GIAC GSNA GIAC Systems and Network Auditor Exam Practice Test

The rdev commad is used to query/set an image root device, RAM disk size, or video mode. If a user executes the rdev commands with no arguments, it outputs a /etc/mtab line for the current root file system. The command syntax of the rdev command is as follows: rdev [ -Rrvh ] [ -o offset ] [ image [ value [ offset ] ] ] Answer: B is incorrect. In Unix, the rdump command is used to back up an ext2 filesystem. Answer: D is incorrect. In Unix, the mount command is used to mount a filesystem. Answer: C is incorrect. In Unix, the setfdprm command sets floppy drive parameters.

The encodeRedirectURL() method of the HttpServletResponse interface, returns a URL by including a session ID in it for use in the sendRedirect() method. If the encoding is not required, the URL is returned unchanged. If browser supports cookies, the encodeRedirectURL() method returns the input URL unchanged, since the session ID will be persisted as a cookie. This method is different from the encodeURL as this method redirects the request to a different URL in the same session. The syntax of the encodeRedirectURL() method is as follows: public String encodeRedirectURL(String urlstring) Here, urlstring is the URL to be encoded. Answer: C is incorrect. The encodeURL() method of the HttpServletResponse interface returns a URL by including the session ID in it. If the encoding is not required, the URL is returned unchanged. If cookies are supported by the browser, the encodeURL() method returns the input URL unchanged since the session ID will be persisted as a cookie. The syntax of the encodeURL() method is as follows: public String encodeURL(String urlstring) Here, urlstring is the URL to be encoded.

Axence nVision is an advanced solution for a comprehensive network management. It is used to monitor network infrastructure such as Windows, TCP/IP services, web and mail servers, URLs, and applications (MS Exchange, SQL, etc.). It is also used to monitor routers and switches such as network traffic, interface status, and connected computers. It collects the network inventory and audit license usage. It also gives alerts in case of a program installation or any configuration change on a remote node. With the agent, an administrator can easily monitor user activities and can access computers remotely. Answer: B is incorrect. CommandCenter NOC is a simple and effective tool that performs network monitoring with a powerful polling engine. It provides polling, Windows and UNIX/Linux server management, intrusion detection, vulnerability scanning, and traffic analysis in an integrated appliance. Answer: D is incorrect. Cymphonix Network Composer is a precise Web gateway appliance. It is used to monitor Internet traffic by user, application, and threat. It consists of controls to shape access to Internet resources by user, group, and/or time of day. It also supports anonymous proxy blocking, policy management, and real time monitoring. Answer: C is incorrect. Network Monitor (Netmon) is a protocol analyzer. It is used to analyze the network traffic. It is installed by default during the installation of the operating system. It can be installed by using Windows Components Wizard in the Add or Remove Programs tool in Control Panel. Network Monitor is used to perform the following tasks:

1. Capture frames directly from the network.

2. Display and filter captured frames immediately after capture or a later time.

3. Edit captured frames and transmit them on the network.

4. Capture frames from a remote computer.

In Unix, the lpc command is used to check the status of the printer and set its state. Answer: A is incorrect. In Unix, the banner command is used to print a large banner on the printer. Answer: D is incorrect. In Unix, the lpr command is used to submit a job to the printer.

Answer: B is incorrect. In Unix, the lpq command is used to show the contents of a spool directory for a given printer.

Brutus can be used to perform brute force attacks, dictionary attacks, or hybrid attacks.

The major advantage that a table-structured Web site has over a frame-structured Web site is that users can bookmark the pages of a table- structured Web site, whereas pages of a frame-structured Web site cannot be bookmarked or added to the Favorites folder. Non-frame Web sites also give better results with search engines. Better navigation: Web pages can be divided into multiple frames and each frame can display a separate Web page. It helps in providing better and consistent navigation. Easy maintenance: Fixed elements, such as a navigation link and company logo page, can be created once and used with all the other pages. Therefore, any change in these pages is required to be made only once.

In Unix, the hdparm command is used to get or set hard disk geometry parameters, cylinders, heads, and sectors. Answer: C is incorrect. In Unix, the mkfs command initializes a Unix filesystem. This is a front end that runs a separate program depending on the filesystem's type. Answer: A is incorrect. In Unix, the mke2fs command creates a Unix second extended filesystem. Answer: B is incorrect. In Unix, the mkswap command sets up a Unix swap area on a device or file.

