You work as a Network Consultant. A company named Tech Perfect Inc. hires you for security
reasons. The manager of the company tells you to establish connectivity between clients and servers
of the network which prevents eavesdropping and tampering of data on the Internet. Which of the
following will you configure on the network to perform the given task?
D
Explanation: In order to perform the given task, you will have to configure the SSL protocol on the
network. Secure Sockets Layer (SSL) is a protocol used
to transmit private documents via the Internet. SSL uses a combination of public key and symmetric
encryption to provide communication
privacy, authentication, and message integrity. Using the SSL protocol, clients and servers can
communicate in a way that prevents
eavesdropping and tampering of data on the Internet. Many Web sites use the SSL protocol to obtain
confidential user information, such as
credit card numbers. By convention, URLs that require an SSL connection start with https: instead of
http:. By default, SSL uses port 443 for
secured communication.
Answer option B is incorrect. Internet Protocol Security (IPSec) is a method of securing data. It
secures traffic by using encryption and digital
signing. It enhances the security of data as if an IPSec packet is captured, its contents cannot be read.
IPSec also provides sender verification
that ensures the certainty of the datagram's origin to the receiver.
Answer option A is incorrect. Wired Equivalent Privacy (WEP) is a security protocol for wireless local
area networks (WLANs). It has two
components, authentication and encryption. It provides security, which is equivalent to wired
networks, for wireless networks. WEP encrypts
data on a wireless network by using a fixed secret key. WEP incorporates a checksum in each frame
to provide protection against the attacks
that attempt to reveal the key stream.
Answer option C is incorrect. VPN stands for virtual private network. It allows users to use the
Internet as a secure pipeline to their corporate
local area networks (LANs). Remote users can dial-in to any local Internet Service Provider (ISP) and
initiate a VPN session to connect to their
corporate LAN over the Internet. Companies using VPNs significantly reduce long-distance dial-up
charges. VPNs also provide remote
employees with an inexpensive way of remaining connected to their company's LAN for extended
periods.
Which of the following is the most secure method of authentication?
D
Explanation: Biometrics is a method of authentication that uses physical characteristics, such as
fingerprints, scars, retinal patterns, and other forms of
biophysical qualities to identify a user. Nowadays, the usage of biometric devices such as hand
scanners and retinal scanners is becoming
more common in the business environment. It is the most secure method of authentication.
Answer option C is incorrect. Username and password is the least secure method of authentication
in comparison of smart card and biometrics
authentication. Username and password can be intercepted.
Answer option A is incorrect. Smart card authentication is not as reliable as biometrics
authentication.
Answer option B is incorrect. Anonymous authentication does not provide security as a user can log
on to the system anonymously and he is
not prompted for credentials.
Which of the following are the phases of the Certification and Accreditation (C&A) process?
Each correct answer represents a complete solution. Choose two.
C and B
Explanation: The Certification and Accreditation (C&A) process consists of four distinct phases:
1.Initiation
2.Security Certification
3.Security Accreditation
4.Continuous Monitoring
The C&A activities can be applied to an information system at appropriate phases in the system
development life cycle by selectively tailoring
the various tasks and subtasks.
Answer options D and A are incorrect. Auditing and detection are not phases of the Certification and
Accreditation process.
You are responsible for a Microsoft based network. Your servers are all clustered. Which of the
following are the likely reasons for the clustering?
Each correct answer represents a complete solution. Choose two.
B and A
Explanation: Clustering provides two advantages. The first is failover. Should one server fail, the
second in the cluster can continue working with no
interruption in service to customers. This is particularly important with database servers. If one fails,
in a clustered environment the customer
will not even know the main database server is down.
Clustering also provides load balancing. This is critical for Web servers in high volume e-commerce
situations. Clustering allows the load to be
distributed over many computers rather than focused on a single server.
Your customer is concerned about security. He wants to make certain no one in the outside world can
see the IP addresses inside his network. What feature of a router would accomplish this?
B
Explanation: One purpose of Network Address Translation (NAT) is to hide internal IP addresses, only
exposing the router's IP address to the outside
world.
You work as a CSO (Chief Security Officer) for Tech Perfect Inc. You have a disaster scenario and you
want to discuss it with your team members for getting appropriate responses of the disaster. In
which of the following disaster recovery tests can this task be performed?
C
Explanation: A simulation test is a method used to test the disaster recovery plans. It operates just
like a structured walk-through test. In the simulation
test, the members of a disaster recovery team present with a disaster scenario and then, discuss on
appropriate responses. These
suggested responses are measured and some of them are taken by the team. The range of the
simulation test should be defined carefully for
avoiding excessive disruption of normal business activities.
