Endpoint Security (ESec) Final Exam Answers (Course Final)

Endpoint Security (ESec) Final Exam Answers (Course Final Exam)

1. Which two commands could be used to check if DNS name resolution is working properly on a Windows PC? (Choose two.)

ping cisco.com
net cisco.com
ipconfig /flushdns
nslookup cisco.com
nbtstat cisco.com

Explanation: The ping command tests the connection between two hosts. When ping uses a host domain name to test the connection, the resolver on the PC will first perform the name resolution to query the DNS server for the IP address of the host. If the ping command is unable to resolve the domain name to an IP address, an error will result.

Nslookup is a tool for testing and troubleshooting DNS servers.

2. A technician notices that an application is not responding to commands and that the computer seems to respond slowly when applications are opened. What is the best administrative tool to force the release of system resources from the unresponsive application?

Event Viewer
Add or Remove Programs
System Restore
Task Manager

Explanation: Use the Task Manager Performance tab to see a visual representation of CPU and RAM utilization. This is helpful in determining if more memory is needed. Use the Applications tab to halt an application that is not responding.

3. What is required in order to connect a Wi-Fi enabled laptop to a WPA secured wireless network?

a MAC address
a username and password
a security encryption key
an updated wireless driver

Explanation: Regardless of the levels of security configured on a WLAN, a WPA secured WLAN always requires the use of an encryption key. Without the proper key, a device cannot connect to the network.

4. Why would an attacker want to spoof a MAC address?

so that the attacker can launch another type of attack in order to gain access to the switch
so that the attacker can capture traffic from multiple VLANs rather than from just the VLAN that is assigned to the port to which the attacker device is attached
so that a switch on the LAN will start forwarding frames to the attacker instead of to the legitimate host
so that a switch on the LAN will start forwarding all frames toward the device that is under control of the attacker (that can then capture the LAN traffic)

Explanation: MAC address spoofing is used to bypass security measures by allowing an attacker to impersonate a legitimate host device, usually for the purpose of collecting network traffic.

5. What is a wireless security mode that requires a RADIUS server to authenticate wireless users?

personal
enterprise
shared key
WEP

Explanation: WPA and WPA2 come in two types: personal and enterprise. Personal is used in home and small office networks. Shared key allows three different authentication techniques: (1) WEP, (2) WPA, and (3) 802.11i/WPA2. WEP is an encryption method.

6. What are three functions provided by the syslog service? (Choose three.)

to select the type of logging information that is captured
to provide traffic analysis
to specify the destinations of captured messages
to provide statistics on packets that are flowing through a Cisco device
to gather logging information for monitoring and troubleshooting
to periodically poll agents for data

Explanation: There are three primary functions provided by the syslog service:
– gathering logging information
– selection of the type of information to be logged
– selection of the destination of the logged information

7. A network administrator is checking the system logs and notices unusual connectivity tests to multiple well-known ports on a server. What kind of potential network attack could this indicate?

access
denial of service
reconnaissance
information theft

Explanation: A reconnaissance attack is the unauthorized discovery and mapping of systems, services, or vulnerabilities. One of the most common reconnaissance attacks is performed by using utilities that automatically discover hosts on the networks and determine which ports are currently listening for connections.

8. A technician has installed a third party utility that is used to manage a Windows 7 computer. However, the utility does not automatically start whenever the computer is started. What can the technician do to resolve this problem?

Set the application registry key value to one.
Use the Add or Remove Programs utility to set program access and defaults.
Change the startup type for the utility to Automatic in Services.
Uninstall the program and then choose Add New Programs in the Add or Remove Programs utility to install the application.

Explanation: The Services console in Windows OS allows for the management of all the services on the local and remote computers. The setting of Automatic in the Services console enables the chosen service to start when the computer is started.

9. What is the motivation of a white hat attacker?

discovering weaknesses of networks and systems to improve the security level of these systems
studying operating systems of various platforms to develop a new system
fine tuning network devices to improve their performance and efficiency
taking advantage of any vulnerability for illegal personal gain

Explanation: White hat attackers break into networks or computer systems in order to discover weaknesses for the purpose of improving the security of these systems. These break-ins are done with permission from the owner or the organization. Any results are reported back to the owner or the organization.

10. Which two types of hackers are typically classified as grey hat hackers? (Choose two.)

hacktivists
cyber criminals
state-sponsored hackers
script kiddies
vulnerability brokers

Explanation: Grey hat hackers may do unethical or illegal things, but not for personal gain or to cause damage. Hacktivists use their hacking as a form of political or social protest, and vulnerability brokers hack to uncover weaknesses and report them to vendors. Depending on the perspective one possesses, state-sponsored hackers are either white hat or black hat operators. Script kiddies create hacking scripts to cause damage or disruption. Cyber criminals use hacking to obtain financial gain by illegal means.