According to the question, Windows Defender should scan the laptop for all the known spyware and other potentially unwanted software, including the latest one. Windows Defender uses definitions to scan the system. Definitions are files that include the information of known spyware and potentially unwanted software. To scan a computer for the latest spyware, Windows Defender requires the latest definition files available on the Internet. For this, you have to configure Windows Defender to check for the latest definitions and download them, if available, before scanning the computer. Furthermore, the question also states that the task must be performed automatically. In order to accomplish the task, you will have to select the Check for updated definitions before scanning check box in the Automatic Scanning section.

The Digest Authentication scheme is a replacement of the Basic Authentication scheme. This authentication scheme is based on the challenge response model. In Digest authentication, the password is never sent across the network in clear text format but is always transmitted as an MD5 digest of the user's password. In this way, the password cannot be determined with the help of a sniffer.

How does it work? In this authentication scheme, an optional header allows the server to specify the algorithm used to create the checksum or digest (by default, the MD5 algorithm). The Digest Authentication scheme provides the challenge using a randomly chosen value. This randomly chosen value is a server-specified data string which may be uniquely generated each time a 401 response is made. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given random value, the HTTP method, and the requested URL. In this way, the password is never sent in clear text format. Drawback: Although the password is not sent in clear text format, an attacker can gain access with the help of the digested password, since the digested password is really all the information needed to access the web site. Answer: B, C, D are incorrect. These statements are true about the Basic Authentication scheme.

You can use the following methods to investigate Cross-Site Scripting attack:

1. Look at the Web servers logs and normal traffic logging.

2. Use a Web proxy to view the Web server transactions in real time and investigate any communication with outside servers.

3. Review the source of any HTML-formatted e-mail messages for embedded scripts or links in the URL to the company's site. Answer: C is incorrect. This method is not used to investigate Cross-Site Scripting attack.

In order to take a snapshot of the router running configuration and archive running configuration of the router to persistent storage, you should secure the boot configuration of the router using the secure boot-config command. Answer: D is incorrect. You can enable the image resilience, if you want to secure the Cisco IOS image. Answer: C is incorrect. By verifying the security of bootset, you can examine whether or not the Cisco IOS Resilient Configuration is enabled and the files in the bootset are secured.

Answer: B is incorrect. By restoring an archived primary bootset, you can restore a primary bootset from a secure archive after an NVRAM has been erased or a disk has been formatted.

Removing the IPP printing capability from a server is a good countermeasure against an IIS buffer overflow attack. A Network Administrator should take the following steps to prevent a Web server from IIS buffer overflow attacks: Conduct frequent scans for server vulnerabilities. Install the upgrades of Microsoft service packs. Implement effective firewalls. Apply URLScan and IISLockdown utilities. Remove the IPP printing capability. Answer: B is incorrect. The following are the DNS zone transfer countermeasures: Do not allow DNS zone transfer using the DNS property sheet:

a. Open DNS.

b. Right-click a DNS zone and click Properties.

c. On the Zone Transfer tab, clear the Allow zone transfers check box.

Configure the master DNS server to allow zone transfers only from secondary DNS servers:

a. Open DNS.

b. Right-click a DNS zone and click Properties.

c. On the zone transfer tab, select the Allow zone transfers check box, and then do one of the following:

To allow zone transfers only to the DNS servers listed on the name servers tab, click on the Only to the servers listed on the Name Server tab. To allow zone transfers only to specific DNS servers, click Only to the following servers, and add the IP address of one or more servers. Deny all unauthorized inbound connections to TCP port 53. Implement DNS keys and encrypted DNS payloads. Answer: D is incorrect. The following are the countermeasures against SNMP enumeration:

1. Removing the SNMP agent or disabling the SNMP service

2. Changing the default PUBLIC community name when 'shutting off SNMP' is not an option

3. Implementing the Group Policy security option called Additional restrictions for anonymous connections

4. Restricting access to NULL session pipes and NULL session shares

5. Upgrading SNMP Version 1 with the latest version 6.Implementing Access control list filtering to allow only access to the read-write community from approved stations or subnets Answer: A is incorrect.

NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities: 1.Removing the SNMP agent or disabling the SNMP service 2.Changing the default PUBLIC community name when 'shutting off SNMP' is not an option 3.Implementing the Group Policy security option called Additional restrictions for anonymous connections 4.Restricting access to NULL session pipes and NULL session shares 5.Upgrading SNMP Version 1 with the latest version 6.Implementing Access control list filtering to allow only access to the read-write community from approved stations or subnets nswer option A is incorrect. NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the nfrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities:

1. Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a Network Administrator.

2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.