Answer option D is incorrect. The structured walk-through test is also known as the table-top
exercise. In structured walk-through test, the
team members walkthrough the plan to identify and correct weaknesses and how they will respond
to the emergency scenarios by stepping
in the course of the plan. It is the most effective and competent way to identify the areas of overlap
in the plan before conducting more
challenging training exercises.
Answer option A is incorrect. A full-interruption test includes the operations that shut down at the
primary site and are shifted to the recovery
site according to the disaster recovery plan. It operates just like a parallel test. The full-interruption
test is very expensive and difficult to
arrange. Sometimes, it causes a major disruption of operations if the test fails.
Answer option B is incorrect. A parallel test includes the next level in the testing procedure, and
relocates the employees to an alternate
recovery site and implements site activation procedures. These employees present with their
disaster recovery responsibilities as they would
for an actual disaster. The disaster recovery sites have full responsibilities to conduct the day-to-day
organization's business.
Perfect World Inc., provides its sales managers access to the company's network from remote
locations. The sales managers use laptops to
connect to the network. For security purposes, the company's management wants the sales
managers to log on to the network using smart
cards over a remote connection. Which of the following authentication protocols should be used to
accomplish this?
D
Explanation: According to the question, the sales managers of the company will connect to the
company's network from remote locations. Hence, it is
necessary to make the communication as secure as possible. Also, the sales managers will be using
laptops that are configured to read smart
cards. Therefore, they will use EAP, as it is highly secure and supports smart card authentication.
Which of the following authentication methods provides credentials that are only valid during a
single session?
D
Explanation: Token method of authentication provides credentials that are only valid during a single
session. Token is a unique identifier, which is
generated and sent from a server to a software client to identify an interaction session.
Answer option C is incorrect. A certificate is a set of data that completely identifies an entity. It is a
digitally signed statement that binds the
value of a public key to the identity of a person. It can be issued to perform a number of functions
such as Web server authentication, secure
e-mail, etc. A certificate is valid only for the period of time specified within it. Moreover, a user can
set the duration for a certificate's validity.
After the validity period, the certificate becomes invalid. A certificate also eliminates the need for
hosts to maintain a set of passwords for
individuals who are required to be authenticated.
Answer option B is incorrect. A smart card is a credit card-sized device used to securely store
personal information such as certificates, public
and private keys, passwords, etc. It is used in conjunction with a PIN number to authenticate users.
In Windows, smart cards are used to
enable certificate-based authentication. To use smart cards, Extensible Authentication Protocol (EAP)
must be configured in Windows.
Answer option A is incorrect. Kerberos v5 is an authentication method used by Windows operating
systems to authenticate users and
network services. Windows 2000/2003 and XP clients and servers use Kerberos v5 as the default
authentication method. Kerberos has
replaced the NT LAN Manager (NTLM) authentication method, which was less secure. Kerberos uses
mutual authentication to verify both the
identity of the user and network services. The Kerberos authentication process is transparent to the
users.
Note: Kerberos v5 is not supported on Windows XP Home clients or on any clients that are not
members of an Active Directory domain.
Which of the following password authentication schemes enables a user with a domain account to
log on to a network once, using a
password or smart card, and to gain access to multiple computers in the domain without being
prompted to log in again?
A. Single Sign-On
B. One-time password
C. Dynamic
D. Kerberos
A
Explanation: Single Sign-On (SSO) is a system capability that enables users to access a number of
applications without having to log on and/or provide a
password to each application. In SSO, a user can access all computer applications and systems where
he has access permission without
entering multiple passwords. This reduces human error and systems failure and is therefore highly
desirable. There are many commercial SSO
solutions available in the market. Some of them are as follows:
Central Authentication Service (CAS)
The Dutch NREN
CoSign
Enterprise Single Sign-On (E-SSO)
Web Single Sign-On (Web SSO)
Security Assertion Markup Language (SAML)
Direct SSO
Shibboleth
Answer option B is incorrect. A one-time password (OTP) is a password only valid for a single login
session or transaction. OTP avoids a
number of shortcomings that are associated with traditional passwords. The most important
shortcoming that is addressed by OTP is that OTP
is not vulnerable to replay attacks. If a potential intruder manages to record an OTP that was already
used to log into a service or to conduct
a transaction, he will not be able to abuse it since it will be no longer valid.
Answer option D is incorrect. Kerberos is a secure protocol that supports ticketing authentication. A
ticket is granted in response to a client
computer authentication request by the Kerberos authentication server, if the request contains valid
user credentials and a valid Service
Principal Name (SPN). The ticket is then used by the client computer to access network resources. To
enable Kerberos authentication, the
client and server computers must have a trusted connection to the domain Key Distribution Center
(KDC). The task of KDC is to distribute
shared secret keys to enable encryption.