11. What are two shared characteristics of the IDS and the IPS? (Choose two.)

Both have minimal impact on network performance.
Both analyze copies of network traffic.
Both are deployed as sensors.
Both rely on an additional network device to respond to malicious traffic.
Both use signatures to detect malicious traffic.

Explanation: Both the IDS and the IPS are deployed as sensors and use signatures to detect malicious traffic. The IDS analyzes copies of network traffic, which results in minimal impact on network performance. The IDS also relies on an IPS to stop malicious traffic.

12. An attacker is sitting in front of a store and wirelessly copies emails and contact lists from nearby unsuspecting user devices. What type of attack is this?

bluejacking
RF jamming
bluesnarfing
smishing

Explanation: Blusnarfing is the copying of user information through unauthorized Bluetooth transmissions.

13. An organization allows employees to work from home two days a week. Which technology should be implemented to ensure data confidentiality as data is transmitted?

SHS
VLANS
RAID
VPN

Explanation: Protecting data confidentiality requires an understanding of the technologies used to protect data in all three data states.

14. A new PC is taken out of the box, started up and connected to the Internet. Patches were downloaded and installed. Antivirus was updated. In order to further harden the operating system what can be done?

Turn off the firewall.
Remove unnecessary programs and services.
Disconnect the computer from the network.
Give the computer a nonroutable address.
Install a hardware firewall.
Remove the administrator account.

Explanation: When hardening an operating system, patching and antivirus are part of the process. Many extra components are added by the manufacturer that are not necessarily needed.

15. Which type of networks poses increasing challenges to cybersecurity specialists due to the growth of BYOD on campus?

wired networks
virtual networks
wireless networks
sneaker net

Explanation: A cybersecurity specialist must be familiar with the types of technologies used to store, transmit, and process data.

16. What are two types of attacks used on DNS open resolvers? (Choose two.)

ARP poisoning
resource utilization
cushioning
amplification and reflection
fast flux

Explanation: Three types of attacks used on DNS open resolvers are as follows:
* DNS cache poisoning – attacker sends spoofed falsified information to redirect users from legitimate sites to malicious sites
* DNS amplification and reflection attacks – attacker sends an increased volume of attacks to mask the true source of the attack
* DNS resource utilization attacks – a denial of service (DoS) attack that consumes server resources

17. What would be the target of an SQL injection attack?

database
email
DHCP
DNS

Explanation: SQL is the language used to query a relational database. Cybercriminals use SQL injections to get information, create fake or malicious queries, or to breach the database in some other way.

18. A security specialist is asked for advice on a security measure to prevent unauthorized hosts from accessing the home network of employees. Which measure would be most effective?

Implement a VLAN.
Implement intrusion detection systems.
Implement RAID.
Implement a firewall.

Explanation: Protecting data confidentiality requires an understanding of the technologies used to protect data in all three data states.

19. Match the network service with the description.

Endpoint Security (ESec) Final Exam Answers 19

Explanation: Place the options in the following order:

Notifies the administrator with detailed system messages	Syslog
Provides statistics on IP packets flowing through network devices	NetFlow
Synchronizes the time across all devices on the network	NTP
Allows administrators to manage network nodes	SNMP

20. Which method can be used to harden a device?

allow USB auto-detection
use SSH and disable the root account access over SSH
allow default services to remain enabled
maintain use of the same passwords

Explanation: The basic best practices for device hardening are as follows:
– Ensure physical security.
– Minimize installed packages.
– Disable unused services.
– Use SSH and disable the root account login over SSH.
– Keep the system updated.
– Disable USB auto-detection.
– Enforce strong passwords.
– Force periodic password changes.
– Keep users from re-using old passwords.
– Review logs regularly.

21. Which user can override file permissions on a Linux computer?

root user
any user that has ‘group’ permission to the file
only the creator of the file
any user that has ‘other’ permission to the file

Explanation: A user has as much rights to a file as the file permissions allow. The only user that can override file permission on a Linux computer is the root user. Because the root user has the power to override file permissions, the root user can write to any file.

22. Which wireless parameter is used by an access point to broadcast frames that include the SSID?

passive mode
channel setting
active mode
security mode

Explanation: The two scanning or probing modes an access point can be placed into are passive or active. In passive mode, the AP advertises the SSID, supported standards, and security settings in broadcast beacon frames. In active mode, the wireless client must be manually configured for the same wireless parameters as the AP has configured.