3. A Network Administrator can also restrict the anonymous user by editing the registry values:

a.Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA. b.Choose edit > add value. Value name: RestrictAnonymous Data Type: REG_WORD Value: 2

COLSPAN attribute is used to span one column across many columns. COLSPAN is an attribute of and tags that allow a single column in a table to take space that is occupied by several columns. If the specified COLSPAN value is greater than the number of columns in the table, then a new column is created at the end of the row. Reference: MSDN, Contents: COLSPAN

In 1947, the American Institute of Certified Public Accountants (AICPA) adopted Generally Accepted Auditing Standards (GAAS) to establish standards for audits. The standards cover the following three categories: General Standards: They relate to professional and technical competence, independence, and professional due care. Field Work Standards: They relate to the planning of an audit, evaluation of internal control, and obtaining sufficient evidential matter upon which an opinion is based. Reporting Standards: They relate to the compliance of all auditing standards and adequacy of disclosure of opinion in the audit reports. If an opinion cannot be reached, the auditor is required to explicitly state their assertions. Answer: B is incorrect. There was no such category of standard established by GAAS.

Aggregate Network Manager is an enterprise-grade network/application/performance monitoring platform that tightly integrates with other smart building management systems, such as physical access control, HVAC, lighting, and time/attendance control. Answer: A is incorrect. Airwave Management Platform (AMP) is wireless network management software. It offers centralized control for Wi-Fi networks. Some of its common features are access point configuration management, reporting, user tracking, help desk views, and rogue AP discovery. Answer: C is incorrect. akk@da is a simple network monitoring system. It is designed for small and middle size computer networks. Its function is to quickly detect the system or network faults and display the information about detected faults to the administrators. The information is collected by it in every single minute (a user can decrease this period to 1 second). Approximately all the services of the monitored hosts are discovered automatically. Answer: B is incorrect. Andrisoft WANGuard Platform offers solutions for various network issues such as WAN links monitoring, DDoS detection and mitigation, traffic accounting, and graphing.

Packet filtering is a method that allows or restricts the flow of specific types of packets to provide security. It analyzes the incoming and outgoing packets and lets them pass or stops them at a network interface based on the source and destination addresses, ports, or protocols. Packet filtering provides a way to define precisely which type of IP traffic is allowed to cross the firewall of an intranet. IP packet filtering is important when users from private intranets connect to public networks, such as the Internet.

The Rhosts (rsh-style), TIS, and Kerberos user authentication methods are supported by the SSH-1 protocol but not by SSH-2 protocol. Answer: D is incorrect. Password-based authentication is supported by both the SSH-1 and SSH-2 protocols.

Disabling SSID broadcast will free up bandwidth in a WLAN environment. It is used to enhance security of a Wireless LAN (WLAN). It makes difficult for attackers to find the access point (AP). It is also used by enterprises to prevent curious people from trying to access the WLAN.

The /etc/profile file is used to configure and control system-wide default variables. It performs many operations, some of which are as follows: Exporting variables Setting the umask value Sending mail messages to indicate that new mail has arrived Exporting variables Setting the umask value Sending mail messages to indicate that new mail has arrived Only the root user can configure and change the /etc/profile file for all users on the system. Answer: A is incorrect. The /etc/skel file allows a system administrator to create a default home directory for all new users on a computer or network and thus to make certain that all users begin with the same settings. When a new account is created with a home directory, the entire contents of /etc/skel are copied into the new home directory location. The home directory and its entire contents are then set to the new account's UID and GID, making the new user owner of the initial files. The system administrator can create files in /etc/skel that will provide a nice default environment for users. For example, he might create a /etc/skel/.profile that sets the PATH environment variable for new users. Answer: B is incorrect. Only the root user can change the settings of the /etc/profile file.

Authorization is a process that verifies whether a user has permission to access a Web resource. A Web server can restrict access to some of its resources to only those clients that log in using a recognized username and password. To be authorized, a user must first be authenticated. Answer: B is incorrect. Authentication is the process of verifying the identity of a user. This is usually done using a user name and password. This process compares the provided user name and password with those stored in the database of an authentication server. Answer: C is incorrect. Confidentiality is a mechanism that ensures that only the intended and authorized recipients are able to read data. The data is so encrypted that even if an unauthorized user gets access to it, he will not get any meaning out of it. Answer: A is incorrect. Data integrity is a mechanism that ensures that the data is not modified during transmission from source to destination. This means that the data received at the destination should be exactly the same as that sent from the source.

