Packet filtering firewalls have several limitations that make them less appropriate than more modern solutions when protecting internal resources from Internet threats. Which of the following are shortcomings of packet filtering firewalls? (choose two)
     
    (a) They control access based on source IP address and cannot verify if the address is being spoofed
    (b) They use reverse path forwarding lookups
    (c) They are stateless
    (d) They do not support logging packets that match firewall rules
    (e) They are stateful
    (f) They defend against TCP SYN floods, which reduces their effective throughput
     
    Answers:
    (a), (c)
     
    Explanation:
    (b) is a distractor – reverse path forwarding lookups relate to multicast, not firewalls
    (c) stateless means that the firewall looks at each packet as a free-standing entity, and is the reason why (a) is also true – there is no context to decide whether a single packet has a spoofed source address or not.
      
  6. Which of the following services/protocols are UDP based? (choose six)
     
    (a) HTTP
    (b) RADIUS
    (c) SMB
    (d) IMAP4
    (e) SNMP
    (f) NTP
    (g) TFTP
    (h) DNS (name resolution)
    (i) SMTP
    (j) Secure LDAP
    (k) BGP
    (l) DHCP
     
    Answers:
    (b), (e), (f), (g), (h), (l)
     
    Explanation:
    (b) RADIUS typically operates on UDP ports 1812 & 1813 (alternatively 1645 & 1646)
    (c) SMB uses TCP port 445
    (d) IMAP uses TCP port 143 (or 993 with TLS)
    (e) SNMP is normally UDP based, on port 161 (port 162 for SNMP traps) – can optionally run on TCP but UDP is much more common
    (f) NTP uses UDP port 123
    (g) TFTP starts communication on UDP port 69
    (h) DNS operates most commonly on UDP port 53 for name resolution, and TCP port 53 for zone transfers
    (i) SMTP operates on TCP port 25, or TCP ports 587/465 for SSL/TLS implementations
    (j) TLS-based secure LDAP uses TCP port 636
    (k) BGP operates on TCP port 179
    (l) DHCP typically runs on UDP port 67
     
  7. In 2001, NIST selected a replacement for DES (the Data Encryption Standard). The replacement is specified in the Advanced Encryption Standard. It operates on 128-bit blocks of data with key lengths of 128, 192 or 256 bits. What is the name of the family of algorithms selected by NIST?
     
    (a) Twofish
    (b) Blowfish
    (c) Serpent
    (d) Whirlpool
    (e) Rijndael
    (f) RC6
    (g) IDEA
    (h) MARS
     
    Answer:
    (e)
      
    Explanation:
    (a) was one of the five AES finalists, a symmetric algorithm operating on 128-bit blocks of data using 128-, 192- or 256-bit keys, and is patent- & royalty-free
    (b) operates on 64-bit blocks – not an AES finalist, but wildly popular and also patent- & royalty-free
    (c) second place AES finalist, same block & key size as Twofish & Rijndael – more secure but slower than Rijndael
    (d) is actually a 512-bit hashing algorithm available in three versions; most modern implementations use v3
    (f) RC6 was an AES finalist, same block & key size again – would have been royalty-free if selected as winner, but is now not necessarily so, so other royalty-free algorithms are generally preferred
    (g) operates on 64-bit blocks using a 128-bit key – originally positioned as a replacement for DES, not particularly prominent these days
    (h) also an AES contender, variable key size & 128-bit blocks of data, not often seen
     
  8. Which of the following are valid implementations of 3DES? (choose two)
     
    (a) DES-EEE: All 3 keys are unique. Key is effectively 168 bits in length.
    (b) DES-EDE: Key1 = Key2. Key3 is unique from Key1. Key is effectively 112 bits in length.
    (c) DES-EDE: Key1 = Key3. Key2 is unique from Key1. Key is effectively 112 bits in length.
    (d) DES-EED: Key1 = Key2. Key3 is unique from Key1. Key is effectively 112 bits in length.
    (e) DES-EEE: All 3 keys are the same. Key is effectively 168 bits in length.
     
    Answers:
    (a), (c)
     
    Explanation:
    (a) EEE means 3 rounds of encryption. Key is effectively 3*56 = 168 bits.
    (b) EDE means encrypt-decrypt-encrypt. Uses the same encryption key (Key1 and Key3) and a different decryption key (Key2). Key is effectively 2*56 = 112 bits.
     
  9. IPv6 introduces lots of new rules for address structure. Which of the following addresses are valid destination IPv6 addresses used for sending data to another node or nodes on the Internet? (choose all that apply)
     
    (a) fe80::46c9:db66:2002
    (b) 2002:46a8:8:722:d740:9be1:6f61:d864
    (c) fda7:4967:fe1c:1::200
    (d) 2620:0000:1234:cfg9:afc4:1:a:1100
    (e) 3000:2341:5621:1:a84c::23::1
    (f) ff1e:40:2002:abcd:dead:beef:1:11ee
    (g) ff02::5
     
    Answers:
    (b), (f)
     
    Explanation:
    (a) “fe” prefix denotes a link-local IPv6 address
    (b) 2 is a globally-routable prefix (as well as 3) and has 8 16-bit blocks for a total of 128 bits, so is a valid routable IPv6 address
    (c) “fd” prefix denotes an IP that is part of the “unique local” address space
    (d) the “g” is not a valid hexadecimal (0-9, a-f) character!
    (e) double-colon notation can only be used (to represent a run of zeroes) ONCE in an IPv6 address
    (f) “ff” means a multicast address, followed by a “1” meaning a transient/temporary address, followed by an “e” meaning globally routable (question states “nodes” as well as “node”, so multicast addresses are allowed)
    (g) “ff” means a multicast address, followed by a “0” meaning link-local (this particular address is reserved for OSPF router communication)
     
  10. You have been given a 2TB ATA hard drive that spins at 15,000 RPM. Your task is to erase the data it contains in such a way that the erased data cannot be recovered using readily available “keyboard recovery” tools. As a minimum, what must you do?
     
    (a) Use a data purging tool
    (b) Physically destroy the drive
    (c) Use a data clearing tool
    (d) Format the drive using a different file system than was previously used
     
    Answer:
    (c)

    Explanation:
    Purging is erasing a medium in such a way that the data cannot be recovered using advanced laboratory techniques. Clearing will erase the medium in such a way that standard data recovery tools will not be able to successfully retrieve the data. So in this case, clearing meets the minimum requirement.