23. What is the outcome when a Linux administrator enters the man man command?

The man man command provides documentation about the man command
The man man command provides a list of commands available at the current prompt
The man man command opens the most recent log file
The man man command configures the network interface with a manual address

Explanation: The man command is short for manual and is used to obtain documentation about a Linux command. The command man man would provide documentation about how to use the manual.

24. Which technique could be used by security personnel to analyze a suspicious file in a safe environment?

whitelisting
baselining
blacklisting
sandboxing

Explanation: Sandboxing allows suspicious files to be executed and analyzed in a safe environment. There are free public sandboxes that allow for malware samples to be uploaded or submitted and analyzed.

25. What are three benefits of using symbolic links over hard links in Linux? (Choose three.)

Symbolic links can be exported.
They can be compressed.
They can link to a file in a different file system.
They can link to a directory.
They can be encrypted.
They can show the location of the original file.

Explanation: In Linux, a hard link is another file that points to the same location as the original file. A soft link (also called a symbolic link or a symlink) is a link to another file system name. Hard links are limited to the file system in which they are created and they cannot link to a directory; soft links are not limited to the same file system and they can link to a directory. To see the location of the original file for a symbolic link use the ls –l command.

26. Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet?

traffic class
version
flow label
next header

Explanation: Optional Layer 3 information about fragmentation, security, and mobility is carried inside of extension headers in an IPv6 packet. The next header field of the IPv6 header acts as a pointer to these optional extension headers if they are present.

27. What is the term used when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source?

phishing
backdoor
Trojan
vishing

Explanation: Phishing is used by malicious parties who create fraudulent messages that attempt to trick a user into either sharing sensitive information or installing malware.

28. Which technology is used by Cisco Advanced Malware Protection (AMP) in defending and protecting against known and emerging threats?

website filtering and blacklisting
threat intelligence
network admission control
network profiling

Explanation: Cisco AMP uses threat intelligence along with known file signatures to identify and block policy-violating file types and exploitations.

29. After host A receives a web page from server B, host A terminates the connection with server B. Match each option to its correct step in the normal termination proccess for a TCP connection.

Explanation: Place the options in the following order:

Host A sends FIN to Server B	Step 1
Server B sends ACK to Host A	Step 2
Server B sends FIN to Host A	Step 3
Host A sends ACK to Server B	Step 4

30. A flood of packets with invalid source IP addresses requests a connection on the network. The server busily tries to respond, resulting in valid requests being ignored. What type of attack has occurred?

TCP session hijacking
TCP reset
TCP SYN flood
UDP flood

Explanation: The TCP SYN Flood attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to an intended target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. Those responses never arrive. Eventually the target host is overwhelmed with half-open TCP connections and denies TCP services.

31. Which Windows tool can be used by a cybersecurity administrator to secure stand-alone computers that are not part of an active directory domain?

Windows Defender
Local Security Policy
Windows Firewall
PowerShell

Explanation: Windows systems that are not part of an Active Directory Domain can use the Windows Local Security Policy to enforce security settings on each stand-alone system.

32. Match the correct sequence of steps typically taken by a threat actor carrying out a domain shadowing attack.

Explanation: Place the options in the following order:

The website is compromised.	Step 1
HTTP 302 cushioning is used.	Step 2
Domain shadowing is used.	Step 3
An exploit kit landing page is created.	Step 4
Malware is spread through its payload.	Step 5

33. What is a feature of distributed firewalls?

They combine the feature of host-based firewalls with centralized management.
They all use an open sharing standard platform.
They use only TCP wrappers to configure rule-based access control and logging systems.
They use only iptables to configure network rules.

Explanation: Distributed firewalls combine features of host-based firewalls with centralized management, which pushes rules to the hosts.

34. What does the telemetry function provide in host-based security software?

It updates the heuristic antivirus signature database.
It enables host-based security programs to have comprehensive logging functions.
It blocks the passage of zero-day attacks.
It enables updates of malware signatures.

Explanation: The telemetry function allows for robust logging functionality that is essential to cybersecurity operations. Some host-based security programs will submit logs to a central location for analysis.

35. What is an attack vector as it relates to network security?

a path by which a threat actor can gain access to an internal network device
a defense-in-depth approach to security
a particular section of a network design where security is applied
a method of reverse engineering binary files

Explanation: An attack vector is a path used by a threat actor to gain access to a server, host, or network and can originate from within the company or from the outside.