An attacker can use Host, Dig, and NSLookup to perform a DNS zone transfer. Answer: A is incorrect. DSniff is a sniffer that can be used to record network traffic. Dsniff is a set of tools that are used for sniffing passwords, e-mail, and HTTP traffic. Some of the tools of Dsniff include dsniff, arpredirect, macof, tcpkill, tcpnice, filesnarf, and mailsnarf. Dsniff is highly effective for sniffing both switched and shared networks. It uses the arpredirect and macof tools for switching across switched networks. It can also be used to capture authentication information for FTP, telnet, SMTP, HTTP, POP, NNTP, IMAP, etc.

In information security, security risks are considered an indicator of threats coupled with vulnerability. In other words, security risk is a probabilistic function of a given threat agent exercising a particular vulnerability and the impact of that risk on the organization. Security risks can be mitigated by reviewing and taking responsible actions based on possible risks. These risks can be analyzed and measured by the risk analysis process. Answer: A is incorrect. Security risks can never be removed completely but can be mitigated by taking proper actions.

Firewall logs will show all incoming and outgoing traffic. By examining those logs, you can do port scans and use other penetration testing tools that have been used on your firewall.

Data integrity ensures that information has not been modified, altered, or destroyed by a third party while it is in transit. Data integrity ensures that the data received is same as the data that was sent. Moreover, no one can tamper with the data during transmission from source to destination.

It also ensures that a hacker cannot alter the contents of an HTTP message while it is in transit from the container to the client. This will be accomplished through the use of HTTPS. The HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer. The HTTPS encrypts and decrypts the page requests and page information between the client browser and the Web server using a Secure Socket Layer. Answer: D is incorrect. This answer option describes confidentiality. Answer: B is incorrect. This answer option also describes confidentiality.

In order to enable logging of both start and stop records for user terminal sessions on the router, the aaa accounting exec start-stop tacacs+ command should be used. The exec option performs accounting for EXEC shell sessions. Answer: B is incorrect. The aaa accounting system none tacacs+ command disables accounting services on a specific interface for all system-level events that are not related with users such as reload. Answer: C is incorrect. The aaa accounting connection start-stop tacacs+ command is used to enable logging of both start and stop records for all outbound connections that are established from the NAS (Network Access Server), such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin. Answer: A is incorrect. The aaa accounting auth proxy start-stop tacacs+ command is used to enable logging of both start and stop records for all authenticated proxy user events.

Web ripping is a technique in which the attacker copies the whole structure of a Web site to the local disk and obtains all files of the Web site. Web ripping helps an attacker to trace the loopholes of the Web site. Answer: A is incorrect. Eavesdropping is the intentional interception of data (such as e-mail, username, password, credit card, or calling card number) as it passes from a user's computer to a server, or vice versa. There are high-tech methods of eavesdropping. It has been demonstrated that a laser can be bounced off a window and vibrations caused by the sounds inside the building can be collected and turned back into those sounds. The cost of high-tech surveillance has made such instruments available only to the professional information gatherer, however. But as with all high-tech electronics, falling prices are making these more affordable to a wider audience.

Answer: D is incorrect. In TCP FTP proxy (bounce attack) scanning, a scanner connects to an FTP server and requests it to start data transfer to a third system. The scanner uses the PORT FTP command to find out whether or not the data transfer process is listening to the target system at a certain port number. It then uses the LIST FTP command to list the current directory, and the result is sent over the server. If the data transfer is successful, it clearly indicates that the port is open. If the port is closed, the attacker receives the connection refused ICMP error message. Answer: B is incorrect. Fingerprinting is the easiest way to detect the Operating System (OS) of a remote system. OS detection is important because, after knowing the target system's OS, it becomes easier to hack into the system. The comparison of data packets that are sent by the target system is done by fingerprinting. The analysis of data packets gives the attacker a hint as to which operating system is being used by the remote system. There are two types of fingerprinting techniques as follows: 1.Active fingerprinting 2.Passive fingerprinting In active fingerprinting ICMP messages are sent to the target system and the response message of the target system shows which OS is being used by the remote system. In passive fingerprinting the number of hops reveals the OS of the remote system.

To be informed whenever an attribute is added, removed, or replaced in a session, a class must have a method with HttpSessionBindingEvent as its attribute. The HttpSessionBindingEvent class extends the HttpSessionEvent class. The HttpSessionBindingEvent class is used with the following listeners: HttpSessionBindingListener: It notifies the attribute when it is bound or unbound from a session. HttpSessionAttributeListener: It notifies the class when an attribute is bound, unbound, or replaced in a session. The session binds the object by a call to the HttpSession.setAttribute() method and unbinds the object by a call to the HttpSession.removeAttribute() method. Answer: C is incorrect. The HttpSessionEvent is associated with the HttpSessionListener interface and HttpSessionActivationListener.