Answer option C is incorrect. In the dynamic password authentication scheme, passwords are
changed after a specified time or time interval.
Which of the following cables provides maximum security against electronic eavesdropping on a
network?
A
Explanation: A fibre optic cable provides maximum security against electronic eavesdropping on a
network. A fibre optic cable is an optical media. Signals
traveling in fibre optic cables are not electrical signals. Therefore, they do not emit electromagnetic
radiation and cannot be eavesdropped by
electromagnetic eavesdropping devices.
Answer options C and B are incorrect. In UTP and STP cables, the signals travel in electronic form and
emit electromagnetic radiation.
Therefore, these cables are not secure against electronic eavesdropping.
Answer option D is incorrect. There is no cable such as NTP.
The OSI reference model is divided into layers and each layer has a specific task to perform. At which
layer of OSI model is the File and Print service performed?
D
Explanation: The File and Print service is performed at the application layer. This layer also provides a
variety of commonly required functions:
Resource sharing and device redirection
Remote file access
Remote printer access
Inter-process communication
Network management
Directory services
Electronic messaging (such as mail)
Network virtual terminals
Which of the following methods of encryption uses a single key to encrypt and decrypt data?
B
Explanation: Symmetric encryption is a type of encryption that uses a single key to encrypt and
decrypt data. Symmetric encryption algorithms are faster
than public key encryption. Therefore, it is commonly used when a message sender needs to encrypt
a large amount of data. Data Encryption
Standard (DES) uses symmetric encryption key algorithm to encrypt data.
Answer option A is incorrect. Asymmetric encryption is a type of encryption that uses two keys - a
public key and a private key pair for data
encryption. The public key is available to everyone, while the private or secret key is available only to
the recipient of the message. For
example, when a user sends a message or data to another user, the sender uses a public key to
encrypt the data. The receiver uses his
private key to decrypt the data.
Answer options C and D are incorrect. Secure Multipart Internet Mail Extensions (S/MIME) and
Pretty Good Privacy (PGP) are types of
asymmetric encryption. Both are based on public key cryptography where each user has two keys, a
public key for encrypting and a private
key for decrypting messages.
Which of the following security architectures defines how to integrate widely disparate applications
for a world that is Web-based and uses
multiple implementation platforms?
D
Explanation: In computing, a service-oriented architecture (SOA) is a flexible set of design principles
used during the phases of systems development and
integration. A deployed SOA-based architecture will provide a loosely-integrated suite of services
that can be used within multiple business
domains.
SOA also generally provides a way for consumers of services, such as web-based applications, to be
aware of available SOA-based services.
For example, several disparate departments within a company may develop and deploy SOA services
in different implementation languages;
their respective clients will benefit from a well understood, well defined interface to access them.
XML is commonly used for interfacing with
SOA services, though this is not required.
SOA defines how to integrate widely disparate applications for a world that is Web-based and uses
multiple implementation platforms. Rather
than defining an API, SOA defines the interface in terms of protocols and functionality. An endpoint is
the entry point for such an SOA
implementation.
You are responsible for security at a building that has a lot of traffic. There are even a significant
number of non-employees coming in and out of the building. You are concerned about being able to
find out who is in the building at a particular time. What is the simplest way to accomplish this?
A
Explanation: A sign in sheet is very cost effective and can be implemented immediately. Put at a
receptionist's desk, it adds almost no cost yet allows you
to find out who is in the building at a given time.
Answer option B is incorrect. To begin with this solution would entail significant costs. Furthermore,
it would be difficult to implement for non-
employees entering the building.
Answer option D is incorrect. This might work well, but would not be the simplest way to accomplish
the goal. It also would be moderately
expensive.
Answer option C is incorrect. This would be neither simple, nor cost effective. And it would be
difficult to coordinate with the non employees
entering the building.
The service-oriented modeling framework (SOMF) introduces five major life cycle modeling activities
that drive a service evolution during design-time and run-time. Which of the following activities
integrates SOA software assets and establishes SOA logical environment dependencies?
D
Explanation: The service-oriented logical architecture modeling integrates SOA software assets and
establishes SOA logical environment dependencies. It
also offers foster service reuse, loose coupling and consolidation.
Answer option C is incorrect. The service-oriented discovery and analysis modeling discovers and
analyzes services for granularity, reusability,
interoperability, loose-coupling, and identifies consolidation opportunities.
Answer option A is incorrect. The service-oriented business integration modeling identifies service
integration and alignment opportunities
with business domains' processes.
Answer option B is incorrect. The service-oriented logical design modeling establishes service
relationships and message exchange paths.