Audit trail or audit log comes under detective controls. Detective controls are the audit controls that are not needed to be restricted. Any control that performs a monitoring activity can likely be defined as a Detective Control. For example, it is possible that mistakes, either intentional or unintentional, can be made. Therefore, an additional Protective control is that these companies must have their financial results audited by an independent Certified Public Accountant. The role of this accountant is to act as an auditor. In fact, any auditor acts as a Detective control. If the organization in question has not properly followed the rules, a diligent auditor should be able to detect the deficiency which indicates that some control somewhere has failed. Answer: B is incorrect. Reactive or corrective controls typically work in response to a detective control, responding in such a way as to alert or otherwise correct an unacceptable condition. Using the example of account rules, either the internal Audit Committee or the SEC itself, based on the report generated by the external auditor, will take some corrective action. In this way, they are acting as a Corrective or Reactive control. Answer: A, D are incorrect. Protective or preventative controls serve to proactively define and possibly enforce acceptable behaviors. As an example, a set of common accounting rules are defined and must be followed by any publicly traded company. Each quarter, any particular company must publicly state its current financial standing and accounting as reflected by an application of these rules. These accounting rules and the SEC requirements serve as protective or preventative controls.

The getCreationTime() method returns the time when the session was created. The time is measured in milliseconds since midnight January 1, 1970. This method throws an IllegalStateException if it is called on an invalidated session.

Switches differ from hubs in that they break up Collision Domains. Each port on a switch equals one Collision Domain. Therefore, a switch will lower the number of collisions within the infrastructure. Managed switches typically offer the ability to create Virtual LANs. Virtual LANs allow the switch to create multiple LANs/network segments that are Virtual. This allows the switch to create additional environments where needed.

To ensure fault tolerance among the servers and to get the highest possible level of security and encryption for OWA clients, you must install two front-end Exchange 2000 servers. Place the new servers on the perimeter network and configure load balancing between them. To enhance security, you should also configure Certificate Services and create a rule on the firewall to redirect port 443 to the servers. The most secure firewall configuration is placing a firewall on either side of the front-end servers. This isolates the front-end servers in a perimeter network, commonly referred to as a demilitarized zone (DMZ). It is always better to configure more than one front-end server to get fault tolerance.

According to the network diagram, the IP address range used on the network is from the class C private address range. The class C IP address uses the following default subnet mask: 255.255.255.0 The question specifies that the subnet mask used in Host B is 255.255.0.0, which is an incorrect subnet mask.

A proxy server is a very important element for firewall applications. The services that it provides are as follows: Hide network resources: Proxy replaces the network IP address with a single IP address. Multiple systems can use a single IP address. Logging: A proxy server can log incoming and outgoing access, allowing a user to see every possible details of successful and failed connections. Cache: A proxy server can save information obtained from the Internet. It regularly updates these copies and automatically shows these pages, and will thus not need to access the Internet to view them.

NetStumbler, a war driving tool, uses an organizationally unique identifier (OID) of 0x00601A, D protocol identifier (PID) of 0x0001. Each version has a typical payload string. For example, NetStumbler 3.2.3 has a payload string: 'All your 802.11b are belong to us'. Therefore, when you see the OID and PID values, you discover that the attacker is using NetStumbler, and when you see the payload string, you are able to ascertain that the attacker is using NetStumbler 3.2.3.

Open Vulnerability Assessment Language (OVAL) is a common language for security professionals to use when checking for the presence of vulnerabilities on computer systems. OVAL provides a baseline method for performing vulnerability assessments on local computer systems. Answer: D is incorrect. While Microsoft security standards will be appropriate for many of your clients, they won't help clients using Linux, Macintosh, or Unix. They also won't give you insight into checking your firewalls or routers. Answer: C is incorrect. This would not fulfill the requirement of having a standardized approach applicable to all clients. B is incorrect. This would not be the best way. You should use common industry standards, like OVAL.

MAC filtering is a security access control technique that allows specific network devices to access, or prevents them from accessing, the network. MAC filtering can also be used on a wireless network to prevent certain network devices from accessing the wireless network. MAC addresses are allocated only to hardware devices, not to persons.

By not broadcasting your SSID some simple war driving tools won't detect your network. However you should be aware that there are tools that will still detect networks that are not broadcasting their SSID across your network. Answer: D is incorrect. While MAC filtering may help prevent a hacker from accessing your network, it won't keep him or her from finding your network.

A demilitarized zone (DMZ) is the most secure place to host a server that will be accessed publicly through the Internet. Demilitarized zone (DMZ) or perimeter network is a small network that lies in between the Internet and a private network. It is the boundary between the Internet and an internal network, usually a combination of firewalls and bastion hosts that are gateways between inside networks and outside networks. DMZ provides a large enterprise network or corporate network the ability to use the Internet while still maintaining its security. Answer: B is incorrect. Hosting a server on the intranet for public access will not be good from a security point of view.

Publishing rules are applied on SMTP servers to accept inbound mail delivery. There are three basic rules of ISA Server, which are as follows: Access rules: These rules determine what network traffic from the internal network is allowed to access the external network. Publishing rules: These rules are used for controlling access requests from the external network for the internal resources. These types of rules are usually applied to Web servers that are used for providing public access. These are also applied on SMTP servers to accept inbound mail delivery. Network rules: These rules define the traffic source, traffic destination, and the network relationship. Answer: D is incorrect. These rules are set for controlling outbound traffic. Answer: B is incorrect. These rules define how to handle the traffic. Answer: C is incorrect. There are no such ISA Server rule sets.

The routing table displays various RIP and Connected routes. There is no routing entry for 10.10.100.0/24, but there is a default route in the routing table using 172.18.1.1 as the next hop router. Given that 10.10.100.0/24 does not have a direct entry in the routing table, RouterA will forward traffic to the default route next hop address of 172.18.1.1. Answer: A is incorrect. The address does not appear in the routing table as a next hop router, in addition to being an actual subnet number for 192.168.10.0/24. Answer: C is incorrect. 172.18.50.1 is the next hop for reaching 192.168.11.0. Answer: B is incorrect. 172.18.60.1 is the next hop for reaching 192.168.12.0.

David system is a network management system that allows a user to manage the resources and services through both Intranet and Internet. It provides auto-discovering and network topology building features to facilitate in keeping an intuitive view of the IT infrastructure. The resources, real-time monitoring, and accessibility of historical data facilitate reaction to failures. Configured interfaces for monitored devices permit a user to focus on the most important aspects of their work. Answer: B is incorrect. dopplerVUe is a network management tool that facilitates network discovery, mapping, alerts and alarm management, and bandwidth management system. It enables monitoring of Ping, SNMP, syslog, and WMI performance metrics. It can also be used to monitor IPv6 devices, as well as services such as DNS, http, and email. Answer: A is incorrect. eBox is an open source distribution and web development framework. This framework is used to manage server application configuration. It is based on Ubuntu Linux. It is projected to manage services in a computer network. The modular design of eBox allows a user to pick and choose the services. Answer: D is incorrect. EM7 is a network monitoring system that is used to measure IT infrastructure health and performance. It is an NMS integrated system. It is designed to help in optimizing the performance and availability of the networks, systems, and applications. It facilitates trouble-ticketing, event management, reporting, IP management, DNS, and monitoring.

The routing algorithm uses certain variables to create a metric of a path. It is the metric that is actually used for path determination. Variables that are used to create a metric of a path are as follows: Hop count: It is the total number of routers that a data packet goes through to reach its destination. Cost: It is determined by the administrator or calculated by the router. Bandwidth: It is defined as the bandwidth that the link provides. Maximum transmission unit (MTU): It is the largest message size that a link can route. Load: It states the amount of work the CPU has to perform and the number of packets the CPU needs to analyze and make calculations on.

The above configuration fragment will disable the following services from the router: The BootP service The DNS function The Network Time Protocol The Simple Network Management Protocol Hyper Text Transfer Protocol

John is performing cookie poisoning. In cookie poisoning, an attacker modifies the value of cookies before sending them back to the server. On modifying the cookie values, an attacker can log in to any other user account and can perform identity theft. The following figure explains how cookie poisoning occurs:

C:\Documents and Settings\user-nwz\Desktop\1.JPG

For example: The attacker visits an online shop that stores the IDs and prices of the items to buy in a cookie. After selecting the items that he wants to buy, the attacker changes the price of the item to 1. Original cookie values: ItemID1= 2 ItemPrice1=900 ItemID2=1 ItemPrice2=200 Modified cookie values: ItemID1= 2 ItemPrice1=1 ItemID2=1 ItemPrice2=1 Now, the attacker clicks the Buy button and the prices are sent to the server that calculates the total price. Another use of a Cookie Poisoning attack is to pretend to be another user after changing the username in the cookie values: Original cookie values: LoggedIn= True Username = Mark Modified cookie values: LoggedIn= True Username = Admin Now, after modifying the cookie values, the attacker can do the admin login.

Answer: A is incorrect. A cross site scripting attack is one in which an attacker enters malicious data into a Website. For example, the attacker posts a message that contains malicious code to any newsgroup site. When another user views this message, the browser interprets this code and executes it and, as a result, the attacker is able to take control of the user's system. Cross site scripting attacks require the execution of client-side languages such as JavaScript, Java, VBScript, ActiveX, Flash, etc. within a user's Web environment. With the help of a cross site scripting attack, the attacker can perform cookie stealing, sessions hijacking, etc.

Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used on the World Wide Web (WWW) to display Hypertext Markup Language (HTML) pages. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when a client application or browser sends a request to the server using HTTP commands, the server responds with a message containing the protocol version, success or failure code, server information, and body content, depending on the request. HTTP uses TCP port 80 as the default port. Answer: B is incorrect. Port 443 is the default port for Hypertext Transfer Protocol Secure (HTTPS) and Secure Socket Layer (SSL). Answer: A, D are incorrect. By default, FTP server uses TCP port 20 for data transfer and TCP port 21 for session control.

According to the scenario, John will use Kismet. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks: To identify networks by passively collecting packets To detect standard named networks To detect masked networks

To collect the presence of non-beaconing networks via data traffic Answer: D is incorrect. NetStumbler is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. It detects wireless networks and marks their relative position with a GPS. Answer: A is incorrect. WEPCrack is an open source tool that breaks IEEE 802.11 WEP secret keys. Answer: C is incorrect. Snadboy's Revelation is not a sniffer. It is used to see the actual password behind the asterisks.

Either IP spoofing or MAC spoofing attacks can be performed to hide the identity in the network. MAC spoofing is a hacking technique of changing an assigned Media Access Control (MAC) address of a networked device to a different one. The changing of the assigned MAC address may allow the bypassing of access control lists on servers or routers, either hiding a computer on a network or allowing it to impersonate another computer. MAC spoofing is the activity of altering the MAC address of a network card. Answer: A is incorrect. DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has received such non-authentic datA, Caches it for future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source, the server will end up caching the incorrect entries locally and serve them to other users that make the same request. Answer: B is incorrect. In a distributed denial of service (DDOS) attack, an attacker uses multiple computers throughout the network that has been previously infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down. TFN, TRIN00, etc. are tools used for a DDoS attack.

Pervasive IS controls are a subset of general controls that contains some extra definitions focusing on the management of monitoring a specific technology. A pervasive order or control determines the direction and behavior required for technology to function properly. The pervasive control permeates the area by using a greater depth of control integration over a wide area of influence. Answer: B is incorrect. General controls are the parent class of controls that governs all areas of a business. An example of general controls includes the separation duties that prevent employees from writing their own paychecks and creating accurate job descriptions. General controls define the structure of an organization, establish HR policies, monitor workers and the work environment, as well as support budgeting, auditing, and reporting. Answer: A is incorrect. Detailed IS controls are controls used for manipulating the on-going tasks in an organization. Some of the specific tasks require additional detailed controls to ensure that the workers perform their job correctly. These controls refer to some specific tasks or steps to be performed such as: The way system security parameters are set. How input data is verified before being accepted into an application. How to lock a user account after unsuccessful logon attempts. How the department handles acquisitions, security, delivery, implementation, and support of IS services. Answer: C is incorrect. Application controls are embedded in programs. It constitutes the lowest subset in the control family. An activity should be filtered through the general controls, then the pervasive controls and detailed controls, before reaching the application controls level. Controls in the higher level category help in protecting the integrity of the applications and their data. The management is responsible to get applications tested prior to production through a recognized test method. The goal of this test is to provide a technical certificate that each system meets the requirement.

A screened host provides added security by using Internet access to deny or permit certain traffic from the Bastion Host. Answer: D is incorrect. A network interface card provides a physical connection between computers within a network.

Answer: B is incorrect. Demilitarized zone (DMZ) or perimeter network is a small network that lies in between the Internet and a private network. It is the boundary between the Internet and an internal network, usually a combination of firewalls and bastion hosts that are gateways between inside networks and outside networks. DMZ provides a large enterprise network or corporate network the ability to use the Internet while still maintaining its security. Answer: A is incorrect. A proxy server facilitates a more efficient use of the Internet connection bandwidth and hides the real IP addresses of computers located behind the proxy.

Software Explorer is used to remove, enable, or disable a program running on a computer. Answer: A is incorrect. Allowed items contains a list of all the programs that a user has chosen not to monitor with Windows Defender. Answer: C is incorrect. Options is used to choose how Windows Defender should monitor all the programs running on a computer. Answer: B is incorrect. Quarantined items is used to remove or restore a program blocked by Windows Defender.

Audit account management is one of the nine audit settings that can be configured on a Windows computer. This option is enabled to audit each event that is related to a user managing an account in the user database on the computer where the auditing is configured. These events include the following: Creating a user account Adding a user account to a group Renaming a user account Changing password for a user account This option is also used to audit the changes to the domain account of the domain controllers.

HTTP 1.1 allows the use of multiple virtual servers, all using different DNS names resolved by the same IP address. The WWW service supports a concept called virtual server. A virtual server can be used to host multiple domain names on the same physical Web server. Using virtual servers, multiple FTP sites and Web sites can be hosted on a single computer. It means that there is no need to allocate different computers and software packages for each site. Answer: D is incorrect. VPN stands for virtual private network. It allows users to use the Internet as a secure pipeline to their corporate local area networks (LANs). Remote users can dial-in to any local Internet Service Provider (ISP) and initiate a VPN session to connect to their corporate LAN over the Internet. Companies using VPNs significantly reduce long-distance dial-up charges. VPNs also provide remote employees with an inexpensive way of remaining connected to their company's LAN for extended periods.

Answer: B is incorrect. Java is an object oriented programming language developed by Sun Microsystems. It allows the creation of platform independent executables. Java source code files are compiled into a format known as bytecode (files with .class extension). Java supports programming for the Internet in the form of Java applets. Java applets can be executed on a computer having a Java interpreter and a run-time environment known as Java Virtual Machine (JVM). Java Virtual Machines (JVMs) are available for most operating systems, including UNIX, Macintosh OS, and Windows. Answer: C is incorrect. HTML stands for Hypertext Markup Language. It is a set of markup symbols or codes used to create Web pages and define formatting specifications. The markup tells the Web browser how to display the content of the Web page.

A proxy server exists between a client's Web-browsing program and a real Internet server. The purpose of the proxy server is to enhance the performance of user requests and filter requests. A proxy server has a database called cache where the most frequently accessed Web pages are stored. The next time such pages are requested, the proxy server is able to suffice the request locally, thereby greatly reducing the access time. Only when a proxy server is unable to fulfill a request locally does it forward the request to a real Internet server. The proxy server can also be used for filtering user requests. This may be done in order to prevent the users from visiting non-genuine sites. Answer: D is incorrect. Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of standard protocols that govern how data passes between networks. It can be used to provide communication between the basic operating systems on local and wide-area networks (WANs). TCP/IP is the basic communication language or protocol of the Internet. It can also be used as a communications protocol in a private network (either an intranet or an extranet). It is considered the primary protocol of the Internet and the World Wide Web. Answer: B is incorrect. IP packet filters allow or block packets from passing through specified ports. They can filter packets based on service type, port number, source computer name, or destination computer name. When packet filtering is enabled, all packets on the external interface are dropped unless they are explicitly allowed, either statically by IP packet filters or dynamically by access policy or publishing rules. Answer: C is incorrect. A router is a device that routes data packets between computers in different networks. It is used to connect multiple networks, and it determines the path to be taken by each data packet to its destination computer. A router maintains a routing table of the available routes and their conditions. By using this information, along with distance and cost algorithms, the router determines the best path to be taken by the data packets to the destination computer. A router can connect dissimilar networks, such as Ethernet, FDDI, and Token Ring, and route data packets among them. Routers operate at the network layer (layer 3) of the Open Systems Interconnection (OSI) model.

Default shares should be disabled, unless they are absolutely needed. They pose a significant security risk by providing a way for an intruder to enter your machine. Answer: A is incorrect. Whether this is a domain server, a DHCP server, a file server, or database server does not change the issue with shared drives/folders. Answer: C is incorrect. They cannot be hidden. Shared folders are, by definition, not hidden but rather available to users on the network. Answer: D is incorrect. These are not necessary for Windows Server operations.

Whenever the nohup command is added in front of any command or process, it makes the command or process run even after the terminal is shut down or session is closed. All processes, except the 'at' and batch requests, are killed when a user logs out. If a user wants a background process to continue running even after he logs out, he must use the nohup command to submit that background command. To nohup running processes, press ctrl+z, enter "bg" and enter "disown". The other way to accomplish the task is to run the command/process inside a GNU Screen-style screen multiplexer, and then detach the screen. GNU Screen maintains the illusion that the user is always logged in, and allows the user to reattach at any time. This has the advantage of being able to continue to interact with the program once reattached (which is impossible with nohup alone). Answer: C is incorrect. The nohup command works when it is added in front of a command. Answer: A is incorrect. The bg command cannot run the command or process after the terminal is shut down or session is closed.