Cccure 04. Communication and Network Security Cissp Practice Test With Answer and Explanation
Which of the following type of traffic can easily be filtered with a stateful packet filter by enforcing the
context or state of the request?
• ICMP
• TCP
• UDP
• IP
Details:
The question is explicit in asking *easily*. With TCP connection establishment there is a distinct state or
sequence that can be expected. Consult the references for further details.
ICMP, IP and UDP don't have any concept of a session; i.e. each packet or datagram is handled
individually, with no reference to the contents of the previous one. With no sessions, these protocols
usually cannot be filtered on the state of the session.
Some newer firewalls, however, simulate the concept of state for these protocols, and filter out
unexpected packets based upon normal usage. Although these are commonly treated like normal
stateful filters, they are more complex to program, and hence more prone to errors.
A stateful packet filter or stateful inspection inspects each packet and only allows known connection
states through. So, if a SYN/ACK packet was received and there was not a prior SYN packet sent, it would
filter that packet and not let it in. The correct sequence of steps is known, and if the sequence or state
is incorrect then the packet is dropped.
ICMP. ICMP is basically stateless so you could not *easily* filter them based on the state or sequence.
UDP. UDP has no real state so you could only partially filter them based on the state or sequence. The
question was explicit in asking *easily*. While it is possible, UDP is not the best answer.
IP. IP would refer to the Internet Protocol and as such is stateless so you would not be able to filter it out
*easily*.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14568
http://www.nwo.net/ipf/ipf-howto.pdf
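The behaviour the explanation describes (a SYN/ACK with no prior SYN is dropped because the filter knows the expected handshake sequence) can be shown with a small state table keyed on the connection. The block below is an added example and not code from the cited references; it assumes a protected LAN of 10.0.0.0/24 whose hosts are the only ones allowed to initiate connections, and the packet sequence it runs is constructed.

```python
"""Tiny stateful TCP filter (constructed example).  One entry per connection;
a packet is accepted only if its flags fit the state that entry is in, so an
unsolicited SYN/ACK with no prior SYN is dropped."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


Key = Tuple[str, int, str, int]


class StatefulFilter:
    """Assumption: the inside network is 10.0.0.0/24 and only inside hosts may
    open connections (a common default policy, chosen here for the demo)."""

    def __init__(self, inside_prefix: str = "10.0.0.") -> None:
        self.inside_prefix = inside_prefix
        self.table: Dict[Key, str] = {}

    def _key(self, p: Packet) -> Key:
        # Canonical key so both directions of one connection share an entry.
        return min((p.src, p.sport, p.dst, p.dport),
                   (p.dst, p.dport, p.src, p.sport))

    def check(self, p: Packet) -> str:
        key = self._key(p)
        state = self.table.get(key)
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if p.flags & RST:
            # A reset is only meaningful for a connection we already track.
            return "ACCEPT" if self.table.pop(key, None) else "DROP"
        if syn and not ack:
            # New connection: only from inside, and only if not already tracked.
            if state is None and p.src.startswith(self.inside_prefix):
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        if syn and ack:
            # SYN/ACK is valid only as the reply to a SYN we have seen.
            if state == "SYN_SENT":
                self.table[key] = "SYN_RECV"
                return "ACCEPT"
            return "DROP"
        if ack:
            if state == "SYN_RECV":
                self.table[key] = "ESTABLISHED"
                return "ACCEPT"
            if state == "ESTABLISHED":
                if p.flags & FIN:
                    self.table.pop(key)      # connection teardown
                return "ACCEPT"
        return "DROP"  # nothing else matches a known state


def demo() -> List[str]:
    """Runs a constructed packet sequence through the filter; returns verdicts."""
    f = StatefulFilter()
    client, server, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    sequence = [
        Packet(client, 40000, server, 443, SYN),          # handshake step 1
        Packet(server, 443, client, 40000, SYN | ACK),    # step 2, expected reply
        Packet(client, 40000, server, 443, ACK),          # step 3
        Packet(server, 443, client, 40000, ACK),          # data on established flow
        Packet(stranger, 443, client, 40001, SYN | ACK),  # SYN/ACK with no prior SYN
        Packet(stranger, 5555, client, 22, SYN),          # inbound connection attempt
    ]
    return [f.check(p) for p in sequence]


if __name__ == "__main__":
    print(demo())
```

The two dropped packets are exactly the cases the explanation mentions: a SYN/ACK that no tracked SYN explains, and a SYN from outside that policy does not allow. A UDP or ICMP "state" in a real firewall is a timer-based pseudo-session rather than this flag-driven sequence, which is why the page calls those harder to filter.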
Question 2
• Datagram Layer.
• Network Layer.
• Transport Layer.
Details:
The network layer contains the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), and
the Internet Group Management Protocol (IGMP)
The Internet (network) layer defines how information the transport layer receives is sent over networks,
and how the network addresses, or references, other hosts. The network layer contains the Internet
Protocol (IP), the Internet Control Message Protocol (ICMP), and the Internet Group Management
Protocol (IGMP). Because it contains the IP module, the network layer is considered the heart of any
TCP/IP-based network. Within the network layer, the IP module performs most of the work. ICMP and
IGMP are IP-support protocols helping the IP handle special network messages such as error messages
and multicast messages (messages sent to two or more nodes). The network layer handles the delivery
of information from one computer to the other computers across networks. IP, ICMP, and IGMP all
operate at the Network Layer.
The following answers are incorrect:
Transport Layer. Is incorrect because it is used to deliver error-free data between applications and uses
the TCP and UDP protocols.
Data Link Layer. Is incorrect because this layer deals with addressing hardware.
CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition
Page 433 or Kindle Location 11848
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12338
Question 3
The IP header contains a protocol field. If this field contains the value of 6, what type of data is
contained within the ip datagram?
• TCP.
• ICMP.
• UDP.
• IGMP.
Details:
If the protocol field has a value of 6 then it would indicate it was TCP.
The protocol field of the IP packet dictates what protocol the IP packet is using.
TCP=6, ICMP=1, UDP=17, IGMP=2
UDP. Is incorrect because the value for the UDP protocol would be 17.
CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition
Page 442 or Kindle Location 12063
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12534
SANS http://www.sans.org/resources/tcpip.pdf?ref=3871
Question 4
The IP header contains a protocol field. If this field contains the value of 2, what type of data is
contained within the IP datagram?
• TCP
• ICMP
• UDP
• IGMP
Details:
If the protocol field has a value of 2 then it would indicate it was IGMP.
The protocol field of the IP packet dictates what protocol the IP packet is using.
TCP=6, ICMP=1, UDP=17, IGMP=2
UDP. Is incorrect because the value for the UDP protocol would be 17.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 447 or Kindle Location 12206
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12350
SANS http://www.sans.org/resources/tcpip.pdf?ref=3871
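Questions 3 and 4 both turn on reading the protocol byte of the IPv4 header. The block below is an added example, not code from the study guides or the SANS reference: it builds a 20-byte header by hand (with addresses from the TEST-NET range), computes the header checksum, and then parses the header back to name the carried protocol using the numbers the page lists.

```python
"""Build and parse the fixed 20-byte IPv4 header (constructed example).
The 'protocol' field at byte 9 is what Questions 3 and 4 ask about."""
import struct
from typing import Dict

# IANA protocol numbers given on the page
PROTOCOL_NAMES: Dict[int, str] = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# Network byte order: ver/ihl, tos, total length, id, flags+frag offset,
# ttl, protocol, header checksum, source address, destination address
HEADER_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(proto: int, src: str = "192.0.2.1",
                      dst: str = "192.0.2.2", ttl: int = 64) -> bytes:
    """Constructs a header with a valid checksum for the given protocol number."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack(HEADER_FMT, 0x45, 0, 20, 0, 0x4000, ttl, proto, 0, s, d)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(raw: bytes) -> dict:
    """Decodes the header fields and names the encapsulated protocol."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(HEADER_FMT, raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, f"other({proto})"),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        # A valid header sums to zero once the checksum field is included.
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
    }


if __name__ == "__main__":
    for number in (6, 2, 17, 1):
        info = parse_ipv4_header(build_ipv4_header(number))
        print(number, info["protocol_name"], "checksum_ok" if info["checksum_ok"] else "BAD")
```

A packet filter that matches on "protocol 6" or "protocol 17" is reading exactly this byte; the checksum check is included because a sensor should distrust a header whose checksum fails before acting on any of its fields.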
Question 5
You are running a packet sniffer on a network and see a packet containing a long string of "0x90 0x90
0x90 0x90...." in the middle of it traveling to an x86-based machine as a target. This could be indicative
of what activity being attempted?
• A FIN scan.
Details:
The Intel x86 processors use the hexadecimal number 90 to represent NOP (no operation). Many buffer
overflow attacks use long strings of control characters and this is representative of that type of attack.
A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is
an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to
be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up
by commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make
a mess, by shoving arbitrary data into various memory segments, or to accomplish a specific task, by
pushing into the memory segment a carefully crafted set of data that will accomplish a specific task. This
task could be to open a command shell with administrative privilege or execute malicious code.
Common threats to system availability, integrity, and confidentiality include hardware failure, misuse of
system privileges, buffer overflows and other memory attacks, denial of service, reverse engineering,
and system hacking.
Since many vulnerabilities result from insecure design and most threats are well known, it is the
responsibility of the security architect to ensure that their designs are addressing security requirements
appropriately while also ensuring that the system can continue to perform its intended function.
Over-subscription of the traffic on a backbone. Is incorrect because if there was Over-subscription of the
traffic on a backbone, that would typically result in not being able to send or receive any packets, more
commonly known as Denial of Service or DoS.
A source quench packet. This is incorrect because a source quench packet is an ICMP message that
contains the internet header plus 64 bits of the original datagram.
A FIN scan. This is incorrect because a FIN scan is when a packet with the FIN flag set is sent to a specific
port and the results are then analyzed.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 370-372 or Kindle Location 10422
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 26381
Wikipedia http://en.wikipedia.org/wiki/Port_scanner
ICMP http://security.maruhn.com/iptables-tutorial/x1078.html
Wikipedia http://en.wikipedia.org/wiki/Buffer_overflow
Question 6
A packet containing a long string of NOP's followed by a command is usually indicative of what?
• A syn scan.
• A half-port scan.
Details:
A series of the same control (hexadecimal) characters embedded in the string is usually an indicator of a
buffer overflow attack. A NOP is an instruction which does nothing (No Operation; the hexadecimal
equivalent is 0x90).
A syn scan. This is incorrect because a SYN scan is when a SYN packet is sent to a specific port and the
results are then analyzed.
A half-port scan. This is incorrect because the port scanner generates a SYN packet. If the target port is
open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the
connection before the handshake is completed. Also known as a Half Open Port scan.
A packet destined for the network's broadcast address. This is incorrect because this type of packet
would not contain a long string of NOP characters.
Wikipedia http://en.wikipedia.org/wiki/Port_scanner
ICMP http://security.maruhn.com/iptables-tutorial/x1078.html
The Intel x86 processors use the hexadecimal number 90 to represent NOP (no operation). Many buffer
overflow attacks use long strings of control characters and this is representative of that type of attack.
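The indicator described in Questions 5 and 6 (a long run of 0x90 bytes in a payload) is a classic network-sensor signature. The block below is an added example and not code from the cited references: a detector that scans a captured payload for the longest run of NOP bytes and raises an alert above a threshold. The payloads are constructed, and the 32-byte threshold is an assumed tuning value.

```python
"""Detect a run of x86 NOP (0x90) bytes in a captured payload (constructed example).
This is sensor-side detection logic only."""
from typing import Optional, Tuple

NOP = 0x90


def longest_nop_run(payload: bytes) -> Tuple[int, int]:
    """Returns (length, offset) of the longest consecutive run of 0x90 bytes."""
    best_len = best_off = 0
    run = 0
    for i, b in enumerate(payload):
        if b == NOP:
            run += 1
            if run > best_len:
                best_len, best_off = run, i - run + 1
        else:
            run = 0
    return best_len, best_off


def nop_sled_alert(payload: bytes, threshold: int = 32) -> Optional[str]:
    """Alert text if the payload holds at least `threshold` consecutive NOPs."""
    length, offset = longest_nop_run(payload)
    if length >= threshold:
        return f"possible NOP sled: {length} x 0x90 starting at offset {offset}"
    return None


# Constructed sample payloads (not real captures)
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_SUSPECT = b"USER " + b"\x90" * 200 + b"\x00\x01\r\n"
# A short burst of 0x90 can occur in legitimate binary data and stays below threshold
SAMPLE_BINARY = b"\x00\x90\x90\x90\x00\xff" * 8


if __name__ == "__main__":
    for name, data in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT),
                       ("binary", SAMPLE_BINARY)):
        print(name, nop_sled_alert(data) or "no alert")
```

The threshold is the tuning knob: too low and ordinary binary transfers (images, archives) trip the rule on coincidental 0x90 bytes; too high and a short sled is missed. A sensor would normally pair this rule with the destination port and protocol so the alert carries context.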
Question 7
In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by
classes. Which of the following would have been true of a Class C network?
• The first bit of the IP address would be set to one and the second bit set to zero.
• The first two bits of the IP address would be set to one, and the third bit set to zero.
Correct Answer is: The first two bits of the IP address would be set to one, and the third bit set to zero.
Details:
The correct answer is: The first two bits of the IP address would be set to one, and the third bit set to
zero.
Each Class C network address has a 24-bit network prefix, with the three highest order bits set to 1-1-0
The first bit of the IP address would be set to zero. Is incorrect because, this would be a Class A network
address.
The first bit of the IP address would be set to one and the second bit set to zero. Is incorrect because,
this would be a Class B network address .
The first three bits of the IP address would be set to one. Is incorrect because, this is a distractor. Class D
&amp; E have the first three bits set to 1. Class D has the 4th bit set to 0 and Class E has the 4th bit set to 1.
For Class E, the addresses are 240.0.0.0 - 255.255.255.255 (Reserved for future usage)
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12582
3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf
Question 8
In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by
classes. Which of the following would have been true of a Class A network?
• The first bit of the IP address would be set to one and the second bit set to zero
• The first two bits of the IP address would be set to one, and the third bit set to zero
Correct Answer is: The first bit of the IP address would be set to zero
Details:
The correct answer is: The first bit of the IP address would be set to zero.
Each Class A network address has an 8-bit network prefix, with the first bit of the IP address set to zero.
See the diagram below for more details.
The first bit of the IP address would be set to one and the second bit set to zero. Is incorrect because
this would be a Class B network address.
The first two bits of the IP address would be set to one, and the third bit set to zero. Is incorrect
because, this would be a Class C network address.
The first three bits of the IP address would be set to one. Is incorrect because, this is a distractor.
See diagram below from the 3COM tutorial on everything you ever wanted to know about IP addressing:
Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing Internet
Protocol packets. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous
addressing architecture of classful network design in the Internet. Their goal was to slow the growth of
routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 445 or Kindle Location 12130
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12583 and 13186.
3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf
https://secure.wikimedia.org/wikipedia/en/wiki/Classless_Inter-Domain_Routing
Question 9
Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid
address to use on the Internet)?
• 10.0.42.5
• 11.0.42.5
• 12.0.42.5
• 13.0.42.5
Details:
This is a valid Class A reserved address. For Class A, the reserved addresses are 10.0.0.0 -
10.255.255.255.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 526 or Kindle Location 14198
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12575
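Questions 7, 8 and 9 all come down to inspecting the high-order bits of the first octet and comparing an address against a reserved range. The block below is an added example, not code from the cited references or the 3Com tutorial; it classifies an address by its leading bits and tests whether it is private. The private check goes beyond the page, which names only the 10.0.0.0/8 range, by covering all three RFC 1918 blocks.

```python
"""Classful designation from leading bits, plus a private-range check
(constructed example).  Only IPv4 is handled."""
import ipaddress
from typing import Dict, Optional

# RFC 1918 private blocks; the page mentions only the first
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _first_octet(addr: str) -> int:
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("classful addressing applies to IPv4 only")
    return int(ip) >> 24


def leading_bits(addr: str, n: int = 4) -> str:
    """The first n bits of the address as a string, e.g. '0000' or '1100'."""
    return format(_first_octet(addr), "08b")[:n]


def ip_class(addr: str) -> str:
    """Pre-CIDR class from the high-order bits of the first octet."""
    first = _first_octet(addr)
    if first >> 7 == 0b0:
        return "A"          # 0xxxxxxx  (0-127)
    if first >> 6 == 0b10:
        return "B"          # 10xxxxxx  (128-191)
    if first >> 5 == 0b110:
        return "C"          # 110xxxxx  (192-223)
    if first >> 4 == 0b1110:
        return "D"          # 1110xxxx  (224-239), multicast
    return "E"              # 1111xxxx  (240-255), reserved


def default_prefix_len(addr: str) -> Optional[int]:
    """Network prefix length implied by the class (None for D and E)."""
    return {"A": 8, "B": 16, "C": 24}.get(ip_class(addr))


def is_private(addr: str) -> bool:
    """True if the address falls in any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def describe(addr: str) -> Dict[str, object]:
    return {"address": addr, "leading_bits": leading_bits(addr),
            "class": ip_class(addr), "prefix_len": default_prefix_len(addr),
            "private": is_private(addr)}


if __name__ == "__main__":
    # The four candidates from Question 9, then one address of each other class
    for a in ("10.0.42.5", "11.0.42.5", "12.0.42.5", "13.0.42.5",
              "172.16.9.9", "192.168.1.1", "224.0.0.1", "240.0.0.1"):
        print(describe(a))
```

Run against the Question 9 candidates, all four come out as Class A (first bit zero) but only 10.0.42.5 is private, which is the distinction the question tests: class is a property of the leading bits, privacy is a property of the allocated range.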
Question 10
Which of the following media is MOST resistant to tapping?
• microwave.
• twisted pair.
• coaxial cable.
• fiber optic.
Details:
Fiber optic is the most resistant to tapping because fiber optic uses light to transmit the signal. While
there are some technologies that allow the line to be monitored passively, it is very difficult to tap into
without detection, so this technology would be the MOST resistant to tapping.
Tapping is when an unauthorized device is attached to a communications line. A fiber optic cable is a
physical medium that is capable of conducting modulated light transmission. Fiber optic cable carries
signals as light waves, thus creating higher transmission speeds and greater distances due to less
attenuation. This type of cabling is more difficult to tap than other cabling and is most resistant to
interference, especially EMI.
microwave. Is incorrect because microwave transmissions can be intercepted if in the path of the
broadcast without detection.
twisted pair. Is incorrect because it is easy to tap into a twisted pair line.
coaxial cable. Is incorrect because it is easy to tap into a coaxial cable line.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 477 or Kindle Location 13041.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14488
Question 11
Organizations should consider which of the following first before allowing external access to their LANs
via the Internet?
• plan for providing the user with his account usage information.
Details:
The correct answer is: plan for considering proper authentication options.
Before a LAN is connected to the Internet, you need to determine which access control mechanisms
are to be used; this includes how you are going to authenticate individuals that may access your
network externally through access control.
plan for implementing workstation locking mechanisms. This is incorrect because locking the
workstations has no impact on the LAN or Internet access.
plan for protecting the modem pool. This is incorrect because protecting the modem pool has no impact
on the LAN or Internet access, it just protects the modem.
plan for providing the user with his account usage information. This is incorrect because the question
asks what should be done first. While important your primary concern should be focused on security.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
Which one of the following is usually not a benefit resulting from the use of firewalls?
Details:
This is not a benefit of a firewall. Most firewalls are limited when it comes to preventing the spread of
viruses.
This question is testing your knowledge of malware and firewalls. The keywords within the question
are "usually" and "virus". Once again, to come up with the correct answer, you must stay within the
context of the question and really ask yourself which of the 4 choices is NOT usually done by a firewall.
Some of the latest appliances, such as Unified Threat Management (UTM) devices, do have the ability
to do virus scanning, but most first and second generation firewalls would not have such ability.
Remember, the question is not asking about all possible scenarios that could exist but only about which
of the 4 choices presented is the BEST.
For the exam you must know your general classes of Malware. There are generally four major classes of
malicious code that fall under the general definition of malware:
1. Virus: Parasitic code that requires human action or insertion, or which attaches itself to another
program to facilitate replication and distribution. Virus-infected containers can range from e-mail,
documents, and data file macros to boot sectors, partitions, and memory fobs. Viruses were the first
iteration of malware and were typically transferred by floppy disks (also known as sneakernet ) and
injected into memory when the disk was accessed or infected files were transferred from system to
system.
2. Worm: Self-propagating code that exploits system or application vulnerabilities to replicate. Once on
a system, it may execute embedded routines to alter, destroy, or monitor the system on which it is
running, then move on to the next system. A worm is effectively a virus that does not require human
interaction or other programs to infect systems.
3. Trojan Horse: Named after the Trojan horse of Greek mythology (and serving a very similar function),
a Trojan horse is a general term referring to programs that appear desirable, but actually contain
something harmful. A Trojan horse purports to do one thing that the user wants while secretly
performing other potentially malicious actions. For example, a user may download a game file, install it,
and begin playing the game. Unbeknownst to the user, the application may also install a virus, launch a
worm, or install a utility allowing an attacker to gain unauthorized access to the system remotely, all
without the user's knowledge.
4. Spyware: Prior to its use in malicious activity, spyware was typically a hidden application injected
through poor browser security by companies seeking to gain more information about a user's Internet
activity. Today, those methods are used to deploy other malware, collect private data, send advertising
or commercial messages to a system, or monitor system input, such as keystrokes or mouse clicks.
reduces the risks of external threats from malicious hackers. This is incorrect because a firewall can
reduce the risks of external threats from malicious hackers.
reduces the threat level on internal system. This is incorrect because a firewall can reduce the threat
level on internal system.
allows centralized management and control of services. This is incorrect because a firewall can allow
centralized management and control of services.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 465 or Kindle Location 12703.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14520
Question 13
Which of the following OSI layers provides routing and related services?
• Network Layer
• Presentation Layer
• Session Layer
• Physical Layer
Correct Answer is: Network Layer
Details:
Presentation Layer. Is incorrect because the Presentation Layer transforms the data to provide a
standard interface for the Application layer.
Session Layer. Is incorrect because the Session Layer controls the dialogues/connections (sessions)
between computers.
Physical Layer. Is incorrect because the Physical Layer defines all the electrical and physical specifications
for devices.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 433 or Kindle Location 11848
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 122242
Wikipedia http://en.wikipedia.org/wiki/OSI_Model
Question 14
Frame relay and X.25 networks are part of which of the following?
• Circuit-switched services
• Cell-switched services
• Packet-switched services
• Dedicated digital services
Details:
Frame relay and X.25 are both examples of packet-switching technologies. In packet-switched networks
there are no dedicated connections between endpoints, and data is divided into packets and
reassembled on the receiving end.
• Variable-length packets
• Statistical multiplexing
Variable-length packets are used for more efficient and flexible data transfers. These packets are
switched between the various segments in the network until the destination is reached.
Statistical multiplexing techniques control network access in a packet-switched network. The advantage
of this technique is that it accommodates more flexibility and more efficient use of bandwidth. Most of
today's popular LANs, such as Ethernet and Token Ring, are packet-switched networks.
Frame Relay often is described as a streamlined version of X.25, offering fewer of the robust capabilities,
such as windowing and retransmission of lost data, that are offered in X.25. This is because Frame Relay
typically operates over WAN facilities that offer more reliable connection services and a higher degree of
reliability than the facilities available during the late 1970s and early 1980s that served as the common
platforms for X.25 WANs. As mentioned earlier, Frame Relay is strictly a Layer 2 protocol suite, whereas
X.25 provides services at Layer 3 (the network layer) as well. This enables Frame Relay to offer higher
performance and greater transmission efficiency than X.25, and makes Frame Relay suitable for current
WAN applications, such as LAN interconnection.
Dedicated digital services. Is incorrect because a packet-switched network is commonly carried over a
digital method but is not dedicated. An example of a dedicated digital service might be a Permanent
Virtual Circuit (PVC), which does not use packet switching.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 535 or Kindle Location 14417.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 15476
Question 15
In the Open Systems Interconnect (OSI) Reference Model, at what level are TCP and UDP provided?
• Transport
• Network
• Presentation
• Application
Details:
The correct answer is: Transport. The Layer 4 Transport layer supports the TCP and UDP protocols in the
OSI Reference Model. This layer creates an end-to-end transportation between peer hosts. The
transmission can be connectionless and unreliable, such as UDP, or connection-oriented with error-free
delivery, such as TCP.
Network. The Network layer moves information between hosts that are not physically connected. It
deals with routing of information. IP is a protocol that is used in Network Layer. TCP and UDP do not
reside at the Layer 3 Network Layer in the OSI Reference Model.
Presentation. The Presentation Layer is concerned with the formatting of data into a standard
presentation such as
ASCII. TCP and UDP do not reside at the Layer 6 Presentation Layer in the OSI Reference Model.
Application. The Application Layer is a service for applications and Operating Systems data transmission,
for example HTTP, FTP and SMTP. TCP and UDP do not reside at the Layer 7 Application Layer in the OSI
Reference Model.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 434 & 435 or Kindle Location 11905.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242
Question 16
FTP, TFTP, SNMP, and SMTP are provided at what level of the Open Systems Interconnect (OSI)
Reference Model?
• Application
• Network
• Presentation
• Transport
Details:
The correct answer is: Application. The Layer 7 Application Layer of the Open Systems Interconnect (OSI)
Reference Model is a service for applications and Operating Systems data transmission, for example FTP,
TFTP, SNMP, and SMTP.
Network. The Network layer moves information between hosts that are not physically connected. It
deals with routing of information. IP is a protocol that is used in Network Layer. FTP, TFTP, SNMP, and
SMTP do not reside at the Layer 3 Network Layer in the OSI Reference Model.
Presentation. The Presentation Layer is concerned with the formatting of data into a standard
presentation such as
ASCII. FTP, TFTP, SNMP, and SMTP do not reside at the Layer 6 Presentation Layer in the OSI Reference
Model.
Transport. The Transport Layer creates an end-to-end transportation between peer hosts. The
transmission can be connectionless and unreliable, such as UDP, or connection-oriented with error-free
delivery, such as TCP. FTP, TFTP, SNMP, and SMTP do not reside at the Layer 4 Transport
Layer in the OSI Reference Model.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 436 & 437 or Kindle Location 11937.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242
Question 17
Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram
Protocol (UDP)?
Details:
Protocols represent certain rules and regulations that are essential in order to have data communication
between two entities. Internet Protocols work in sending and receiving data packets. This type of
communication may be either connection-less or connection-oriented.
On the other hand, UDP or User Datagram Protocol is of the connectionless type, where no feedback is
forwarded to the sender after delivery, whether the data transfer has taken place or not. Though it is
not a guaranteed method, once a connection is established, UDP works much faster than TCP, as
TCP has to rely on feedback and, accordingly, the entire 3-way handshake takes place.
UDP provides for Error Correction, TCP does not: UDP does not provide for error correction, while TCP
does.
UDP is useful for longer messages, rather than TCP: UDP is useful for shorter messages due to its
connectionless nature.
TCP does not guarantee delivery of data, while UDP does guarantee data delivery: The opposite is true.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 439 or Kindle Location 11984.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242
Question 18
Which OSI/ISO layer is responsible for determining the best route for data to be transferred?
• Session layer
• Physical layer
• Network layer
• Transport layer
Details:
The main responsibility of the network layer is to insert information into the packet's header so that it
can be properly routed. The protocols at the network layer must determine the best path for the packet
to take.
Session layer. The session layer is responsible for establishing a connection between two applications.
Physical layer. The physical layer is responsible for converting electronic impulses into bits and vice-
versa.
Transport layer. The transport layer is responsible for data transmission and error detection.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 433 or Kindle Location 11848.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242
Question 19
• Sniffers alter the source address of a computer to disguise and exploit weak authentication
methods.
Correct Answer is: Sniffers allow an attacker to monitor data passing across a network.
Details:
The correct answer is: Sniffers allow an attacker to monitor data passing across a network. Sniffers
exploit characteristics of several data-link technologies, including Token Ring and especially Ethernet.
The following answers are incorrect: Sniffers alter the source address of a computer to disguise and
exploit weak authentication methods. IP Spoofing is a network-based attack, which involves altering the
source address of a computer to disguise the attacker and exploit weak authentication methods.
Sniffers take over network connections. Session Hijacking tools allow an attacker to take over network
connections, kicking off the legitimate user or sharing a login.
Sniffers send IP fragments to a system that overlap with each other. Malformed Packet attacks are a
type of DoS attack that involves one or two packets that are formatted in an unexpected way. Many
vendor product implementations do not take into account all variations of user entries or packet types.
If software handles such errors poorly, the system may crash when it receives such packets. A classic
example of this type of attack involves sending IP fragments to a system that overlap with each other
(the fragment offset values are incorrectly set). Some unpatched Windows and Linux systems will crash
when they encounter such packets.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 15885
Question 20
Which of the following is electromagnetic interference (EMI) that is noise from the radiation generated
by the difference between the hot and ground wires?
• traverse-mode noise
• common-mode noise
• crossover-mode noise
• transversal-mode noise
Details:
The correct answer is: Common-mode noise is electrical noise between the hot and ground wire and
between the neutral and ground wire.
Common mode noise will disrupt the memory logic of the processor. Noise between neutral and ground
creates problems since the theoretical zero voltage between neutral and ground is utilized by
microprocessors and digital logic control systems as zero voltage reference. A voltage on the ground
wire will disrupt the stored memory variables of today's fast microprocessors. Common mode noise can
be incorrectly interpreted as data.
This noise can cause what appears to be "software glitches", erratic performance of the equipment and
partial or complete memory loss. Poor grounding also contributes significantly to common mode noise
and this dynamic situation can change with building age, material corrosion, soil conditions and
construction.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14441
Question 21
Which of the following protocols that provide integrity and authentication for IPSec, can also provide
non-repudiation in IPSec?
Details:
As per the RFC in reference, the Authentication Header (AH) protocol is a mechanism for providing
strong integrity and authentication for IP datagrams. It might also provide non-repudiation, depending
on which cryptographic algorithm is used and how keying is performed. For example, use of an
asymmetric digital signature algorithm, such as RSA, could provide non-repudiation.
IPSec is a suite of protocols that was developed to specifically protect IP traffic. IPv4 does not have any
integrated security, so IPSec was developed to bolt onto IP and secure the data the protocol transmits.
Where PPTP and L2TP work at the data link layer, IPSec works at the network layer of the OSI model.
The main protocols that make up the IPSec suite and their basic functionality are as follows: A.
Authentication Header (AH) provides data integrity, data origin authentication, and protection from
replay attacks. B. Encapsulating Security Payload (ESP) provides confidentiality, data-origin
authentication, and data integrity. C. Internet Security Association and Key Management Protocol
(ISAKMP) provides a framework for security association creation and key exchange. D. Internet Key
Exchange (IKE) provides authenticated keying material for use with ISAKMP.
The following are incorrect answers:
ESP is a mechanism for providing integrity and confidentiality to IP datagrams. It may also provide
authentication, depending on which algorithm and algorithm mode are used. Non-repudiation and
protection from traffic analysis are not provided by ESP (RFC 1827).
SSL is a secure protocol used for transmitting private information over the Internet. It works by using a
public key to encrypt data that is transferred of the SSL connection. OIG 2007, page 976
SSH-2 is a secure, efficient, and portable version of SSH (Secure Shell) which is a secure replacement for
telnet.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 256 or Kindle Location 7457.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14868
Question 22
• Hybrid L2PP
• IPSec
• L2F
• L2TP
IPsec is short for IP Security, a set of protocols developed by the IETF to support the secure
exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private
Networks (VPNs).
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications
by authenticating and encrypting each IP packet of a communication session.
Internet Protocol security (IPSec) is a framework of open standards for helping to ensure private, secure
communications over Internet Protocol (IP) networks through the use of cryptographic security services.
IPSec supports network-level data integrity, data confidentiality, data origin authentication, and replay
protection. Because IPSec is integrated at the Internet layer (layer 3), it provides security for almost all
protocols in the TCP/IP suite, and because IPSec is applied transparently to applications, there is no need
to configure separate security for each application that uses TCP/IP.
• Network-based attacks from untrusted computers, attacks that can result in the denial-of-
service of applications, services, or the network
• Data corruption
• Data theft
• User-credential theft
Transport mode encrypts only the data portion (payload) of each packet, but leaves the header
untouched.
The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an
IPSec-compliant device decrypts each packet.
For IPsec to work, the sending and receiving devices must share a public key. This is accomplished
through a protocol known as Internet Security Association and Key Management Protocol/Oakley
(ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using a
digital certificate.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 255 or Kindle Location 7457.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14869
Question 23
• It requires the authentic distribution of the new root CA certificate to all PKI participants
• It requires the collection of the old root CA certificates from all the users
Correct Answer is: It requires the authentic distribution of the new root CA certificate to all PKI
participants
Details:
The correct answer is: It requires the authentic distribution of the new root CA certificate to all PKI
participants.
The main task here is the authentic distribution of the new root CA certificate, as the new trust anchor, to all
the PKI participants (e.g. the users).
In some rollover scenarios there is no automatic way to do this; often an explicit assignment of trust by each
user is needed, which can be very costly.
Other methods make use of the old root CA certificate for automatic trust establishment (see PKIX
reference), but these solutions work well only for scenarios with currently valid root CA certificates
(and not for emergency cases, e.g. compromise of the current root CA certificate).
The rollover of the root CA certificate is a specific and delicate problem and is therefore often ignored
during PKI deployment.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14148
Camphausen, I.; Petersen, H.; Stark, C.: Konzepte zum Root CA Zertifikatswechsel, conference Enterprise
Security 2002, March 26-27, 2002, Paderborn; RFC 2459 : Internet X.509 Public Key Infrastructure
Certificate and CRL Profile.
Question 24
• Tamper resistant, mobile storage and application of private keys of the users
Correct Answer is: Tamper resistant, mobile storage and application of private keys of the users
Details:
The correct answer is: tamper resistant, mobile storage and application of private keys of the users.
Tamper-resistant microprocessors are used to store and process private or sensitive information, such
as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the
information, the chips are designed so that the information is not accessible through external means
and can be accessed only by the embedded software, which should contain the appropriate security
measures.
Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips
used in smartcards, as well as the Clipper chip.
It has been argued that it is very difficult to make simple electronic devices secure against tampering,
because numerous attacks are possible, including:
• physical attack of various forms (microprobing, drills, files, solvents, etc.)
• measuring the precise time and power requirements of certain operations (see power analysis)
Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if
they detect penetration of their security encapsulation or out-of-specification environmental
parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its
power supply has been crippled.
Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and
perhaps obtain numerous other samples for testing and practice, means that it is practically impossible
to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most
important elements in protecting a system is overall system design. In particular, tamper-resistant
systems should "fail gracefully" by ensuring that compromise of one device does not compromise the
entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the
expected return from compromising a single device (plus, perhaps, a little more for kudos). Since the
most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out,
carefully designed systems may be invulnerable in practice.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 566 & 567 or Kindle Location 15169 & 15200.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 17186
Question 1
• CSU/DSU.
• CSMA/CD.
• TCP/IP.
• FIFO.
Correct Answer is: CSMA/CD.
Details:
Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD) to minimize the effect
of broadcast collisions.
CSU/DSU is incorrect because a Channel Service Unit/Digital Service Unit (CSU/DSU) is a digital interface
normally used to connect a router to a digital circuit.
FIFO is incorrect; it is a distractor. First In, First Out (FIFO) is a processing methodology in
which requests are handled first come, first served.
CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition
Page 489 or Kindle Location 13324
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 15189
Wikipedia http://en.wikipedia.org/wiki/FIFO
Question 2
When referring to the data structures of a packet, the term Protocol Data Unit (PDU) is used. What is the
proper term for a single unit of TCP data at the transport layer?
• TCP packet.
• TCP datagram.
• TCP frame.
• TCP segment.
Details:
A TCP segment is the unit of TCP data transmitted at the Transport Layer. TCP is a segment-based
network technology.
The message is sent to the transport layer, where TCP processes the data. The bundle of data is
now a segment. If the message is being transmitted over TCP, it is referred to as a segment.
TCP datagram is incorrect because a TCP datagram is only a distractor; IP datagram would be the proper
terminology. TCP is a segment-based network technology.
TCP frame is incorrect because a TCP frame is only a distractor; Ethernet frame would be the proper
terminology. TCP is a segment-based network technology.
TCP packet is incorrect because a TCP packet is only a distractor. TCP is a segment-based network
technology.
CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition
Page 430 or Kindle Location 11791
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12384
Wikipedia http://en.wikipedia.org/wiki/Transport_layer
Wikipedia http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
http://www.infocellar.com/networks/osi-model.htm
Question 4
What is the proper term for the Protocol Data Unit used at the Network Layer of the OSI model?
• IP segment.
• IP fragment.
• IP frame.
• IP Packet.
Details:
PDUs are relevant in relation to layers of the OSI and DoD model as follows:
• The Layer 4 (Transport Layer) PDU is the segment for TCP or the datagram for UDP
• The Layer 5-6-7 (Application Layer) PDU is the data, which can be clear text, encrypted, or
compressed
Given a context pertaining to a specific OSI layer, PDU is sometimes used as a synonym for its
representation at that layer.
See graphic below to see how the terms would be used in the DoD TCP model.
In general, the term packet applies to any message formatted as a packet, while the term datagram is
generally reserved for packets of an "unreliable" service.
A "reliable" service is one that notifies the user if delivery fails, while an "unreliable" one does not
notify the user if delivery fails. For example, IP provides an unreliable service.
Together, TCP and IP provide a reliable service, whereas UDP and IP provide an unreliable one. All these
protocols use packets, but UDP packets are generally called datagrams.
If a network does not guarantee packet delivery, then it becomes the host's responsibility to provide
reliability by detecting and retransmitting lost packets. Subsequent experience on the ARPANET
indicated that the network itself could not reliably detect all packet delivery failures, and this pushed
responsibility for error detection onto the sending host in any case. This led to the development of the
end-to-end principle, which is one of the Internet's fundamental design assumptions.
IP segment is incorrect because IP segment is a distractor; the correct terminology is TCP segment. IP is
a datagram-based technology.
IP frame is incorrect because IP frame is a distractor; the correct terminology is Ethernet frame. IP is a
datagram-based technology.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 430 or Kindle Location 11790
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 16113
Wikipedia http://en.wikipedia.org/wiki/Internet_Protocol
http://docwiki.cisco.com/wiki/Internetworking_Basics
Question 7
In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by
classes. Which of the following would have been true of a Class B network?
• The first two bits of the IP address would be set to one, and the third bit set to zero.
• The first bit of the IP address would be set to one and the second bit set to zero.
Correct Answer is: The first bit of the IP address would be set to one and the second bit set to zero.
Details:
The correct answer is: The first bit of the IP address would be set to one and the second bit set to zero.
Each Class B network address has a 16-bit network prefix, with the two highest order bits set to 1-0.
The first bit of the IP address would be set to zero is incorrect because this would be a Class A network
address.
The first two bits of the IP address would be set to one, and the third bit set to zero is incorrect
because this would be a Class C network address.
The first three bits of the IP address would be set to one is incorrect because this is a distractor. Classes D
and E have the first three bits set to 1. For Class D the 4th bit is 0, and for Class E the 4th bit is 1.
For Class E, the addresses are 240.0.0.0 - 255.255.255.255 (reserved for future usage).
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 445 or Kindle Location 12130
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 35791
3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf
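As an added example, not taken from the study guide, the following Go program applies the classful rule explained above: it reads the high-order bits of the first octet to decide the class and, for classes A to C, derives the default prefix length and the classful network. The sample addresses in main are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// Classful records what the leading bits of an IPv4 address implied before CIDR.
type Classful struct {
	Class      byte   // 'A' through 'E'
	PrefixBits int    // classful network prefix length; 0 for classes D and E
	Network    string // classful network in CIDR notation; empty for D and E
}

// classify applies the pre-CIDR rule to the first octet: a leading 0 bit means
// class A (/8), bits 10 mean class B (/16), 110 mean class C (/24), 1110 mean
// class D (multicast) and 1111 mean class E (240.0.0.0 to 255.255.255.255, reserved).
func classify(addr string) (Classful, error) {
	ip := net.ParseIP(addr).To4()
	if ip == nil {
		return Classful{}, fmt.Errorf("%q is not an IPv4 address", addr)
	}
	first := ip[0]
	var c Classful
	switch {
	case first&0x80 == 0x00: // 0xxxxxxx
		c = Classful{Class: 'A', PrefixBits: 8}
	case first&0xC0 == 0x80: // 10xxxxxx
		c = Classful{Class: 'B', PrefixBits: 16}
	case first&0xE0 == 0xC0: // 110xxxxx
		c = Classful{Class: 'C', PrefixBits: 24}
	case first&0xF0 == 0xE0: // 1110xxxx
		c = Classful{Class: 'D'}
	default: // 1111xxxx
		c = Classful{Class: 'E'}
	}
	if c.PrefixBits > 0 {
		// Mask the address with the classful mask to keep only the network portion.
		network := ip.Mask(net.CIDRMask(c.PrefixBits, 32))
		c.Network = fmt.Sprintf("%s/%d", network, c.PrefixBits)
	}
	return c, nil
}

// leadingBits renders the first octet in binary so the rule can be read off directly.
func leadingBits(addr string) string {
	ip := net.ParseIP(addr).To4()
	if ip == nil {
		return ""
	}
	return fmt.Sprintf("%08b", ip[0])
}

func main() {
	// Constructed sample addresses: one per class plus the top of class E.
	samples := []string{"10.1.2.3", "172.16.5.9", "192.168.1.77", "224.0.0.5", "240.0.0.1", "255.255.255.255"}
	for _, a := range samples {
		c, err := classify(a)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-16s first octet %s -> class %c  network %s\n", a, leadingBits(a), c.Class, c.Network)
	}
}
```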
Question 12
• Smurfing
• Data diddling
• Sniffing
• IP Spoofing
Details:
Sniffers are typically devices that can collect information from a communication medium, such as a
network. These devices can range from specialized equipment to basic workstations with customized
software.
A sniffer can collect information about most, if not all, attributes of the communication. The most
common method of sniffing is to plug a sniffer into an existing network device like a hub or switch. A hub
(which is designed to relay all traffic passing through it to all of its ports) will automatically begin sending
all the traffic on that network segment to the sniffing device. On the other hand, a switch (which is
designed to limit what traffic gets sent to which port) will have to be specially configured to send all
traffic to the port where the sniffer is plugged in.
Another method for sniffing is to use a network tap, a device that splits a network transmission
into two identical streams, one going to the original network destination and the other going to the
sniffing device. Each of these methods has its advantages and disadvantages, including cost, feasibility,
and the desire to maintain the secrecy of the sniffing activity.
The packets captured by the sniffer are decoded and then displayed by the sniffer. Therefore, if the
username/password are contained in a packet or packets traversing the segment the sniffer is
connected to, it will capture and display that information (and any other information on that segment it
can see).
Of course, if the information is encrypted via a VPN, SSL, TLS, or similar technology, the information is
still captured and displayed, but it is in an unreadable format.
• Data diddling involves changing data before or as it is entered into a computer, or after it is
extracted.
• Spoofing is forging an address and inserting it into a packet to disguise the origin of the
communication - or causing a system to respond to the wrong address.
• Smurfing would refer to the smurf attack, where an attacker sends spoofed packets to the
broadcast address on a gateway in order to cause a denial of service.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 15859
You should note that the term "sniffer" is a registered trademark of the company Network General.
A "network sniffer" is actually a slang term for what is properly known as a "protocol analyzer". Most
people call them sniffers, but legally, only Network General can use that term.
Question 13
• Packet-switching technology
Details:
The correct answer is: Wireless network communications
The 802.11 standard outlines how wireless clients and APs communicate, lays out the specifications of
their interfaces, dictates how signal transmission should take place, and describes how authentication,
association, and security should be implemented.
Public Key Infrastructure (PKI): Public Key Infrastructure is a supporting infrastructure to manage public
keys. It is not part of the IEEE 802 Working Group standard.
Packet-switching technology: A packet-switching technology is not included in the IEEE 802 Working
Group standard. It is a technology wherein messages are broken up into packets, which then travel
along different routes to the destination.
The OSI/ISO model: The Open System Interconnect model is a seven-layer model defined as an
international standard describing network communications.
802.11 refers to a family of specifications developed by the IEEE for Wireless LAN technology. 802.11
specifies an over-the-air interface between a wireless client and a base station or between two wireless
clients. The IEEE accepted the specification in 1997. There are several specifications in the 802.11 family:
• 802.11: applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band
using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).
• 802.11a: an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in
the 5 GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather
than FHSS or DSSS.
• 802.11b (also referred to as 802.11 High Rate or Wi-Fi): an extension to 802.11 that applies to
wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz
band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing
wireless functionality comparable to Ethernet.
• 802.11g: applies to wireless LANs and provides 20+ Mbps in the 2.4 GHz band.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 455 or Kindle Location 12426.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 13559
Question 14
• It can work with Metropolitan area networks (MANs) or Wide area networks (WANs).
Details:
The correct answer is: It is unrestricted and publicly available. The concept of an Intranet is to limit
access and restrict information to only the desired individuals, such as corporate employees. Public
information would be posted on an external website on the Internet for public consumption. Although
an Intranet is designed for sharing of information within an organization, consideration should be given
to how the information could be misused for an insider attack.
It can work with Metropolitan area networks (MANs) or Wide area networks (WANs) is incorrect. Although
commonly assumed to be contained in a Local Area Network (LAN), an Intranet is not limited to local
networks only and can span MANs and WANs.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 463 or Kindle Location 12666.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12622
Notice the use of the word "the" in front of Intranet. This is an intentional method of misleading one into
thinking of the Internet. Pay close attention to how the questions are worded, as one might otherwise assume the
meaning of the question.
Question 16
Within the OSI model, at what layer are some of the SLIP, CSLIP, PPP control functions provided?
• Application
• Presentation
• Transport
• Data Link
Details:
The correct answer is: Data Link. The Data Link layer of the OSI/ISO model provides the SLIP, CSLIP and PPP protocols.
RFC 1661 - The Point-to-Point Protocol (PPP) specifies that the Point-to-Point Protocol (PPP) provides a
standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised
of three main components:
2 A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
3 A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer
protocols.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 431 or Kindle Location 11818.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242
Question 19
• El Gamal
• Buffer Overflow
• Teardrop
• Smurf
Details:
The correct answer is: El Gamal. El Gamal is a public-key cryptosystem, while the others are types of DoS
attacks.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 706 or Kindle Location 18513.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 16852
Question 20
• data signature
• data encryption
Details:
The correct answer is: peer authentication and key exchange.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14868
RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand & HARKINS, Dan, Ipsec: The New
Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR;
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
Question 21
In which phase of Internet Key Exchange (IKE) protocol is peer authentication performed?
• Phase 1
• Phase 2
Details:
The Internet Key Exchange (IKE) protocol is a key management protocol standard that is used in
conjunction with the IPSec standard. IKE enhances IPSec by providing additional features, flexibility, and
ease of configuration for the IPSec standard. IPSec can, however, be configured without IKE, for example by
manually configuring the gateways that communicate with each other.
A security association (SA) is a relationship between two or more entities that describes how the entities
will use security services to communicate securely.
In phase 1 of this process, IKE creates an authenticated, secure channel between the two IKE peers,
called the IKE security association. The Diffie-Hellman key agreement is always performed in this phase.
In phase 2 IKE negotiates the IPSec security associations and generates the required key material for
IPSec. The sender offers one or more transform sets that are used to specify an allowed combination of
transforms with their respective settings.
Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both
peers.
Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14868
DORASWAMY, Naganand & HARKINS, Dan, Ipsec: The New Security Standard for the Internet, Intranets,
and Virtual Private Networks, 1999, Prentice Hall PTR;
Reference: http://www.ciscopress.com/articles/article.asp?p=25474
Question 22
In SSL/TLS protocol, what kind of authentication is supported when you establish a secure session
between a client and a server?
• Peer-to-peer authentication
Details:
The correct answer is: server authentication (mandatory) and client authentication (optional)
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 13910
RESCORLA, Eric, SSL and TLS: Designing and Building Secure Systems, 2000, Addison Wesley Professional;
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
Question 23
In a hierarchical PKI the highest CA is usually called the Root CA. It is also referred to by which one of the
following terms?
• Subordinate CA
• Big CA
• Master CA
• Top CA
Details:
Also note that other terms, such as Certification Authority Anchor (CAA), are sometimes used within
some government organizations. Top Level CA is another common term for the top-level CA, and Top
Level Anchor could also be used.
Arsenault, Turner, Internet X.509 Public Key Infrastructure: Roadmap, Chapter "Terminology ".
Question 24
Details:
More and more organizations are setting up their own internal PKIs. When these independent PKIs need
to interconnect to allow for secure communication to take place (either between departments or
different companies), there must be a way for the two root CAs to trust each other.
These two CAs do not have a CA above them that they can both trust, so they must carry out cross
certification. Cross certification is the process undertaken by CAs to establish a trust relationship in
which they rely upon each other's digital certificates and public keys as if they had issued them
themselves.
When this is set up, a CA for one company can validate digital certificates from the other company and
vice versa.
http://www.entrust.com/resources/pdf/cross_certification.pdf;
RFC 2459: Internet X.509 Public Key Infrastructure Certificate and CRL Profile; and
FORD, Warwick & BAUM, Michael S., Secure Electronic Commerce: Building the Infrastructure for Digital
Signatures and Encryption (2nd Edition), 2000, Prentice Hall PTR, Page 254.
Question 25
Which of the following choices is a valid Public Key Cryptography Standard (PKCS) addressing RSA?
• PKCS#11
• PKCS#1
• PKCS-RSA
• PKCS #17799
Details:
PKCS #1 provides recommendations for the implementation of public-key cryptography based on
the RSA algorithm, covering the following aspects: cryptographic primitives; encryption schemes;
signature schemes with appendix; and ASN.1 syntax for representing keys and for identifying the schemes.
Question 26
What does the directive of the European Union on Electronic Signatures deal with?
• Non repudiation
Details:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 9356
FORD, Warwick & BAUM, Michael S., Secure Electronic Commerce: Building the Infrastructure for Digital
Signatures and Encryption (2nd Edition), 2000, Prentice Hall PTR, Page 589; Directive 1999/93/EC of 13
December 1999 on a Community framework for electronic signatures.
Question 27
• Verification of the validity of all certificates of the certificate chain to the root certificate
Correct Answer is: Verification of the validity of all certificates of the certificate chain to the root
certificate
Details:
The correct answer is: Verification of the validity of all certificates of the certificate chain to the root
certificate
With the advent of public key cryptography (PKI), it is now possible to communicate securely with
untrusted parties over the Internet without prior arrangement. One of the necessities arising from such
communication is the ability to accurately verify someone's identity (i.e. whether the person you are
communicating with is indeed the person who he/she claims to be). In order to be able to perform an
identity check for a given entity, there should be a fool-proof method of binding the entity's public key
to its unique domain name (DN).
An X.509 digital certificate issued by a well known certificate authority (CA), like Verisign, Entrust, Thawte,
etc., provides a way of positively identifying the entity by placing trust on the CA to have performed the
necessary verifications. An X.509 certificate is a cryptographically sealed data object that contains the
entity's unique DN, public key, serial number, validity period, and possibly other extensions.
The Windows Operating System offers a Certificate Viewer utility which allows you to double-click on
any certificate and review its attributes in a human-readable format. For instance, the "General" tab in
the Certificate Viewer window (see below) shows who the certificate was issued to as well as the
certificate's issuer, validation period and usage functions.
The Certification Path tab contains the hierarchy for the chain of certificates. It allows you to select the
certificate issuer or a subordinate certificate and then click on View Certificate to open the certificate in
the Certificate Viewer.
Each end-user certificate is signed by its issuer, a trusted CA, by taking a hash value (MD5 or SHA-1) of the
ASN.1 DER (Distinguished Encoding Rules) encoded object and then encrypting the resulting hash with
the issuer's private key (the CA's private key); this is the digital signature. The encrypted data is stored in the
signatureValue attribute of the entity's public certificate.
Once the certificate is signed by the issuer, a party who wishes to communicate with this entity can then
take the entity's public certificate and find out who the issuer of the certificate is. Once the issuer of
the certificate (the CA) is identified, it is possible to decrypt the value of the signatureValue attribute
in the entity's certificate using the issuer's public key to retrieve the hash value. This hash value is then
compared with an independently calculated hash of the entity's certificate. If the two hash values
match, then the information contained within the certificate has not been altered and, therefore,
one can trust that the CA has done enough background checking to ensure that all details in the entity's
certificate are accurate.
The process of cryptographically checking the signatures of all certificates in the certificate chain is
called key chaining. An additional check that is essential to key chaining is verifying that the value of the
"subjectKeyIdentifier" extension in one certificate matches the same in the subsequent certificate.
Similarly, the process of comparing the subject field of the issuer certificate to the issuer field of the
subordinate certificate is called name chaining. In this process, these values must match for each pair of
adjacent certificates in the certification path in order to guarantee that the path represents an unbroken
chain of entities relating directly to one another and that it has no missing links.
Together, key chaining and name chaining validate the certification path by ensuring the validity of all
certificates of the certificate chain up to the root certificate.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 244 or Kindle Location 7166.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14171
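As an added example, not from the study guide, the following Go program performs the certification-path validation described above using only the standard library. It builds a constructed three-level hierarchy (Demo Root CA, Demo Issuing CA and a server certificate; all names, serials and lifetimes are made up) and then walks the path leaf to root, applying name chaining, key chaining (the subordinate certificate's authorityKeyIdentifier is compared with the issuer's subjectKeyIdentifier, which is the concrete form of the key-identifier check above) and the validity-period check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustCert generates a P-256 key and issues a certificate for cn signed by parent,
// or self-signed when parent is nil; it panics on error because it only builds
// constructed demo data. For CA templates Go derives the subjectKeyIdentifier
// from the public key and copies the parent's into the child's authorityKeyIdentifier.
func mustCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed trust anchor
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// checkPath validates a path ordered leaf first, trust anchor last. For each
// adjacent pair it applies name chaining (child issuer equals parent subject) and
// key chaining (child authorityKeyIdentifier equals parent subjectKeyIdentifier and
// the parent's key verifies the child's signature); every validity period is
// checked against now, and the root is verified against its own key.
func checkPath(path []*x509.Certificate, now time.Time) error {
	if len(path) == 0 {
		return fmt.Errorf("empty certification path")
	}
	for i, c := range path {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("%q is outside its validity period", c.Subject.CommonName)
		}
		signer := c
		if i < len(path)-1 {
			signer = path[i+1]
			if !bytes.Equal(c.RawIssuer, signer.RawSubject) { // name chaining on DER names
				return fmt.Errorf("name chaining failed: %q vs %q", c.Issuer.CommonName, signer.Subject.CommonName)
			}
			if !bytes.Equal(c.AuthorityKeyId, signer.SubjectKeyId) { // key chaining
				return fmt.Errorf("key chaining failed below %q", signer.Subject.CommonName)
			}
		}
		// Hashes the DER TBSCertificate and verifies signatureValue with the signer's
		// public key: the "recover the hash from the signature and compare" step.
		if err := c.CheckSignatureFrom(signer); err != nil {
			return fmt.Errorf("signature on %q: %w", c.Subject.CommonName, err)
		}
	}
	return nil
}

// scenarios builds Demo Root CA -> Demo Issuing CA -> server.example.test and
// reports which candidate paths checkPath accepts.
func scenarios() map[string]bool {
	root, rootKey := mustCert("Demo Root CA", true, nil, nil, 1)
	sub, subKey := mustCert("Demo Issuing CA", true, root, rootKey, 2)
	leaf, _ := mustCert("server.example.test", false, sub, subKey, 3)
	rogue, _ := mustCert("Demo Root CA", true, nil, nil, 4) // same name, different key
	now := time.Now()
	full := []*x509.Certificate{leaf, sub, root}
	return map[string]bool{
		"complete path":        checkPath(full, now) == nil,
		"missing intermediate": checkPath([]*x509.Certificate{leaf, root}, now) == nil,
		"impostor root":        checkPath([]*x509.Certificate{leaf, sub, rogue}, now) == nil,
		"expired":              checkPath(full, now.Add(48*time.Hour)) == nil,
	}
}

func main() {
	for name, ok := range scenarios() {
		fmt.Printf("%-22s valid=%v\n", name, ok)
	}
}
```

The "impostor root" case passes name chaining (same subject name) but fails key chaining, which is exactly why the name check alone is not sufficient.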
Question 28
• Delta CRL
Details:
The correct answer is: CA revocation mailing list, because it would not provide adequate information for
certificate revocation.
The following are incorrect answers because they are all suitable methods.
A Delta CRL is a CRL that only provides information about certificates whose statuses have changed since
the issuance of a specific, previously issued CRL.
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation
status of an X.509 digital certificate.
A Distribution Point CRL, or CRL Distribution Point, is a location specified in the CRL Distribution Point (CRL
DP) X.509 version 3 certificate extension when the certificate is issued.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 246 or Kindle Location 7728.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14238
Question 29
What is the name of the transformation of a string of characters into a usually shorter fixed-length value
or key that represents the original string? Such a transformation cannot be reversed.
• DES
• One-way hash
• Transposition
• Substitution
Details:
The ideal hash function has three main properties - it is extremely easy to calculate a hash for any given
data, it is extremely difficult or almost impossible in a practical sense to calculate a text that has a given
hash, and it is extremely unlikely that two different messages, however close, will have the same hash.
Functions with these properties are used as hash functions for a variety of purposes, both within and
outside cryptography. Practical applications include message integrity checks, digital signatures,
authentication, and various information security applications. A hash can also act as a concise
representation of the message or document from which it was computed, and allows easy indexing of
duplicate or unique data files.
In various standards and applications, the two most commonly used hash functions were MD5 and SHA-1.
In 2005, security flaws were identified in both of these, namely that a mathematical weakness existed,
indicating that a stronger hash function would be desirable. Both have since been broken in practice:
MD5 collisions are trivial to produce, and a SHA-1 collision was demonstrated in 2017. In 2007 the National
Institute of Standards and Technology announced a competition to design a hash function to be named
SHA-3 and made the subject of a FIPS standard; Keccak was selected in 2012 and published as FIPS 202 in 2015.
A hash function takes a string of any length as input and produces a fixed-length string which acts as a
kind of "fingerprint" for the data provided. A person knowing only the hash cannot work out the original
message, but someone holding the original message can show that the hash was computed from that message
by recomputing it. A cryptographic hash function should behave as much as possible like a random function
while still being deterministic and efficiently computable.
A cryptographic hash function is considered "insecure" from a cryptographic point of view if either of
the following is computationally feasible:
• finding a message that has a given message digest (a preimage), or a second message with the same
digest as a given message (a second preimage);
• finding "collisions", wherein two different messages have the same message digest.
An attacker who can do either of these things might, for example, use them to substitute an authorized
message with an unauthorized one.
Ideally, it should not even be feasible to find two messages whose digests are substantially similar; nor
would one want an attacker to be able to learn anything useful about a message given only its digest. Of
course the attacker learns at least one piece of information, the digest itself, which for instance gives the
attacker the ability to recognise the same message should it occur again.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 199 or Kindle Location 6025.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 9998
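The three properties above (fixed-length output for any input, one-way behaviour, and a small change in the input producing an unrelated digest) can be observed directly. The following is an added example written for this page, not code from the study guides; the contract text and the tampered copy are constructed inputs.

```python
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data`; the length depends only on the algorithm, never on the input size."""
    return hashlib.new(algorithm, data).hexdigest()


def hamming_distance_bits(a_hex: str, b_hex: str) -> int:
    """Number of differing bits between two digests of the same algorithm (avalanche check)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def verify_integrity(data: bytes, stored_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare it in constant time, as an integrity check would."""
    return hmac.compare_digest(digest_hex(data, algorithm), stored_hex)


def digest_lengths(data: bytes) -> dict:
    """Hex-digest length per algorithm for one input: shows the fixed-length property."""
    return {alg: len(digest_hex(data, alg)) for alg in ("md5", "sha1", "sha256", "sha3_256")}


if __name__ == "__main__":
    # Constructed inputs: a short message and a copy with a single character changed.
    original = b"Pay 100 EUR to account 12345"
    tampered = b"Pay 900 EUR to account 12345"
    stored = digest_hex(original)
    print("sha256(original) =", stored)
    print("digest lengths, 1-byte input:  ", digest_lengths(b"x"))
    print("digest lengths, 1 MiB input:   ", digest_lengths(b"x" * 2**20))
    print("bits changed by a one-character edit:",
          hamming_distance_bits(stored, digest_hex(tampered)), "of 256")
    print("original verifies:", verify_integrity(original, stored))
    print("tampered verifies:", verify_integrity(tampered, stored))
```

The comparison uses hmac.compare_digest rather than == so that a verifier does not leak, through timing, how many leading bytes of a candidate digest were correct. MD5 and SHA-1 are included only to show their shorter output; neither should be used where collision resistance matters.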
Question 30
Which of the following reviews system and event logs to detect attacks on the host and determine if the
attack was successful?
• server-based IDS
• firewall-based IDS
• bastion-based IDS
• host-based IDS
Details:
A host-based IDS can review the system and event logs in order to detect an attack on the host and to
determine if the attack was successful.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 719 or Kindle Location 18872.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 35791
Question 31
Attributes that characterize an attack are stored for reference using which of the following Intrusion
Detection System (IDS) ?
• inferent-based IDS
• signature-based IDS
• event-based IDS
Details:
In a signature-based ID, signatures or attributes, which characterize an attack, are stored for reference.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 716 & 717 or Kindle Location 18812.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 16013
Question 32
• it may loosely detect a non-attack event that had caused a momentary anomaly in the system.
• It may falsely detect a non-attack event that had caused a momentary anomaly in the system.
• it may correctly detect a non-attack event that had caused a momentary anomaly in the
system.
• it may truly detect a non-attack event that had caused a momentary anomaly in the system.
Correct Answer is: It may falsely detect a non-attack event that had caused a momentary anomaly in the
system.
Details:
The Correct Answer is : It may falsely detect a non-attack event that had caused a momentary anomaly
in the system.
The primary drawback of a behavior-based IDS is that it often raises a high number of false alarms, also
called false alerts or false positives, triggered by non-attack events that caused a momentary anomaly in
the system.
A statistical anomaly based IDS is a behavioral-based system. Behavioral-based IDS products do not use
predefined signatures, but rather are put in a learning mode to build a profile of an environment's
normal activities. This profile is built by continually sampling the environment's activities. The longer the
IDS is kept in learning mode, in most instances, the more accurate a profile it will build and the better
protection it will provide. After this profile is built, all future traffic and activities are compared to it. The
same type of sampling that was used to build the profile takes place, so the same type of data is being
compared. Anything that does not match the profile is seen as an attack, in response to which the IDS
sends an alert. With the use of complex statistical algorithms, the IDS looks for anomalies in the network
traffic or user activity. Each packet is given an anomaly score, which indicates its degree of irregularity. If
the score is higher than the established threshold of normal behavior, then the preconfigured action will
take place.
The benefit of using a statistical anomaly based IDS is that it can react to new attacks. It can detect zero-day
attacks, meaning an attack that is new to the world and for which no signature or fix has been developed yet.
These products are also capable of detecting "low and slow" attacks, in which the attacker tries to
stay under the radar by sending packets little by little over a long period of time. The IDS should be able
to detect these types of attacks because they are different enough from the baseline profile. Now for
the bad news. Since the only thing that is normal about a network is that it is constantly changing,
developing the correct profile that will not provide an overwhelming number of false positives can be
difficult. Many IT staff members know all too well this dance of chasing down alerts that end up being
benign traffic or activity.
In fact, some environments end up turning off their IDS because of the amount of time these activities
take up. (Proper education on tuning and configuration will reduce the number of false positives.)
If an attacker detects there is an IDS on a network, she will then try to detect the type of IDS it is so she
can properly circumvent it. With a behavioral-based IDS, the attacker could attempt to integrate her
activities into the behavior pattern of the network traffic.
That way, her activities are seen as normal by the IDS and thus go undetected. It is a good idea to ensure
no attack activity is under way when the IDS is in learning mode. If this takes place, the IDS will never
alert you of this type of attack in the future because it sees this traffic as typical of the environment. If a
corporation decides to use a statistical anomaly based IDS, it must ensure that the staff members who
are implementing and maintaining it understand protocols and packet analysis. Because this type of an
IDS sends generic alerts, compared to other types of IDSs, it is up to the network engineer to figure out
what the actual issue is. For example, a signature-based IDS reports the type of attack that has been
identified, while a rule-based IDS identifies the actual rule the packet does not comply with. In a
statistical anomaly based IDS, all the product really understands is that something abnormal has
happened, which just means the event does not match the profile.
For your exam you should know the information below:
• Protocol Anomaly-Based systems Examine network traffic to determine if what it sees conforms
to the defined standard for that protocol, for example, as it is defined in a Request for Comment or RFC.
• Statistical-Anomaly-Based systems Establish a baseline of normal traffic patterns over time and
detect any deviations from that baseline. Some also use heuristics to evaluate the intended behavior of
network traffic to determine if it intended to be malicious or not. Most modern systems combine two or
more of these techniques together to provide a more accurate analysis before it decides whether it sees
an attack or not.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 717 or Kindle Location 18812.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 21779
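Questions 30 to 32 describe three detection approaches: a host-based IDS reviewing system logs to see whether an attack succeeded, signature matching against stored attack attributes, and statistical anomaly detection with its false-positive problem. The block below is an added example for this page, not code from the study guides or any IDS product; the log lines and the learned baseline counts are constructed, and the signature names are illustrative.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sshd/sudo lines in syslog format; not captured from a real host.
SAMPLE_LOG = """\
Jan 10 08:00:01 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Jan 10 08:00:07 web1 sshd[2214]: Failed password for invalid user admin from 203.0.113.9 port 4433 ssh2
Jan 10 08:00:08 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 4434 ssh2
Jan 10 08:00:09 web1 sshd[2216]: Failed password for root from 203.0.113.9 port 4435 ssh2
Jan 10 08:00:15 web1 sshd[2220]: Accepted password for root from 203.0.113.9 port 4440 ssh2
Jan 10 08:01:02 web1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+)")

# Signature-based detection: each stored pattern is an attribute that characterizes an attack.
SIGNATURES = [
    ("ssh-invalid-user-guess", re.compile(r"Failed password for invalid user")),
    ("ssh-root-password-login", re.compile(r"Accepted password for root")),
]

# Constructed events-per-minute counts recorded while the IDS was in learning mode.
LEARNED_BASELINE = [12, 11, 13, 12, 10, 12, 13, 11, 12, 12]


def signature_scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (signature name, log line) for every line that matches a stored signature."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((name, line.strip()))
    return hits


def successful_bruteforce_sources(lines: Iterable[str], min_failures: int = 3) -> List[str]:
    """Host-based correlation: sources with >= min_failures failed logins followed by an accepted one.

    This is the 'determine if the attack was successful' step a HIDS performs over event logs.
    """
    failures: Dict[str, int] = defaultdict(int)
    succeeded: List[str] = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(3)] >= min_failures and m.group(3) not in succeeded:
            succeeded.append(m.group(3))
    return succeeded


def anomaly_score(baseline: List[int], observed: int) -> float:
    """z-score of an observed per-minute event count against the learned baseline."""
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline) or 1.0
    return (observed - mean) / stdev


def is_anomalous(baseline: List[int], observed: int, threshold: float = 3.0) -> bool:
    """Flag the minute when its score exceeds the threshold; the IDS only knows 'this is unusual'."""
    return abs(anomaly_score(baseline, observed)) > threshold


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, line in signature_scan(lines):
        print(f"[signature] {name}: {line}")
    print("[hids] brute force that succeeded from:", successful_bruteforce_sources(lines))
    # A benign backup job that logs 60 lines in one minute is flagged: a false positive.
    for observed in (14, 60):
        print(f"[anomaly] {observed}/min -> z={anomaly_score(LEARNED_BASELINE, observed):.1f}",
              "ANOMALY" if is_anomalous(LEARNED_BASELINE, observed) else "normal")
```

The signature scan reports the attack type by name; the anomaly scan reports only that a count deviated from the profile, which is why the text says a network engineer must then work out what actually happened, and why a noisy but benign job raises an alert.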
Question 33
• Physical layer
• Network layer
• Transport layer
Details:
Layer 2 (Data Link layer) transfers information to the other end of the physical link. It handles physical
addressing, network topology, error notification, delivery of frames and flow control.
The following reference(s) were used to create this question:
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 431 or Kindle Location 11818.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12240
Question 34
The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers are in which
of the following order (1 to 7) ?
• Physical Layer, Data Link Layer, Network Layer, Session Layer, Transport Layer, Presentation
Layer, Application Layer
• Physical Layer, Data Link Layer, Transport Layer, Session Layer, Presentation Layer, Network
Layer , Application Layer
• Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer, Presentation
Layer, Application Layer
• Physical Layer, Network Layer, Data Link Layer, Transport Layer, Session Layer, Presentation
Layer, Application Layer
Correct Answer is: Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer,
Presentation Layer, Application Layer
Details:
The correct answer is: Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer,
Presentation Layer, Application Layer
7. Application Layer
6. Presentation Layer
5. Session Layer
4. Transport Layer
3. Network Layer
2. Data Link Layer
1. Physical Layer
Mnemonic: Please Do Not Throw Sausage Pizza Away (bottom to top layer)
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 427 or Kindle Location 11743.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242
Question 35
The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layer 6 is which of
the following?
• Network Layer
• Presentation Layer
• Application Layer
Details:
Layers:
1. Physical Layer
2. Data Link Layer
3. Network Layer
4. Transport Layer
5. Session Layer
6. Presentation Layer
7. Application Layer
Here's a great mnemonic for the OSI model: "Please Do Not Throw Sausage Pizza Away".
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 427 or Kindle Location 11743.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242
Question 36
• voice
From the published (ISC)2 goals for the Certified Information Systems Security Professional candidate:
The CISSP candidate should be familiar with communications and network security as it relates to voice,
data, multimedia, and facsimile transmissions in terms of local area, wide area, and remote access.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 545 or Kindle Location 14682.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
Question 38
The IP header contains a protocol field. If this field contains the value of 51, what type of data is
contained within the ip datagram?
Details:
Protocol number 51 identifies the IPsec Authentication Header (AH). For comparison, 50 is ESP, 6 is TCP,
17 is UDP and 1 is ICMP; these values are assigned in the IANA protocol numbers registry.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 442 or Kindle Location 12081.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14892
Question 39
• Data Link
• Session
• Network
• Transport
Details:
IPsec (IP Security) allows setting up a secure channel for protected data exchange between two devices.
It offers strong encryption and authentication methods and operates at the Network layer (layer 3),
where it protects IP datagrams using the AH and ESP protocols.
Session : When two applications need to communicate , or transfer information , a connection session
may need to be set up between them.
Transport : IP Security does not work at transport layer.
Data Link : IP Security does not work at data link layer of the OSI model.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 255 & 256 or Kindle Location 7457.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14869
Here is a brief description of the OSI layers, taken from Shon Harris AIO Book:
The application layer, layer 7, works closest to the user and provides file transmissions, message
exchanges, terminal sessions, and much more. This layer does not include the actual applications but
includes the protocols that support the applications. Some examples of the protocols working at this
layer are the Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), Line Printer
Daemon (LPD),File Transfer Protocol (FTP), Telnet, and Trivial File Transfer Protocol (TFTP).
The presentation layer, layer 6, receives information from the application layer protocols and puts it in a
format that all computers following the OSI model can understand. This layer provides a common means
of representing data in a structure that can be properly processed by the end system. This means that
when a user constructs a Word document and sends it out to several people, it does not matter whether
the receiving computer has different word processing programs; each of these computers will be able to
receive this file and understand and present it to its user as a document.
When two applications need to communicate, or transfer information, a connection session may need
to be set up between them. The session layer, layer 5, is responsible for establishing a connection
between the two applications, maintaining it during the transfer of data, and controlling the release of
this connection. A good analogy for the functionality within this layer is a telephone conversation. When
Kandy wants to call a friend, she uses the telephone. The telephone network circuitry and protocols set
up the connection over the telephone lines and maintains that communication path, and when Kandy
hangs up, it releases all the resources it was using to keep that connection open.
When two computers are going to communicate through a connection-oriented protocol, they will first
agree on how much information each computer will send at a time, how to verify the integrity of the
data once it is received, and how to determine whether a packet was lost along the way. The two
computers agree on these parameters through a handshaking process at the transport layer, layer 4. The
agreement on these issues before transferring data helps provide more reliable data transfer, error
detection, correction, recovery, and flow control, and it optimizes the network services needed to
perform these tasks. The transport layer provides end-to-end data transport services and establishes the
logical connection between two communicating computers.
The main responsibilities of the network layer, layer 3, are to insert information into the packet's header
so that it can be properly addressed and routed, and then to actually route the packets to their proper
destination. In a network, many routes can lead to one destination. The protocols at the network layer
must determine the best path for the packet to take.
As we continue down the protocol stack, we are getting closer to the actual network wire over which all
this data will travel. The outer format of the data packet changes slightly at each layer, and it comes to a
point where it needs to be translated into local area network (LAN) or wide area network (WAN)
technology binary format for proper line transmission. This happens at the data link layer.
The physical layer, layer 1, converts bits into voltage for transmission. Signals and voltage schemes have
different meanings for different LAN and WAN technologies.
Question 40
Details:
The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature,
the sender's private key is used to encrypt the message digest of the message; encrypting the message
digest is the act of signing the message. The receiver uses the sender's matching public key to decrypt
the digital signature, recovers the digest, and compares it with a digest computed over the received message.
A digital signature (not to be confused with a digital certificate) is an electronic signature that can be
used to authenticate the identity of the sender of a message or the signer of a document, and possibly
to ensure that the original content of the message or document that has been sent is unchanged. Digital
signatures cannot be forged by anyone who does not possess the private key, and a signature can also be
automatically time-stamped. The ability to prove that the original signed message arrived intact means that
the sender cannot easily repudiate it later.
A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that
the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate
contains the digital signature of the certificate-issuing authority so that anyone can verify that the
certificate is real and has not been modified since the day it was issued.
Assume you were going to send the draft of a contract to your lawyer in another town. You want to give
your lawyer the assurance that it was unchanged from what you sent and that it is really from you.
1. You copy-and-paste the contract (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical summary) of the contract.
3. You then use your private key (the half of the key pair that you generated and keep secret; a
certification authority only certifies the matching public key) to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note that it will be different
each time you send a message.)
1. To make sure it's intact and from you, your lawyer makes a hash of the received message.
2. Your lawyer then uses your public key to decrypt the message hash or summary.
Below are some common reasons for applying a digital signature to communications:
Authentication
Although messages may often include information about the entity sending a message, that information
may not be accurate. Digital signatures can be used to authenticate the source of messages. The
importance of high assurance in the sender authenticity is especially obvious in a financial context. For
example, suppose a bank's branch office sends instructions to the central office requesting a change in
the balance of an account. If the central office is not convinced that such a message is truly sent from an
authorized source, acting on such a request could be a serious mistake.
Integrity
In many scenarios, the sender and receiver of a message may have a need for confidence that the
message has not been altered during transmission. Although encryption hides the contents of a
message, it may be possible to change an encrypted message without understanding it. (Some
encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a
message is digitally signed, any change in the message after the signature has been applied
invalidates the signature. Furthermore, there is no efficient way to modify a message and its signature
to produce a new message with a valid signature, because that would require finding a second message
with the same digest, which is computationally infeasible for a collision-resistant cryptographic hash function.
Non-repudiation
Note that authentication, non-repudiation, and other properties rely on the secret key not having been
revoked prior to its usage. Public revocation of a key-pair is a required ability, else leaked secret keys
would continue to implicate the claimed owner of the key-pair. Checking revocation status requires an
"online " check, e.g. checking a "Certificate Revocation List " or via the "Online Certificate Status
Protocol ". This is analogous to a vendor who receives credit-cards first checking online with the credit-
card issuer to find if a given card has been reported lost or stolen.
A digital signature does not provide confidentiality. It provides authenticity, integrity and non-repudiation.
The sender's private key is used to encrypt the message digest to produce the digital signature.
Encryption provides only confidentiality. The receiver's public key (or a shared symmetric key) is used for
encryption.
• To indicate the encryption algorithm is incorrect as message digest is a hashing function and not
an encryption algorithm.
• To confirm the identity of the receiver is also incorrect as it does NOT confirm the identity of the
receiver.
• To enable transmission in a digital format is also incorrect as this is also not the reason why
digital signature contains message digests.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 236-237 or Kindle Location 6953.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 9530
A digital signature is a hash value that has been encrypted with the sender s private key. The act of
signing means encrypting the message s hash value with a private key.
The hashing function ensures the integrity of the message, and the signing of the hash value provides
authentication and nonrepudiation. The act of signing just means that the value was encrypted with a
private key.
A message can be encrypted and digitally signed, which provides confidentiality, authentication,
nonrepudiation, and integrity.
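The signing and verification steps in Questions 40 and 41 (hash the message, encrypt the digest with the private key, have the receiver decrypt it with the public key and compare) map directly onto textbook RSA. The block below is an added example written for this page, not code from the study guides; the contract text is constructed, and the key generation is a deliberately small illustration. Textbook RSA without padding is not a secure signature scheme and 512-bit keys are far too short; a real system uses RSA-PSS, ECDSA or Ed25519 from a vetted library. The example exists to make the page's description concrete, including why a tampered message or a different signer's key fails verification.

```python
import hashlib
import math
import random
from dataclasses import dataclass


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; probabilistic, adequate for an illustration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(candidate):
            return candidate


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent, generated locally and never shared


def generate_keypair(bits: int = 512) -> KeyPair:
    """The signer generates the pair; a CA only certifies (n, e), it never hands out d."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def message_digest(message: bytes) -> int:
    """Step 2 of the page: the message hash, as an integer smaller than any 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, key: KeyPair) -> int:
    """Steps 3-4: 'encrypt' the digest with the private key; the result is the signature."""
    return pow(message_digest(message), key.d, key.n)


def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    """Receiver: hash the received message, 'decrypt' the signature with the public key, compare."""
    return pow(signature, e, n) == message_digest(message)


if __name__ == "__main__":
    key = generate_keypair()
    contract = b"I agree to pay 1000 EUR by 2025-01-31."   # constructed message
    sig = sign(contract, key)
    print("signature verifies:          ", verify(contract, sig, key.n, key.e))
    print("after tampering:             ", verify(contract + b" (amended)", sig, key.n, key.e))
    other = generate_keypair()
    print("against someone else's key:  ", verify(contract, sig, other.n, other.e))
```

Only the holder of d can produce a value that the public exponent turns back into the digest, which is what gives authenticity and non-repudiation; any change to the message changes the recomputed digest, which is the integrity property. Nothing here hides the contract itself, matching the exam tip that a signature provides no confidentiality.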
Question 41
• Repudiated
• Disclosed
• Forwarded
• Erased
Details:
As electronic signatures provide a receipt of the transaction in order to ensure that the entities that
participated in the transaction can not repudiate their commitments.
For your exam you should know the information below:
The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature,
the sender's private key is used to encrypt the message digest of the message; encrypting the message
digest is the act of signing the message. The receiver uses the sender's matching public key to decrypt
the digital signature, recovers the digest, and compares it with a digest computed over the received message.
A digital signature (not to be confused with a digital certificate) is an electronic signature that can be
used to authenticate the identity of the sender of a message or the signer of a document, and possibly
to ensure that the original content of the message or document that has been sent is unchanged. Digital
signatures cannot be forged by anyone who does not possess the private key, and a signature can also be
automatically time-stamped. The ability to prove that the original signed message arrived intact means that
the sender cannot easily repudiate it later.
A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that
the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate
contains the digital signature of the certificate-issuing authority so that anyone can verify that the
certificate is real and has not been modified since the day it was issued.
Assume you were going to send the draft of a contract to your lawyer in another town. You want to give
your lawyer the assurance that it was unchanged from what you sent and that it is really from you.
1. You copy-and-paste the contract (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical summary) of the contract.
3. You then use your private key (the half of the key pair that you generated and keep secret; a
certification authority only certifies the matching public key) to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note that it will be different
each time you send a message.)
1. To make sure it's intact and from you, your lawyer makes a hash of the received message.
2. Your lawyer then uses your public key to decrypt the message hash or summary.
Authentication
Although messages may often include information about the entity sending a message, that information
may not be accurate. Digital signatures can be used to authenticate the source of messages. The
importance of high assurance in the sender authenticity is especially obvious in a financial context. For
example, suppose a bank's branch office sends instructions to the central office requesting a change in
the balance of an account. If the central office is not convinced that such a message is truly sent from an
authorized source, acting on such a request could be a serious mistake.
Integrity
In many scenarios, the sender and receiver of a message may have a need for confidence that the
message has not been altered during transmission. Although encryption hides the contents of a
message, it may be possible to change an encrypted message without understanding it. (Some
encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a
message is digitally signed, any change in the message after the signature has been applied
invalidates the signature. Furthermore, there is no efficient way to modify a message and its signature
to produce a new message with a valid signature, because that would require finding a second message
with the same digest, which is computationally infeasible for a collision-resistant cryptographic hash function.
Non-repudiation
Note that authentication, non-repudiation, and other properties rely on the secret key not having been
revoked prior to its usage. Public revocation of a key-pair is a required ability, else leaked secret keys
would continue to implicate the claimed owner of the key-pair. Checking revocation status requires an
"online " check, e.g. checking a "Certificate Revocation List " or via the "Online Certificate Status
Protocol ". This is analogous to a vendor who receives credit-cards first checking online with the credit-
card issuer to find if a given card has been reported lost or stolen.
Tip for the exam
Digital Signature does not provide confidentiality. It provides only authenticity and integrity and non-
repudiation. The sender's private key is used to encrypt the message digest to calculate the digital
signature
Encryption provides only confidentiality. The receiver's public key or symmetric key is used for
encryption
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 240 or Kindle Location 7059.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 9530
Question 42
• Telnet
The port numbers are divided into three ranges: the Well Known Ports (0 through 1023), the Registered
Ports (1024 through 49151), and the Dynamic and/or Private Ports (49152 through 65535).
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 640 or Kindle Location 16991.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12795
For the purpose of the exam you DO NOT need to know all 65,535 ports, but you must know the
ones that are very commonly used.
Question 43
Which of the following are WELL KNOWN PORTS assigned by the IANA?
• Ports 0 to 1023
• Ports 0 to 1024
• Ports 0 to 255
• Ports 0 to 127
Details:
The correct answer is: Ports 0 to 1023
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the
Dynamic and/or Private Ports. The range for assigned "Well Known " ports managed by the IANA
(Internet Assigned Numbers Authority) is 0-1023.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 439 or Kindle Location 12006.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12602
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and
the Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those
from 49152 through 65535.
Reference : http://www.iana.org/assignments/port-numbers
Question 44
Details:
A registered port is a network port (a sub-address defined within the Internet Protocol, in the range
1-65535) assigned by the Internet Assigned Numbers Authority (IANA) (or by the Internet Corporation for
Assigned Names and Numbers (ICANN) before March 21, 2001) for use with a certain protocol or
application.
Ports with numbers lower than those of the registered ports are called well known ports; ports with
numbers greater than those of the registered ports are called dynamic and/or private ports.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 439 or Kindle Location 12006.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12602
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the
Dynamic and/or Private Ports.
The Dynamic and/or Private Ports are those from 49152 through 65535.
Reference : http://www.iana.org/assignments/port-numbers
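Question 38 asks what the IP header's protocol field identifies, and Questions 42 to 44 cover the IANA port ranges; a packet filter reads exactly these fields. The block below is an added example written for this page, not code from the study guides: it builds two constructed IPv4 packets (an AH-protected datagram, and a Telnet SYN from an ephemeral port), verifies the header checksum, and decodes the protocol field and, for TCP or UDP, the port numbers and their IANA range.

```python
import socket
import struct

# Protocol numbers from the IANA protocol-numbers registry, limited to those relevant here.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header, no options
TCP_HEADER = struct.Struct("!HHIIBBHHH")      # 20-byte header, no options


def classify_port(port: int) -> str:
    """IANA port ranges as cited in Questions 42-44."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a 16-bit port number: {port}")


def ones_complement_checksum(data: bytes) -> int:
    """RFC 791 header checksum; returns 0 when run over a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet with a correct header checksum (used for constructed test data)."""
    header = IPV4_HEADER.pack(0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, protocol, 0,
                              socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields a packet filter acts on: addresses, protocol, and L4 ports when present."""
    ver_ihl, _tos, _length, _ident, _frag, _ttl, proto, _csum, src, dst = IPV4_HEADER.unpack(packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ones_complement_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    info = {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "protocol": proto,
        "protocol_name": IP_PROTOCOLS.get(proto, f"other({proto})"),
        "ports": None,
    }
    if proto in (6, 17):  # TCP and UDP headers both begin with 16-bit source and destination ports
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        info["ports"] = {"src": (sport, classify_port(sport)), "dst": (dport, classify_port(dport))}
    return info


# Constructed packets. AH payload is zero-filled; the TCP checksum is left at 0 (not computed here).
AH_PACKET = build_ipv4("10.0.0.5", "10.0.0.10", 51, bytes(24))
TELNET_SYN = build_ipv4("10.0.0.5", "10.0.0.10", 6,
                        TCP_HEADER.pack(51022, 23, 1, 0, 5 << 4, 0x02, 65535, 0, 0))

if __name__ == "__main__":
    print(parse_ipv4(AH_PACKET))
    print(parse_ipv4(TELNET_SYN))
```

For the AH packet there are no ports to read: the transport header is inside the authenticated payload, which is one reason a filter must consult the protocol field before assuming a TCP or UDP layout follows. The checksum check rejects a header that was corrupted or clumsily modified in transit.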
Question 45
Packet Filtering Firewalls examines both the source and destination address of the:
Details:
Packet filtering firewalls are devices that enforce administrative security policies by filtering incoming
traffic as well as outgoing traffic based on rules that can include the source and/or destination
addresses.
"Outgoing data packets" is incorrect. Firewalls filter incoming as well as outgoing traffic. This is
sometimes called Egress and Ingress filtering.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14563
CBK, p. 464
Question 46
Proxies works by transferring a copy of each accepted data packet from one network to another,
thereby masking the:
• data's origin.
• data's owner.
• data's details.
• data's payload.
Details:
The application firewall (proxy) relays the traffic from a trusted host running a specific application to an
untrusted server. It will appear to the untrusted server as if the request originated from the proxy
server.
CBK, p. 467
Question 47
• Session-Level Proxy.
• Circuit-Level Proxy.
• Current-Level Proxy.
• Cache-Level Proxy.
Details:
A circuit-level proxy creates a conduit through which a trusted host can communicate with an untrusted
one. This type of proxy does not inspect any of the traffic that it forwards, which adds very little
overhead to the communication between the user and untrusted server. The lack of application
awareness also allows circuit-level proxies to forward any traffic to any TCP and UDP port. The
disadvantage is that traffic will not be analyzed for malicious content.
FIREWALL GENERATIONS (reconstructed from the flattened table on the original page):
1. Packet filtering (screening router).
2. Application-level proxy server. Reduces network performance since it has to analyze each packet and
decide what to do with it.
3. Stateful inspection.
4. Dynamic packet filtering. Remembers all of the UDP packets that have crossed the network's perimeter,
and decides whether to enable packets to pass through the firewall.
5. Kernel proxy. Runs in the NT kernel and uses dynamic and custom TCP/IP-based stacks to inspect the
network packets and to enforce security policies.
"Current level firewall" is incorrect. This is an almost-right-sounding distractor to confuse the unwary.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14857
(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (Kindle Locations
14588-14591). CRC Press. Kindle Edition.
For the exam, be sure you understand the types of firewalls and the differences between them. This will
allow you to work through any confusing uses of terms to choose the best answer.
Since the official CBK and AIO seem to have agreed on "proxy" as opposed to "application layer firewall,"
I would suggest this as the normative usage.
Question 48
• a firewall
• the network segment between the Internet and a private network
Details:
The correct answer is: the network segment between the Internet and a private network
"A part of a network perfectly safe from hackers" is incorrect. There is no such thing.
"A militarized network segment" is incorrect. The term DMZ is borrowed from the military (the
demilitarized zone between the two Koreas is the best-known example), but a network DMZ has nothing
to do with the military.
"A firewall" is incorrect. Firewalls can play an important part in building a DMZ but a DMZ is much more
than a firewall.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14339
CBK, p. 850
AIO, p. 483
Question 49
• Passwords
Passwords are one of several ways to authenticate an identity (prove you are who you claim to be).
Authentication in turn lets confidentiality controls restrict an identity to the information it is
authorized to access. It is the authentication that supports confidentiality, not the password itself.
"Network security protocols" is incorrect. Network security protocols are quite useful in assuring
confidentiality in network communications.
"Data encryption services" is incorrect. Data encryption services are quite useful in protecting the
confidentiality of information.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16488
Question 50
• Network-based IDS
• Application-Based IDS
• Behavior-based IDS
• Host-based IDS
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 63.
Application-Based IDS - "a subset of HIDS that analyze what's going on in an application using the
transaction log files of the application." Source: Official ISC2 CISSP CBK Review Seminar Student Manual
Version 7.0 p. 87
Host-Based IDS - "an implementation of IDS capabilities at the host level. Its most significant difference
from NIDS is intrusion detection analysis, and related processes are limited to the boundaries of the
host." Source: Official ISC2 Guide to the CISSP CBK - p. 197
Network-Based IDS - "a network device, or dedicated system attached to the network, that monitors
traffic traversing the network segment for which it is integrated." Source: Official ISC2 Guide to the CISSP
CBK - p. 196
CISSP For Dummies, a book we recommend for a quick overview of the 10 domains, has nice, concise
coverage of the subject:
Intrusion detection is defined as real-time monitoring and analysis of network activity and data for
potential vulnerabilities and attacks in progress. One major limitation of current intrusion detection
system (IDS) technologies is the requirement to filter false alarms lest the operator (system or security
administrator) be overwhelmed with data. IDSes are classified in many different ways, including active
and passive, network-based and host-based, and knowledge-based and behavior-based:
An active IDS (now more commonly known as an intrusion prevention system — IPS) is a system that's
configured to automatically block suspected attacks in progress without any intervention required by an
operator. IPS has the advantage of providing real-time corrective action in response to an attack but has
many disadvantages as well. An IPS must be placed in-line along a network boundary; thus, the IPS itself
is susceptible to attack. Also, if false alarms and legitimate traffic haven't been properly identified and
filtered, authorized users and applications may be improperly denied access. Finally, the IPS itself may
be used to effect a Denial of Service (DoS) attack by intentionally flooding the system with alarms that
cause it to block connections until no connections or bandwidth are available.
A passive IDS is a system that's configured only to monitor and analyze network traffic activity and alert
an operator to potential vulnerabilities and attacks. It isn't capable of performing any protective or
corrective functions on its own. The major advantages of passive IDSes are that these systems can be
easily and rapidly deployed and are not normally susceptible to attack themselves.
Network-based and host-based IDS
A network-based IDS usually consists of a network appliance (or sensor) with a Network Interface Card
(NIC) operating in promiscuous mode and a separate management interface. The IDS is placed along a
network segment or boundary and monitors all traffic on that segment.
A host-based IDS requires small programs (or agents) to be installed on individual systems to be
monitored. The agents monitor the operating system and write data to log files and/or trigger alarms. A
host-based IDS can only monitor the individual host systems on which the agents are installed; it doesn't
monitor the entire network.
A knowledge-based (or signature-based) IDS references a database of previous attack profiles and
known system vulnerabilities to identify active intrusion attempts. Knowledge-based IDS is currently
more common than behavior-based IDS.
• Advantage: alarms are more standardized and more easily understood than those of a behavior-based IDS.
• Disadvantage: new, unique, or original attacks may not be detected or may be improperly classified.
A behavior-based (or statistical anomaly-based) IDS references a baseline or learned pattern of normal
system activity to identify active intrusion attempts. Deviations from this baseline or pattern cause an
alarm to be triggered.
• Disadvantage: usage patterns may change often and may not be static enough to implement an effective
behavior-based IDS.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 21710
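The two detection styles above, as an added example that is not from the CBK, CISSP For Dummies or any vendor product: a toy knowledge-based detector (regex signatures) and a toy behavior-based detector (request volume per source against a learned baseline) run over the same constructed log lines. The log lines, the baseline counts and the signature patterns are all constructed for the example.

```python
"""Added example: signature (knowledge-based) vs. statistical anomaly (behavior-based)
detection over the same constructed log lines. Not from the CBK or any vendor IDS."""
import re
import statistics
from collections import Counter

# Constructed web-server log lines: "<src> <method> <path> <status>". Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.7 GET /login?user=admin'%20OR%201=1-- 200
10.0.0.9 GET /index.html 200
10.0.0.9 GET /../../etc/passwd 404
10.0.0.5 GET /products.html 200
10.0.0.11 GET /index.html 200
10.0.0.13 GET /login?user=admin'/**/OR/**/1=1-- 200
""" + "10.0.0.5 GET /index.html 200\n" * 10

# Constructed training data: requests per source observed during a normal window.
BASELINE_REQUESTS_PER_SOURCE = [2, 3, 2, 1, 3, 2]

# Hypothetical knowledge base: attack profiles expressed as regexes over the path.
SIGNATURES = {
    "sqli-tautology": re.compile(r"(?i)'(%20|\s)*or(%20|\s)+1=1"),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(log_text):
    records = []
    for line in log_text.splitlines():
        src, method, path, status = line.split()
        records.append({"src": src, "method": method, "path": path, "status": int(status)})
    return records


def signature_detect(records):
    """Knowledge-based: alert only on requests matching a known attack profile.
    Each alert names the signature, which is why these alarms are easy to read.
    The 10.0.0.13 variant (comment-based whitespace) slips past: a new encoding
    of an old attack is not in the knowledge base."""
    return [(r["src"], name) for r in records
            for name, rx in SIGNATURES.items() if rx.search(r["path"])]


def anomaly_detect(records, baseline_counts, z_threshold=3.0):
    """Behavior-based: alert when a source's request volume deviates from the learned
    baseline by more than z_threshold standard deviations. It needs no signature,
    but it flags the busy 10.0.0.5 (which may be a legitimate crawler) and says
    nothing about the single-request SQL injection attempts."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts) or 1.0  # flat baseline: avoid divide by zero
    observed = Counter(r["src"] for r in records)
    return [(src, round((n - mean) / stdev, 2))
            for src, n in observed.items() if (n - mean) / stdev > z_threshold]
```

Run the two detectors over `parse(SAMPLE_LOG)`: the signature detector names the two known attacks and misses the obfuscated third; the anomaly detector raises one alarm, on the high-volume source, and misses all three injection attempts. This is the "false alarms must be filtered" and "new attacks may not be detected" trade-off in miniature.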
Question 51
A common way to create fault tolerance with leased lines is to group several T1s together with an
inverse multiplexer placed:
Details:
A common way to create fault tolerance with leased lines is to group several T1s together with an
inverse multiplexer placed at both ends of the connection.
An inverse multiplexer is needed at both ends because each end splits its outbound stream across the
T1s and reassembles the inbound stream from them, so it acts as a multiplexer in one direction and a
demultiplexer in the other. If one T1 fails, the remaining lines keep carrying the traffic at reduced
bandwidth.
In electronics, a multiplexer (or mux) is a device that selects one of several analog or digital input signals
and forwards the selected input into a single line. A multiplexer with 2^n inputs has n select lines, which
are used to select which input line to send to the output. Multiplexers are mainly used to increase the
amount of data that can be sent over the network within a certain amount of time and bandwidth. A
multiplexer is also called a data selector.
An electronic multiplexer makes it possible for several signals to share one device or resource, for
example one A/D converter or one communication line, instead of having one device per input signal.
On the other hand, a demultiplexer (or demux) is a device taking a single input signal and selecting one
of many data-output-lines, which is connected to the single input. A multiplexer is often used with a
complementary demultiplexer on the receiving end.
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 72.
and
https://secure.wikimedia.org/wikipedia/en/wiki/Multiplexer
Question 52
Details:
Frame relay uses a public switched network to provide Wide Area Network (WAN) connectivity.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15476
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 73.
Question 53
Details:
Fiber optic cable is immune to the effects of electromagnetic interference, is much harder to tap than
copper (a tap needs physical access and usually causes a measurable drop in optical power) and has a
much longer effective usable length than any other cable type. The primary drawbacks of this cable type
are its cost of installation and the high level of expertise needed to have it properly terminated.
• Single mode: small glass core, used for high-speed data transmission over long distances. Less
susceptible to attenuation than multimode fiber.
• Multimode: large glass core that carries many light paths (modes) at once; cheaper to install and
terminate, but best for shorter distances because of its higher attenuation and modal dispersion.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 11745
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 72).
Question 54
What type of attack involves IP spoofing, ICMP ECHO and a bounce site?
• Smurf attack
• IP spoofing attack
• SYN attack
• Teardrop attack
Details:
A smurf attack occurs when an attacker sends a spoofed (IP spoofing) PING (ICMP ECHO REQUEST) packet
to the broadcast address of a large network (the bounce site). Because the packet carries the target
system's address as its source, every device on the bounce site's network sends its ICMP ECHO REPLY to
the target system, which is then saturated with those replies. An IP spoofing attack is used to convince a
system that it is communicating with a known entity, giving an intruder access; it involves replacing the
source address of a packet with a trusted source's address. A teardrop attack consists of modifying the
length and fragmentation offset fields in sequential IP packets so the target system becomes confused
and crashes after it receives contradictory instructions on how the fragments overlap. A SYN attack is
when an attacker floods a system with connection requests but does not respond when the target
system replies to those requests.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16117
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 76).
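The smurf mechanics described above, as an added detection example that is not from the CBK or the Krutz text: it flags ICMP echo requests addressed to a subnet's directed-broadcast address (what makes that subnet a bounce site) and estimates the amplification a spoofed victim is receiving. The subnets, addresses and packet summaries are constructed; only the standard library is used.

```python
"""Added example (not from the CBK): spot smurf traffic at the bounce site and
measure amplification against the spoofed victim. All addresses are constructed."""
import ipaddress

# Subnets behind the sensor (constructed). Any of them becomes a bounce site if its
# router still forwards directed broadcasts (RFC 2644 made 'off' the default).
KNOWN_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type values

# Constructed packet summaries: (source, destination, icmp_type).
PACKETS = [
    ("203.0.113.10", "192.0.2.255", ECHO_REQUEST),      # spoofed victim src -> broadcast
    ("203.0.113.10", "198.51.100.127", ECHO_REQUEST),   # same victim, second bounce site
    ("192.0.2.4", "203.0.113.10", ECHO_REPLY),          # hosts on the bounce sites answer
    ("192.0.2.5", "203.0.113.10", ECHO_REPLY),
    ("192.0.2.6", "203.0.113.10", ECHO_REPLY),
    ("198.51.100.9", "203.0.113.10", ECHO_REPLY),
    ("10.1.1.1", "192.0.2.4", ECHO_REQUEST),            # ordinary unicast ping, benign
    ("192.0.2.4", "10.1.1.1", ECHO_REPLY),
]


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of the subnets we protect."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in KNOWN_SUBNETS)


def broadcast_echo_requests(packets):
    """Echo requests to a subnet broadcast: the attacker's packets as seen at the bounce site."""
    return [(src, dst) for src, dst, t in packets
            if t == ECHO_REQUEST and is_directed_broadcast(dst)]


def amplification_ratio(packets, victim):
    """Echo replies delivered to `victim` per echo request carrying its address as source.
    A normal ping gives about 1.0; a smurf gives one reply per live host on the bounce site."""
    sent = sum(1 for s, _, t in packets if t == ECHO_REQUEST and s == victim)
    received = sum(1 for _, d, t in packets if t == ECHO_REPLY and d == victim)
    return received / sent if sent else 0.0


def likely_smurf_victims(packets, min_ratio=2.0):
    """Sources named in broadcast echo requests that are being amplified against."""
    victims = {src for src, _ in broadcast_echo_requests(packets)}
    return sorted(v for v in victims if amplification_ratio(packets, v) >= min_ratio)
```

Note that the source address in the flagged requests is the victim, not the attacker, so a bounce-site sensor cannot block by source. The fix is on the bounce site itself: drop directed broadcasts at the router and configure hosts not to answer broadcast echo requests.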
Question 55
Which layer defines how packets are routed between end systems?
• Session layer
• Network layer
• Data link layer
• Transport layer
Details:
The network layer (layer 3) defines how packets are routed and relayed between end systems on the
same network or on interconnected networks. Message routing, error detection and control of node
traffic are managed at this level.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 82).
Question 56
• Transport layer
• Presentation layer
• Session layer
• Application layer
Details:
The correct answer is: Transport layer
TCP and UDP are implemented at the transport layer (layer 4).
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 82).
Question 57
Which OSI/ISO layer is the Media Access Control (MAC) sublayer part of?
• Physical layer
• Transport layer
• Network layer
Details:
The data link layer contains the Logical Link Control sublayer and the Media Access Control (MAC)
sublayer.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 83).
Question 58
Which layer of the DoD TCP/IP Model ensures error-free delivery and packet sequencing?
• Internet layer
• Application layer
• Host-to-host
Details:
Some books call this layer of the DoD model the Transport layer; the original DoD model literature calls
it Host-to-Host, and RFC 1122 uses "transport layer" for the same layer.
The host-to-host layer provides for reliable end-to-end communications, ensures the data's error-free
delivery, handles the data's packet sequencing, and maintains the data's integrity.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12534
http://en.wikipedia.org/wiki/Internet_protocol_suite
and
http://technet.microsoft.com/en-us/library/cc786900%28v=ws.10%29.aspx
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 85).
Question 59
Which layer of the DoD TCP/IP model controls the communication flow between hosts?
• Application layer
• Internet layer
Details:
The host-to-host layer (equivalent to the OSI transport layer) provides end-to-end data delivery and
flow control to the application layer.
The four layers in the DoD model, from top to bottom, are:
The Application Layer contains protocols that implement user-level functions, such as mail delivery, file
transfer and remote login.
The Host-to-Host Layer handles connection rendezvous, flow control, retransmission of lost data, and
other generic data flow management between hosts. TCP and UDP (an application uses one or the
other) are this layer's most important members.
The Internet Layer is responsible for delivering data across a series of different physical networks that
interconnect a source and destination machine. Routing protocols are most closely associated with this
layer, as is the IP Protocol, the Internet's fundamental protocol.
The Network Access Layer is responsible for delivering data over the particular hardware media in use.
Different protocols are selected from this layer, depending on the type of physical network.
The OSI model organizes communication services into seven groups called layers. The layers are as
follows:
• Layer 7, The Application Layer: The application layer serves as a window for users and
application processes to access network services. It handles issues such as network transparency,
resource allocation, etc. This layer is not an application in itself, although some applications may
perform application layer functions.
• Layer 6, The Presentation Layer: The presentation layer serves as the data translator for a
network. It is usually a part of an operating system and converts incoming and outgoing data from one
presentation format to another. This layer is also known as syntax layer.
• Layer 5, The Session Layer: The session layer establishes a communication session between
processes running on different communication entities in a network and can support a message-mode
data transfer. It deals with session and connection coordination.
• Layer 4, The Transport Layer: The transport layer ensures that messages are delivered in the
order in which they are sent and that there is no loss or duplication. It ensures complete data transfer.
This layer provides an additional connection below the Session layer and assists with managing some
data flow control between hosts. Data is divided into packets on the sending node, and the receiving
node's Transport layer reassembles the message from packets. This layer is also responsible for error
checking to guarantee error-free data delivery, and requests a retransmission if necessary. It is also
responsible for sending acknowledgments of successful transmissions back to the sending host. A
number of protocols run at the Transport layer, including TCP, UDP, Sequenced Packet Exchange (SPX),
and NWLink.
• Layer 3, The Network Layer: The network layer controls the operation of the subnet. It
determines the physical path that data takes on the basis of network conditions, priority of service, and
other factors. The network layer is responsible for routing and forwarding data packets.
• Layer 2, The Data-Link Layer: The data-link layer is responsible for error free transfer of data
frames. This layer provides synchronization for the physical layer. ARP and RARP would be found at this
layer.
• Layer 1, The Physical Layer: The physical layer is responsible for packaging and transmitting data
on the physical media. This layer conveys the bit stream through a network at the electrical and
mechanical level.
https://www.youtube.com/watch?v=-6Uoku-M6oY
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12534
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 85).
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 7:
Telecommunications and Network Security (page 344).
Question 60
Which of the following protocols is NOT implemented at the Internet layer of the TCP/IP protocol
model?
Details:
The User Datagram Protocol (UDP) is implemented at the host-to-host (transport) layer, not at the
Internet layer.
Ensure you are familiar with both the OSI model and the DoD TCP/IP model. You need to be able to
contrast the two side by side and know the layer names used on each side. The original question is
accompanied by a graphic showing the two models, how their layers map to each other, and some of the
most common protocols found at each layer.
All of the other protocols sit at the Internet Layer of the TCP/IP model.
NOTE:
Some references call the Transport layer of the DoD model Host-to-Host.
As a rough mnemonic, nearly every protocol whose name starts with "I" (IP, ICMP, IGMP, IPsec) sits at
layer 3; IMAP is the notable exception.
Question 61
• 32 bits
• 128 bits
• 96 bits
• 64 bits
The actual IP address (IPv4) is composed of 32 bits. An IPv6 address is composed of 128 bits.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12589
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 87).
Question 62
What protocol is used on the Local Area Network (LAN) to obtain an IP address from its known MAC
address?
Details:
The reverse address resolution protocol (RARP) sends out a packet including a MAC address and a
request to be informed of the IP address that should be assigned to that MAC.
Diskless workstations do not have a full operating system but have just enough code to know how to
boot up and broadcast for an IP address, and they may have a pointer to the server that holds the
operating system. The diskless workstation knows its hardware address, so it broadcasts this
information so that a listening server can assign it the correct IP address.
As with ARP, Reverse Address Resolution Protocol (RARP) frames go to all systems on the subnet, but
only the RARP server responds. Once the RARP server receives this request, it looks in its table to see
which IP address matches the broadcast hardware address. The server then sends a message that
contains its IP address back to the requesting computer. The system now has an IP address and can
function on the network.
The Bootstrap Protocol (BOOTP) was created after RARP to enhance the functionality that RARP
provides for diskless workstations. The diskless workstation can receive its IP address, the name server
address for future name resolutions, and the default gateway address from the BOOTP server. BOOTP
usually provides more functionality to diskless workstations than does RARP.
The evolution of this protocol has unfolded as follows: RARP evolved into BOOTP, which evolved into
DHCP.
NAT is a tool that is used for masking true IP addresses by employing internal addresses.
ARP does the opposite of RARP, it finds the MAC address that maps with an existing IP address.
Data Link layer The Data Link layer is not a protocol; it is represented at layer 2 of the OSI model. In the
TCP/IP model, the Data Link and Physical layers are combined into the Network Access layer, which is
sometimes called the Link layer or the Network Interface layer.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15149
(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 453). CRC Press.
Kindle Edition.
and
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Telecommunications and Network
Security, Page 584-585 and also 598. For Kindle users see Kindle Locations 12348-12357. McGraw-Hill.
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 87).
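The RARP exchange above, as an added example that is not from the CBK, the AIO or the Krutz text: ARP and RARP share one 28-byte packet layout (RFC 826) and differ only in EtherType and opcode (RFC 903 assigns 3 and 4 to RARP). The code builds a diskless station's RARP request, parses it, and answers it the way the RARP server does, from a static MAC-to-IP table. The MAC and IP addresses, and the server identity, are constructed.

```python
"""Added example (not from the CBK): build and parse ARP/RARP frames and answer a
RARP request from a static table. Addresses are constructed."""
import struct

ETHERTYPE_ARP, ETHERTYPE_RARP = 0x0806, 0x8035
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
SERVER_MAC, SERVER_IP = "02:00:00:00:00:01", "192.0.2.1"  # constructed RARP server identity


def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_frame(opcode, sha, spa, tha, tpa, dst_mac=BROADCAST_MAC):
    """Ethernet header + ARP/RARP packet. HTYPE 1 = Ethernet, PTYPE 0x0800 = IPv4."""
    ethertype = ETHERTYPE_RARP if opcode in (3, 4) else ETHERTYPE_ARP
    eth = mac_bytes(dst_mac) + mac_bytes(sha) + struct.pack("!H", ethertype)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + body  # 42 bytes; the NIC pads to the 60-byte Ethernet minimum


def parse_frame(frame):
    """Decode the fixed-offset fields; trailing padding, if any, is ignored."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETHERTYPE_ARP, ETHERTYPE_RARP):
        raise ValueError(f"not ARP/RARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in OPCODES:
        raise ValueError("unsupported ARP/RARP header")
    return {
        "ethertype": ethertype, "op": OPCODES[op],
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
    }


def rarp_request(station_mac):
    """A diskless station asks for its own IP: sender and target MAC are both its own
    and the protocol addresses are still unknown (RFC 903)."""
    return build_frame(3, station_mac, "0.0.0.0", station_mac, "0.0.0.0")


def rarp_server_reply(request_frame, table):
    """What the RARP server does: look the target MAC up in its static table and reply
    unicast. Every other host on the subnet sees the broadcast and stays silent."""
    req = parse_frame(request_frame)
    if req["op"] != "RARP request":
        return None
    ip = table.get(req["tha"])
    if ip is None:
        return None  # unknown MAC: no reply, so the station keeps broadcasting
    return build_frame(4, SERVER_MAC, SERVER_IP, req["tha"], ip, dst_mac=req["sha"])
```

Because the request is broadcast and the reply is unicast to a MAC the server has not verified, anything on the segment can answer first; RARP, like ARP, has no authentication, which is one reason BOOTP and DHCP replaced it and why DHCP snooping exists on switches.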
Question 63
• IP Security
Details:
CHAP is an authentication mechanism for Point-to-Point Protocol connections that never sends the user's
password over the link. It is a protocol that uses a three-way handshake. The server sends the client a
challenge, which includes a random value (a nonce) to thwart replay attacks. The client responds with an
MD5 hash of the challenge identifier, the shared secret and the nonce. The authentication is successful if
the client's response is the one that the server expected.
The VPN communication protocol standards listed above are PPTP, L2TP and IPSec.
PPTP and L2TP operate at the data link layer (layer 2) of the OSI model and enable only a single point-to-
point connection per session.
PPTP uses native PPP authentication and encryption services. Point-to-Point Tunneling Protocol (PPTP)
is a VPN protocol that runs over other protocols. PPTP relies on generic routing encapsulation (GRE) to
build the tunnel between the endpoints. After the user authenticates, typically with Microsoft Challenge
Handshake Authentication Protocol version 2 (MSCHAPv2), a Point-to-Point Protocol (PPP) session
creates a tunnel using GRE.
L2TP is a combination of PPTP and the earlier Layer 2 Forwarding protocol (L2F). Layer 2 Tunneling
Protocol (L2TP) is a hybrid of Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s PPTP. It allows callers over
a serial line using PPP to connect over the Internet to a remote network. A dial-up user connects to his
ISP’s L2TP access concentrator (LAC) with a PPP connection. The LAC encapsulates the PPP packets into
L2TP and forwards it to the remote network’s layer 2 network server (LNS). At this point, the LNS
authenticates the dial-up user. If authentication is successful, the dial-up user will have access to the
remote network.
IPSec operates at the network layer (layer 3) and enables multiple simultaneous tunnels. IP Security
(IPSec) is a suite of protocols for communicating securely over IP by providing mechanisms for
authentication and encryption. Support for IPSec was originally mandatory in IPv6 (RFC 6434 later
relaxed this to a SHOULD), and many organizations use it over IPv4. Further, IPSec can be implemented
in two modes: transport mode, appropriate for end-to-end protection, and tunnel mode, which
safeguards traffic between networks.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14941
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)
(Kindle Locations 7067-7071). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)
(Kindle Locations 6987-6990). Auerbach Publications. Kindle Edition.
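The CHAP handshake described above, as an added example that is not from the CBK: both peers' messages (Challenge, Response, Success or Failure) with the MD5 computation of RFC 1994, the single-use challenge that defeats replay, and a function showing what an eavesdropper can still do with the captured transcript. The peer name and shared secret are constructed.

```python
"""Added example (not from the CBK): the CHAP three-way handshake of RFC 1994 with
both sides' messages, replay rejection, and the offline-guessing exposure that a
captured transcript leaves. Name and secret are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets):
        self.secrets = secrets      # peer name -> shared secret; CHAP needs the cleartext secret
        self.outstanding = {}       # identifier -> challenge not yet answered
        self.identifier = 0

    def challenge(self):
        """Step 1: send a fresh random challenge under a new identifier."""
        self.identifier = (self.identifier + 1) & 0xFF
        nonce = os.urandom(16)
        self.outstanding[self.identifier] = nonce
        return self.identifier, nonce

    def verify(self, identifier, name, response):
        """Step 3: Success only if the response matches a still-outstanding challenge."""
        nonce = self.outstanding.pop(identifier, None)  # single use: a replayed response fails
        secret = self.secrets.get(name)
        if nonce is None or secret is None:
            return False
        expected = chap_response(identifier, secret, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class ChapClient:
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, nonce):
        """Step 2: answer with the hash; the secret itself never crosses the link."""
        return self.name, chap_response(identifier, self.secret, nonce)


def run_handshake(server, client):
    """Drive one Challenge / Response / Success-or-Failure exchange. Returns the verdict
    and the transcript an eavesdropper on the link would have captured."""
    identifier, nonce = server.challenge()
    name, response = client.respond(identifier, nonce)
    return server.verify(identifier, name, response), (identifier, nonce, name, response)


def offline_guess(transcript, candidates):
    """What the captured transcript still allows: testing candidate secrets offline."""
    identifier, nonce, _, response = transcript
    for guess in candidates:
        if chap_response(identifier, guess, nonce) == response:
            return guess
    return None
```

The nonce stops replay, but it does not stop an eavesdropper from brute-forcing a weak secret against the captured challenge and response, and the server must hold the secret in recoverable form. That is why CHAP and MS-CHAPv2 are run inside a protected tunnel in practice rather than over a bare link.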
Question 64
Which of the following is a device that is used to regenerate or replicate the received signals?
• Router
• Repeater
• Brouter
• Bridge
Repeaters offer the simplest form of connectivity. They regenerate received electrical signals at their
original strength between cable segments. Bridges are devices used to connect similar or dissimilar LANs
together to form an extended LAN. Routers provide packet routing between network segments. Brouters
are devices that combine router and bridge functionality.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14376
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 7:
Telecommunications and Network Security (page 397).
Question 65
Which of the following networking devices allows the connection of two or more homogeneous LANs in
a simple way where they forward the traffic based on the MAC address ?
• Gateways
• Bridges
• Firewalls
• Routers
Details:
Bridges are simple, protocol-dependent networking devices that are used to connect two or more
homogeneous LANs to form an extended LAN.
A bridge does not change the contents of the frame being transmitted but acts as a relay.
A gateway is designed to reduce the problems of interfacing any combination of local networks that
employ different level protocols or local and long-haul networks.
A router connects two networks or network segments and may use IP to route messages.
Firewalls are methods of protecting a network against security threats from other systems or networks
by centralizing and controlling access to the protected network segment.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14385
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 7:
Telecommunications and Network Security (page 397).
Question 66
• RSA
• SET
• SSL
• PPP
Details:
The Secure Socket Layer (SSL) protocol, since superseded by TLS, is used between a web server and client
and encrypts the entire session, which prevents session hijacking by an eavesdropper. RSA is an
asymmetric encryption algorithm that can be used in setting up an SSL session. SET is the Secure
Electronic Transaction protocol that was introduced by Visa and Mastercard to allow for more credit card
transaction possibilities. PPP is a point-to-point link protocol.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16314
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 89).
Question 67
• Smurfing attack
• Sniffing attack
• Spamming attack
• Spoofing attack
Details:
A spoofing attack is when an attempt is made to gain access to a computer system by posing as an
authorized user or system. Spamming refers to sending out or posting junk advertising and unsolicited
mail. A smurf attack is a type of denial-of-service attack using PING and a spoofed address. Sniffing refers
to observing packets passing on a network.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16314
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 77).
Question 68
Which of the following IEEE standards defines the token ring media access method?
• 802.2
• 802.5
• 802.11
• 802.3
Details:
The IEEE 802.5 standard defines the token ring media access method. 802.3 refers to Ethernet's
CSMA/CD, 802.11 refers to wireless communications and 802.2 refers to the logical link control.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15229
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 109).
Question 69
Which xDSL flavour, appropriate for home or small offices, delivers more bandwidth downstream than
upstream?
• SDSL
• ADSL
• HDSL
• VDSL
Correct Answer is: ADSL
Details:
Asymmetric digital subscriber line (ADSL) is designed to provide more bandwidth downstream (1 to 8
Mbps) than upstream (16 to 800 Kbps).
DSL (Digital Subscriber Line) is a modem technology for broadband data access over ordinary copper
telephone lines (POTS) from homes and businesses. xDSL refers collectively to all types of DSL, such as
ADSL (and G.Lite), HDSL, SDSL, IDSL and VDSL etc. They are sometimes referred to as last-mile (or first
mile) technologies because they are used only for connections from a telephone switching station to a
home or office, not between switching stations.
xDSL is similar to ISDN in as much as both operate over existing copper telephone lines (POTS) using
sophisticated modulation schemes and both require the short runs to a central telephone office
Single-line (symmetric) Digital Subscriber Line (SDSL) delivers 2.3 Mbps of bandwidth each way.
High-bit-rate Digital Subscriber Line (HDSL) delivers 1.544 Mbps of bandwidth each way.
Very-high data-rate Digital Subscriber Line (VDSL) can deliver up to 52 Mbps downstream over a single
copper twisted pair over a relatively short distance (1000 to 4500 feet). It could have been another
choice but it is not the best choice. The key to VDSL is that the telephone companies are replacing
many of their main feeds with fiber-optic cable. In fact, many phone companies are planning Fiber to the
Curb (FTTC), which means that they will replace all existing copper lines right up to the point where your
phone line branches off at your house. At the least, most companies expect to implement Fiber to the
Neighborhood (FTTN). Instead of installing fiber-optic cable along each street, FTTN has fiber going to
the main junction box for a particular neighborhood.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15435
http://computer.howstuffworks.com/vdsl3.htm
http://www.javvin.com/protocolxDSL.html
http://computer.howstuffworks.com/vdsl2.htm
Question 70
• Accountability
• Integrity
• Authentication
• Availability
Details:
Secure RPC provides authentication services. Secure RPC (Remote Procedure Call) protects remote
procedures with an authentication mechanism. The Diffie-Hellman authentication mechanism
authenticates both the host and the user who is making a request for a service. The authentication
mechanism uses Data Encryption Standard (DES) encryption. Applications that use Secure RPC include
NFS and the naming services, NIS and NIS+.
WHAT IS RPC?
Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program
located in another computer in a network without having to understand network details. (A procedure
call is also sometimes known as a function call or a subroutine call.) RPC uses the client/server model.
The requesting program is a client and the service-providing program is the server. Like a regular or local
procedure call, an RPC is a synchronous operation requiring the requesting program to be suspended
until the results of the remote procedure are returned. However, the use of lightweight processes or
threads that share the same address space allows multiple RPCs to be performed concurrently.
When program statements that use RPC are compiled into an executable program, a stub is included in
the compiled code that acts as the representative of the remote procedure code. When the program is
run and the procedure call is issued, the stub receives the request and forwards it to a client runtime
program in the local computer. The client runtime program has the knowledge of how to address the
remote computer and server application and sends the message across the network that requests the
remote procedure. Similarly, the server includes a runtime program and stub that interface with the
remote procedure itself. Results are returned the same way.
There are several RPC models and implementations. A popular model and implementation is the Open
Software Foundation's Distributed Computing Environment (DCE). RPC is also specified by ISO/IEC in
ISO/IEC 11578 (Open Systems Interconnection, Remote Procedure Call), which began as committee draft
ISO/IEC CD 11578 N6561 in November 1991.
RPC spans the Transport layer and the Application layer in the Open Systems Interconnection (OSI)
model of network communication. RPC makes it easier to develop an application that includes multiple
programs distributed in a network.
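The stub / client runtime / server runtime flow described above, as an added example (not code from the page or from any RPC implementation). The "network" is a byte buffer passed from the client runtime to the server runtime so it runs in one process; the length-prefixed JSON wire format and the procedure names are constructed for the illustration.

```python
"""Client stub -> client runtime -> server runtime -> procedure, and back.

The stub looks like a local object; each attribute access becomes a blocking
remote call, which is the synchronous behaviour the explanation describes.
"""
import json
import struct
from typing import Any, Callable, Dict, Tuple


def encode_message(msg: Dict[str, Any]) -> bytes:
    body = json.dumps(msg, sort_keys=True).encode()
    return struct.pack("!I", len(body)) + body     # 4-byte big-endian length prefix


def decode_message(wire: bytes) -> Dict[str, Any]:
    (length,) = struct.unpack("!I", wire[:4])
    if len(wire) != 4 + length:
        raise ValueError("truncated or oversized RPC message")
    return json.loads(wire[4:4 + length])


class ServerRuntime:
    """Server-side runtime plus stub: dispatches only to registered procedures."""

    def __init__(self) -> None:
        self.procedures: Dict[str, Callable[..., Any]] = {}

    def register(self, name: str, fn: Callable[..., Any]) -> None:
        self.procedures[name] = fn

    def handle(self, wire: bytes) -> bytes:
        req = decode_message(wire)
        fn = self.procedures.get(req["proc"])
        if fn is None:
            return encode_message({"id": req["id"], "error": "unknown procedure"})
        try:
            result = fn(*req["args"])
        except Exception as exc:          # report a fault instead of leaking a traceback
            return encode_message({"id": req["id"], "error": type(exc).__name__})
        return encode_message({"id": req["id"], "result": result})


class ClientRuntime:
    """Knows how to reach the server; here the transport is a direct function call."""

    def __init__(self, transport: Callable[[bytes], bytes]) -> None:
        self.transport = transport
        self.next_id = 0

    def call(self, proc: str, *args: Any) -> Any:
        self.next_id += 1
        request = {"id": self.next_id, "proc": proc, "args": list(args)}
        reply = decode_message(self.transport(encode_message(request)))
        if reply["id"] != self.next_id:
            raise RuntimeError("reply does not match request")
        if "error" in reply:
            raise RuntimeError(reply["error"])
        return reply["result"]


class Stub:
    """Client stub: forwards every method call to the client runtime."""

    def __init__(self, runtime: ClientRuntime) -> None:
        self._runtime = runtime

    def __getattr__(self, name: str) -> Callable[..., Any]:
        return lambda *args: self._runtime.call(name, *args)


def build_demo() -> Stub:
    """Constructed server exposing two procedures; returns a stub bound to it."""
    server = ServerRuntime()
    server.register("add", lambda a, b: a + b)
    server.register("lookup", {"alice": 1001, "bob": 1002}.__getitem__)  # constructed table
    return Stub(ClientRuntime(server.handle))


def try_call(stub: Stub, proc: str, *args: Any) -> Tuple[str, Any]:
    """Return ('ok', result) or ('error', message) so faults can be inspected."""
    try:
        return ("ok", getattr(stub, proc)(*args))
    except RuntimeError as exc:
        return ("error", str(exc))
```

Note that nothing in this exchange identifies the caller; authenticating both the host and the user is what the Secure RPC variant described above adds on top of plain RPC.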
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12786
(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 475). CRC Press. Kindle
and
http://docs.sun.com/app/docs/doc/816-4883/6mb2joane?a=view
and
http://docs.oracle.com/cd/E23823_01/html/816-4557/auth-2.html
Question 71
Details:
Firewalls enforce a corporate security policy and limit an organization's security exposures by filtering
traffic passing to and from the Internet and the corporate network. It does log Internet activity but does
not usually protect against viruses.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14520
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 89).
Most firewall types will support virus detection through the use of an additional module or a
third-party plugin. However, out of the box, even today, only a few enterprise or larger-size models have
full antivirus capability.
Question 72
• Application gateway
Details:
A static packet filtering firewall is the simplest and least expensive type of firewall, offering minimum
security provisions to a low-risk computing environment.
A static packet filter firewall examines both the source and destination addresses of the incoming data
packet and applies ACLs to them. They operate at either the Network or Transport layer. They are
known as the First generation of firewall.
Older firewalls that were only packet filters were essentially routing devices that provided access control
functionality for host addresses and communication sessions. These devices, also known as stateless
inspection firewalls, do not keep track of the state of each flow of traffic that passes through the firewall;
this means, for example, that they cannot associate multiple requests within a single session to each
other. Packet filtering is at the core of most modern firewalls, but there are few firewalls sold today that
only do stateless packet filtering. Unlike more advanced filters, packet filters are not concerned about
the content of packets. Their access control functionality is governed by a set of directives referred to as
a ruleset. Packet filtering capabilities are built into most operating systems and devices capable of
routing; the most common example of a pure packet filtering device is a network router that employs
access control lists.
There are many types of Firewall:
Application Level Firewalls – Often called a Proxy Server. It works by transferring a copy of each
accepted data packet from one network to another. They are known as the Second generation of
firewalls.
Stateful Inspection Firewall - Packets are captured by the inspection engine operating at the network
layer and then analyzed at all layers. They are known as the Third generation of firewalls.
Stateful inspection improves on the functions of packet filters by tracking the state of connections and
blocking packets that deviate from the expected state. This is accomplished by incorporating greater
awareness of the transport layer. As with packet filtering, stateful inspection intercepts packets at the
network layer and inspects them to see if they are permitted by an existing firewall rule, but unlike
packet filtering, stateful inspection keeps track of each connection in a state table. While the details of
state table entries vary by firewall product, they typically include source IP address, destination IP
address, port numbers, and connection state information.
Web Application Firewalls - The HTTP protocol used in web servers has been exploited by attackers in
many ways, such as to place malicious software on the computer of someone browsing the web, or to
fool a person into revealing private information that they might not have otherwise. Many of these
exploits can be detected by specialized application firewalls called web application firewalls that reside
in front of the web server.
Web application firewalls are a relatively new technology, as compared to other firewall technologies,
and the type of threats that they mitigate are still changing frequently. Because they are put in front of
web servers to prevent attacks on the server, they are often considered to be very different than
traditional firewalls.
Host-Based Firewalls and Personal Firewalls - Host-based firewalls for servers and personal firewalls for
desktop and laptop personal computers (PC) provide an additional layer of security against network-
based attacks. These firewalls are software-based, residing on the hosts they are protecting—each
monitors and controls the incoming and outgoing network traffic for a single host. They can provide
more granular protection than network firewalls to meet the needs of specific hosts.
Host-based firewalls are available as part of server operating systems such as Linux, Windows, Solaris,
BSD, and Mac OS X Server, and they can also be installed as third-party add-ons. Configuring a host-
based firewall to allow only necessary traffic to the server provides protection against malicious activity
from all hosts, including those on the same subnet or on other internal subnets not separated by a
network firewall. Limiting outgoing traffic from a server may also be helpful in preventing certain
malware that infects a host from spreading to other hosts. Host-based firewalls usually perform
logging, and can often be configured to perform address-based and application-based access controls.
Dynamic Packet Filtering – Makes informed decisions on the ACLs to apply. They are known as the
Fourth generation of firewalls.
Kernel Proxy - Very specialized architecture that provides modular kernel-based, multi-layer evaluation
and runs in the NT executive space. They are known as the Fifth generation of firewalls.
All of the other types of firewalls listed are more complex than the Packet Filtering Firewall.
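The difference between a first-generation static packet filter and stateful inspection, as an added example (not code from the page or from any firewall product). The internal subnet, the addresses and the packet sequence are constructed; the TCP state machine is deliberately simplified to the handshake, data and teardown cases.

```python
"""Static (stateless) ruleset vs a state-table filter on the same packets.

Only the stateful filter can tell a legitimate SYN/ACK reply from an
unsolicited one, because only it remembers that a SYN went out first.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INSIDE_PREFIX = "10.0.0."   # constructed: the protected internal subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]    # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def static_filter(pkt: Packet) -> bool:
    """Stateless ruleset: allow anything outbound; allow inbound only when the
    ACK flag is set. That 'established' rule is how a filter with no memory
    lets reply traffic back in, and it admits any packet that merely sets ACK."""
    if is_inside(pkt.src):
        return True
    return "ACK" in pkt.flags


Key = Tuple[str, int, str, int]


class StatefulFilter:
    """State table: (inside ip, inside port, outside ip, outside port) -> state."""

    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}

    @staticmethod
    def key(pkt: Packet) -> Key:
        # Both directions of one connection map to the same table entry.
        if is_inside(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> bool:
        k = self.key(pkt)
        state = self.table.get(k)
        outbound = is_inside(pkt.src)
        if outbound and pkt.flags == {"SYN"} and state is None:
            self.table[k] = "SYN_SENT"          # new connection initiated from inside
            return True
        if not outbound and pkt.flags == {"SYN", "ACK"} and state == "SYN_SENT":
            self.table[k] = "SYN_RECEIVED"      # the reply we were expecting
            return True
        if state in ("SYN_RECEIVED", "ESTABLISHED") and "ACK" in pkt.flags:
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                del self.table[k]               # teardown: forget the connection
            else:
                self.table[k] = "ESTABLISHED"
            return True
        return False   # no entry in the expected state: drop


def run_scenario() -> Tuple[List[bool], List[bool], Dict[Key, str]]:
    """Constructed traffic: one real handshake plus two unsolicited inbound packets.
    Returns both filters' verdicts (True = pass) and the final state table."""
    client, server, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    seq = [
        Packet(client, 40000, server, 443, frozenset({"SYN"})),         # 1 client SYN
        Packet(server, 443, client, 40000, frozenset({"SYN", "ACK"})),  # 2 server SYN/ACK
        Packet(client, 40000, server, 443, frozenset({"ACK"})),         # 3 client ACK
        Packet(server, 443, client, 40000, frozenset({"ACK"})),         # 4 server data
        Packet(stranger, 443, client, 22, frozenset({"SYN", "ACK"})),   # 5 unsolicited SYN/ACK
        Packet(stranger, 53, client, 445, frozenset({"ACK"})),          # 6 stray ACK to 445
    ]
    sf = StatefulFilter()
    return ([static_filter(p) for p in seq], [sf.filter(p) for p in seq], dict(sf.table))
```

Packets 5 and 6 pass the static ruleset because they carry ACK, while the stateful filter drops them for lacking a matching table entry.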
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14563
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th Edition, Telecommunications and Network
Security, Page 630.
and
NIST Guidelines on Firewalls and Firewall Policy, Special Publication 800-4 Revision 1
Question 73
• Shoulder surfing
• Smurfing
Details:
The correct answer is: Shoulder surfing
Shoulder surfing is a form of passive attack involving stealing passwords, personal identification
numbers or other confidential information by looking over someone's shoulder. All other forms of attack
are active attacks, where a threat makes a modification to the system in an attempt to take advantage of
a vulnerability.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13589
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3:
Security Management Practices (page 63).
Question 74
• S-WAP
• WDP
• WSP
• WTLS
Details:
Wireless Transport Layer Security (WTLS) is a communication protocol that allows wireless devices to
send and receive encrypted information over the Internet. S-WAP is not defined. WSP (Wireless Session
Protocol) and WDP (Wireless Datagram Protocol) are part of Wireless Access Protocol (WAP).
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 173).
Question 75
• Eavesdropping
• Scanning
• Wiretapping
• Traffic analysis
Details:
Scanning is definitely a very active attack. The attacker makes use of a scanner to perform the
attack; the scanner sends a very large quantity of packets to the target in order to elicit responses
that allow the attacker to find information about the operating system, vulnerabilities, misconfigurations
and more. The packets being sent are sometimes attempting to identify whether a known vulnerability exists on
the remote hosts.
A passive attack is usually done in the footprinting phase of an attack. While doing passive
reconnaissance you never send a single packet to the destination target. You gather information from
public databases such as DNS servers, public information through search engines, financial
information from finance web sites, and technical information from mailing list archives or job postings, for
example.
The following are all incorrect answers because they are all passive attacks:
Traffic Analysis - Is the process of intercepting and examining messages in order to deduce information
from patterns in communication. It can be performed even when the messages are encrypted and
cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and
stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of
military intelligence or counter-intelligence, and is a concern in computer security.
Eavesdropping - Eavesdropping is another security risk posed to networks. Because of the way some
networks are built, anything that gets sent out is broadcast to everyone. Under normal circumstances,
only the computer that the data was meant for will process that information. However, hackers can set
up programs on their computers called "sniffers" that capture all data being broadcast over the network.
By carefully examining the data, hackers can often reconstruct real data that was never meant for them.
Some of the most damaging things that get sniffed include passwords and credit card information.
In the cryptographic context, eavesdropping and sniffing data as it passes over a network are considered
passive attacks because the attacker is not affecting the protocol, algorithm, key, message, or any parts
of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place
to try to prevent them rather than to detect and stop them. Altering messages, modifying system files,
and masquerading as another individual are acts that are considered active attacks because the attacker
is actually doing something instead of sitting back and gathering data. Passive attacks are usually used to
gain information prior to carrying out an active attack.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12691
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th Edition, Cryptography, Page 865
and
http://en.wikipedia.org/wiki/Attack_%28computing%29
and
http://www.wisegeek.com/what-is-wiretapping.htm
and
https://pangea.stanford.edu/computing/resources/network/security/risks.php
and
http://en.wikipedia.org/wiki/Traffic_analysis
Thanks to Neil Schworm for providing a new reference for this question.
I think there are two types of scanning which the question assumes.
(1) Active scanning: Active scanners send transmissions to the network's nodes, examining the
responses they receive to evaluate whether a specific node represents a weak point within the network.
A network administrator can also use an active scanner to simulate an attack on the network,
uncovering weaknesses a potential hacker would spot, or examine a node following an attack to
determine how a hacker breached security.
(2) Passive scanning: Passive scanners identify the active operating systems, applications and
ports throughout a network, monitoring activity to determine the network's vulnerabilities.
However, while passive scanners can provide information about weaknesses, they can't take action to
resolve security problems.
Question 76
A Wide Area Network (WAN) is basically everything outside of:
• the Internet.
Details:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 31234
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 99.
Question 77
Like an intranet, an extranet is a private network that uses which of the following?
• Internet packets.
• Internet patents.
• Internet ports.
• Internet protocols.
Like an intranet, an extranet is a private network that uses Internet protocols. An extranet normally
connects two companies using the Internet protocols. For example, sister companies,
partner companies, or clients of your organization can gain access to some of your data at your
discretion.
Extranet
An extranet differs from a DMZ (demilitarized network zone) in the following way: An extranet is made
available to authenticated connections that have been granted an access account to the resources in the
extranet. Conversely, a DMZ will host publicly available resources that must support unauthenticated
connections from just about any source, such as DNS servers and email servers.
Due to the need for companies to share large quantities of information, often in an automated fashion,
typically one company will grant the other controlled access to an isolated segment of its network to
exchange information through the use of an extranet.
Granting an external organization access to a network comes with significant risk. Both companies have
to be certain that the controls, both technical and nontechnical (e.g., operational and policy), effectively
minimize the risk of unauthorized access to information. Where access must be granted to external
organizations, additional controls such as deterministic routing can be applied upstream by service
providers. This sort of safeguard is relatively simple to employ and has significant advantages because
the ability for malicious entities to target an extranet for compromise leading to internal network
penetration is reduced. Companies that access extranets often treat the information within these
networks and their servers as “trusted”: confidential and possessing integrity (uncorrupted and valid).
However, these companies do not have control of each other’s security profile. Who knows what kind of
trouble a user can get into if he or she accesses supposedly trusted information through an extranet
from an organization whose network has been compromised? To mitigate this potential risk, security
architects and practitioners need to demand that certain security controls are in place before granting
access to an extranet.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 99.
Question 78
Which of the following Common Data Network Services is used to share data files and subdirectories on
file servers?
• File services.
• Print services.
• Mail services.
• Client/Server services.
Details:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 99.
Question 79
Which of the following Common Data Network Services is used to send and receive email internally or
externally through an email gateway device?
• Client/Server services.
• Mail services.
• Print services.
• File services.
Details:
Mail services send and receive email internally or externally through an email gateway device.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 99.
Question 80
Details:
The correct answer is: bits of data sequentially in irregular patterns
Asynchronous communications rely on a stop and start delimiter bit to manage the transmission of data.
Because of the use of delimiter bits and the stop and start nature of its transmission, asynchronous
communication is best suited for smaller amounts of data. Public switched telephone network (PSTN)
modems are good examples of asynchronous communication devices.
In asynchronous transmission each character is transmitted separately, that is one character at a time.
The character is preceded by a start bit, which tells the receiving end where the character coding begins,
and is followed by a stop bit, which tells the receiver where the character coding ends. There will be
intervals of idle time on the channel shown as gaps. Thus there can be gaps between two adjacent
characters in the asynchronous communication scheme. In this scheme, the bits within the character
frame (including start, parity and stop bits) are sent at the baud rate.
The START BIT and STOP BIT including gaps allow the receiving and sending computers to synchronise
the data transmission. Asynchronous communication is used when slow speed peripherals communicate
with the computer. The main disadvantage of asynchronous communication is slow speed transmission.
Asynchronous communication, however, does not require the complex and costly hardware equipment
that is required for synchronous transmission.
Asynchronous communication is transmission of data without the use of an external clock signal. Any
timing required to recover data from the communication symbols is encoded within the symbols. The
most significant aspect of asynchronous communications is variable bit rate, or that the transmitter and
receiver clock generators do not have to be exactly synchronized.
The asynchronous communication technique is a physical layer transmission technique which is most
widely used for personal computers providing connectivity to printers, modems, fax machines, etc.
An asynchronous link communicates data as a series of characters of fixed size and format. Each
character is preceded by a start bit and followed by 1-2 stop bits.
Parity is often added to provide some limited protection against errors occurring on the link.
Most Wide Area Networks use synchronous links and a more sophisticated link protocol.
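The start-bit / data / parity / stop-bit framing described above, as an added example (not code from the page or from any UART implementation). The bit order, the idle gap length and the injected channel faults are constructed; it shows why a single flipped bit is caught by parity, why a lost stop bit is a framing error, and why parity gives only limited protection (a two-bit error passes).

```python
"""Asynchronous character framing: start bit, 8 data bits, parity, stop bit(s).

Each character is sent LSB first with an idle line (all 1s) between characters.
The receiver has no shared clock: it waits for the 1->0 start transition and
then reads a fixed number of bits, checking parity and the stop bit(s).
"""
from typing import List, Optional, Tuple


def parity_bit(data_bits: List[int], parity: str) -> Optional[int]:
    """'none', 'even' or 'odd' parity over the data bits."""
    if parity == "none":
        return None
    ones = sum(data_bits)
    return (ones % 2) if parity == "even" else 1 - (ones % 2)


def frame_char(byte: int, parity: str = "even", stop_bits: int = 1) -> List[int]:
    data = [(byte >> i) & 1 for i in range(8)]   # LSB first
    bits = [0] + data                             # start bit is a 0
    p = parity_bit(data, parity)
    if p is not None:
        bits.append(p)
    return bits + [1] * stop_bits                 # stop bit(s) are 1s


def transmit(text: bytes, parity: str = "even", stop_bits: int = 1,
             idle_gap: int = 3) -> List[int]:
    """Serialise bytes onto the line; idle_gap 1s between characters are the
    'gaps' the explanation mentions: the sender may pause between characters."""
    line = [1] * idle_gap
    for b in text:
        line += frame_char(b, parity, stop_bits) + [1] * idle_gap
    return line


def receive(line: List[int], parity: str = "even",
            stop_bits: int = 1) -> Tuple[bytes, List[str]]:
    """Decode the line; returns the bytes and one status string per frame."""
    out, status, i = bytearray(), [], 0
    frame_len = 1 + 8 + (0 if parity == "none" else 1) + stop_bits
    while i < len(line):
        if line[i] == 1:              # idle: just wait for the next start bit
            i += 1
            continue
        frame = line[i:i + frame_len]
        if len(frame) < frame_len:
            status.append("truncated frame")
            break
        data, pos, err = frame[1:9], 9, "ok"
        if parity != "none":
            if frame[pos] != parity_bit(data, parity):
                err = "parity error"
            pos += 1
        if any(b != 1 for b in frame[pos:pos + stop_bits]):
            err = "framing error"     # expected stop bit missing: sync lost
        status.append(err)
        out.append(sum(bit << k for k, bit in enumerate(data)))
        i += frame_len
    return bytes(out), status


def corrupt_bits(line: List[int], *indexes: int) -> List[int]:
    """Constructed channel fault: flip the given bit positions on the line."""
    bad = list(line)
    for idx in indexes:
        bad[idx] ^= 1
    return bad
```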
Stewart, James M.; Chapple, Mike; Gibson, Darril (2015-09-11). CISSP (ISC)2 Certified Information
Systems Security Professional Official Study Guide (Kindle Locations 13277-13283). Wiley. Kindle Edition.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
http://en.wikipedia.org/wiki/Asynchronous_communication
http://www.erg.abdn.ac.uk/users/gorry/course/phy-pages/async.html
http://www.ligaturesoft.com/data_communications/async-data-transmission.html
Question 81
Which communication method is characterized by very high speed transmission rates that are governed
by electronic clock timing signals?
• Synchronous Communication.
• Automatic Communication.
• Asynchronous Communication.
Details:
This question falls under the heading of carrier networks or WAN connection technologies, of which
there are many protocols, but before you can discuss any specific protocol the concept of synchronous and
asynchronous communication must be understood. Let's start with a medium like a wire, fiber or radio
waves to transport data:
Asynchronous communications rely on a stop and start delimiter bit to manage the transmission of data.
Because of the use of delimiter bits and the stop and start nature of its transmission, asynchronous
communication is best suited for smaller amounts of data. Public switched telephone network (PSTN)
modems are good examples of asynchronous communication devices.
Automatic Communication - a spoof answer; not a form of communication with timing signals.
Full duplex Communication - In a full duplex system, both parties can communicate with each other
simultaneously. An example of a full-duplex device is a telephone; the parties at both ends of a call can
speak and be heard by the other party simultaneously. The earphone reproduces the speech of the
remote party as the microphone transmits the speech of the local party, because there is a two-way
communication channel between them, or more strictly speaking, because there are two
communication paths/channels between them (https://en.wikipedia.org/wiki/Duplex_%28telecommunications%29).
It is a type of communication system that may or may not use timing signals.
The New Official ISC2 Guide to the CISSP CBK Seventh Edition
Synchronous Communication - 7th Edition Study book kindle location 13276 or page 487
Asynchronous Communication - 7th Edition Study book kindle location 13276 or page 487
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
Some connection technologies in the 7th Edition Study Guide are Wan-14408, DTE-14420, DCE-14420,
PPP-14471, SLIP- , X.25-14419, Frame Relay-14442, ATM-14443, SMDS-14443
Question 82
Which of the following Common Data Network Services is used to print documents to a shared printer
or a print queue/spooler?
• Client/Server services.
• Print services.
• Mail services.
Details:
Print services are used to print documents to a shared printer or a print queue/spooler.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 100.
Question 83
Communication products and services that ensure network components (devices, protocols, access
methods) work together is referred to as:
• WAN Architecture.
• Multiprotocol Architecture.
• Network Architecture.
• Netware Architecture.
Details:
A Network Architecture refers to the communications products and services, which ensure that the
various components of a network (such as devices, protocols, and access methods) work together.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15266
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 101.
Question 84
In this type of attack, the intruder re-routes data traffic from a network device to a personal machine.
This diversion allows an attacker to gain access to critical resources and user credentials, such as
passwords, and to gain unauthorized access to critical systems of an organization. Pick the best choice
below.
Details:
Network address hijacking allows an attacker to reroute data traffic from a network device to a personal
computer.
Also referred to as session hijacking, network address hijacking enables an attacker to capture and
analyze the data addressed to a target system. This allows an attacker to gain access to critical resources
and user credentials, such as passwords, and to gain unauthorized access to critical systems of an
organization.
Session hijacking involves assuming control of an existing connection after the user has successfully
created an authenticated session. Session hijacking is the act of unauthorized insertion of packets into a
data stream. It is normally based on sequence number attacks, where sequence numbers are either
guessed or intercepted.
Network Address Supernetting - There is no such thing as Network Address Supernetting. However, a
supernetwork, or supernet, is an Internet Protocol (IP) network that is formed from the combination of
two or more networks (or subnets) with a common Classless Inter-Domain Routing (CIDR) prefix. The
new routing prefix for the combined network aggregates the prefixes of the constituent networks.
Network Address Sniffing - This is another bogus choice that sounds good but does not exist.
However, sniffing is a common attack used to capture cleartext passwords and other information sent unencrypted over
the network. Sniffing is accomplished using a sniffer, also called a protocol analyzer. A network sniffer
monitors data flowing over computer network links. It can be a self-contained software program or a
hardware device with the appropriate software or firmware programming. Also sometimes called
"network probes" or "snoops," sniffers examine network traffic, making a copy of the data but without
redirecting or altering it.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16314
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press )
(Kindle Locations 8641-8642). Auerbach Publications. Kindle Edition.
http://compnetworking.about.com/od/networksecurityprivacy/g/bldef_sniffer.htm
http://wiki.answers.com/Q/What_is_network_address_hijacking
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 239.
Question 85
What protocol in the list below is used as an email message transfer agent (MTA)?
• S/MIME
• S-RPC
• SMTP
• SNMP
Details:
A mail server (also known as a mail transfer agent or MTA, a mail transport agent, a mail router or an
Internet mailer) is an application that receives incoming e-mail from local users (people within the same
domain) and remote senders and forwards outgoing e-mail for delivery.
A computer dedicated to running such applications is also called a mail server. Microsoft Exchange,
qmail, Exim and sendmail are among the more common mail server programs.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12795
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 821.
http://searchsoa.techtarget.com/definition/mail-server
Question 86
• It is a firewall.
Details:
A bastion host is a special purpose computer on a network specifically designed and configured to
withstand attack. The computer hosts a single application, for example a proxy server, and all other
services are removed or limited to reduce the threat to the computer. It is hardened in this manner
primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ and
usually involves access from untrusted networks or computers.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14339
http://en.wikipedia.org/wiki/Bastion_host
Question 87
Which of the following protocols' primary function is to send messages between network devices
regarding the health of the network?
Details:
ICMP's primary function is to send messages between network devices regarding the health of the network.
ARP matches an IP address to an Ethernet address. RARP matches an Ethernet address to an IP
address. ICMP runs on top of IP.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12339
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 87.
Question 88
Which of the following is the protocol that provides for the collection of network information by polling
the devices on the network from a management station?
• File Transfer Protocol (FTP).
Details:
Simple Network Management Protocol (SNMP) is the protocol that provides for the collection of
network information by polling the devices on the network from a management station. FTP is the
protocol that is used to facilitate file transfer between two machines. SMTP is a protocol for sending e-
mail messages between servers. TFTP is a UDP-based file transfer program.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14973
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 88.
Question 89
Which of the following best describes the Secure Electronic Transaction (SET) protocol?
• Originated by VISA and MasterCard as an Internet credit card protocol using Message
Authentication Code.
• Originated by VISA and American Express as an Internet credit card protocol using SSL.
• Originated by VISA and MasterCard as an Internet credit card protocol using digital signatures.
• Originated by VISA and MasterCard as an Internet credit card protocol using the transport
layer.
Details:
The correct answer is: Originated by VISA and MasterCard as an Internet credit card protocol using
digital signatures
Secure Electronic Transaction (SET). Originated by VISA and MasterCard as an Internet credit card
protocol using digital signatures. SET operates at the application layer which distinguishes it from SSL.
SSL operates at the Transport layer.
Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the
Internet. It was supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a
user is given an electronic wallet (digital certificate) and a transaction is conducted and verified using a
combination of digital certificates and digital signatures among the purchaser, a merchant, and the
purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's Secure
Sockets Layer (SSL), Microsoft's Secure Transaction Technology (STT), and Terisa System's Secure
Hypertext Transfer Protocol (S-HTTP). SET uses some but not all aspects of a public key infrastructure
(PKI).
Assume that a customer has a SET-enabled browser such as Mozilla or Microsoft's Internet Explorer and
that the transaction provider (bank, store, etc.) has a SET-enabled server.
1. The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind
of bank.
2. The customer receives a digital certificate. This electronic file functions as a credit card for
online purchases or other transactions. It includes a public key with an expiration date. It has been
through a digital switch to the bank to ensure its validity.
3. Third-party merchants also receive certificates from the bank. These certificates include the
merchant's public key and the bank's public key.
4. The customer places an order over a Web page, by phone, or some other means.
5. The customer's browser receives and confirms from the merchant's certificate that the
merchant is valid.
6. The browser sends the order information. This message is encrypted with the merchant's public
key, the payment information, which is encrypted with the bank's public key (which can't be read by the
merchant), and information that ensures the payment can only be used with this particular order.
7. The merchant verifies the customer by checking the digital signature on the customer's
certificate. This may be done by referring the certificate to the bank or to a third-party verifier.
8. The merchant sends the order message along to the bank. This includes the bank's public key,
the customer's payment information (which the merchant can't decode), and the merchant's certificate.
9. The bank verifies the merchant and the message. The bank uses the digital signature on the
certificate with the message and verifies the payment part of the message.
10. The bank digitally signs and sends authorization to the merchant, who can then fill the order.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 31008
Mc Graw Hill, Shon Harris, CISSP All In One (AIO) Book, Sixth Edition, Pages 856-858
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Pages 89, 170.
Question 90
• Kerberos
Details:
The correct answer is: Secure HTTP (S-HTTP).
An early standard for encrypting HTTP documents, Secure HTTP (S-HTTP) is designed to send individual
messages securely. SSL is designed to establish a secure connection between two computers. SET was
originated by VISA and MasterCard as an Internet credit card protocol using digital signatures. Kerberos
is an authentication system.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 30666
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 89.
Question 91
Buffer overflow and boundary condition errors are subsets of which of the following?
Details:
In an input validation error, the input received by a system is not properly checked, resulting in a
vulnerability that can be exploited by sending a certain input sequence. There are two important types
of input validation errors: buffer overflows (input received is longer than expected input length) and
boundary condition error (where an input received causes the system to exceed an assumed boundary).
A race condition occurs when there is a delay between the time when a system checks to see if an
operation is allowed by the security model and the time when the system actually performs the
operation. In an access validation error, the system is vulnerable because the access control mechanism
is faulty. In an exceptional condition handling error, the system somehow becomes vulnerable due to an
exceptional condition that has arisen.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 25712
DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, March
2002 (page 105). Available at http://www.cccure.org.
Question 92
• SSL v2
• SSL v4
• SSL v3
• SSL v1
Details:
Secure Sockets Layer (SSL) is the technology used in most Web-based applications.
SSL version 2.0 supports strong authentication of the web server, but the authentication of the client
side only comes with version 3.0. SSL v4 is not a defined standard.
SSL 2.0 was the first publicly released version of SSL in 1995. This version of SSL contained a number of
security issues which led to the introduction of SSL 3.0. Because of the issues present in SSL 2.0, the
protocol is unsafe to use and should be completely disabled.
SSL 3.0 was released in 1996 with a complete redesign of the protocol but was never approved by the
IETF due to security issues.
Due to the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, SSL 3.0 is also
unsafe to use and should be disabled, in order to prevent a network attacker from recovering the
plaintext of secure connections. Furthermore, Elliptic Curve Cryptography cannot be used with SSL 3.0.
While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, most SSL/TLS
implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the
interest of a smooth user experience. Even if a client and server both support a version of TLS, the
SSL/TLS protocol suite allows for protocol version negotiation (referred to as the "downgrade
dance" in other reporting). The POODLE attack leverages the fact that when a secure connection attempt
fails, the connection will fall back to older protocols such as SSL 3.0. An attacker who can trigger a
connection failure can then force the use of SSL 3.0 and attempt the new attack.
SSL 3.0 should be disabled as explained later on. If, on the other hand, support for legacy browsers is
required, it is highly recommended to support TLS_FALLBACK_SCSV. This mechanism prevents protocol
downgrade attacks on the TLS protocol and thus prevents attackers from inducing browsers to use SSL
3.0.
THE ONE THING YOU SHOULD TAKE AWAY FROM THIS: It is a historical concept: attacks forcing web
servers to fall back to older protocols that are insecure have taken place over the past few years. In
short: do not use it!
Although the SSL 3.0 protocol is a widely implemented protocol, a pioneer in secure communications
protocols, and the basis for Transport Layer Security (TLS), it was never formally published or approved
by the IETF, except in several expired Internet Drafts.
This allowed no easy referencing to the protocol. We believe a stable reference to the original document
should exist and for that reason, this document describes what is known as the last published version of
the SSL 3.0 protocol, that is, the November 18, 1996, version of the protocol.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14004
http://tools.ietf.org/html/rfc6101
http://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
Question 93
In order to ensure the privacy and integrity of the data, connections between firewalls over public
networks should use:
• Encryption
• Digital certificates
• Screened subnets
Details:
Virtual Private Networks allow a trusted network to communicate with another trusted network over
untrusted networks such as the Internet.
Screened Subnet: A screened subnet is essentially the same as the screened host architecture, but adds
an extra stratum of security by creating a network on which the bastion host resides (often called the
perimeter network) which is separated from the internal network. A screened subnet will be deployed by
adding a perimeter network in order to separate the internal network from the external. This assures that
if there is a successful attack on the bastion host, the attacker is restricted to the perimeter network by
the screening router that is connected between the internal and perimeter network.
Digital Certificates: Digital Certificates will be used in the initial steps of establishing a VPN but they
would not provide the encryption and integrity by themselves.
Encryption: Even though this seems like a choice that would include the other choices, encryption by
itself does not provide integrity mechanisms. So encryption would satisfy only half of the requirements
of the question.
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume
1), 2000, CRC Press, Chapter 3, Secured Connections to External Networks (page 65).
Thanks to Richard Sieber for sending the note about the fact that VPN does not always imply
Confidentiality.
Thanks to Daniel Schatz for providing input to further improve this question
NOTE:
It is very important to realize that a VPN was the best choice in this case only because both Encryption
and Integrity had to be in place. Encryption by itself does not provide Integrity. However, that being
said, you could have a VPN link such as IPSEC that will only provide for Integrity using AH. So the word
VPN DOES NOT always imply confidentiality. Little nuances like this must be understood for the purpose
of the exam.
Question 94
Which layer of the TCP/IP protocol stack corresponds to the ISO/OSI Network layer (layer 3)?
• Session layer
• Internet layer
Details:
The Internet layer in the TCP/IP protocol stack corresponds to the network layer (layer 3) in the OSI/ISO
model. The host-to-host layer corresponds to the transport layer (layer 4) in the OSI/ISO model. The
Network access layer corresponds to the data link and physical layers (layers 2 and 1) in the OSI/ISO
model. The session layer is not defined in the TCP/IP protocol stack.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12285
WALLHOFF, John, CBK#2 Telecommunications and Network Security (CISSP Study Guide), April 2002
(page 1). Available at http://www.cccure.org.
Question 95
Of the given protocols which one is most closely associated with Best Effort packet delivery?
• IP
• TCP
• HTTP
• RSVP
Details:
The correct answer is: IP
This question is asking if you can choose from the given answers the one that has been labeled Best
Effort. So what does Best Effort mean?
The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-
switched internetwork. IP provides an unreliable service (i.e., best effort delivery). This means that the
network makes no guarantees about the packet. When datagrams are sent from device A to device B,
device A just sends each one and then moves on to the next. IP doesn't keep track of the ones it sent. It
does not provide reliability or service quality capabilities such as error protection for the data it sends
(though it does on the IP header), flow control or retransmission of lost datagrams.
Since the TCP/IP & OSI models are suites of protocols the term Best Effort may be assumed to be the
default for packet routing.
TCP - can provide reliable delivery of data. Reliable delivery includes error checking and recovery from
error or loss of data and so is not considered Best Effort.
HTTP - HyperText Transport Protocol, used to establish connections to a web server and thus one of the
higher-level protocols using TCP to ensure delivery of all bytes between the client and the server. It was
not a good choice according to the question presented and so is not considered Best Effort.
RSVP - a process for a response from the invited person or people. It is an initialism derived from the
French phrase "Répondez s'il vous plaît", meaning "Please respond". Maybe this is really Best Effort but
it is not the intended answer as it does not have anything to do with packet delivery.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 438 or Kindle Location 11980 Section titled: TCP/IP Protocol Suite Overview
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12534
http://en.wikipedia.org/wiki/Best_effort_delivery
http://en.wikipedia.org/wiki/Internet_Protocol
Thanks to Doug Rike and Arthor Press for providing feedback to improve this question.
Special thanks to Rafis Garipov for sending feedback indicating that Best Effort was not properly
described within the explanations. Here is the description provided by Rafis:
Best effort is a class of service and this is not dependent on the transport layer UDP or TCP. Transport
for voice is UDP protocol which uses TCP and we can change IP Precedence of IP datagram independent
of transport layer protocol.
http://www.techexams.net/forums/network/9131-tcp-vs-ip-question.html
IP carries TCP. I know the term TCP/IP is confusing. Try not to compare them that way. They are on
two different levels of the networking model. TCP/IP does not refer to two protocols (tcp and ip). TCP/IP
represents a "suite" of protocols (arp, ip, tcp, udp, icmp etc.)
Here's an example of how tcp and ip work together: Say I am in the middle of a telnet session, and I type
"a". Say "a" is one byte. "a" gets encapsulated by the transport layer. In this case, it's TCP since telnet
is designed to use this protocol (tcp) to communicate. Once the transport layer encapsulates it, it
becomes a segment. Just to re-state, it is so far at 21 bytes (20 byte tcp header plus 1 byte data).
The tcp header includes source and destination port number, options etc. The transport layer passes
down the "segment" to the network layer. The network layer receives the segment. It knows it has to
use IP to reach the other computer. How? It checks its local routing table and does not see an entry for
the dest IP. It encapsulates it with its own header. The header includes the source and dest IP address
etc. and any options. Once the network layer adds its own header, it becomes a datagram. The network
layer passes the ip datagram off to the physical layer, which "frames" the packet. This basically makes
it a complete "packet" at this point. It gets sent as electrical signals across the media (cat5 etc).
Note: If your computer realizes that the computer is not on your network, it will send it to the gateway.
The gateway will re-frame the packet and send it to the next hop.
So TCP is sometimes used (depending upon the application you're using). And IP is pretty much always
used nowadays. TCP basically is used when you need to guarantee delivery. It tracks each byte of data.
If each byte isn't received within a certain period of time, TCP will re-send it. Your best bet is to run a
sniffer while you watch traffic cross the wire.
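As an added example (not code from the original question, its references or the quoted forum post), the following Python builds the 21-byte TCP segment and the IPv4 datagram walked through above and computes the IPv4 header checksum, which shows in code what "best effort" means at the IP layer: the only error protection IP offers covers its own header, so a corrupted payload byte passes the IP check untouched and must be caught (if at all) by TCP. The addresses, ports and keystroke payload are constructed sample values.

```python
"""Added example: TCP-in-IPv4 encapsulation and the header-only IPv4 checksum.
Constructed values only; not from the original page."""
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of all
    16-bit words of the header, with the checksum field itself taken as zero.
    Running it over a header that already carries a valid checksum yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back in (one's complement)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_segment(src_port: int, dst_port: int, payload: bytes,
                      seq: int = 0, ack: int = 0, flags: int = 0x18) -> bytes:
    """20-byte TCP header (no options) + payload. flags 0x18 = PSH|ACK.
    The TCP checksum is left at zero here; the point is the IP-level check."""
    data_offset = 5 << 12                   # header length in 32-bit words, upper 4 bits
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         data_offset | flags, 65535, 0, 0)
    return header + payload


def build_ipv4_datagram(src_ip: str, dst_ip: str, segment: bytes,
                        ttl: int = 64, proto: int = 6, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header (version 4, IHL 5, protocol 6 = TCP) + segment."""
    total_length = 20 + len(segment)
    unsummed = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, 0,
                           ttl, proto, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    csum = ipv4_checksum(unsummed)
    header = unsummed[:10] + struct.pack("!H", csum) + unsummed[12:]
    return header + segment


def ipv4_header_ok(datagram: bytes) -> bool:
    """What a router does: verify the header, never the payload."""
    ihl = (datagram[0] & 0x0F) * 4
    return ipv4_checksum(datagram[:ihl]) == 0


def demo() -> tuple:
    """Returns (segment length, datagram length, check on the intact datagram,
    check after corrupting a payload byte, check after corrupting the TTL)."""
    segment = build_tcp_segment(40001, 23, b"a")              # telnet keystroke "a"
    datagram = build_ipv4_datagram("192.0.2.10", "192.0.2.20", segment)
    corrupted_payload = datagram[:-1] + b"b"                  # flip the data byte
    corrupted_header = datagram[:8] + bytes([datagram[8] ^ 0xFF]) + datagram[9:]
    return (len(segment), len(datagram), ipv4_header_ok(datagram),
            ipv4_header_ok(corrupted_payload), ipv4_header_ok(corrupted_header))
```

`demo()` returns `(21, 41, True, True, False)`: the 1-byte keystroke becomes a 21-byte segment and a 41-byte datagram, the damaged payload still looks fine to IP, and only damage to the header itself is detected. Anything stronger (retransmission, ordering, payload integrity) has to come from TCP or from the application.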
Question 96
Which layer of the OSI/ISO model handles physical addressing, network topology, line discipline, error
notification, orderly delivery of frames, and optional flow control?
• Session
• Physical
• Network
• Data link
Details:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242
ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999. Available at
http://www.cccure.org.
Question 97
• FTP
• DNS
• SMTP
• Telnet
Details:
DNS relies on connectionless UDP whereas services like FTP, Telnet and SMTP rely on TCP.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12714
ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999. Available at
http://www.cccure.org.
Question 98
How many bits of a MAC address uniquely identify a vendor, as provided by the IEEE?
• 16 bits
• 24 bits
• 6 bits
• 12 bits
Details:
The MAC address is 48 bits long, 24 of which identify the vendor, as provided by the IEEE. The other 24
bits are provided by the vendor.
A media access control address (MAC address) is a unique identifier assigned to network interfaces for
communications on the physical network segment. MAC addresses are used for numerous network
technologies and most IEEE 802 network technologies, including Ethernet. Logically, MAC addresses are
used in the media access control protocol sublayer of the OSI reference model.
MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are
stored in its hardware, such as the card's read-only memory or some other firmware mechanism. If
assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered
identification number and may be referred to as the burned-in address. It may also be known as an
Ethernet hardware address (EHA), hardware address or physical address. This can be contrasted to a
programmed address, where the host device issues commands to the NIC to use an arbitrary address.
An example is many SOHO routers, where the ISP grants access to only one MAC address (the one used
before the router was inserted), so the router must use that MAC address on its Internet-facing NIC.
Therefore the router administrator configures a MAC address to override the burned-in one.
A network node may have multiple NICs and each must have one unique MAC address per NIC.
See the diagram from Wikipedia (linked below) showing the format of a MAC address.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12283
http://en.wikipedia.org/wiki/MAC_address
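As an added example (not code from the original question or from Wikipedia), the following Python splits a MAC address into the 24-bit IEEE-assigned OUI and the 24-bit vendor-assigned part, and reads the two flag bits of the first octet that distinguish a burned-in (universally administered) address from a locally programmed one. The sample addresses and the two-entry OUI table are constructed for the example; a real lookup would use the full IEEE registry file.

```python
"""Added example: MAC address structure (OUI / NIC-specific / flag bits).
Constructed sample data; not from the original page."""
import re

# Constructed two-line excerpt standing in for the IEEE OUI registry.
OUI_TABLE = {
    "00:00:0C": "Cisco Systems",
    "00:50:56": "VMware",
}


def is_valid_mac(mac: str) -> bool:
    """True for 12 hex digits with optional ':' / '-' / '.' separators."""
    return re.fullmatch(r"[0-9A-Fa-f]{12}", re.sub(r"[:\-.]", "", mac.strip())) is not None


def parse_mac(mac: str) -> dict:
    """Accepts 00:1A:2B:3C:4D:5E, 00-1A-2B-3C-4D-5E or 001A.2B3C.4D5E forms."""
    if not is_valid_mac(mac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(re.sub(r"[:\-.]", "", mac.strip()))
    first = octets[0]
    oui = ":".join(f"{b:02X}" for b in octets[:3])
    return {
        "oui": oui,                                                 # upper 24 bits, IEEE-assigned
        "nic_specific": ":".join(f"{b:02X}" for b in octets[3:]),  # lower 24 bits, vendor-assigned
        "multicast": bool(first & 0x01),                            # I/G bit: group address
        "locally_administered": bool(first & 0x02),                 # U/L bit: programmed, not burned-in
        "vendor": OUI_TABLE.get(oui, "unknown (not in this excerpt)"),
    }


def describe(mac: str) -> str:
    """One-line classification of the kind an inventory or NAC tool would log."""
    m = parse_mac(mac)
    if m["multicast"]:
        return f"{mac}: multicast/group address (not a single NIC)"
    if m["locally_administered"]:
        return f"{mac}: locally administered, OUI {m['oui']} is not an IEEE vendor assignment"
    return f"{mac}: universally administered, OUI {m['oui']} = {m['vendor']}"
```

The U/L bit only flags addresses that were generated locally (the second-lowest bit of the first octet set, as in `02-00-5E-10-00-01`). The SOHO router case above, where a burned-in address from another NIC is copied onto the router, keeps that bit clear, so an OUI lookup alone cannot tell a cloned address from the original; that needs correlation with switch port, DHCP lease or ARP history.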
Question 99
• Maximum of 15 hops
Details:
RIP is a distance vector routing protocol. It offers no security and is an Interior (not Exterior) Gateway
protocol. It is not the most efficient, with route broadcasts every 30 seconds. The lowest cost route is
always best and a cost of 16 is unreachable.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12302
ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999. Available at
http://www.cccure.org.
Question 100
• Vulnerability to IP spoofing.
Details:
An important point about packet filtering firewalls is that their speed and flexibility, as well as their
capacity to block some denial-of-service and related attacks, make them ideal for placement at the
outermost boundary with an untrusted network.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14564
WACK, John et al., NIST Special publication 800-41, Guidelines on Firewalls and Firewall Policy, January
2002 (page 7).
and
Shon Harris All In One Book Version 6 Page 630-632 "Packet Filtering Firewalls"
Question 101
• Authentication
• Ability to automate
• Speed of negotiation
Details:
TFTP (Trivial File Transfer Protocol) is sometimes used to transfer configuration files from equipment
such as routers, but the primary difference between FTP and TFTP is that TFTP does not require
authentication. Speed and the ability to automate are not important here.
Both of these protocols (FTP and TFTP) can be used for transferring files across the Internet. The
differences between the two protocols are explained below:
• FTP is a complete, session-oriented, general purpose file transfer protocol. TFTP is used as a
bare-bones special purpose file transfer protocol.
• FTP can be used interactively. TFTP allows only unidirectional transfer of files.
• FTP depends on TCP, is connection oriented, and provides reliable control. TFTP depends on
UDP, requires less overhead, and provides virtually no control.
• FTP uses well-known TCP port numbers: 20 for data and 21 for connection dialog. TFTP uses
UDP port number 69 for its file transfer activity.
• The Windows NT FTP server service does not support TFTP because TFTP does not support
authentication.
• Windows 95 and TCP/IP-32 for Windows for Workgroups do not include a TFTP client program.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12852
http://support.microsoft.com/kb/102737
Question 102
In a SSL session between a client and a server, who is responsible for generating the master secret that
will be used as a seed to generate the symmetric keys that will be used during the session?
Details:
Once the merchant server has been authenticated by the browser client, the browser generates a
master secret that is to be shared only between the server and client. This secret serves as a seed to
generate the session (private) keys. The master secret is then encrypted with the merchant's public key
and sent to the server. The fact that the master secret is generated by the client's browser provides the
client assurance that the server is not reusing keys that would have been used in a previous session with
another client.
See below the SSL session step by step from the Microsoft website at:
https://support.microsoft.com/en-us/kb/257591
The steps involved in the SSL handshake are as follows (note that the following steps assume the use of
the cipher suites listed in Cipher Suites with RSA Key Exchange: Triple DES, RC4, RC2, DES):
1. The client sends the server the client's SSL version number, cipher settings, session-specific data,
and other information that the server needs to communicate with the client using SSL.
2. The server sends the client the server's SSL version number, cipher settings, session-specific
data, and other information that the client needs to communicate with the server over SSL. The server
also sends its own certificate, and if the client is requesting a server resource that requires client
authentication, the server requests the client's certificate.
3. The client uses the information sent by the server to authenticate the server (see Server
Authentication for details). If the server cannot be authenticated, the user is warned of the problem and
informed that an encrypted and authenticated connection cannot be established. If the server can be
successfully authenticated, the client proceeds to step 4.
4. Using all data generated in the handshake thus far, the client (with the cooperation of the
server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it
with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the
encrypted pre-master secret to the server.
5. If the server has requested client authentication (an optional step in the handshake), the client
also signs another piece of data that is unique to this handshake and known by both the client and
server. In this case, the client sends both the signed data and the client's own certificate to the server
along with the encrypted pre-master secret.
6. If the server has requested client authentication, the server attempts to authenticate the client
(see Client Authentication for details). If the client cannot be authenticated, the session ends. If the
client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret,
and then performs a series of steps (which the client also performs, starting from the same pre-master
secret) to generate the master secret.
7. Both the client and the server use the master secret to generate the session keys, which are
symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify
its integrity (that is, to detect any changes in the data between the time it was sent and the time it is
received over the SSL connection).
8. The client sends a message to the server informing it that future messages from the client will
be encrypted with the session key. It then sends a separate (encrypted) message indicating that the
client portion of the handshake is finished.
9. The server sends a message to the client informing it that future messages from the server will
be encrypted with the session key. It then sends a separate (encrypted) message indicating that the
server portion of the handshake is finished.
10. The SSL handshake is now complete and the session begins. The client and the server use the
session keys to encrypt and decrypt the data they send to each other and to validate its integrity.
11. This is the normal operation condition of the secure channel. At any time, due to internal or
external stimulus (either automation or user intervention), either side may renegotiate the connection,
in which case, the process repeats itself.
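As an added example (not code from the original question or from Microsoft's article), the following Python carries steps 4, 6 and 7 above through in code: the client builds the pre-master secret, both sides derive the same master secret from it together with the two hello randoms, and each side cuts the session keys from the key block. The derivation used is the TLS 1.0 PRF of RFC 2246, the IETF successor to SSL 3.0 (SSL 3.0's own MD5/SHA-1 mixing differs in detail); the RSA encryption that wraps the pre-master secret on the wire is stood in for by handing the bytes across directly. All randoms are constructed values so the run is repeatable.

```python
"""Added example: pre-master secret -> master secret -> session keys, using the
TLS 1.0 PRF (RFC 2246). Constructed inputs; not from the original page."""
import hmac
import os


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion: HMAC(secret, A(i) + seed) for i = 1, 2, ... where
    A(0) = seed and A(i) = HMAC(secret, A(i-1)), concatenated to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed), where S1 and
    S2 are the two halves of the secret (sharing the middle byte if odd)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def client_pre_master_secret(client_version=(3, 1), entropy: bytes = None) -> bytes:
    """Step 4: the client builds the 48-byte pre-master secret
    (2-byte client version followed by 46 random bytes)."""
    entropy = os.urandom(46) if entropy is None else entropy
    if len(entropy) != 46:
        raise ValueError("pre-master secret needs exactly 46 random bytes")
    return bytes(client_version) + entropy


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 6: the same computation on both ends, from the same three inputs."""
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(master: bytes, client_random: bytes, server_random: bytes,
                 mac_len: int = 20, key_len: int = 16, iv_len: int = 16) -> dict:
    """Step 7: expand the master secret into the key block and cut it into the
    six per-direction values (sizes here fit AES-128-CBC with HMAC-SHA1).
    Note the seed order is reversed relative to the master secret derivation."""
    block = tls10_prf(master, b"key expansion", server_random + client_random,
                      2 * (mac_len + key_len + iv_len))
    layout = [("client_write_mac", mac_len), ("server_write_mac", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def handshake_demo() -> tuple:
    """Constructed handshake: client and server end with identical master
    secret and keys although the master secret itself never crosses the wire."""
    client_random = bytes(range(32))                          # constructed ClientHello.random
    server_random = bytes(range(32, 64))                      # constructed ServerHello.random
    pre_master = client_pre_master_secret(entropy=bytes(46))  # constructed entropy
    # In the real protocol the server receives pre_master RSA-encrypted under its
    # certificate's public key and recovers it with its private key (step 6).
    client_master = master_secret(pre_master, client_random, server_random)
    server_master = master_secret(pre_master, client_random, server_random)
    return (client_master,
            session_keys(client_master, client_random, server_random),
            session_keys(server_master, client_random, server_random))
```

Because the client contributes both its own random and the whole pre-master secret, a server cannot steer two sessions onto the same keys even if it reused its server random; changing either input changes every derived key, which is the assurance the explanation above refers to.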
ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 6: Cryptography (page 112).
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, page 569.
Question 103
During the initial stage of configuration of your firewall, which of the following rules appearing in an
Internet firewall policy is inappropriate?
• The firewall shall be configured to deny all services not expressly permitted.
• Appropriate firewall documentation and a copy of the rulebase shall be maintained on offline
storage at all times.
Correct Answer is: The firewall should be tested online first to validate proper configuration.
Details:
The correct answer is: The firewall should be tested online first to validate proper configuration.
New firewalls should be tested and evaluated before deployment to ensure that they are working
properly. Testing should be completed on a test network without connectivity to the production
network. This test network should attempt to replicate the production network as faithfully as possible,
including the network topology and network traffic that would travel through the firewall. Aspects of the
solution to evaluate include the following:
Connectivity
Ruleset
Traffic that is specifically allowed by the security policy is permitted. All traffic that is not allowed by the
security policy is blocked. Verification of the ruleset should include both reviewing it manually and
testing whether the rules work as expected.
Application Compatibility
Host-based or personal firewall solutions do not break or interfere with the use of existing software
applications. This includes network communications between application components. Network firewall
solutions do not interfere with applications that have components that interact through the firewall
(e.g., client and server software).
Management
Administrators can configure and manage the solution effectively and securely.
Logging
Logging and data management function in accordance with the organization’s policies and strategies.
Performance
Solutions provide adequate performance during normal and peak usage. In many cases, the best way to
test performance under the load of a prototype implementation is to use simulated traffic generators on
a live test network to mimic the actual characteristics of expected traffic as closely as possible.
Simulating the loads caused by DoS attacks can also be helpful in assessing firewall performance. Testing
should incorporate a variety of applications that will traverse the firewall, especially those that are most
likely to be affected by network throughput or latency issues.
The firewall implementation itself may contain vulnerabilities and weaknesses that attackers could
exploit. Organizations with high security needs may want to perform vulnerability assessments against
firewall components.
Component Interoperability
Components of the firewall solution must function together properly. This is of greatest concern when a
variety of components from different vendors are used.
Policy Synchronization
If there are multiple firewalls running synchronized policies or groups of rules, test that the
synchronization works in various scenarios (such as if one or more nodes are offline).
Additional Features
Additional features that will be used by the firewall, such as VPN and antimalware capabilities, should
be tested to ensure they are working properly.
If a firewall needs to be brought down for reconfiguration, Internet services should be disabled or a
secondary firewall should be made operational; internal systems should not be connected to the
Internet without a firewall.
After being reconfigured and tested, the firewall must be brought back into an operational and reliable
state.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14539
GUTTMAN, Barbara & BAGWILL, Robert, NIST Special Publication 800-xx, Internet Security Policy: A
Technical Guide, Draft Version, May 25, 2000 (pages 76-78).
and
NIST SP 800-41-Rev1, Guidelines on Firewalls and Firewall Policy
Exam Tip:
This is another negative question. So far I have received about half a dozen messages telling me this
question is wrong. It is fine, just ensure that you do understand what they are looking for. In this case
they are looking at the one choice that would be wrong. You never test a firewall online, you always do
your testing offline.
Question 104
• PVC
• Teflon
• Kevlar
• Glass fibers
Details:
The correct answer is: Glass fibers
Fiber optic cables have an outer insulating jacket made of Teflon or PVC; Kevlar fiber, which helps to
strengthen the cable and prevent breakage; and plastic coatings, used to cushion the fiber center. The
center (core) of the cable is made of glass or plastic fibers.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 11747
ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 3: Telecommunications and Network
Security (page 31).
Question 105
• SSL v2
• SSL v3
• SSL v4
• SSL v1
Details:
Secure Sockets Layer (SSL) is the technology used in most Web-based applications.
SSL version 2.0 supports strong authentication of the web server, but the authentication of the client
side only comes with version 3.0. SSL v4 is not a defined standard.
SSL 2.0 was the first publicly released version of SSL in 1995. This version of SSL contained a number of
security issues which led to the introduction of SSL 3.0. Because of the issues present in SSL 2.0, the
protocol is unsafe to use and should be completely disabled.
SSL 3.0 was released in 1996 with a complete redesign of the protocol but was never approved by the
IETF due to security issues.
Due to the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, SSL 3.0 is also
unsafe to use and should be disabled, in order to prevent a network attacker from recovering the
plaintext of secure connections. Furthermore, Elliptic Curve Cryptography cannot be used with SSL 3.0.
While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, most SSL/TLS
implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the
interest of a smooth user experience. Even if a client and server both support a version of TLS, the
SSL/TLS protocol suite allows for protocol version negotiation (referred to as the "downgrade
dance" in other reporting). The POODLE attack leverages the fact that when a secure connection attempt
fails, the connection will fall back to older protocols such as SSL 3.0. An attacker who can trigger a
connection failure can then force the use of SSL 3.0 and attempt the new attack.
SSL 3.0 should be disabled as explained later on. If, on the other hand, support for legacy browsers is
required, it is highly recommended to support TLS_FALLBACK_SCSV. This mechanism prevents protocol
downgrade attacks on the TLS protocol and thus prevents attackers from inducing browsers to use SSL
3.0.
THE ONE THING YOU SHOULD TAKE AWAY FROM THIS: It is a historical concept: attacks forcing web
servers to fall back to older protocols that are insecure have taken place over the past few years. In
short: do not use it!
Although the SSL 3.0 protocol is a widely implemented protocol, a pioneer in secure communications
protocols, and the basis for Transport Layer Security (TLS), it was never formally published or approved
by the IETF, except in several expired Internet Drafts.
This allowed no easy referencing to the protocol. We believe a stable reference to the original document
should exist and for that reason, this document describes what is known as the last published version of
the SSL 3.0 protocol, that is, the November 18, 1996, version of the protocol.
http://tools.ietf.org/html/rfc6101
http://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
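As an added example for the SSL 3.0 discussion in Question 92 and Question 105 (not code from the original questions, RFC 7507 or the Acunetix article), the following Python simulates the "downgrade dance" described above with and without TLS_FALLBACK_SCSV. The protocol version numbers, the SCSV value (0x5600), the cipher suite id and the alert codes are the real constants from the TLS RFCs; the server configurations and the "failed attempts" counter standing in for a network attacker who breaks the first connections are constructed for the example.

```python
"""Added example: simulated TLS version fallback and the RFC 7507 SCSV check.
Constructed server configurations; not from the original page."""

SSLv3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600              # signalling cipher suite value (RFC 7507)
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F   # an ordinary suite so the offer looks realistic
ALERT_PROTOCOL_VERSION = 70             # TLS alert protocol_version
ALERT_INAPPROPRIATE_FALLBACK = 86       # TLS alert inappropriate_fallback


def server_hello(supported: set, client_version: int, cipher_suites: list,
                 honors_scsv: bool) -> tuple:
    """Server side of version negotiation for one ClientHello.
    Returns ("server_hello", negotiated_version) or ("alert", alert_code)."""
    highest = max(supported)
    # RFC 7507: the SCSV says "this is a retry after a failure". If the client is
    # asking for less than we could do, the failure was not ours: refuse.
    if honors_scsv and TLS_FALLBACK_SCSV in cipher_suites and client_version < highest:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    if client_version < min(supported):
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("server_hello", min(client_version, highest))


def downgrade_dance(server_supported: set, honors_scsv: bool,
                    client_supported=(TLS12, TLS11, TLS10, SSLv3),
                    failed_attempts: int = 0) -> tuple:
    """Client side: offer the highest version first; after each attempt that
    never completes, retry one version lower and add the SCSV to the offer.
    `failed_attempts` is the constructed stand-in for an attacker who makes the
    first n connection attempts fail (a reset, a dropped packet, a timeout)."""
    for attempt, version in enumerate(sorted(client_supported, reverse=True)):
        suites = [TLS_RSA_WITH_AES_128_CBC_SHA]
        if attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)    # mark this offer as a fallback retry
        if attempt < failed_attempts:
            continue                            # handshake never reached the server
        return server_hello(server_supported, version, suites, honors_scsv)
    return ("failed", None)


def scenarios() -> dict:
    """Four constructed server configurations against the same client."""
    modern = {TLS10, TLS11, TLS12}              # SSL 3.0 disabled outright
    legacy = {SSLv3, TLS10, TLS11, TLS12}       # keeps SSL 3.0 for old browsers
    return {
        "no_interference": downgrade_dance(legacy, honors_scsv=False),
        "legacy_no_scsv_forced_to_sslv3": downgrade_dance(legacy, False, failed_attempts=3),
        "legacy_with_scsv_refuses": downgrade_dance(legacy, True, failed_attempts=3),
        "sslv3_disabled_no_scsv": downgrade_dance(modern, False, failed_attempts=3),
    }
```

`scenarios()` shows the three outcomes that matter for the question: a legacy server without SCSV support ends up on `0x0300` (SSL 3.0) after three broken attempts, the same server honoring the SCSV answers the retry with alert 86 and the session never reaches SSL 3.0, and a server with SSL 3.0 disabled refuses with alert 70 whatever the client offers. The SCSV only helps when both client and server implement it; disabling SSL 3.0 on the server needs no cooperation from the client, which is why the explanation above puts it first.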
Question 106
In order to ensure the privacy and integrity of the data, connections between firewalls over public
networks should use:
• Encryption
• Digital certificates
• Screened subnets
Details:
Virtual Private Networks allow a trusted network to communicate with another trusted network over
untrusted networks such as the Internet.
Screened Subnet: A screened subnet is essentially the same as the screened host architecture, but adds
an extra stratum of security by creating a network in which the bastion host resides (often called the
perimeter network) and which is separated from the internal network. A screened subnet is deployed by
adding a perimeter network in order to separate the internal network from the external one. This
ensures that if there is a successful attack on the bastion host, the attacker is restricted to the
perimeter network by the screening router that sits between the internal and perimeter networks.
Digital Certificates: Digital certificates are used in the initial steps of establishing a VPN, but they
would not provide the encryption and integrity by themselves.
Encryption: Even though this seems like a choice that would include the other choices, encryption by
itself does not provide integrity mechanisms. So encryption would satisfy only half of the requirements
of the question.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14864
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume
1), 2000, CRC Press, Chapter 3, Secured Connections to External Networks (page 65).
Thanks to Richard Sieber for sending the note about the fact that VPN does not always imply
Confidentiality
Thanks to Daniel Schatz for providing input to further improve this question
NOTE:
It is very important to realize that a VPN was the best choice in this case only because both Encryption
and Integrity had to be in place. Encryption by itself does not provide Integrity. However, that being
said, you could have a VPN link such as IPSEC that will only provide for Integrity using AH. So the word
VPN DOES NOT always imply confidentiality. Little nuances like this must be understood for the purpose
of the exam.
Question 107
Which of the following protocols does not operate at the data link layer (layer 2)?
• L2F
• ICMP
• PPP
• RARP
Details:
ICMP is the only one of the listed protocols that operates at the network layer (layer 3). The other
protocols operate at layer 2.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12339
WALLHOFF, John, CBK#2 Telecommunications and Network Security (CISSP Study Guide), April 2002
(page 1). Available at http://www.cccure.org.
Thanks to Roger Fraumann for doing research about where things fit within the OSI model.
The answers selected within the quiz are as per the Official Study guide from ISC2 (referred to as the
OIG).
Roger Fraumann was kind enough to do a lot of research on this topic; a summary of his findings follows:
=============
RARP (Layer 2)
Official (ISC)2 Guide to the CISSP CBK Second Edition, 2010, Harold F. Tipton
On Page 782, within the ISO oriented discussion of layers, Layer 2: Data-Link Layer refers to PPP and
ARP, at the tail end of the discussion of Layer 2 saying "Given a layer 3 IP Address of a device, ARP
determines the device's layer 2 MAC address." and is silent on RARP, which does the reverse.
The CISSP and CAP Prep Guide, Platinum Edition, 2007 Ronald L Kurtz and Russell Dean Vines
On page 102, examples of Data Link Layer protocols are: ARP, SLIP, PPP. However, on page 104,
within the TCP/IP oriented discussion of layers, it refers to examples in the TCP/IP Internet Layer as: IP,
ARP, RARP, ICMP. (For the purposes of the CISSP exam, it may be safer to assume RARP is considered
a Layer 2 protocol.)
ALL IN ONE CISSP Exam Guide, Fifth Edition, 2010, Shon Harris
On page 498, Data Link Layer protocols are listed to include: ARP, RARP, PPP and SLIP
On page 534, Shon explains ARP as: "When the data link layer receives a frame, the network layer
has already attached the destination IP address to it, but the data link layer cannot understand the IP
address and this invokes ARP for help..." By the act of the network layer invoking ARP, it is viewed as
=============
PPP (Layer 2)
Official (ISC)2 Guide to the CISSP CBK Second Edition, 2010, Harold F. Tipton
On Page 782, within the ISO oriented discussion of layers, Layer 2: Data Link Layer refers to PPP and
ARP.
The CISSP and CAP Prep Guide, Platinum Edition, 2007 Ronald L Kurtz and Russell Dean Vines
On Page 102, examples of Data Link Layer protocols are: ARP, SLIP, PPP
ALL IN ONE CISSP Exam Guide, Fifth Edition, 2010, Shon Harris
On page 498, Data Link Layer protocols are listed to include: ARP, RARP, PPP and SLIP
=============
L2F (Layer 2)
Official (ISC)2 Guide to the CISSP CBK Second Edition, 2010, Harold F. Tipton
ALL IN ONE CISSP Exam Guide, Fifth Edition, 2010, Shon Harris
=============
ICMP (Layer 3)
Official (ISC)2 Guide to the CISSP CBK Second Edition, 2010, Harold F. Tipton
On page 809, Transport Layer "... relies on the correct addressing (routing) of information happening on
layer 3..." ICMP is mentioned specifically on page 809, but a specific reference to where it sits in the stack
is not stated.
The CISSP and CAP Prep Guide, Platinum Edition, 2007 Ronald L Kurtz and Russell Dean Vines
On page 101, examples of Network Layer protocols are: IP, OSPF, ICMP, RIP
ALL IN ONE CISSP Exam Guide, Fifth Edition, 2010, Shon Harris
On page 497, Network Layer protocols are listed to include: IP, ICMP, IGMP, RIP, OSPF, IPX
Question 108
Details:
The OSI/ISO Data Link layer is made up of two sub-layers; (1) the Media Access Control layer refers
downward to lower layer hardware functions and (2) the Logical Link Control refers upward to higher
layer software functions. Other choices are distracters.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242
ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999. Available at
http://www.cccure.org.
Question 109
How many bits of a MAC address uniquely identify a vendor, as provided by the IEEE?
• 24 bits
• 16 bits
• 6 bits
• 12 bits
Details:
The MAC address is 48 bits long, 24 of which identify the vendor, as provided by the IEEE. The other 24
bits are provided by the vendor.
A media access control address (MAC address) is a unique identifier assigned to network interfaces for
communications on the physical network segment. MAC addresses are used for numerous network
technologies and most IEEE 802 network technologies, including Ethernet. Logically, MAC addresses are
used in the media access control protocol sublayer of the OSI reference model.
MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are
stored in its hardware, such as the card's read-only memory or some other firmware mechanism. If
assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered
identification number and may be referred to as the burned-in address. It may also be known as an
Ethernet hardware address (EHA), hardware address or physical address. This can be contrasted with a
programmed address, where the host device issues commands to the NIC to use an arbitrary address.
An example is many SOHO routers, where the ISP grants access to only one MAC address (the one in use
before the router was inserted), so the router must use that MAC address on its Internet-facing NIC.
Therefore the router administrator configures a MAC address to override the burned-in one.
A network node may have multiple NICs and each must have one unique MAC address per NIC.
See the diagram from Wikipedia showing the format of a MAC address:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12283
http://en.wikipedia.org/wiki/MAC_address
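As an added illustration of the 24/24 split described above (this code is not part of the question or of the Wikipedia article), the following Python splits a 48-bit MAC address into the IEEE-assigned vendor part (OUI) and the vendor-assigned NIC part, and also reads the two flag bits of the first octet that distinguish a locally administered (programmed) address from a burned-in one and a multicast address from a unicast one. The MAC addresses used in the usage lines are constructed sample values, not real vendor assignments, and no OUI-to-vendor lookup table is included.

```python
# Added example: decompose a MAC address into its IEEE-assigned and vendor-assigned halves.
SEPARATORS = ":-."


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco-style 'aabb.ccdd.eeff'
    and return the six raw octets. Rejects anything that is not exactly 48 bits."""
    hexdigits = "".join(c for c in mac.strip() if c not in SEPARATORS)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)          # raises ValueError on non-hex characters


def oui(mac: str) -> str:
    """First 24 bits: the Organizationally Unique Identifier assigned to the vendor by the IEEE."""
    return parse_mac(mac)[:3].hex(":").upper()


def nic_specific(mac: str) -> str:
    """Last 24 bits: chosen by the vendor, unique per interface within that OUI."""
    return parse_mac(mac)[3:].hex(":").upper()


def is_locally_administered(mac: str) -> bool:
    """Second-least-significant bit of the first octet (the U/L bit) is set on addresses that
    were programmed by an administrator rather than burned in by the manufacturer.
    A host can set any bits it likes, so this is a convention, not a guarantee."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """Least-significant bit of the first octet (the I/G bit) is set on group (multicast) addresses."""
    return bool(parse_mac(mac)[0] & 0x01)


def describe(mac: str) -> dict:
    return {
        "oui": oui(mac),
        "nic": nic_specific(mac),
        "locally_administered": is_locally_administered(mac),
        "multicast": is_multicast(mac),
    }


if __name__ == "__main__":
    # Constructed sample addresses; the OUIs below are not claimed to belong to any vendor.
    for sample in ("00:1A:2B:3C:4D:5E", "02-1A-2B-3C-4D-5E", "011a.2b3c.4d5e"):
        print(sample, describe(sample))
```

On an asset inventory or in NAC logs, the U/L bit is a cheap first check: a burned-in address from a registered OUI and a locally administered one cannot be told apart on the wire in any other way, which is the same property the SOHO-router MAC override above depends on.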
Question 110
Which of the following characteristics does not apply to RIP?
• Maximum of 15 hops
Details:
RIP is a distance vector routing protocol. It offers no security and is an Interior (not Exterior) Gateway
protocol. It is not the most efficient, with route broadcasts every 30 seconds. The lowest cost route is
always best and a cost of 16 is unreachable.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12302
ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999. Available at
http://www.cccure.org.
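To show why "a cost of 16 is unreachable" follows from the 15-hop maximum, here is an added distance vector simulation (not from the question text or the cited references). It applies RIP-style updates with hop-count metrics and split horizon, then converges a chain of routers: a destination 15 hops away is learned, one 16 hops away is not. The router names, the link layout and the convergence loop are assumptions made for the simulation; the code also trusts every neighbour's advertisement, mirroring the "no security" property the answer mentions.

```python
# Added example: RIP-style distance vector updates with the hop-count limit of 15.
RIP_INFINITY = 16   # metric 16 means "unreachable"; the best usable metric is 15 hops


def rip_apply_response(table, neighbor, advertised):
    """Merge one RIP response from `neighbor` into this router's table.
    table: destination -> (metric, next_hop); advertised: destination -> neighbor's metric.
    No authentication is checked here, exactly as in RIPv1: any neighbour is believed."""
    changed = False
    for dest, metric in advertised.items():
        new_metric = min(metric + 1, RIP_INFINITY)     # one more hop via this neighbour
        current = table.get(dest)
        if current is None:
            if new_metric < RIP_INFINITY:              # never install an unreachable route
                table[dest] = (new_metric, neighbor)
                changed = True
        elif new_metric < current[0] or (current[1] == neighbor and new_metric != current[0]):
            # better route, or the route we already use via this neighbour changed cost
            table[dest] = (new_metric, neighbor)
            changed = True
    return changed


def converge(links):
    """links: router -> list of directly connected routers. Exchange full tables between
    neighbours (with split horizon) until no table changes; return all routing tables."""
    tables = {r: {r: (0, None)} for r in links}
    while True:
        changed = False
        for router, neighbors in links.items():
            for n in neighbors:
                # split horizon: do not advertise back routes learned from that neighbour
                adv = {d: m for d, (m, nh) in tables[n].items() if nh != router}
                changed |= rip_apply_response(tables[router], n, adv)
        if not changed:
            return tables


def chain(n):
    """Build a straight line of n routers R0 - R1 - ... - R(n-1)."""
    routers = [f"R{i}" for i in range(n)]
    links = {r: [] for r in routers}
    for a, b in zip(routers, routers[1:]):
        links[a].append(b)
        links[b].append(a)
    return links


if __name__ == "__main__":
    tables = converge(chain(17))
    print("R0 -> R15:", tables["R0"].get("R15"))   # 15 hops, reachable
    print("R0 -> R16:", tables["R0"].get("R16"))   # 16 hops, not installed
```

The same update routine is what makes the protocol slow to converge and easy to poison: a forged response claiming metric 0 for any prefix is accepted and propagated, which is the operational reason the answer calls RIP insecure.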
Question 111
• Vulnerability to IP spoofing.
Details:
An important point about packet filtering firewalls is that their speed and flexibility, as well as their
capacity to block some denial-of-service and related attacks, make them ideal for placement at the
outermost boundary with an untrusted network.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14564
WACK, John et al., NIST Special publication 800-41, Guidelines on Firewalls and Firewall Policy, January
2002 (page 7).
and
Shon Harris All In One Book Version 6 Page 630-632 "Packet Filtering Firewalls"
Question 112
• Speed of negotiation
• Ability to automate
• Authentication
Correct Answer is: Authentication
Details:
TFTP (Trivial File Transfer Protocol) is sometimes used to transfer configuration files from equipment
such as routers, but the primary difference between FTP and TFTP is that TFTP does not require
authentication. Speed and ability to automate are not important.
Both of these protocols (FTP and TFTP) can be used for transferring files across the Internet. The
differences between the two protocols are explained below:
• FTP is a complete, session-oriented, general purpose file transfer protocol. TFTP is used as a
bare-bones special purpose file transfer protocol.
• FTP can be used interactively. TFTP allows only unidirectional transfer of files.
• FTP depends on TCP, is connection oriented, and provides reliable control. TFTP depends on
UDP, requires less overhead, and provides virtually no control.
• FTP uses well-known TCP port numbers: 20 for data and 21 for connection dialog. TFTP uses
UDP port number 69 for its file transfer activity.
• The Windows NT FTP server service does not support TFTP because TFTP does not support
authentication.
• Windows 95 and TCP/IP-32 for Windows for Workgroups do not include a TFTP client program.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12852
http://support.microsoft.com/kb/102737
Question 113
In a SSL session between a client and a server, who is responsible for generating the master secret that
will be used as a seed to generate the symmetric keys that will be used during the session?
• The merchant's Certificate Server
Details:
Once the merchant server has been authenticated by the browser client, the browser generates a
master secret that is to be shared only between the server and client. This secret serves as a seed to
generate the session (private) keys. The master secret is then encrypted with the merchant's public key
and sent to the server. The fact that the master secret is generated by the client's browser provides the
client assurance that the server is not reusing keys that would have been used in a previous session with
another client.
See the SSL session step by step below, from the Microsoft website at:
https://support.microsoft.com/en-us/kb/257591
The steps involved in the SSL handshake are as follows (note that the following steps assume the use of
the cipher suites listed in Cipher Suites with RSA Key Exchange: Triple DES, RC4, RC2, DES):
1. The client sends the server the client's SSL version number, cipher settings, session-specific data,
and other information that the server needs to communicate with the client using SSL.
2. The server sends the client the server's SSL version number, cipher settings, session-specific
data, and other information that the client needs to communicate with the server over SSL. The server
also sends its own certificate, and if the client is requesting a server resource that requires client
authentication, the server requests the client's certificate.
3. The client uses the information sent by the server to authenticate the server (see Server
Authentication for details). If the server cannot be authenticated, the user is warned of the problem and
informed that an encrypted and authenticated connection cannot be established. If the server can be
successfully authenticated, the client proceeds to step 4.
4. Using all data generated in the handshake thus far, the client (with the cooperation of the
server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it
with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the
encrypted pre-master secret to the server.
5. If the server has requested client authentication (an optional step in the handshake), the client
also signs another piece of data that is unique to this handshake and known by both the client and
server. In this case, the client sends both the signed data and the client's own certificate to the server
along with the encrypted pre-master secret.
6. If the server has requested client authentication, the server attempts to authenticate the client
(see Client Authentication for details). If the client cannot be authenticated, the session ends. If the
client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret,
and then performs a series of steps (which the client also performs, starting from the same pre-master
secret) to generate the master secret.
7. Both the client and the server use the master secret to generate the session keys, which are
symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify
its integrity (that is, to detect any changes in the data between the time it was sent and the time it is
received over the SSL connection).
8. The client sends a message to the server informing it that future messages from the client will
be encrypted with the session key. It then sends a separate (encrypted) message indicating that the
client portion of the handshake is finished.
9. The server sends a message to the client informing it that future messages from the server will
be encrypted with the session key. It then sends a separate (encrypted) message indicating that the
server portion of the handshake is finished.
10. The SSL handshake is now complete and the session begins. The client and the server use the
session keys to encrypt and decrypt the data they send to each other and to validate its integrity.
11. This is the normal operation condition of the secure channel. At any time, due to internal or
external stimulus (either automation or user intervention), either side may renegotiate the connection,
in which case, the process repeats itself.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15286
ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 6: Cryptography (page 112).
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, page 569.
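The following is an added example (not from the question, the Microsoft article or any cited book) that carries steps 1, 2, 4, 6 and 7 of the handshake above through in code using only hashlib: the client and server randoms, the client-generated pre-master secret, the derivation of the master secret on both sides, and the expansion of the master secret into the session keys. The derivation implemented is the SSL 3.0 construction from RFC 6101 (sections 6.1 and 6.2.2: alternating MD5 and SHA-1 with the labels 'A', 'BB', 'CCC', ...). The RSA encryption of the pre-master secret with the server's public key (step 4) and its decryption (step 6) are left out, so the simulation simply hands both sides the same pre-master secret; the MAC, key and IV lengths passed in the usage are assumptions chosen for illustration.

```python
# Added example: SSL 3.0 master secret and key block derivation (RFC 6101 sections 6.1, 6.2.2).
import hashlib
import os


def ssl3_expand(secret: bytes, seed: bytes, nblocks: int) -> bytes:
    """MD5(secret + SHA('A' + secret + seed)) + MD5(secret + SHA('BB' + secret + seed)) + ...
    Each round yields 16 bytes; the label grows by one character per round."""
    out = b""
    for i in range(nblocks):
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
    return out


def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; seed order is ClientHello.random + ServerHello.random."""
    return ssl3_expand(pre_master_secret, client_random + server_random, 3)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Expand the master secret into the six session values (step 7). Note the seed order
    is reversed here (ServerHello.random + ClientHello.random), as RFC 6101 specifies."""
    need = 2 * (mac_len + key_len + iv_len)
    block = ssl3_expand(master, server_random + client_random, -(-need // 16))
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key", "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def handshake_simulation(rng=os.urandom) -> dict:
    """Walk through the key-establishment steps with both parties represented in one process."""
    client_random = rng(32)                       # step 1: sent in ClientHello
    server_random = rng(32)                       # step 2: sent in ServerHello
    # step 4: the client creates the 48-byte pre-master secret; with RSA key exchange its first
    # two bytes carry the client's offered version (0x03 0x00 for SSL 3.0). RSA wrapping is
    # omitted here: after step 6 both sides hold the same pre-master secret.
    pre_master = b"\x03\x00" + rng(46)
    client_ms = master_secret(pre_master, client_random, server_random)
    server_ms = master_secret(pre_master, client_random, server_random)   # step 6, server side
    # assumed cipher parameters: 20-byte SHA-1 MAC secret, 16-byte key, 16-byte IV
    client_keys = key_block(client_ms, client_random, server_random, 20, 16, 16)
    server_keys = key_block(server_ms, client_random, server_random, 20, 16, 16)
    return {"master_secret_matches": client_ms == server_ms,
            "keys_match": client_keys == server_keys,
            "client_write_key": client_keys["client_write_key"]}


if __name__ == "__main__":
    print(handshake_simulation())
```

Because the client's fresh random and fresh pre-master secret both enter the derivation, a server cannot steer two sessions to the same session keys, which is the assurance the answer refers to. The exam answer calls the client-generated value the master secret; in RFC 6101 terms the client generates the pre-master secret and each side computes the master secret from it, as the Microsoft steps 4 and 6 also describe.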
Question 114
Which of the following is less likely to be used today in creating a Virtual Private Network?
• L2F
• IPSec
• PPTP
• L2TP
Details:
L2F is a protocol that supports the creation of secure virtual private dial-up networks over the Internet.
Cisco developed its own VPN protocol called Layer 2 Forwarding (L2F), which is a mutual authentication
tunneling mechanism. However, L2F does not offer encryption. L2F was not widely deployed and was
soon replaced by L2TP.
As their names suggest, both operate at layer 2. Both can encapsulate any LAN protocol.
Layer 2 Tunneling Protocol (L2TP) was derived by combining elements from both PPTP and L2F. L2TP
creates a point-to-point tunnel between communication endpoints. It lacks a built-in encryption scheme,
but it typically relies on IPSec as its security mechanism. L2TP also supports TACACS+ and RADIUS. IPSec
is commonly used as a security mechanism for L2TP.
At one point L2F was merged with PPTP to produce L2TP to be used on networks and not only on dial up
links.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 3991
Stewart, James M.; Chapple, Mike; Gibson, Darril (2015-09-11). CISSP (ISC)2 Certified Information
Systems Security Professional Official Study Guide (Kindle Locations 14057-14062). Wiley. Kindle Edition.
Question 115
• In case of a firewall failure, it should fail to a configuration that denies all services (Fail Closed),
and require a firewall administrator to re-enable services after a firewall has failed in such a way.
• Firewalls shall not accept traffic on its external interfaces that appear to be coming from
internal network addresses.
• Firewalls shall be configured to passively allow all outbound and inbound services.
Correct Answer is: Firewalls shall be configured to passively allow all outbound and inbound services.
Details:
The correct answer is: Firewalls shall be configured to passively allow all outbound and inbound services.
Unless approved by the Network Services manager, all in-bound services shall be intercepted and
processed by the firewall. Allowing unrestricted services inbound and outbound is certainly NOT
recommended and very dangerous.
All of the other choices presented are recommended practices for a firewall policy.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14539
GUTTMAN, Barbara & BAGWILL, Robert, NIST Special Publication 800-xx, Internet Security Policy: A
Technical Guide, Draft Version, May 25, 2000 (page 78).
Question 116
During the initial stage of configuration of your firewall, which of the following rules appearing in an
Internet firewall policy is inappropriate?
• Appropriate firewall documentation and a copy of the rulebase shall be maintained on offline
storage at all times.
• The firewall shall be configured to deny all services not expressly permitted.
Correct Answer is: The firewall should be tested online first to validate proper configuration.
Details:
The correct answer is: The firewall should be tested online first to validate proper configuration.
New firewalls should be tested and evaluated before deployment to ensure that they are working
properly. Testing should be completed on a test network without connectivity to the production
network. This test network should attempt to replicate the production network as faithfully as possible,
including the network topology and network traffic that would travel through the firewall. Aspects of the
solution to evaluate include the following:
Connectivity
Ruleset
Traffic that is specifically allowed by the security policy is permitted. All traffic that is not allowed by the
security policy is blocked. Verification of the ruleset should include both reviewing it manually and
testing whether the rules work as expected.
Application Compatibility
Host-based or personal firewall solutions do not break or interfere with the use of existing software
applications. This includes network communications between application components. Network firewall
solutions do not interfere with applications that have components that interact through the firewall
(e.g., client and server software).
Management
Administrators can configure and manage the solution effectively and securely.
Logging
Logging and data management function in accordance with the organization’s policies and strategies.
Performance
Solutions provide adequate performance during normal and peak usage. In many cases, the best way to
test performance under the load of a prototype implementation is to use simulated traffic generators on
a live test network to mimic the actual characteristics of expected traffic as closely as possible.
Simulating the loads caused by DoS attacks can also be helpful in assessing firewall performance. Testing
should incorporate a variety of applications that will traverse the firewall, especially those that are most
likely to be affected by network throughput or latency issues.
The firewall implementation itself may contain vulnerabilities and weaknesses that attackers could
exploit. Organizations with high security needs may want to perform vulnerability assessments against
firewall components.
Component Interoperability
Components of the firewall solution must function together properly. This is of greatest concern when a
variety of components from different vendors are used.
Policy Synchronization
If there are multiple firewalls running synchronized policies or groups of rules, test that the
synchronization works in various scenarios (such as if one or more nodes are offline).
Additional Features
Additional features that will be used by the firewall—such as VPN and antimalware capabilities—should
be tested to ensure they are working properly.
If a firewall needs to be brought down for reconfiguration, Internet services should be disabled or a
secondary firewall should be made operational; internal systems should not be connected to the
Internet without a firewall.
After being reconfigured and tested, the firewall must be brought back into an operational and reliable
state.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14539
GUTTMAN, Barbara & BAGWILL, Robert, NIST Special Publication 800-xx, Internet Security Policy: A
Technical Guide, Draft Version, May 25, 2000 (pages 76-78).
and
Exam Tip:
This is another negative question. So far I have received about half a dozen messages telling me this
question is wrong. It is fine, just ensure that you do understand what they are looking for. In this case
they are looking at the one choice that would be wrong. You never test a firewall online, you always do
your testing offline.
Question 117
Details:
An automated login function for remote users would imply a weak authentication, thus certainly not a
security goal.
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition, volume
2, 2001, CRC Press, Chapter 5: An Introduction to Secure Remote Access (page 100).
Question 118
Which of the following should be used as a replacement for Telnet for secure remote login over an
insecure network?
• SSH V2
• Rlogin
• S-Telnet
• SSL
Details:
SSH Version 2 is a protocol for secure remote login and other secure network services over an insecure
network.
• A user authentication protocol (authenticating the client-side user to the server), and
• A connection protocol (multiplexing the encrypted tunnel into several logical channels).
Public-key authentication is based on the use of digital signatures. Each user creates a public/private key
pair for authentication purposes. The server knows the user's public key, and only the user has the
private key.
The filenames of private keys that are used in authentication are set in $HOME/.ssh2/identification.
When the user tries to authenticate, the server checks $HOME/.ssh2/authorization for filenames of
matching public keys and sends a challenge to the user end.
The user is authenticated by signing the challenge with the private key.
If public keys are not used, a password can be used instead. SSH V2 will prompt the user for a password.
Since all communication is encrypted, the password will not be available to eavesdroppers.
NOTE:
This is only true for SSH version 2 or higher; there are known vulnerabilities in version 1 and also
programs capable of MITM attacks against SSH version 1. Version 1 should no longer be used.
S-Telnet: This is mostly sending Telnet data over an SSL tunnel. It can be done but it is rarely done and
not the best answer.
SSL: The SSL protocol is used mostly to secure web traffic and not for remote login sessions. It is not the
best replacement for Telnet.
Rlogin: This protocol is deprecated and should no longer be used. It offers no security.
https://support.ssh.com/manuals/server-zos-admin/55/ssh2.html
Question 119
Which of the following is NOT a defined ISO basic task related to network management?
• Fault management
• Communications management
• Security management
• Accounting resources
Details:
Fault management: Detects the devices that present some kind of fault.
Configuration management: Allows users to know, define and change remotely the configuration of any
device.
Accounting resources: Holds the records of the resource usage in the WAN.
Performance management: Monitors usage levels and sets alarms when a threshold has been
surpassed.
Security management: Detects suspicious traffic or users and generates alarms accordingly.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review
manual, Chapter 3: Technical Infrastructure and Operational Practices (page 137).
Special Thanks to Tim Watkins for providing further explanations to this question.
Commonly referred to by the acronym FCAPS, each area relates to a high-level IT management process.
Fault Management
Fault management is concerned with detecting network faults, logging this information, contacting the
appropriate person, and ultimately fixing a problem. A common fault management technique is to
implement an SNMP-based network management system - such as HP OpenView or Sun Solstice
(formerly Net Manager) - to collect information about network devices. In turn, the management station
can be configured to make a network administrator aware of problems (by email, paging, or on-screen
messages), allowing appropriate action to be taken. SNMP and its functions will be looked at in more
detail shortly.
Configuration Management
Configuration management is concerned with monitoring system configuration information, and any
changes that take place. This area is especially important, since many network issues arise as a direct
result of changes made to configuration files, updated software versions, or changes to system
hardware. A proper configuration management strategy involves tracking all changes made to network
hardware and software. Examples include altering the running configuration of a device, updating the
IOS version of a router or switch, or adding a new modular interface card. While it is possible to track
these changes manually, a more common approach is to gather this information using configuration
management software, such as CiscoWorks 2000. CiscoWorks 2000 will be looked at in more detail later
in the chapter.
Accounting Management
Accounting management is concerned with tracking network utilization information, such that individual
users, departments, or business units can be appropriately billed or charged for accounting purposes.
While this may not be applicable to all companies, in many larger organizations the IT department is
considered a cost center that accrues revenues according to resource utilization by individual
departments or business units.
Performance Management
Performance management is focused on ensuring that network performance remains at acceptable
levels. This area is concerned with gathering regular network performance data such as network
response times, packet loss rates, link utilization, and so forth. This information is usually gathered
through the implementation of an SNMP management system, either actively monitored, or configured
to alert administrators when performance moves above or below predefined thresholds. Actively
monitoring current network performance is an important step in identifying problems before they occur,
as part of a proactive network management strategy.
Security Management
Security management is not only concerned with ensuring that a network environment is secure, but
also that gathered security-related information is analyzed regularly. Security management functions
include managing network authentication, authorization, and auditing, such that both internal and
external users only have access to appropriate network resources. Other common tasks include the
configuration and management of network firewalls, intrusion detection systems, and security policies
such as access lists.
Written by Dan DiNicolo
Question 120
Which of the following statements pertaining to Secure Sockets Layer (SSL) is false?
• The SSL protocol's primary use is to authenticate the client to the server using public key
cryptography and digital certificates.
• SSL can be used with applications such as Telnet, FTP and email protocols.
• The SSL protocol was developed by Netscape to secure Internet client-server transactions.
Correct Answer is: The SSL protocol's primary use is to authenticate the client to the server using public
key cryptography and digital certificates.
Details:
The correct answer is: The SSL protocol's primary use is to authenticate the client to the server using
public key cryptography and digital certificates.
All of these statements pertaining to SSL are true except that its primary use is to authenticate the
client to the server using public key cryptography and digital certificates. It is the opposite: its primary
use is to authenticate the server to the client.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15288
Question 121
Why is infrared generally considered to be more secure to eavesdropping than multidirectional radio
transmissions?
Details:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 173).
Question 122
Authentication Headers (AH) and Encapsulating Security Payload (ESP) protocols are the driving force of
IPSec. AH provides the following service except:
• Authentication
• Confidentiality
• Integrity
Details:
AH provides integrity, authentication, and non-repudiation. AH does not provide encryption, which
means that NO confidentiality is in place if only AH is being used. You must make use of the
Encapsulating Security Payload if you wish to get confidentiality.
IPSec uses two basic security protocols: Authentication Header (AH) and Encapsulation Security Payload.
AH is the authenticating protocol and the ESP is the authenticating and encrypting protocol that uses
cryptographic mechanisms to provide source authentication, confidentiality and message integrity.
The modes of IPSEC and the protocols that have to be used are all negotiated using a Security Association.
Security Associations (SAs) can be combined into bundles to provide authentication, confidentiality and
layered communication.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14867
TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume
2, 2001, CRC Press, NY, page 164.
also see:
Shon Harris, CISSP All In One Exam Guide, 5th Edition, Page 758
Question 123
Details:
Transport mode is established when the endpoint is a host. If the gateway in a gateway-to-host
communication were to use transport mode, it would act as a host system, which is acceptable for direct
protocols to that gateway. Otherwise, TUNNEL mode is required for gateway services. This is the most
common mode of operation and is required for gateway-to-gateway and host-to-gateway
communications.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14867
TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume
2, 2001, CRC Press, NY, page 167.
Question 124
Which of the following ports does NOT normally need to be open for a mail server to operate?
• Port 143
• Port 110
• Port 119
• Port 25
Correct Answer is: Port 119
Details:
Port 119 is normally used for the Network News Transfer Protocol (NNTP); it has nothing to do with mail traffic.
It is thus not needed for a mail server, which would normally listen on ports 25 (SMTP), 110 (POP3) and
143 (IMAP). A few other ports may be needed as well if you run secure versions of the services above.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12795
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 1: Understanding
Firewalls.
Question 125
Which of the following is an extension to Network Address Translation (NAT) that permits multiple
devices providing services on a Local Area Network (LAN) to be mapped to a single public Internet
Protocol (IP) address?
• IP Distribution
• IP subnetting
• IP Spoofing
Port Address Translation (PAT) is an extension to network address translation (NAT) that permits
multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of
PAT is to conserve IP addresses or to publish multiple hosts with services to the Internet while having
only one single IP address assigned on the external side of your gateway.
Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP
address to the home network's router. When Computer X logs on to the Internet, the router assigns the
client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a
unique address. If Computer Z logs on to the Internet at the same time, the router assigns it the same local
IP address with a different port number. Although both computers are sharing the same public IP
address and accessing the Internet at the same time, the router knows exactly which computer to send
specific packets to because each computer has a unique internal address.
Port Address Translation is also called porting, port overloading, port-level multiplexed NAT and single
address NAT.
The company owns and uses only one public IP address for all systems that need to communicate
outside the internal network. How in the world could all computers use the exact same IP address?
Good question. Here’s an example: The NAT device has an IP address of 127.50.41.3. When computer A
needs to communicate with a system on the Internet, the NAT device documents this computer’s
private address and source port number (10.10.44.3; port 43,887). The NAT device changes the IP
address in the computer’s packet header to 127.50.41.3, with the source port 40,000. When computer B
also needs to communicate with a system on the Internet, the NAT device documents the private
address and source port number (10.10.44.15; port 23,398) and changes the header information to
127.50.41.3 with source port 40,001. So when a system responds to computer A, the packet first goes to
the NAT device, which looks up the port number 40,000 and sees that it maps to computer A’s real
information. So the NAT device changes the header information to address 10.10.44.3 and port 43,887
and sends it to computer A for processing. A company can save a lot more money by using PAT, because
the company needs to buy only a few public IP addresses, which are used by all systems in the network.
As mentioned on Wikipedia:
NAT is also known as Port Address Translation: it is a feature of a network device that translates TCP or
UDP communications made between hosts on a private network and hosts on a public network. It allows a
single public IP address to be used by many hosts on a private network, which is usually a local area
network (LAN).
NAT effectively hides all TCP/IP-level information about internal hosts from the Internet.
The following were all incorrect answers:
IP Spoofing - In computer networking, the term IP address spoofing or IP spoofing refers to the creation
of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of
concealing the identity of the sender or impersonating another computing system.
Subnetting - Subnetting is a network design strategy that segregates a larger network into smaller
components. While connected through the larger network, each subnetwork or subnet functions with a
unique IP address. All systems that are assigned to a particular subnet will share values that are common
for both the subnet and for the network as a whole.
IP Distribution - This is a generic term which could mean distribution of content over an IP network or
distribution of IP addresses within a company. Sometimes people will refer to this as Internet Protocol
address management (IPAM), a means of planning, tracking, and managing the Internet Protocol
address space used in a network. Most commonly, tools such as DNS and DHCP are used in conjunction
as integral functions of the IP address management function, and true IPAM glues these point services
together so that each is aware of changes in the other (for instance DNS knowing of the IP address taken
by a client via DHCP, and updating itself accordingly). Additional functionality, such as controlling
reservations in DHCP as well as other data aggregation and reporting capability, is also common. IPAM
tools are increasingly important as new IPv6 networks are deployed with larger address pools, different
subnetting techniques, and more complex 128-bit hexadecimal numbers which are not as easily
human-readable as IPv4 addresses.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14554
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 1: Understanding
Firewalls.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :
Telecommunications and Network Security, Page 350.
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 12765-12774).
Telecommunications and Network Security, Page 604-606
http://searchnetworking.techtarget.com/definition/Port-Address-Translation-PAT
http://en.wikipedia.org/wiki/IP_address_spoofing
http://www.wisegeek.com/what-is-subnetting.htm
http://en.wikipedia.org/wiki/IP_address_management
Question 126
Which of the following is the primary reason why a user would install a dial-up modem connection
allowing remote access on his desktop when the company offers a faster, more secure Internet
connection through the organization's network using VPNs?
Correct Answer is: To circumvent the organization's security policy and mechanisms.
Details:
The correct answer is: To circumvent the organization's security policy and mechanisms.
All the choices above represent examples of circumventing the organization's security policy, which is
the primary reason why a user would be using a dial-up Internet connection to connect remotely when a
secure connection is available through the organization's network.
This is a tricky question where the highest level choice, the one that includes all of the other choices, is the BEST
answer.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14952
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 1: Understanding
Firewalls.
Question 127
Before the advent of classless addressing, the address 128.192.168.16 would have been considered part
of:
• a class A network.
• a class D network.
• a class B network.
• a class C network.
Details:
Before the advent of classless addressing, one could tell the size of a network by the first few bits of an
IP address. If the first bit was set to zero (the first byte being from 0 to 127), the address was a class A
network. Values from 128 to 191 were used for class B networks whereas values between 192 and 223
were used for class C networks. Class D, with values from 224 to 239 (the first three bits set to one and
the fourth to zero), was reserved for IP multicast.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12288
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 3: TCP/IP from a
Security Viewpoint.
Question 128
What is an IP routing table?
Correct Answer is: A list of station and network addresses with corresponding gateway IP address.
Details:
The correct answer is: A list of station and network addresses with corresponding gateway IP address.
A routing table is used when a destination IP address is not located on the current LAN segment. It
consists of a list of station and network addresses, each with a corresponding gateway IP address (the next
hop) to which routing equipment should send packets that match that station or network address.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12288
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 3: TCP/IP from a
Security Viewpoint.
Thanks to Raj Khedkar for sending feedback to improve this question.
Question 129
Which of the following protocols SHOULD be allowed through a firewall to support easier
communication and usage by users?
• RIP
• IGRP
• DNS
• OSPF
Details:
DNS is a service that must be allowed through an organization's firewall because without it, network
users won't be able to find anything unless they remember IP addresses for any sites they wish to
connect to. The Domain Name Service (DNS) is a method of resolving hostnames to IP addresses so
names can be used instead of IP addresses within networked environments.
DNSSEC should be considered today as a more secure replacement for DNS. If you make use of DNS
you must ensure it is properly configured to allow only queries (UDP 53) and not zone transfers (TCP 53).
Otherwise abuse could be attempted against your DNS.
RIP, IGRP and OSPF are interior IP routing protocols normally used to keep routing tables updated and
consistent inside an organization's network. Changes to an organization's routing tables should neither
be advertised to, nor come from, outside of the organization's network. Those protocols should not
normally be allowed through the organization's firewall to an external network like the Internet.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12714
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 4: Sockets and Services
from a Security Viewpoint.
Question 130
• Having multiple clients on the same LAN having the same IP address.
• An intruder on the network impersonating a DHCP server and thereby misconfiguring the DHCP
clients.
Correct Answer is: An intruder on the network impersonating a DHCP server and thereby misconfiguring
the DHCP clients.
Details:
The greatest danger from BootP or DHCP (Dynamic Host Configuration Protocol) is from an intruder on
the network impersonating a DHCP server and thereby misconfiguring the DHCP clients. Other choices
are possible consequences of DHCP impersonation.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12644
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 4: Sockets and Services
from a Security Viewpoint.
Thanks to Doug Rike for providing feedback to improve this question.
Question 131
Which of the following can be defined as an Internet protocol by which a client workstation can
dynamically access a mailbox on a server host to manipulate and retrieve mail messages that the server
has received and is holding for the client?
• IMAP
• MIME
• PEM
• SMTP
Details:
RFC 2828 (Internet Security Glossary) defines the Internet Message Access Protocol (IMAP4) as an
Internet protocol by which a client workstation can dynamically access a mailbox on a server host to
manipulate and retrieve mail messages that the server has received and is holding for the client.
IMAP4 has mechanisms for optionally authenticating a client to a server and providing other security
services.
MIME is the Multipurpose Internet Mail Extensions. MIME extends the format of Internet mail to allow
non-US-ASCII textual messages, non-textual messages, multipart message bodies, and non-US-ASCII
information in message headers.
Simple Mail Transfer Protocol (SMTP) is a TCP-based, application-layer, Internet Standard protocol for
moving electronic mail messages from one computer to another.
Privacy Enhanced Mail (PEM) is an Internet protocol to provide data confidentiality, data integrity, and
data origin authentication for electronic mail.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12795
Question 132
Which of the following is defined as an Internet, IPsec, key-establishment protocol, partly based on
OAKLEY, that is intended for putting in place authenticated keying material for use with ISAKMP and for
other security associations?
Details:
RFC 2828 (Internet Security Glossary) defines IKE as an Internet, IPsec, key-establishment protocol
(partly based on OAKLEY) that is intended for putting in place authenticated keying material for use with
ISAKMP and for other security associations, such as in AH and ESP.
SKIP is a key distribution protocol that uses hybrid encryption to convey session keys that are used to
encrypt data in IP packets.
The Key Exchange Algorithm (KEA) is defined as a key agreement algorithm that is similar to the Diffie-
Hellman algorithm, uses 1024-bit asymmetric keys, and was developed and formerly classified at the
secret level by the NSA.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14868
Question 133
Which of the following NAT firewall translation modes is required to make internal hosts available for
connection from external hosts?
• Static translation
• Dynamic translation
Details:
With static translation (also called port forwarding), a specific internal network resource (usually a
server) has a fixed translation that never changes. Static NAT is required to make internal hosts available
for connection from external hosts. In dynamic translation (also called Automatic, Hide Mode, or IP
Masquerade), a large group of internal clients share a single or small group of internal IP addresses for
the purpose of hiding their identities or expanding the internal network address space. Load Balancing
Translation is used to translate a single IP address and port to a pool of identically configured servers so
that a single public address can be served by a number of servers. In Network Redundancy Translation,
multiple Internet connections are attached to a single NAT firewall that it chooses and uses based on
load and availability.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14554
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 7: Network Address
Translation.
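The following is an added example, not code from the CISSP study text: a minimal NAT/PAT table that replays the Question 125 walk-through (computers A and B behind 127.50.41.3) and shows the static versus dynamic distinction from Question 133. Dynamic (PAT) entries exist only because an internal host sent something out, so unsolicited inbound traffic is dropped, while a static translation (port forwarding) is what lets an externally initiated connection reach an internal server; the external addresses 203.0.113.10 and 198.51.100.7 are constructed.

```python
# Added example (not from the CISSP study text): a minimal NAT/PAT table that
# reproduces the Question 125 walk-through and the static/dynamic distinction
# from Question 133. Dynamic (PAT) entries are created only by outbound
# packets, so unsolicited inbound traffic is dropped; a static translation
# (port forwarding) is the only way an externally initiated connection
# reaches an internal host. Addresses/ports are the study text's values plus
# constructed documentation addresses (203.0.113.x, 198.51.100.x).
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    def __init__(self, public_ip, first_pat_port=40000):
        self.public_ip = public_ip
        self._next_port = count(first_pat_port)
        self.dynamic = {}       # external port -> (internal ip, internal port)
        self._by_internal = {}  # (internal ip, internal port) -> external port
        self.static = {}        # external port -> (internal ip, internal port)

    def add_static(self, public_port, internal_ip, internal_port):
        """Static translation: a published service reachable from outside."""
        self.static[public_port] = (internal_ip, internal_port)

    def outbound(self, pkt):
        """Rewrite an internal host's packet to carry the single public IP."""
        key = (pkt.src_ip, pkt.src_port)
        ext_port = self._by_internal.get(key)
        if ext_port is None:                 # first packet from this socket
            ext_port = next(self._next_port)
            self.dynamic[ext_port] = key
            self._by_internal[key] = ext_port
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the de-translated packet, or None when it must be dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.static.get(pkt.dst_port) or self.dynamic.get(pkt.dst_port)
        if target is None:
            return None   # no mapping: the internal address space stays hidden
        internal_ip, internal_port = target
        return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)


def walkthrough():
    """Replay the study text's scenario and return the translated packets."""
    nat = NatDevice("127.50.41.3")
    a_out = nat.outbound(Packet("10.10.44.3", 43887, "203.0.113.10", 80))
    b_out = nat.outbound(Packet("10.10.44.15", 23398, "203.0.113.10", 80))
    # The reply to computer A arrives for port 40,000 and is mapped back.
    reply_a = nat.inbound(Packet("203.0.113.10", 80, "127.50.41.3", 40000))
    # Dynamic NAT alone: an outside host cannot open a connection inward.
    unsolicited = nat.inbound(Packet("198.51.100.7", 5555, "127.50.41.3", 443))
    # Static translation publishes an internal web server on the same IP.
    nat.add_static(443, "10.10.44.20", 443)
    to_server = nat.inbound(Packet("198.51.100.7", 5555, "127.50.41.3", 443))
    return a_out, b_out, reply_a, unsolicited, to_server


if __name__ == "__main__":
    for pkt in walkthrough():
        print(pkt)
```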
Question 134
• Content filtering
• Virus Detection
• Route blocking
• URL blocking
Details:
In many organizations, the HTTP proxy is used as a means to implement content filtering, for instance,
by logging or blocking traffic that has been defined as, or is assumed to be, nonbusiness related for some
reason.
Although filtering on a proxy server or firewall as part of a layered defense can be quite effective to
prevent, for instance, virus infections (though it should never be the only protection against viruses), it
will be only moderately effective in preventing access to unauthorized services (such as certain remote-
access services or file sharing), as well as preventing the download of unwanted content.
HTTP Tunneling
HTTP tunneling is technically a misuse of the protocol on the part of the designer of such tunneling
applications. It has become a popular feature with the rise of the first streaming video and audio
applications and has been implemented into many applications that have a market need to bypass user
policy restrictions.
Usually, HTTP tunneling is applied by encapsulating outgoing traffic from an application in an HTTP
request and incoming traffic in a response. This is usually not done to circumvent security, but rather, to
be compatible with existing firewall rules and allow an application to function through a firewall without
the need to apply special rules, or additional configurations.
The following are incorrect choices:
Virus Detection - A proxy is not best at detecting malware and viruses within content. An antivirus
product would be used for that purpose.
URL blocking - This would be a subset of proxying; based on the content, some URLs may be blocked by
the proxy, but it is not doing filtering based on URL addresses only. This is not the BEST answer.
Route blocking - This is a function that would be done by an Intrusion Detection or Intrusion Prevention
System and not the proxy. It could be done by filtering devices such as firewalls and routers as well.
Again, not the best choice.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14554
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)
(Kindle Locations 6195-6201). Auerbach Publications. Kindle Edition.
Question 135
Correct Answer is: Proxies provide a single point of access, control, and logging.
Details:
By ensuring that all content flows through a single point, proxies provide a checkpoint for network data,
which is an advantage rather than a liability, unlike the other choices.
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 8: Application-Level
Proxies.
Question 136
In the context of network enumeration by an outside attacker and possible Distributed Denial of Service
(DDoS) attacks, which of the following firewall rules is not appropriate to protect an organization's
internal network?
Details:
Echo replies outbound should be dropped, not allowed. There is no reason for any Internet users to
send ICMP ECHO Requests to your internal hosts from the Internet. If they wish to find out if a service is
available, they can use a browser to connect to your web server or simply send an email if they wish to
test your mail service.
Echo replies outbound could be used as part of the SMURF amplification attack, where someone sends
ICMP echo requests to a gateway's broadcast address in order to amplify the request by X number
of users sitting behind the gateway.
By allowing inbound echo requests and outbound echo replies, it becomes easier for attackers to learn
about the internal network as well, by performing a simple ping sweep. ICMP can also be used to find
out which host has been up and running the longest, which would indicate which patches are missing on
the host if a critical patch required a reboot.
ICMP can also be used for DDoS attacks, so you should strictly limit what type of ICMP traffic is
allowed to flow through your firewall.
On top of all this, tools such as LOKI could be used as a client-server application to transfer files back and
forth between the Internet and some of your internal hosts. LOKI is a client/server program
published in the online publication Phrack. This program is a working proof-of-concept to demonstrate
that data can be transmitted somewhat secretly across a network by hiding it in traffic that normally
does not contain payloads. The example code can tunnel the equivalent of a Unix RCMD/RSH session in
either ICMP echo request (ping) packets or UDP traffic to the DNS port. This is used as a back door into a
Unix system after root access has been compromised. Presence of LOKI on a system is evidence that the
system has been compromised in the past.
The other choices are appropriate rules:
Allow echo request outbound - The outbound echo request and inbound echo reply allow internal users
to verify connectivity with external hosts.
Drop echo request inbound - There is no need for anyone on the Internet to attempt pinging your
internal hosts.
Allow echo reply inbound - Likewise, the inbound echo reply is the response to the outbound echo request
that internal users send to verify connectivity with external hosts.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 20704
http://www.phrack.org/issues.html?issue=49&id=6
STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 10: The Perfect
Firewall.
Thanks to Jeff Hurst for providing feedback on how to improve this question.
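The following is an added example, not code from the CISSP study text: a small stateful evaluator for the four ICMP echo rules discussed in this question. It allows outbound echo requests and remembers them, accepts an inbound echo reply only when it answers a remembered request, and drops inbound echo requests and outbound echo replies; the log format and all addresses are constructed.

```python
# Added example (not from the CISSP study text): a stateful evaluator for the
# four ICMP echo rules discussed above. Outbound echo requests are allowed and
# remembered; an inbound echo reply is accepted only if it answers a remembered
# request; inbound echo requests and outbound echo replies are always dropped.
# The log format and all addresses are constructed for this example.
from collections import namedtuple

Event = namedtuple("Event", "direction icmp_type src dst ident")

ECHO_REPLY = 0      # ICMP type numbers
ECHO_REQUEST = 8


class IcmpEchoPolicy:
    def __init__(self):
        # (internal host, external host, identifier) of pings awaiting a reply
        self.pending = set()

    def evaluate(self, ev):
        """Return 'ALLOW' or 'DROP' for one ICMP event and update state."""
        if ev.direction == "out" and ev.icmp_type == ECHO_REQUEST:
            self.pending.add((ev.src, ev.dst, ev.ident))
            return "ALLOW"                     # internal users may ping out
        if ev.direction == "in" and ev.icmp_type == ECHO_REPLY:
            key = (ev.dst, ev.src, ev.ident)   # a reply swaps src and dst
            if key in self.pending:
                self.pending.discard(key)      # one request, one reply
                return "ALLOW"
            return "DROP"                      # unsolicited reply (reflection)
        # Remaining cases: inbound echo request (ping sweep / enumeration)
        # and outbound echo reply (Smurf amplification); both are dropped.
        return "DROP"


def parse_line(line):
    """Parse a constructed log line, e.g.
    'dir=in type=0 src=203.0.113.9 dst=10.0.0.5 id=1234'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Event(fields["dir"], int(fields["type"]),
                 fields["src"], fields["dst"], int(fields["id"]))


SAMPLE_LOG = [  # constructed log lines
    "dir=out type=8 src=10.0.0.5 dst=203.0.113.9 id=1234",   # user pings out
    "dir=in type=0 src=203.0.113.9 dst=10.0.0.5 id=1234",    # matching reply
    "dir=in type=8 src=198.51.100.7 dst=10.0.0.5 id=77",     # external ping
    "dir=out type=0 src=10.0.0.5 dst=198.51.100.7 id=77",    # reply to it
    "dir=in type=0 src=198.51.100.7 dst=10.0.0.5 id=99",     # reply, no request
]


def run_policy(lines):
    """Evaluate log lines in order and return the list of verdicts."""
    policy = IcmpEchoPolicy()
    return [policy.evaluate(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, run_policy(SAMPLE_LOG)):
        print(f"{verdict:5} {line}")
```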
Question 137
• tunnel
• one-time password
• pipeline
• bypass
Details:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14863
TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Available at http://www.cccure.org.
Question 138
Details:
The correct answer is: It captures network traffic for later analysis.
TCP/ IP (as well as most protocols) is subject to passive attacks via monitoring or sniffing.
Network monitoring is the act of monitoring traffic patterns to obtain information about a network.
Packet sniffing is the act of capturing packets from the network in hopes of extracting useful information
from the packet contents.
Effective packet sniffers can extract usernames, passwords, email addresses, encryption keys, credit card
numbers, IP addresses, system names, and so on.
Stewart, James M.; Chapple, Mike; Gibson, Darril (2015-09-11). CISSP (ISC)2 Certified Information
Systems Security Professional Official Study Guide, 7th Edition, (Kindle Locations 12311-12316). Wiley.
Kindle Edition.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15885
TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Available at http://www.cccure.org.
Question 139
This OSI layer has a service that negotiates transfer syntax and translates data to and from the transfer
syntax for users, which may represent data using different syntaxes. At which of the following layers
would you find such service?
• Presentation
• Application
• Session
• Transport
Details:
The correct answer is: Presentation
It is responsible for taking information from the "Application layer protocols" and putting it in a form
The presentation-layer implementation of the OSI protocol suite consists of a presentation protocol and
a presentation service. The presentation protocol allows presentation-service users (PS-users) to
communicate with the presentation service.
A PS-user is an entity that requests the services of the presentation layer. Such requests are made at
Presentation-Service Access Points (PSAPs). PS-users are uniquely identified by using PSAP addresses.
Presentation service negotiates transfer syntax and translates data to and from the transfer syntax for
PS-users, which represent data using different syntaxes. The presentation service is used by two PS-
users to agree upon the transfer syntax that will be used. When a transfer syntax is agreed upon,
presentation-service entities must translate the data from the PS-user to the correct transfer syntax.
The OSI presentation-layer service is defined in the ISO 8822 standard and in the ITU-T X.216
recommendation. The OSI presentation protocol is defined in the ISO 8823 standard and in the ITU-T
X.226 recommendation. A connectionless version of the presentation protocol is specified in the ISO
9576 standard.
To remember the OSI layers you can use the following Mnemonics:
The first one is from the bottom (Physical Layer - Layer 1) up (Application - Layer 7):
Transport: Responsible for providing end-to-end data transport services and establishing the logical
connection between COMPUTERS, for example TCP and UDP.
Session: Responsible for maintaining the connection between two APPLICATIONS during the data transfer,
for example NFS and the RPC protocol.
Application: Works closest to the application; it does not itself contain applications but rather the
protocols that support the applications. For example HTTP works at this layer, but the applications it
supports are IE, Mozilla, Opera, Chrome...
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242
http://www.cisco.com/cpress/cc/td/cpress/fund/ith2nd/it2432.htm
and
http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29
Question 140
• Physical layer
• Network layer
• Transport layer
Details:
The Physical layer is responsible for the transmission of the data through the physical medium. This
includes such things as cables. Fiber optics is a cabling mechanism which works at the Physical layer of the OSI
model.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242
Question 141
You wish to make use of "port knocking" technologies. How can you BEST explain this?
• This is where all the ports are open on the server and the connecting client scans the open port
to which he wants to connect to see if it's open and running.
• Port knocking is where the port sequence is encrypted with 3DES and only the server has the
other key to decrypt the port sequence.
• Port knocking is where the user calls the server operator to have him start the service he wants
to connect to.
• Port knocking is where the client will attempt to connect to a predefined set of ports to identify
him as an authorized client.
Correct Answer is: Port knocking is where the client will attempt to connect to a predefined set of ports
to identify him as an authorized client.
Details:
The correct answer is: Port knocking is where the client will attempt to connect to a predefined set of
ports to identify him as an authorized client. The port knocking sequence is used to identify the client as
a legitimate user.
http://www.portknocking.org/
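The following is an added example, not code from the CISSP study text or from portknocking.org: a server-side knock validator implementing the behaviour described in the correct answer. The daemon watches connection attempts to closed ports, and a client that hits the predefined sequence in order within a time window is identified as an authorized client, while a port scanner walking through the ports or a client that is too slow never completes the sequence; the sequence, window and log lines are constructed.

```python
# Added example (not from the CISSP study text or portknocking.org): a
# server-side knock validator for the behaviour described above. The daemon
# watches connection attempts to closed ports; a client that hits the
# predefined sequence in order, within a time window, is identified as an
# authorized client. The sequence, window and log lines are constructed.
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed secret sequence
KNOCK_WINDOW = 10.0                   # seconds allowed for the whole sequence


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = sequence
        self.window = window
        # per client: (index of the next expected port, time of first knock)
        self.progress = defaultdict(lambda: (0, None))
        self.authorized = set()

    def observe(self, ts, client, port):
        """Record one connection attempt; return True if the sequence completed."""
        idx, started = self.progress[client]
        if started is not None and ts - started > self.window:
            idx, started = 0, None      # too slow: forget partial progress
        if port == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        elif port == self.sequence[0]:
            idx, started = 1, ts        # wrong port, but a fresh first knock
        else:
            idx, started = 0, None      # wrong port: a scanner never gets through
        done = idx == len(self.sequence)
        if done:
            self.authorized.add(client)
            idx, started = 0, None
        self.progress[client] = (idx, started)
        return done


def parse_line(line):
    """Parse a constructed firewall log line such as
    'ts=100.0 src=198.51.100.7 dport=7000' (a SYN to a closed port)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return float(fields["ts"]), fields["src"], int(fields["dport"])


SAMPLE_LOG = [  # constructed log lines
    "ts=100.0 src=198.51.100.7 dport=7000",
    "ts=101.0 src=198.51.100.7 dport=8000",
    "ts=102.0 src=198.51.100.7 dport=9000",   # correct order, in time
    "ts=100.0 src=203.0.113.5 dport=7000",
    "ts=100.5 src=203.0.113.5 dport=7001",    # port scan: wrong port resets
    "ts=101.0 src=203.0.113.5 dport=8000",
    "ts=101.5 src=203.0.113.5 dport=9000",
    "ts=200.0 src=192.0.2.9 dport=7000",
    "ts=215.0 src=192.0.2.9 dport=8000",      # window expired
    "ts=216.0 src=192.0.2.9 dport=9000",
]


def authorized_clients(lines):
    """Feed log lines to the daemon and return the clients that knocked correctly."""
    daemon = KnockDaemon()
    for line in lines:
        daemon.observe(*parse_line(line))
    return daemon.authorized


if __name__ == "__main__":
    print(sorted(authorized_clients(SAMPLE_LOG)))
```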
Question 142
Tim is a network administrator of Acme inc. He is responsible for configuring the network devices. John
the new security manager reviews the configuration of the Firewall configured by Tim and identifies an
issue. This specific firewall is configured in failover mode with another firewall. A sniffer on a PC
connected to the same switch as the firewalls can decipher the credentials, used by Tim while
configuring the firewalls. Which of the following should be used by Tim to ensure that no one can
eavesdrop on the communication?
• RSH
• SFTP
• SSH
• SCP
Details:
The SSH protocol provides an encrypted terminal session to the remote firewalls. By encrypting the
data, it prevents sniffing attacks using a protocol analyzer also called a sniffer.
With more and more computers installed in networked environments, it often becomes necessary to
access hosts from a remote location. This normally means that a user sends login and password strings
for authentication purposes. As long as these strings are transmitted as plain text, they could be
intercepted and misused to gain access to that user account without the authorized user even knowing
about it.
Apart from the fact that this would open all the user's files to an attacker, the illegal account could be
used to obtain administrator or root access or to penetrate other systems. In the past, remote
connections were established with telnet, which offers no guards against eavesdropping in the form of
encryption or other security mechanisms. There are other unprotected communication channels, like
the traditional FTP protocol and some remote copying programs.
The SSH suite provides the necessary protection by encrypting the authentication strings (usually a login
name and a password) and all the other data exchanged between the hosts. With SSH, the data flow
could still be recorded by a third party, but the contents are encrypted and cannot be reverted to plain
text unless the encryption key is known. So SSH enables secure communications over insecure networks
such as the Internet.
The SCP protocol is a network protocol that supports file transfers. The SCP protocol, which runs on port
22, is based on the BSD RCP protocol which is tunneled through the Secure Shell (SSH) protocol to
provide encryption and authentication. SCP might not even be considered a protocol itself, but merely a
combination of RCP and SSH. The RCP protocol performs the file transfer and the SSH protocol performs
authentication and encryption. SCP protects the authenticity and confidentiality of the data in transit. It
hinders the ability for packet sniffers to extract usable information from the data packets.
The SCP protocol has been superseded by the more comprehensive SFTP protocol, which is also based
on SSH.
RSH
RSH allows a user to execute commands on a remote system without having to log in to the system.
For example, RSH can be used to remotely examine the status of a number of access servers without
connecting to each communication server, executing the command, and then disconnecting from the
communication server.
As described in the rlogin article, the rsh protocol is not secure for network use, because it sends
unencrypted information over the network, among other things. Some implementations also
authenticate by sending unencrypted passwords over the network. rsh has largely been replaced by the
very similar SSH (secure shell) program on untrusted networks like the internet.
As an example of RSH use, the following executes the command mkdir testdir as user remoteuser on
the computer remotecomputer:
After the command has finished RSH terminates. If no command is specified then rsh will log in on the
remote system using rlogin.
http://www.novell.com/documentation/suse91/suselinux-adminguide/html/ch19s02.html
and
http://en.wikipedia.org/wiki/Remote_Shell
and
http://en.wikipedia.org/wiki/Secure_copy
Question 143
As described within your security policy, the CSO has implemented an e-mail package solution that
ensures integrity of messages sent using the S/MIME standard. Which of the options below BEST
describes how it implements the environment to fulfill the policy's requirement?
• Implementing MIME solutions and providing a footer within each message sent, referencing to
policy constraints related to e-mail usage.
• Implementing RSA standard for messages envelope and instructing users to sign all messages
using their public key from their PKI digital certificate.
• Implementing RSA standard for messages envelope and instructing users to sign all messages
using their private key from their PKI digital certificate.
• Implementing PGP and allowing for recipient to receive the private key used to sign e-mail
message.
Correct Answer is: Implementing RSA standard for messages envelope and instructing users to sign all
messages using their private key from their PKI digital certificate.
Details:
The correct answer is: Implementing RSA standard for messages envelope and instructing users to sign
all messages using their private key from his/her PKI digital certificate.
The RSA e-mail standard refers to the S/MIME envelope. By signing messages with their private key, users
ensure that recipients can verify message integrity by using the sender's public key to decrypt the hash and
compare it with the message content.
Exam candidates should be aware of e-mail solutions and technologies that address confidentiality,
integrity and non-repudiation.
The following answers are incorrect:
Implementing PGP and allowing for recipient to receive the private key used to sign e-mail message.
Implementing RSA standard for messages envelope and instructing users to sign all messages using their
public key from the PKI digital certificate.
Implementing MIME solutions and providing a footer within each message sent, referencing to policy
constraints related to e-mail usage.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12795
Question 144
Attackers use a technique called ______ to exploit the trust between systems by pretending to be
someone else's IP address, or MAC address, or another trusted system. They can use this technique to
send a malformed packet containing a bug to the target system in order to mask the real source of the
attack.
• Exploiting
• Spoofing
• Choeping
• Smurfing
Details:
The correct answer is: Spoofing
The following answers are incorrect: Smurfing, Choeping and Exploiting.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16246
Question 145
What would you call the process that takes advantage of the security provided by a transmission
protocol by carrying one protocol over another?
• Piggy Backing
• Concealing
• Tunneling
• Steganography
Details:
The correct answer is: Tunneling
Computer networks use a tunneling protocol when one network protocol (the delivery protocol)
encapsulates a different payload protocol. By using tunneling one can (for example) carry a payload over
an incompatible delivery-network, or provide a secure path through an untrusted network.
Tunneling typically contrasts with a layered protocol model such as those of OSI or TCP/IP. The delivery
protocol usually (but not always) operates at a higher level in the model than does the payload protocol,
or at the same level.
To understand a particular protocol stack, network engineers must understand both the payload and
delivery protocol sets.
As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol
running over IP (IP Protocol Number 47), often serves to carry IP packets, with RFC 1918 private
addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery
and payload protocols are compatible, but the payload addresses are incompatible with those of the
delivery network.
A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through a SSH protocol connection.
Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted
channel. For example, Windows machines can share files using the Server Message Block (SMB)
protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely
through the Internet, someone snooping on the connection could see transferred files. To mount the
Windows file-system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote
fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption,
the encrypted SSH channel through which it travels offers security.
Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would
normally block, but "wrapped" inside a protocol that the firewall does not block, such as HTTP. If the
firewall policy does not specifically exclude this kind of "wrapping", this trick can function to get around
the intended firewall policy.
Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the
HTTP CONNECT command to a HTTP proxy. The proxy then makes a TCP connection to a particular
server:port, and relays data between that server:port and the client connection. Because this creates a
security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The
proxy allows access only to a whitelist of specific authorized servers.
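The restriction described above, as an added example that is not part of the original page or of any real proxy: a policy check that parses a CONNECT request line and only approves targets on an allowlist (the allowlist entries are constructed).

```python
# Added example (not from the original page): a minimal policy check for an
# HTTP CONNECT-capable proxy that only tunnels to an allowlist of server:port
# targets. The allowlist contents are constructed for illustration.
import re
from typing import Optional, Tuple

# Constructed allowlist: only these server:port pairs may be tunneled.
ALLOWED_CONNECT_TARGETS = {
    ("mail.example.com", 993),   # IMAPS
    ("www.example.com", 443),    # HTTPS
}

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_connect(request_line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = _REQUEST_LINE.match(request_line.strip())
    if not m or m.group(1) != "CONNECT":
        return None
    authority = m.group(2)
    # CONNECT targets are in authority form (host:port); the port is mandatory.
    host, sep, port = authority.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        return None
    return host.lower(), port_num


def connect_decision(request_line: str) -> str:
    """Return the HTTP status line the proxy should answer with."""
    target = parse_connect(request_line)
    if target is None:
        return "400 Bad Request"
    if target in ALLOWED_CONNECT_TARGETS:
        return "200 Connection Established"
    # Anything not on the allowlist is refused; this is the restriction that
    # stops the proxy from being used as a generic TCP relay to any server:port.
    return "403 Forbidden"
```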
Piggy Backing
In security, piggybacking refers to when a person tags along with another person who is authorized to
gain entry into a restricted area, or pass a certain checkpoint. The act may be legal or illegal, authorized
or unauthorized, depending on the circumstances. However, the term more often has the connotation of
being an illegal or unauthorized act.
To describe the act of an unauthorized person who follows someone to a restricted area without the
consent of the authorized person, the term tailgating is also used. "Tailgating" implies without consent
(similar to a car tailgating another vehicle on the freeway), while "piggybacking" usually implies consent
of the authorized person.
Piggybacking came to the public's attention particularly in 1999, when a series of weaknesses were
exposed in airport security. While a study showed that the majority of undercover agents attempting to
pass through checkpoints, bring banned items on planes, or board planes without tickets were
successful, piggybacking was revealed as one of the methods that was used in order to enter off-limits
areas.
Steganography
Steganography is the art and science of writing hidden messages in such a way that no one, apart from
the sender and intended recipient, suspects the existence of the message, a form of security through
obscurity. The word steganography is of Greek origin and means "concealed writing" from the Greek
words steganos (στεγανός) meaning "covered or protected", and graphein (γράφειν) meaning "to
write". The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a
treatise on cryptography and steganography disguised as a book on magic. Generally, messages will
appear to be something else: images, articles, shopping lists, or some other covertext and, classically,
the hidden message may be in invisible ink between the visible lines of a private letter.
The advantage of steganography, over cryptography alone, is that messages do not attract attention to
themselves. Plainly visible encrypted messages—no matter how unbreakable—will arouse suspicion,
and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas
cryptography protects the contents of a message, steganography can be said to protect both messages
and communicating parties.
Steganography includes the concealment of information within computer files. In digital steganography,
electronic communications may include steganographic coding inside of a transport layer, such as a
document file, image file, program or protocol. Media files are ideal for steganographic transmission
because of their large size. As a simple example, a sender might start with an innocuous image file and
adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that
someone not specifically looking for it is unlikely to notice it.
Concealing
Concealment (also called abscondence or hiding) is obscuring something from view or rendering it
inconspicuous, the opposite of exposure. A military term is CCD: camouflage (object looks like its
surroundings), concealment (object cannot be seen), and deception (object looks like something else); in
a broad sense, all three are forms of concealment.
The objective of hiding is often to keep the presence of an object or person secret, but in other cases the
presence is not secret, only the location is.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12892
http://en.wikipedia.org/wiki/Tunneling_protocol
http://en.wikipedia.org/wiki/Steganography
http://en.wikipedia.org/wiki/Piggybacking_%28security%29
Question 146
The Loki attack exploits a covert channel using which network protocol?
• SMTP
• ICMP
• PPP
• TCP
Details:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12339
Shon Harris, AIO, 5th Edition, Chapter 12: Operations Security, p. 1107
Question 147
Data which is properly secured and can be described with terms like "genuine" or "not corrupted from
the original" refers to data that has a high level of what?
• Availability
• Authorization
• Non-Repudiation
• Authenticity
Details:
Authenticity refers to the characteristic of a communication, document or any data that ensures the
quality of being genuine or not corrupted from the original.
Availability is wrong because this refers to ensuring that the systems which deliver data are accessible
when and where required by users.
Non-Repudiation is wrong because this is where a user cannot deny their actions on data they
processed. Classic example is a legal document you signed either manually with a pen or digitally with a
signing certificate. If it is signed then you cannot proclaim you did not send the document or do a
transaction.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14816
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, Volume 1, Module 1, Page.
11.
Question 148
If you were on a network and needed to make outbound SSH connections, but TCP port 22 was being
blocked, how could you get your traffic out of that network without it being filtered by the firewalling
device, which otherwise lets only TCP port 80 flow through the filtering device?
• IP Source Routing
• HTTP Tunneling
Details:
The correct answer is: HTTP Tunneling
A firewall device can drop or permit network traffic based on ports, content, destination, source IP
Address, basically any characteristic can be used to control the flow of information through the firewall
device.
When a single port like TCP/80 (And/or 443 for SSL) is permitted it is possible to use 3rd party
applications to tunnel traffic over permitted ports through the firewalling devices.
In this case, a HTTP Tunnel Tool would capture our SSH traffic and change the destination port to
TCP/80. The other end must be listening on TCP/80 for this to work but the SSH data is unwrapped at
the destination and the data passed to the intended application. In this case it would be the SSH
daemon and you'd have your SSH Connection end to end.
HTTP Tunnel creates a bidirectional virtual data connection tunneled in HTTP Requests.
IP Source Routing: This is incorrect. Most modern firewalling devices don't allow IP Source Routing and
wouldn't get your traffic out of a single router anyhow.
Bulk Network Encryption: Encryption is part of this answer's solution but only part. SSH uses encryption
to keep your network session secret but also stops content filtering devices from "seeing" your SSH
session inside the HTTP tunnel you're using.
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 122
Question 149
What was the major security risk with SNMPv1 with regards to attackers using a network sniffer on
your network?
Correct Answer is: SNMPv1 only supports clear text community strings
Details:
The correct answer is: SNMPv1 only supports clear text authentication through community strings
SNMPv1 only supports clear text authentication using a community string as a password. When sniffer
software became common this became a real security threat because attackers or malicious users could
capture SNMP community strings as they traversed the network.
Unfortunately SNMPv1 is still widely used in many networking devices and operating systems. Switches,
routers, Windows, Unix, Linux, firewalls, IDSes all support SNMP and can be vulnerable to community
string sniffing.
Mitigation: In a switched environment sniffing is less of a risk but switches can be tricked into acting like
hubs with ARP floods and CAM table overflow attacks. It is recommended to upgrade to SNMPv3 where
possible. V3 is not compatible with V1 in message formats and protocol operations.
In a non-switched (hubbed) network sniffers had free rein to capture ALL network traffic because it
was a single broadcast domain where all hosts "see" all traffic. Network cards placed into promiscuous
mode could capture all network traffic and dissect it for passwords, usernames, SNMP community
strings and so on.
CAM Table overflows: This is not the correct answer because CAM table overflows are a vulnerability of
a network switch, not SNMP.
MIB Database Overflows: This is incorrect because MIB databases aren't the target for overflow attacks.
Default Community Strings: This was not the intended answer because while default community strings
are a serious risk if unchanged by the network administrator the threat doesn't stem from network
sniffers but from attackers who use default community strings to attack devices or systems running
SNMPv1.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14976
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 146
Question 150
Which network management protocol suite uses community strings as authentication mechanisms?
Details:
SNMP - Simple Network Management Protocol is a service that allows administrators to centrally
manage and monitor network hosts. SNMP runs on networking devices and computers. (Computers,
servers, UPS devices, switches, routers, printers etc.)
The SNMP MIB - Or SNMP Management Information Base is a data structure where values are read from
and written to by either the host or by the administrator.
You can read values from the MIB manually or they can be sent automatically from the device if a
threshold is met. (Example: A CPU utilization is greater than 50%, would send an alert to the
administrator.) These alert messages are called traps.
The administrator can also set values if he has the write community string.
If he only has the read community string he may only read values but not write them to the MIB. Values
are written to the MIB and the host reads them to make changes to the system.
Mitigation: SNMPv1 had weak authentication and passed credentials in clear text which can be sniffed
and used to gain access to devices. SNMPv2 and v3 added features and security but V3 is not
compatible with V1 devices.
The default community strings are public for read access and private for write access. These must be
immediately changed when new devices are deployed hosting SNMP because they are the first
community strings an attacker uses to gain access.
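An offline audit of the settings discussed above, as an added example that is not part of the original page or of any vendor tool: it flags default or write community strings and any SNMPv1/v2c community on a constructed, Cisco-IOS-style configuration fragment.

```python
# Added example (not from the original page): audit SNMP settings in a device
# configuration for the weaknesses described above. The sample configuration
# is constructed, and the non-default community string is invented.
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname edge-router-1
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9vQ2mLp RO 10
snmp-server group netops v3 priv
"""

# The well-known defaults the text warns about: public (read) and private (write).
DEFAULT_COMMUNITIES = {"public", "private"}

_COMMUNITY = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$", re.IGNORECASE)
_V3_GROUP = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)$", re.IGNORECASE)


def _finding(lineno: int, severity: str, message: str) -> Dict[str, str]:
    return {"line": str(lineno), "severity": severity, "message": message}


def audit_snmp(config: str) -> List[Dict[str, str]]:
    """Return one finding per weakness, with the config line it applies to."""
    findings: List[Dict[str, str]] = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        m = _COMMUNITY.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(_finding(lineno, "HIGH",
                    f"default community string '{community}' is still configured ({mode})"))
            if mode == "RW":
                findings.append(_finding(lineno, "HIGH",
                    "write community lets anyone holding the string change the device configuration"))
            if acl is None:
                findings.append(_finding(lineno, "MEDIUM",
                    "no access list limits which management stations may use this community"))
            # Every v1/v2c community travels in clear text, whatever its value.
            findings.append(_finding(lineno, "MEDIUM",
                "SNMPv1/v2c community is sent in clear text and can be sniffed; migrate to SNMPv3"))
            continue
        m = _V3_GROUP.match(line)
        if m and m.group(2).lower() != "priv":
            findings.append(_finding(lineno, "MEDIUM",
                f"SNMPv3 group '{m.group(1)}' uses '{m.group(2)}'; 'priv' adds encryption"))
    return findings
```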
NETMP - Network Management Protocol: This is not the correct answer. There is no known protocol
called NETMP.
SMTP - Simple Management Transfer Protocol: This is incorrect because SMTP is used for transferring
mail and messages between users and hosts. SMTP is the Simple Mail Transfer Protocol.
SAMP - Simple Administration Management Protocol: There is no known protocol named Simple Admin
Management Protocol.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14981
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 158.
SNMP on Wikipedia
Question 151
What is the name of the database structure that resides on SNMP Managed devices and is responsible
for the organization of information gathered from the device for later retrieval?
Details:
SNMP Managed devices gather system information and store them in a hierarchical database structure
called the MIB - Management Information base.
The MIB uses OID (Object ID) numbers to identify the particular values written by the system. These
values could include CPU utilization, network performance, system temperature or any other value the
hardware can create that the system writes as a MIB value.
There are two ways messages can be retrieved from SNMP Managed devices:
1. SNMP Traps: These are sent automatically by the SNMP devices when a threshold is reached like
when a CPU runs at 100% for more than a few minutes. (Thus requiring human interaction)
2. SNMP Management Queries: These usually originate from the network administrator's SNMP
Management station when he runs a report on his SNMP devices to see how they're doing.
The risks associated with SNMP originated with the earliest implementations but became a real
problem after the advent of network sniffers, when credentials could be captured from the network.
SNMPv1 and v2 sent authentication messages in clear text across the network, which was easily picked
up by packet loggers (sniffers). Security staff and hackers can use these captured credentials to log into
managed devices to gather information or disrupt the device's operation.
SNMP devices read configuration data from the MIB so if dangerous settings are written to the devices
by an attacker the device could be damaged or disabled interrupting network communications or
creating dangerous conditions.
Mitigation: It is recommended that SNMPv3 be deployed to all devices which can support it. Most
modern devices support SNMPv3 and it is a more secure option because it provides:
• Integrity - Message integrity to ensure that a packet has not been tampered with in transit,
including an optional packet replay protection mechanism.
All of the other choices are made up and do not exist in real life.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14981
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 146
ASN 1 on Wiki
OID - Object ID
MIB
Question 152
An attack that uses the processing power of distributed computers each assisting a little in the attack is
called what?
• Rainbow Attack
• Distributed Attack
• Centralized Attack
Details:
Cracking passwords takes time and a lot of CPU horsepower. If the attacker could spread the processing
load across multiple systems, it would be a lot faster. This is where DNA - Distributed Network Attacks
become relevant.
L0phtcrack (pronounced like "loft") can pass about 10,000 passwords in 4-6 hours depending on the
processor speed. Passing some of the processing load to distributed computers can decrease the time it
takes to crack the passwords. (See also ophcrack.)
There are legitimate uses for distributed computing in science and technology research where people
agree to install software which responds to requests from the DNA Manager computer.
Basically, the client computer accepts the incoming processing request, executes it and returns the
results to the DNA Manager computer. In this attack the same technology is used to quicken the speed
of password cracking.
Mitigation: At best, after 3-5 attempts an account locks out and either a set period of time must pass
before the user may try again OR the account will remain locked until a security administrator can
investigate the reason for failed logon attempts. (Most secure solution)
IDS - Intrusion Detection Systems can detect floods of passwords and take actions to stop them, like
automatically adding a firewall rule to block the source IP address. Requiring complex passwords,
training users, and keeping your systems patched and updated can also help against password attacks.
Home computer users can help mitigate this threat by using a home-based firewall, host-based firewalls,
antivirus software and turning their computers off when not in use.
Updated antivirus software would likely block the malware that makes your computer take part in the
operation. Also, NOT installing software from untrusted sources can help block the install of this
malware.
Internet service providers could do more to mitigate these threats but it is not in their financial interest
to do so. Only laws to enforce this activity would make this happen.
Rainbow Attack: This is not correct because rainbow tables are not mentioned in the question.
IDS Evasion Attack: This is an incorrect answer because it does not involve evading IDSes.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16193
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 174
Question 153
Of the following choices, which type of traffic is NOT at risk if it is sniffed?
• Telnet traffic
• POP Mail
Details:
SSH - Secure Shell traffic can be sniffed off the network, but since it is encrypted it is NOT a problem if it
is captured over the network. The attacker cannot make sense of the data.
SSH traffic is encrypted between the SSH server and client and is generally therefore not subject to
effective sniffing. The traffic can be captured and viewed but it's obviously scrambled and unusable.
It should be noted that since the advent of switching devices it has become slightly more difficult to sniff
network traffic because there is a virtual link setup between host and switch so not all hosts see ALL
network traffic like in the days of hubs.
Computers talk directly to switches, which then aggregate traffic to pass to other switches or routers, so
network traffic isn't "seen" by all hosts as with hubs.
Mitigation: Always use secure protocols where possible so that even if traffic is captured it is not useful
to the attacker. Also, using full-duplex switches ensures that most traffic is segregated between
computer and switch and not broadcast to all hosts.
Telnet Traffic: Telnet traffic is clear text and can easily be sniffed off the wire.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15859
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 7, Page 351
Question 154
Of the following answers, which is BEST described by the act of transmitting specially crafted probe
packets to a host then sniffing the packets sent in response to your probes?
• Passive Sniffing
• Active Sniffing
• Direct Sniffing
• Packet Capturing
Details:
Certain responses can be elicited by the attacker. This means he can stimulate a remote host to emit
packets by sending packets himself then capture the results.
Such elicited traffic can reveal more information than plain packets passing on the network.
Mitigation:
- Use encrypted network protocols like 443/SSL, SSH - Secure Shell and avoid clear text
- Only installing Operating systems and software from known and trusted sources
Passive Sniffing: Passive sniffing involves simply running a promiscuous mode wireless card (Sniffer) and
gathering packets for later analysis. This is the opposite of active sniffing.
Packet Capturing: This is not the right answer but capturing packets is usually referred to as 'sniffing'.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15859
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 7, Page 353.
Question 155
Which of the following terms BEST describes network protocols which are subject to being sniffed off a
network and examined by an attacker?
• HTTPS Traffic
• VPN Traffic
Details:
There are secure protocols for network use like SSH - Secure Shell and HTTPS/443/SSL traffic but there
are also protocols like the following which send traffic in clear/plain text which is easily captured and
read by attackers:
SMTP - Simple Mail Transfer Protocol used to retrieve mail from a mail server.
NNTP - Network News Protocol, an old-school way to read postings by other people.
POP - Post Office Protocol. An unsecure way to check email on a mail server.
FTP - File Transfer Protocol. Uses telnet as a control channel to retrieve files.
Telnet - A plain text terminal emulator for executing shell commands on a remote server.
When a sniffer is run on a network, traffic can be 'seen' by the sniffing host when it accepts all packets on
its interface. Ordinarily network hosts only process packets with their own IP address as the destination.
Sniffers process ALL packets and can capture the traffic for later examination.
SSH - Secure Shell: SSH traffic is encrypted and thus NOT subject to being sniffed. Incorrect.
VPN Traffic: VPNs are encrypted and thus NOT subject to sniffer attack in most cases.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15859
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 7, Page
VPN
Question 156
If a host receives an ARP response from an IP Address that is already in the receiver's ARP Cache then
that cache entry is updated with the sender's specified hardware address. What security problem could
this lead to?
Details:
When a host receives an ARP response from a host that is already in its cache, it updates its ARP cache
to reflect the change even if the hardware address is different. Such unrequested replies are called
gratuitous ARP replies: you get a reply but never asked for it in the first place.
This means that it is easy for an attacker to control the victim PC's ARP cache and make it think it is
talking to an otherwise trusted host when it is actually talking to the attacker's machine.
This means that the attacker computer could intercept traffic from the Victim PC, keep a copy then
forward it out to the intended destination leaving the victim unaware.
Mitigation: Static ARP entries can be effective on some operating systems but not all.
This would assign 10.5.1.1 to always use the AA:BB:CC:DD:EE:FF and disregard any incoming attempts to
modify that entry.
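The cache behaviour and the static-entry mitigation described above, as an added example that is not part of the original page: an arpwatch-style monitor that mirrors the default "last reply wins" update, raises an alert whenever an entry changes or is learned from an unsolicited reply, and refuses to overwrite pinned entries (the sample replies are constructed; 10.5.1.1 and AA:BB:CC:DD:EE:FF are the values from the mitigation text).

```python
# Added example (not from the original page): an ARP cache monitor that
# records alerts on suspicious updates and honours pinned (static) entries.
# The sample replies below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    solicited: bool  # True if this host had an outstanding request for sender_ip


@dataclass
class ArpMonitor:
    """ARP cache that mirrors the default update behaviour but records alerts,
    and honours pinned (static) entries that replies may not overwrite."""
    static: Dict[str, str] = field(default_factory=dict)
    cache: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.static = {ip: mac.upper() for ip, mac in self.static.items()}
        self.cache.update(self.static)

    def process(self, reply: ArpReply) -> bool:
        """Apply one reply to the cache; return True if the cache changed."""
        ip, mac = reply.sender_ip, reply.sender_mac.upper()
        if ip in self.static:
            # A static entry is never updated; a conflicting claim is reported.
            if mac != self.static[ip]:
                self.alerts.append(
                    f"{ip}: reply claims {mac} but entry is pinned to {self.static[ip]}; ignored")
            return False
        old = self.cache.get(ip)
        if old == mac:
            return False  # nothing new
        if old is not None:
            how = "solicited reply" if reply.solicited else "unsolicited (gratuitous) reply"
            self.alerts.append(f"{ip}: hardware address changed {old} -> {mac} via {how}")
        elif not reply.solicited:
            self.alerts.append(f"{ip}: new entry {mac} learned from an unsolicited reply")
        self.cache[ip] = mac  # the default behaviour the question describes
        return True


# Constructed sample: 10.5.1.1 is the pinned gateway from the mitigation text.
SAMPLE_REPLIES = [
    ArpReply("10.5.1.20", "00:11:22:33:44:55", solicited=True),
    ArpReply("10.5.1.20", "00:11:22:33:44:55", solicited=True),   # no change
    ArpReply("10.5.1.20", "de:ad:be:ef:00:01", solicited=False),  # address changes
    ArpReply("10.5.1.1", "de:ad:be:ef:00:01", solicited=False),   # tries to override the gateway
]


def run_sample() -> ArpMonitor:
    monitor = ArpMonitor(static={"10.5.1.1": "AA:BB:CC:DD:EE:FF"})
    for reply in SAMPLE_REPLIES:
        monitor.process(reply)
    return monitor
```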
Nothing, this is a normal ARP Cache update: This is incorrect. While this may appear to be normal ARP
activity it leads directly to the conditions where ARP poisoning can occur.
MITM - Man In the Middle Attack: This is a man in the middle attack but more specifically it is a
condition vulnerable to ARP Poisoning. MITM encompasses a large variety of situations. ARP Poisoning
was a better response. ARP Poisoning is a form of MITM attack.
DHCP Server Resource Depletion: This is not correct. When an attacker sends a flood of DHCPDISCOVER
messages it can deplete the pool of IP addresses on the DHCP server, but that is not what is happening
here.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15319
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 8 Page 365.
ARP Spoofing
Question 157
What is the term for the behaviour in which a computer tries to set up communications with another
computer, only to drop the conversation when the other side responds to the initial request with a SYN-
ACK packet, so that the three-way handshake is never completed by the computer initiating the request?
• SYN Flood
• FIN Attack
Details:
TCP Handshake
TCP must set up a virtual connection between two hosts before any data are sent. This means the two
hosts must agree on certain parameters, data flow, windowing, error detection, and options. These
issues are negotiated during the handshaking phase.
The host that initiates communication sends a synchronous (SYN) packet to the receiver. The receiver
acknowledges this request by sending a SYN/ACK packet. This packet translates into, “I have received
your request and am ready to communicate with you.” The sending host acknowledges this with an
acknowledgment (ACK) packet, which translates into, “I received your acknowledgment. Let’s start
transmitting our data.” This completes the handshaking phase, after which a virtual connection is set up,
and actual data can now be passed. The connection that has been set up at this point is considered full
duplex, which means transmission in both directions is possible using the same transmission line.
If an attacker sends a target system SYN packets with a spoofed address, then the victim system replies
to the spoofed address with SYN/ACK packets. Each time the victim system receives one of these SYN
packets it sets aside resources to manage the new connection. If the attacker floods the victim system
with SYN packets, eventually the victim system allocates all of its available TCP connection resources
and can no longer process new requests. This is a type of DoS that is referred to as a SYN flood. To
thwart this type of attack you can use SYN proxies, which limit the number of open and abandoned
network connections. The SYN proxy is a piece of software that resides between the sender and receiver
and only sends on TCP traffic to the receiving system if the TCP handshake process completes
successfully.
• ICMP Flood Attack: This is not correct because ICMP messages aren't used to set up
communications between two computers. ICMP Flood attacks can exhaust ICMP protocol stacks but aren't
generally called a DOS attack.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16218
CISSP All In one Exam Guide 6th Edition Page Number 539
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 10 Page 435
Question 158
Which of the following best describes the type of DOS attack that floods traffic to a high-speed internet
backbone router with the source address of the target thus eliciting massive responses to the intended
target?
Details:
- The Internet backbone router receives the packets, sees the source address and dutifully sends its
responses back to the supposed source.
- Unsolicited responses return to the victim, who is quickly overwhelmed by the high-speed Internet
routers.
- These attacks are difficult to investigate because the packets are forged; they can be followed back
to a source and blocked, but it is not easy.
Mitigation:
- Prevent fraudulently addressed network traffic from being permitted out of the network
- Internet service providers have a responsibility to help mitigate these attacks since they often originate
at private internet service provider enclaves. (They resist helping because it would cost them money to
man a response section despite being better for the community at large.)
Direct DDoS Attack: This isn't correct because in that attack the attacker floods the target directly
himself.
ICMP Flood attack: This isn't the intended answer because Reflective DDoS attacks may be carried out
with ICMP packets but aren't limited to such.
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 10 Page 449.
Question 159
If I were to call my ex-wife and hang up when she answered the phone over and over to a degree that
she could not legitimately use her phone anymore: What attack in the computer networking world
would this be called?
• A Botnet Attack
• Denial of Service
Details:
When a service is abused to a degree that it becomes useless to the owner it is a common denial of
service.
In this case calling my ex-wife and hanging up might also be considered stalking but in computer
networking it is a denial of service or DOS Attack.
If, for example a web server is listening on TCP/80 and a malicious attacker floods the TCP Service with
connection attempts in the form of TCP SYN Packets, this can render the web server unable to process
normal connection requests from web browsing users.
Mitigation:
- Update kernels to the latest releases and keep system patches up to date
- Prevent fraudulently addressed network traffic from being permitted out of the network
A Distributed Denial of Service: This is incorrect. If I and a bunch of my friends called my ex-wife and she
was unable to use her phone because of it THIS answer would be correct. This is different from the
intended answer.
Reflective DDoS Attack: This is not the correct answer. It would have been the better answer if I had called
a bunch of people with a spoofed caller ID number and told them to call back at that number. A
Reflective DDOS Attack floods traffic to a high-speed Internet backbone router with the source address
of the target, thus eliciting massive responses to the intended target and taking it offline. This is not the
correct answer.
A Botnet Attack: This is not correct. A botnet attack would otherwise be called a Distributed DOS attack
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16852
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 10 Page 449
The question refers to a SYN FLOOD attack, where you send a very large number of SYN packets, then
you receive a large number of SYN-ACK responses, and you never complete the connection with a
final acknowledgement.
The remote server would have all possible connections in what is called WAIT STATE and nobody else
can connect to that server because all possible connections are consumed.
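The half-open state that Question 157 and Question 159 describe, as an added example that is not part of the original page: it walks a constructed stream of TCP segments, tracks per server which connections never received the client's final ACK, and flags a server whose half-open count crosses a threshold (addresses and the threshold are constructed).

```python
# Added example (not from the original page): count half-open TCP connections
# per server from a constructed stream of segments to spot a SYN flood.
# Addresses come from the RFC 5737 documentation ranges.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST


# Constructed threshold; on a real host tune it to the listen backlog size.
HALF_OPEN_THRESHOLD = 5


def analyze(segments: List[Segment]) -> Dict[str, Dict[str, int]]:
    """Walk the segments in order and count, per server, the connections still
    waiting for the client's final ACK versus those fully established."""
    half_open: Dict[str, Set[str]] = {}
    established: Dict[str, Set[str]] = {}
    for seg in segments:
        if seg.flags == "S":
            # The server sets resources aside as soon as the SYN arrives.
            half_open.setdefault(seg.dst, set()).add(seg.src)
        elif seg.flags == "SA":
            continue  # server's reply; the connection stays half-open until the ACK
        elif seg.flags == "A":
            if seg.src in half_open.get(seg.dst, set()):
                half_open[seg.dst].discard(seg.src)
                established.setdefault(seg.dst, set()).add(seg.src)
        elif seg.flags == "R":
            # A reset from either side tears the pending connection down.
            half_open.get(seg.dst, set()).discard(seg.src)
            half_open.get(seg.src, set()).discard(seg.dst)
    servers = set(half_open) | set(established)
    return {
        s: {"half_open": len(half_open.get(s, ())), "established": len(established.get(s, ()))}
        for s in servers
    }


def syn_flood_suspects(report: Dict[str, Dict[str, int]]) -> List[str]:
    """Servers whose half-open backlog has crossed the threshold."""
    return sorted(s for s, c in report.items() if c["half_open"] >= HALF_OPEN_THRESHOLD)


SERVER = "192.0.2.10"

# Constructed sample: one client completes the handshake, six spoofed sources
# send a SYN, receive the SYN/ACK and never answer.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", SERVER, "S"),
    Segment(SERVER, "10.0.0.5", "SA"),
    Segment("10.0.0.5", SERVER, "A"),
] + [
    seg
    for i in range(1, 7)
    for seg in (Segment(f"203.0.113.{i}", SERVER, "S"), Segment(SERVER, f"203.0.113.{i}", "SA"))
]
```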
Question 160
Which of the following answers best describes a system set up with a deliberately low security posture
to attract attackers away from more critical servers?
• Monkeypot
• Honeypot
Correct Answer is: Honeypot
Details:
When attackers get into networks they root around looking for unsecured systems. Once they find one
they may spend time there, giving forensic investigators more and more evidence, like logfile entries,
which can be used in legal proceedings against the interlopers.
Clever network administrators may even seed the honey pot with interesting looking files to keep the
attackers distracted and on that system.
Mitigation:
- Update kernels to the latest releases and keep system patches up to date
- Prevent fraudulently addressed network traffic from being permitted out of the network
- Only installing Operating systems and software from known and trusted sources
Monkeypot: This isn't the correct answer but it is by far the funniest.
LSS - Low Security System: This seems like a good answer but it is not correct although it does describe a
Honeypot.
HBSS - Host Based Security System: This isn't right but HBSSes are a common component in network and
system security.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 21900
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 10 Page 456.
Question 161
What sort of Denial of Service attack involves sending a flood of ICMP Echo Request packets with
spoofed source IP addresses to a broadcast address on a gateway, causing storms of traffic back to the
source IP address of those packets?
PING of Death
• Smurf Attack
Details:
A Smurf attack is also a type of DoS attack, but it involves sending a flood of ICMP packets with a
spoofed source IP address to broadcast addresses, causing a storm of traffic when the systems respond.
You can disable ICMP on systems, but that makes network troubleshooting more difficult and doesn't
eliminate other types of DoS attacks like SYN floods. It can still be a wise contribution to a defense-in-
depth strategy.
Mitigation:
- Update kernels to the latest releases and keep system patches up to date
- Prevent fraudulently addressed network traffic from leaving the network (egress filtering)
- Configure border routers not to forward directed broadcasts (on Cisco IOS, no ip directed-broadcast)
so outside hosts cannot reach the broadcast address the amplification relies on
Trinoo DDoS Attack: Trinoo (also written Trin00) attacks are similar to Smurf attacks but don't ordinarily
involve ICMP packets.
ARP Cache Timeouts: This is incorrect. ARP cache timeouts are an important part of ARP (Address
Resolution Protocol) cache maintenance. Systems usually flush an ARP cache entry after 2-20 minutes,
but later versions of Microsoft Windows lowered the timeout to a random value between 15 and 45
seconds.
PING of Death: This is incorrect because a PING of Death attack involves (Historically) sending an
oversized PING (Packet INternet Groper) packet to an unpatched (and very old) operating system
causing it to possibly crash or hang.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12672
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 10 Page 441.
Question 162
Which of the following answers is the term used to describe an attack where IP Fragments are sent with
overlapping offset in the subsequent fragments?
• Teardrop Attack
• PING of Death
Details:
While modern computers aren't vulnerable to this sort of attack, it is valuable to understand how
attackers craft packets in ways that target systems aren't prepared to handle, creating a situation where
the system may become unstable.
When the value of the IP fragment offset is inconsistent or overlaps with other IP fragments, the system
(back in the 90s) didn't know how to reassemble the packets, which caused problems on unpatched
systems.
Good firewalls can block these, and Intrusion Detection Systems (IDSes) can notify when they're seen,
but these items are really just Band-Aids on already vulnerable systems on internal networks. If vendors
were forced to really secure their systems, we wouldn't need firewalls and IDSes to make up for their
lack of security.
Mitigation:
- Update kernels to the latest releases and keep system patches up to date
- Prevent fraudulently addressed network traffic from leaving the network (egress filtering)
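As an added illustration (not from the original question set) of what a firewall or IDS checks when it says a fragment set is malformed, the following reassembly sanity check converts each fragment's offset (counted in 8-byte units) to a byte range and reports overlaps and gaps. The three fragment sets are constructed for the example; the TEARDROP set has a second fragment whose offset lands inside the first fragment, which is the overlap the question describes.

```python
FRAG_UNIT = 8   # the IP fragment offset field counts 8-byte units

# Constructed fragment sets, written as (fragment_offset, payload_length, more_fragments).
NORMAL = [(0, 1480, True), (185, 1480, True), (370, 100, False)]
# Teardrop-style: the second fragment starts at byte 24, inside the first fragment's 36 bytes.
TEARDROP = [(0, 36, True), (3, 4, False)]
GAPPED = [(0, 1480, True), (200, 100, False)]   # bytes 1480..1599 never arrive


def byte_ranges(fragments):
    """Convert each fragment to its [start, end) byte range, sorted by start."""
    return sorted((off * FRAG_UNIT, off * FRAG_UNIT + length) for off, length, _ in fragments)


def find_overlaps(fragments):
    """Return every fragment range that begins before the highest byte already covered.
    Tracking the running maximum catches a fragment that sits entirely inside an earlier one."""
    overlaps, covered_to = [], 0
    for start, end in byte_ranges(fragments):
        if start < covered_to:
            overlaps.append((start, end))
        covered_to = max(covered_to, end)
    return overlaps


def check_datagram(fragments):
    """Classify a fragment set: 'overlap' (reject), 'gap' (hold until timeout), or 'ok'."""
    if find_overlaps(fragments):
        return "overlap"
    expected = 0
    for start, end in byte_ranges(fragments):
        if start != expected:          # missing bytes between fragments
            return "gap"
        expected = end
    last = max(fragments, key=lambda f: f[0])
    return "ok" if not last[2] else "gap"   # final fragment must clear the MF flag


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("gapped", GAPPED)):
        print(name, check_datagram(frags), find_overlaps(frags))
```

A modern stack simply discards an overlapping set; an IDS additionally logs it, since legitimate senders never produce overlapping fragments.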
Smurf attack: A Smurf attack is also a type of DoS attack, but it involves sending a flood of ICMP packets
with a spoofed source IP address to broadcast addresses, causing a storm of traffic when systems respond.
PING of Death: This is incorrect because a PING of Death attack involves (Historically) sending an
oversized PING (Packet INternet Groper) packet to an unpatched (and very old) operating system
causing it to possibly crash or hang.
Trinoo DDoS Attack: Trinnoo or Trin00 attacks are similar to Smurf attacks but don't ordinarily involve
ICMP packets.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16013
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 436.
Question 163
What is the very first condition or action in a DOS Attack, not including the actual attack?
• End user infecting their system
Details:
The correct answer is: A computer being vulnerable to attack to begin with.
There is a philosophy in reasoning that revolves around going to the source of incidents or situations. It's
called the "Five Whys", and in this case it's not the actual DoS attack, nor the computer getting infected;
it's that the computer was vulnerable to begin with.
- Why was it vulnerable? Because the software code was buggy or dangerously written.
- Why was the code buggy? Because the programmer was careless or inexperienced.
- Why was he careless or inexperienced? He didn't care about his work enough or is a new programmer.
- Why doesn't he care about his work? He doesn't have a good work ethic or hasn't been programming
long. (Actually two Whys)
You can see this could go on a lot longer than five whys, and at some point we would reach the core of
the problem, which would likely be human error.
Realistically the software code was written probably as well as the coder or company could create at the
time. In the end the root cause really goes back to human fallibility, which is what computer attackers
really take advantage of: human error.
It is this sort of reasoning and thought that can help us understand problems and predict attacks and
plan accordingly.
Mitigation:
- Update kernels to the latest releases and keep system patches up to date
- Prevent fraudulently addressed network traffic from leaving the network (egress filtering)
- Only install operating systems and software from known and trusted sources
- Don't follow ANY links sent in emails, even from known sources
Attacker sending a stream of malicious packets: This is almost right but it isn't the first part of the attack.
The system must be vulnerable to attack to begin with.
End user infecting their system: This is almost right but since the system must be vulnerable to begin
with it isn't the correct answer.
System Antivirus doesn't detect the threat: This isn't right. Antivirus is good to have but it can't detect
ALL vulnerabilities on a system and if the malware has reached the computer it may be too late.
SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 540 or Kindle Location 14538.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16852
Question 164
At which OSI layer does SSL reside in?
• Application
• Session
• Transport
• Network
Details:
Session: While SSL does straddle both the session and transport layers, for exam purposes choose
transport.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15288
"Different references can place specific protocols at different layers. For example, many references
place the Secure Sockets Layer (SSL) protocol in the session layer, while other references place it in the
transport layer. It is not that one is right or wrong. The OSI model tries to draw boxes around reality, but
some protocols straddle the different layers. SSL is made up of two protocols--one that works in the
lower portion of the session layer and the other works in the transport layer. For purposes of the CISSP
exam, SSL resides in the transport layer."
Note from Mike: As one who has spent a lot of time inside packet captures looking at SSL traffic, when I
first encountered this question I got it wrong, opting for the session layer.
I've included the reference from Shon's book so that others understand that for the purpose of the
exam, SSL resides in the transport layer. In the off chance, however, that the exam allows you to choose
2 answers, choose both transport and session.
Question 165
Which of the following protocols might help defend against session hijacks?
• IPSec - IP Security
IPSec is an end-to-end security protocol suite for securing IP (Internet Protocol) communications
between hosts on the internet. It is a host-to-host virtual private network protocol.
IPSec: Is a protocol suite developed by the IETF for securing IP communications by authenticating and
encrypting each IP packet of a communication session.
IPSec Benefits:
- Replay protection.
- Data integrity.
- Data confidentiality.
It operates at the Internet layer (like IP itself) and can either encrypt only the data (payload) or the
entire packet, which is then encapsulated in a new IP packet for transport and de-encapsulated at the
receiving end.
The point of all this is that once the data leaves the terminal it is nearly impossible to sniff off the wire
in a usable format. Even if it is sniffed off the wire it will be useless to the attacker, apart from some
unencrypted header information that is necessary to move the data around the network.
You can't encrypt the MAC and IP addresses or the TCP header information that intermediary devices
(switches, routers or even other hosts) need in order to reach the destination. (In tunnel mode the
original IP and TCP headers travel inside the encrypted payload; only the outer IP header is exposed.)
Modes of IPSec:
- Transport Mode: Authenticates two connected computers. Has an option to encrypt data transfer.
Compatible with NAT.
- Tunnel Mode: Encapsulates packets being transferred. Has an option to encrypt data transfer. Not
compatible with NAT.
Mitigation:
- Use end-to-end encryption so that even if the session is hijacked the data is useless to the attacker.
- Use IPSec, a set of protocols developed by the IETF (Internet Engineering Task Force), to harden
packets at the IP layer.
- Enforce switch port security with 802.1X (certificate security) so that rogue devices aren't permitted to
talk on the LAN.
- Develop a comprehensive security plan to avoid the circumstances in which attackers can gain access
to the local network to attack internal hosts.
ARP - Address Resolution Protocol: This isn't the right answer. ARP is a totally unauthenticated protocol
that operates at layer 2 of the OSI model. Essentially it lets hosts figure out how to talk on a switched
network by sharing unique MAC addresses. ARP doesn't enhance security at all; in fact, since it's not
authenticated, any host can come online claiming whatever MAC address it wants. When hosts come up
looking for their file or email server at the 10.5.1.10 IP address, a rogue client can say "Yes, that's me,
send me your traffic" with an ARP reply that looks something like "10.5.1.10 is at DE:EA:BE:EF:CA:FE"
(or whatever MAC it wants to use), and it now receives whatever traffic you would ordinarily send to that
server (plus credentials). An appropriate mitigation to ARP insecurity is using 802.1X certificate security.
TCP/IP: This isn't correct; it's the TCP/IP protocol suite's vulnerabilities that open systems up to certain
kinds of session hijack attack. The suite is 63 separate protocols, each of which has its own
vulnerabilities.
DHCP: This isn't right. DHCP servers only hand out IP addresses to DHCP hosts and don't really add much
security. In fact, you might say DHCP presents a security risk because it can be manipulated into giving
out all its IP address leases to a rogue client pretending to be many hosts. Also, DHCP traffic gives away
much information about hosts on the network that can be sniffed, such as MAC addresses, hostnames,
IP addresses, default routers and whatever other information the DHCP server is configured to supply
(which can be a lot, actually).
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12339
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 11, Page
496.
Question 166
Of the following answers which would NOT help defend against Session Hijack Attacks?
ArpWatch
IPSec
• OpenSSH
Details:
Telnet is a deprecated application that sends data in clear text unless you're using a network encryption
protocol like IPSec.
Don't forget that telnet, apart from being an unencrypted shell for a remote system, can also be used to
host applications on a remote server, so it's not only the telnet shell program but telnet-supported
programs that you need to be cautious with.
Without a network encryption protocol, telnet (and FTP, because it uses telnet as a control channel)
sends traffic in clear text over the network, which is very easy to sniff off the wire.
If you want to carry out a practical exercise, run snort on your wireless card and dump the sniffed
packets to a file. On another system, FTP or telnet into a computer and log on.
Then go to the packet capture file and grep for your username or password (grep MyPassword) and it
will pop right up.
The other answers are all ways to secure against session hijacking attacks.
Mitigation:
- Use end-to-end encryption so that even if the session is hijacked the data is useless to the attacker.
- Use IPSec, a set of protocols developed by the IETF (Internet Engineering Task Force), to harden
packets at the IP layer.
- Enforce switch port security with 802.1X (certificate security) so that rogue devices aren't permitted to
talk on the LAN.
- Develop a comprehensive security plan to avoid the circumstances in which attackers can gain access
to the local network to attack internal hosts.
OpenSSH: SSH replaced telnet years ago so this is the wrong answer.
IPSec: IPSec is a great way to secure your network so this isn't the right answer.
ArpWatch: This is a good tool to run to monitor for people carrying out ARP-level mischief.
The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16311
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 11, Page
495.
Further Reading:
OpenSSH
IPSec
ArpWatch
Question 167
Of the following answers where is the best location on a physical corporate network for a publicly
accessible high-traffic web server to be positioned?
• DMZ - Area between outer packet filtering router but before the internal firewall
Correct Answer is: DMZ - Area between outer packet filtering router but before the internal firewall
Details:
The correct answer is: DMZ - Area between outer packet filtering router but before the internal firewall.
Any server exposed to the open internet is subject to attack and if an attack is successful it can lead to
the server becoming a launch pad for further attack.
For this reason it is important to position publicly accessible servers on untrusted areas of your network
like the area behind the external router/filtering device and the firewall protecting your internal
network.
Mitigation:
Ensure you are using a strong, well-configured filtering routing device at your border. Such devices can
filter bad packets and detect and filter attacks, permitting only legitimate traffic to your DMZ servers.
Typically administrators use strong firewalls to protect internal networks and routing/filtering devices
to filter unnecessary traffic into the DMZ.
Further, it is common to dedicate a server to a single service, such as web or email, because each comes
with its own set of vulnerabilities. If one service on a server is compromised it can lead to the other
services on that server being compromised, or the network on which the server resides. (Separation of
services)
- CIN - Corporate Internal Network: This is not correct. You wouldn't want to place a busy server hosting
public services on your internal network.
- CEN - Corporate External Network outside the DMZ: This isn't correct either. It is important to filter
inappropriate traffic hitting your public services.
- IIN - Isolated Internal Network: In this case no internet users could access the server so it would be
pointless to even have the server so this isn't correct.
** These acronyms are not known to be commonly used terms and were created to be potential
alternate answers to DMZ.
The following reference(s) was/were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14339
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 12, Page
528.
Question 168
Imagine you are looking at a packet capture of traffic from a client requesting access to the SSH daemon
on a server. You find the initial SYN packets from the client have seemingly random target ports and
finally TCP/22 at which point the client is granted access to the SSH Daemon by the firewall. What are
you seeing?
• Port Knocking
• Browser Cookies
• SYN Cookies
Details:
When TCP conversations occur between two hosts on a network, the traffic is directed between TCP
ports on the two hosts. Generally SSH servers listen on 22/TCP so that clients know which port should be
listening on the server.
Servers can use the process called port knocking where the service listens only to clients who
successfully send a series of packets to a required series of ports to meet the proper sequence.
After the proper sequence is seen the firewall rules are dynamically modified to permit that host's
source IP Address from accessing the desired service. There is a variant of this involving a single
encrypted TCP Packet.
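As an added example of the process described above (constructed here, not code from the original question set), the monitor below tracks each source address's progress through a knock sequence and decides, per SYN, whether the protected port is reachable for that source. The knock ports, timing window, opening duration and the firewall log lines are all assumptions made for the example.

```python
# Constructed configuration; not from the original page.
KNOCK_SEQUENCE = (7000, 8000, 9000)   # secret knock: SYNs to these ports, in order
SERVICE_PORT = 22                     # the protected SSH daemon
KNOCK_WINDOW = 10.0                   # seconds allowed between consecutive knocks
OPEN_FOR = 30.0                       # seconds the service stays reachable after a full knock


class KnockMonitor:
    """Tracks each source's progress through the knock sequence and decides,
    for every SYN the firewall sees, whether TCP/22 is reachable for that source."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_FOR):
        self.sequence, self.window, self.open_for = sequence, window, open_for
        self.progress = {}   # src_ip -> (index of next expected port, time of last knock)
        self.allowed = {}    # src_ip -> time until which the service port is open

    def on_syn(self, src, dport, ts):
        """Return 'allow'/'drop' for the service port, 'knock'/'open'/'drop' for knock ports."""
        if dport == SERVICE_PORT:
            return "allow" if self.allowed.get(src, -1.0) > ts else "drop"
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.window:       # took too long: start the sequence over
            idx = 0
        if dport != self.sequence[idx]:   # wrong port (e.g. a port scan): reset
            self.progress.pop(src, None)
            return "drop"
        idx += 1
        if idx == len(self.sequence):     # full sequence seen: dynamically open the port
            self.progress.pop(src, None)
            self.allowed[src] = ts + self.open_for
            return "open"
        self.progress[src] = (idx, ts)
        return "knock"


# Constructed firewall log of SYN packets: "timestamp source_ip destination_port".
SYN_LOG = """\
0.0 203.0.113.5 7000
0.5 203.0.113.5 8000
1.0 203.0.113.5 9000
1.5 203.0.113.5 22
2.0 198.51.100.7 22
3.0 198.51.100.7 7000
3.5 198.51.100.7 22
4.0 198.51.100.7 9000
40.0 203.0.113.5 22
"""


def replay(log=SYN_LOG):
    """Feed each logged SYN to the monitor and return the verdict per line."""
    monitor = KnockMonitor()
    verdicts = []
    for line in log.splitlines():
        ts, src, dport = line.split()
        verdicts.append(monitor.on_syn(src, int(dport), float(ts)))
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SYN_LOG.splitlines(), replay()):
        print(f"{line:28} -> {verdict}")
```

The knock ports themselves stay closed; the firewall only watches the SYNs to them. In the constructed log the first host completes the sequence and is admitted to TCP/22, the second host is refused both before knocking and after a wrong-order knock, and the first host's opening has expired by the time it returns at 40 seconds.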
- SYN Cookies: This isn't correct but it is used to resist SYN flood attacks.
- Browser Cookies: This is not correct. Browser cookies are usually used to track
- Dynamic Firewall Rules: This isn't correct but these rules are a part of the port knocking process.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 12, Page
500.
Question 169
• Vulnerability Scanners
Tools like Nikto, Nessus, Retina, ISS, or queso can quickly scan thousands of servers looking for
vulnerabilities. Obscurity was never really security but when every reachable IP Address on the internet
can be scanned for vulnerabilities in minutes even obscure websites got attacked.
Vulnerability scanners can be programmed to scan a range of IP Addresses looking for vulnerable
systems and can launch automated attacks giving even the most novice of "hackers" access to
vulnerable systems.
Mitigation:
- Practice good patch management and apply software patches to all your systems
- Firewall your servers and limit only one service per server to limit damage should the server become
compromised.
- Nmap - Network Mapper: This isn't correct. Nmap isn't usually a vulnerability scanner, but it can
quickly determine which servers have TCP/80 open.
- SSH - Secure Shell: This is incorrect. SSH is a secure shell replacement for telnet that uses PKI - Public
Key Infrastructure to secure sessions.
- SSL - Secure Sockets Layer: This also isn't correct. SSL is a means to protect web traffic data in transit.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16083
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 12, Page 536
Nikto Site
Question 170
Which of the following protocols would BEST mitigate threats of sniffing attacks on web application
traffic?
• SSL or TLS
• 802.1X
Details:
Without some sort of encryption, web application data is vulnerable to sniffing and interception by
attackers on the network while it traverses the wire. If we observe sniffer traffic on an unencrypted
network we can clearly see the contents of the user's interaction with the web server and its applications.
There are similarities between these two protocols, and TLS 3.1 supersedes SSL 2.0, but they are not
interoperable. Today both protocols are commonly used on many web servers. In either case SSL/TLS
encrypts network traffic as it traverses the wire and protects it from sniffing attacks.
802.1X: This wouldn't secure data in transit but it would help prevent unauthorized devices from
connecting to your network and sniffing data. Also Known As "Dot 1 X" or "The Extensible
Authentication Protocol (EAP)" it provides infrastructure protection by requiring certificates to connect.
ARP Cache Security: This wouldn't mitigate the threat of network sniffing of web app data.
SSH - Secure Shell: Incorrect. SSH is a telnet replacement that encrypts traffic to mitigate the threat of
network sniffers on SSH connections.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15286
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 13, Page
569.
Question 171
Why is it so easy to spoof MAC addresses on wireless AND regular copper LAN networks?
Details:
The correct answer is: Because Layer 2 MAC addresses are unauthenticated
MAC addresses used in layer 2 communications are completely unauthenticated, so any host on the
network can respond to ARP queries claiming whichever MAC address it likes.
Recall that computers on a local subnet only really use layer 2 addresses to communicate. They acquire
the MAC address of the intended host by issuing an ARP request, which would look something like this in
wireshark:
Assuming all was normal, the host owning that IP address would respond with:
10.5.1.1 IS AT 22:33:44:55:66:77
At that point the two hosts could talk using MAC addresses. IP addresses are used, but only to resolve
the MAC addresses they use.
Also, remember that MAC addresses are only relevant on local subnets and are not visible past the first
layer 3 device, which replaces the source MAC address with its own as the packet makes its way through
that device.
Mitigation: It is important to use 802.1x Certificate Security on both wireless and wired networks.
802.1X or simply Dot1X is where we assign certificates to each device and they cannot use the network if
they do not have a valid and trusted certificate.
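Since the only defence against spoofed replies on an unauthenticated segment is to notice them, here is an added example (not from the original question set) of the detection ArpWatch performs: it remembers which MAC each IP has answered with and flags a change, and a "flip flop" when an address bounces between two MACs. The capture lines are constructed in wireshark's "is at" form using the addresses from this question and the previous one; the 10.5.1.10 entries are the constructed poisoning attempt.

```python
import re

# ARP reply as wireshark's Info column shows it, e.g. "10.5.1.1 is at 22:33:44:55:66:77"
ARP_REPLY = re.compile(
    r"^(?P<ip>(?:\d{1,3}\.){3}\d{1,3}) is at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)

# Constructed capture: a gateway and a file server answering normally, then a second
# station claiming the server's address, then the real server answering again.
CAPTURE = [
    "10.5.1.1 is at 22:33:44:55:66:77",
    "10.5.1.10 is at 00:11:22:33:44:55",
    "10.5.1.1 is at 22:33:44:55:66:77",
    "10.5.1.10 is at DE:EA:BE:EF:CA:FE",
    "10.5.1.10 is at 00:11:22:33:44:55",
]


def watch(lines):
    """ArpWatch-style monitor: remember the MAC each IP has answered with and
    report (line_no, kind, ip, mac) for 'new station', 'changed ethernet address'
    and 'flip flop' events. Unchanged replies produce nothing."""
    table = {}      # ip -> (current_mac, previous_mac)
    alerts = []
    for n, line in enumerate(lines, 1):
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue                      # not an ARP reply line
        ip, mac = m["ip"], m["mac"].lower()
        current, previous = table.get(ip, (None, None))
        if current is None:
            kind = "new station"
        elif mac == current:
            continue
        elif mac == previous:
            kind = "flip flop"            # bouncing between two MACs: the classic poisoning sign
        else:
            kind = "changed ethernet address"
        table[ip] = (mac, current)
        alerts.append((n, kind, ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in watch(CAPTURE):
        print("line %d: %s %s %s" % alert)
```

A monitor like this cannot stop the spoofed reply, which is why the mitigation above is 802.1X rather than detection alone, but it turns a silent redirection of server traffic into a logged event.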
Because MAC Addresses are sent in the clear: Technically this is usually true unless the packet were
enclosed in a VPN packet and encrypted. Otherwise MAC addresses are clearly observable to sniffers.
This is incorrect though because this is only a basic part of the real problem that Layer 2
communications are usually
You can't encrypt MAC Addresses: This is true but not the real reason it's easy to spoof MAC Addresses.
If you encrypted header portions of packets where MAC Addresses reside other devices on the network
wouldn't know where to send the packet so you can't encrypt headers. You could use VPN to encrypt
and enclose a packet in a VPN packet.
Because they're not copyrighted: MAC addresses aren't copyrighted, but they are unique to vendors
because the first half of a MAC address identifies the vendor. The second half is supposed to be unique.
They are sometimes pirated by foreign manufacturers, so you could possibly see MAC conflicts.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13772
Question 172
Which of the following authentication protocols encrypts only the password in the access-request
packet from the client to the server, rather than the whole body of the packet?
• XTACACS
• TACACS+
• RADIUS
• TACACS
Details:
Remote Authentication Dial-In User Service (RADIUS) is a mechanism that allows authentication of
remote and other network connections. Once intended for use on dial-up connections, it has moved far
beyond that and has many modern features. It is used on both wired and wireless networks.
The RADIUS protocol is an IETF standard, and it has been implemented by most of the major operating
system manufacturers. A RADIUS server can be managed centrally, and the servers that allow access to a
network can verify with a RADIUS server whether an incoming caller is authorized. In a large network
with many connections, this allows a single server to perform all authentications.
The communication is encrypted using a fixed key (the shared secret) between the RADIUS client and the
RADIUS server. However, the information is NOT encrypted between the supplicant and the RADIUS client.
PACKET ENCRYPTION
RADIUS
RADIUS encrypts only the password in the access-request packet, from the client to the server. The
remainder of the packet is unencrypted. Other information, such as username, authorized services, and
accounting, can be captured by a third party.
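To make the "password only" point concrete, here is an added example (not from the original question set) that builds the attribute portion of an Access-Request with the User-Password hiding defined in RFC 2865 section 5.2: the password is padded to 16-byte blocks and each block is XORed with MD5(shared secret + previous block), seeded with the 16-byte Request Authenticator. The shared secret and authenticator are constructed for the example; everything else in the packet, including User-Name, is emitted in the clear exactly as the paragraph above says.

```python
import hashlib
import os

USER_NAME, USER_PASSWORD = 1, 2   # RADIUS attribute types from RFC 2865


def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2: pad to 16-byte blocks,
    then XOR each block with MD5(secret + previous ciphertext block), seeded
    with the 16-byte Request Authenticator from the packet header."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse operation performed by the RADIUS server (NUL padding stripped,
    so a password that itself ends in NUL bytes is not representable)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_attributes(username, password, secret, authenticator):
    """Attribute section of an Access-Request: each attribute is Type, Length
    (including the 2 header bytes), Value. Only User-Password is hidden."""
    attrs = bytearray()
    for attr_type, value in ((USER_NAME, username.encode()),
                             (USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += bytes([attr_type, len(value) + 2]) + value
    return bytes(attrs)


def parse_attributes(data):
    """What a passive observer recovers from the packet: a type -> value map."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed; the real one is per NAS
    authenticator = os.urandom(16)                 # random per request, sent in the clear
    packet = build_attributes("alice", b"s3cret-pass", secret, authenticator)
    seen = parse_attributes(packet)
    print("username visible on the wire:", seen[USER_NAME])
    print("password hidden on the wire :", seen[USER_PASSWORD].hex())
```

Two things worth noticing when running it: the authenticator that seeds the hiding travels unencrypted in the same packet, so the only secret protecting the password is the shared secret's strength, and the hiding is MD5-based obfuscation rather than authenticated encryption, which is why RADIUS is normally carried inside IPSec or the newer RadSec (RADIUS over TLS) transport.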
TACACS+
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the
header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful
to have the body of the packets unencrypted. However, during normal operation, the body of the packet
is fully encrypted for more secure communications.
TACACS
XTACACS
Extended TACACS (XTACACS) replaced the original and combined authentication and authorization with
logging to enable auditing.
TACACS+
The most current method or level of TACACS is TACACS+, and this replaces the previous two
incarnations. TACACS+ allows credentials to be accepted from multiple methods, including Kerberos.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14959
Dulaney, Emmett (2011-06-03). CompTIA Security+ Study Guide: Exam SY0-301 (p. 186-187). John Wiley
and Sons. Kindle Edition.
Question 173
Which of the following protocols directly supported within the browser makes using an open wireless
network safer for web browser traffic?
SSL
• DHCP
HTTPS
SSH
SSL
Details:
NOTE: Another correct answer and safer choice could have been TLS considering the many issues SSL
has suffered over the past couple years. However, TLS was NOT on the list and SSL is the best choice out
of the 4 choices presented.
Even on an untrusted wireless network, or any network, the very last line of defense for secure web
browser connections is SSL/TLS. If you have nothing else, like a VPN connection or password-protected
and encrypted wireless, the web browser's SSL/TLS-secured connection can be your best protection
against sniffing.
Technically TLS superseded SSL, but the terms are used interchangeably despite being different.
NOTE FROM CLEMENT ABOUT THE NEVER ENDING SSL/TLS DEBATE
The old debate about the exact location of SSL and TLS within the OSI and DoD model has been ongoing
for years. Even the standard does not state exactly where SSL and TLS sits within the models. It is vague
and mostly applies to the DoD model.
"The primary goal of the SSL protocol is to provide privacy and reliability between two communicating
applications. The protocol is composed of two layers. At the lowest level, layered on top of some reliable
transport protocol (e.g., TCP [RFC 793]), is the SSL record protocol.
The SSL record protocol is used for encapsulation of various higher level protocols. One such
encapsulated protocol, the SSL handshake protocol, allows the server and client to authenticate each
other and to negotiate an encryption algorithm and cryptographic keys before the application protocol
transmits or receives its first byte of data. One advantage of SSL is that it is application protocol
independent. A higher level protocol can layer on top of the SSL protocol transparently "
As you can see from the latest RFC above for Version 3 of SSL, it sits on top of a reliable transport
protocol. TCP is at the transport layer, so if you make use of the OSI model, SSL would be at the session
layer, which is on top of transport. However, if you make use of the DoD model then it would be
application. See the graphic below showing where it would sit within the layers.
The HTTPS uniform resource identifier (URI) scheme has identical syntax to the standard HTTP scheme,
aside from its scheme token. However, HTTPS signals the browser to use an added encryption layer of
SSL/TLS to protect the traffic. SSL/TLS is especially suited for HTTP, since it can provide some protection
even if only one side of the communication is authenticated. This is the case with HTTP transactions over
the Internet, where typically only the server is authenticated (by the client examining the server's
certificate).
In information technology, a Uniform Resource Identifier (URI) is a string of characters used to identify a
resource. Such identification enables interaction with representations of the resource over a network,
typically the World Wide Web, using specific protocols. Schemes specifying a concrete syntax and
associated protocols define each URI. The most common form of URI is the Uniform Resource Locator
(URL), frequently referred to informally as a web address. More rarely seen in usage is the Uniform
Resource Name (URN), which was designed to complement URLs by providing a mechanism for the
identification of resources in particular namespaces.
However, in non-technical contexts and in software for the World Wide Web, the term URL remains
widely used. Additionally, the term web address (which has no formal definition) often occurs in non-
technical publications as a synonym for a URI that uses the http or https scheme. Such assumptions can
lead to confusion, for example in the case of XML namespaces, which have a visual similarity to
resolvable URIs.
While most URI schemes were originally designed to be used with a particular protocol, and often have
the same name (such as the http scheme, which is generally used for interacting with web resources
using HTTP), they should not be referred to as protocols. Some URI schemes are not associated with any
specific protocol (e.g. file) and many others do not use the name of a protocol as their prefix (e.g. news).
To make a long story short, the best answer is SSL; by using https:// you tell or signal the browser to
make use of SSL/TLS. As explained in the question, most likely the best choice would be TLS today, which
has superseded SSL. However, TLS was not one of the 4 choices. As mentioned in the paragraph above,
URI schemes such as HTTP or HTTPS should NOT be referred to as protocols.
DHCP: Sorry, incorrect. It is a Layer 7 protocol, so you got that part right, but DHCP makes networks less
secure because it can give attackers information about the network or even give them an IP address
configuration. DHCP can also be subject to resource starvation by attackers flooding it with DHCP
requests.
HTTPS: Technically HTTPS isn't a protocol itself, rather it's a way of layering HTTP on top of SSL/TLS
adding security to standard HTTP communications. HTTPS (HTTP over SSL or HTTP Secure) is the use of
Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application
layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the
Web server. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks. HTTPS
was developed by Netscape.
SSH: This isn't the right answer. Using SSH - Secure Shell to connect to a server is more secure than
telnet but it isn't normally a web protocol. Yes, you could tunnel your web traffic through SSH but it is
not directly supported inside the browser.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15288
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 13, Page
737.
Question 174
Which wireless encryption method uses the same key for encryption as it does for authentication of all
wireless clients?
• WEP
• WIFPA
• WEP Enterprise 2
• WEP2
Details:
Cited as a major weakness of WEP, using the same key for encryption as for client authentication
doomed WEP from the start.
- The IV is a 24-bit field, too small to be effective. It is also sent in the clear-text portion of a message.
- Identical key streams are produced with the reuse of the same IV for data protection, because the IV is
short and key streams are repeated after a short period of time.
- Uses RC4, which is a stream cipher designed to be a one-time cipher not intended for multiple-message
use. One-time ciphers are never supposed to be reused.
Overall the problems of WEP stem from it being developed out of view of the general public and
cryptologists, who would have pointed out these weaknesses prior to release.
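The "short IV, repeated key streams" point can be quantified. The following added example (not from the original question set) applies the birthday bound to the 24-bit IV space, works out how long a busy station takes to cycle through every IV, and includes a small monitor that reports the first repeated (IV, key index) pair in a capture. The sequential capture and the random-IV simulation are constructed for the example.

```python
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs


def collision_probability(frames):
    """Birthday-bound estimate of P(at least one IV repeat) after `frames`
    frames with independently random IVs: 1 - exp(-n(n-1) / (2 * 2^24)).
    Reaches 50% at roughly 4,800 frames, i.e. seconds on a busy network."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def seconds_to_exhaust(frames_per_second):
    """Time until a station that increments its IV has used every value once
    and must start repeating key streams."""
    return IV_SPACE / frames_per_second


def first_iv_reuse(frames):
    """Monitor over captured (iv, key_index) pairs: return the 1-based index of the
    first frame whose IV already appeared under the same key index, or None."""
    seen = set()
    for n, frame in enumerate(frames, 1):
        if frame in seen:
            return n
        seen.add(frame)
    return None


def simulate_random_iv(frame_count, seed=1):
    """Constructed traffic from a station choosing IVs uniformly at random."""
    rng = random.Random(seed)
    return first_iv_reuse((rng.randrange(IV_SPACE), 0) for _ in range(frame_count))


# Constructed capture of a sequential-IV station that rebooted and reused IV 0x000002.
SEQUENTIAL_CAPTURE = [(0, 0), (1, 0), (2, 0), (3, 0), (2, 0)]


if __name__ == "__main__":
    print("P(repeat) after 4823 random IVs:", round(collision_probability(4823), 3))
    print("hours to exhaust IVs at 1000 frames/s:", seconds_to_exhaust(1000) / 3600)
    print("first reuse in sequential capture:", first_iv_reuse(SEQUENTIAL_CAPTURE))
    print("first reuse with random IVs:", simulate_random_iv(20000))
```

Either IV strategy fails: random IVs collide within a few thousand frames, and a counter wraps in under five hours at 1000 frames per second, or immediately after a reset, as the sequential capture shows. Because the IV is the only per-frame input to the RC4 key, every repeat is a reused key stream, which is the core weakness the list above describes and the reason WEP should be replaced rather than tuned.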
WPA2: WPA2 does not use the same key for encryption that it uses for authentication.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13551
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 13, Page
692.
Question 175
Which type of Firewall typically operates at the session layer of the OSI model?
A host-based firewall
Details:
Circuit-level gateway firewalls operate at the session layer of the OSI model, or at the transport
(host-to-host) layer of the DoD TCP/IP model.
They monitor the TCP handshake between hosts to determine whether a requested session is legitimate,
without inspecting the application payload.
Packets passed to the remote computer through this type of gateway appear to have originated from the
gateway firewall and not from the internal host.
Packet Filtering Firewall: This is not correct because this sort of firewall simply filters out obviously
unwanted traffic either because it's from a known dangerous source, contains inappropriate packets or
other unwanted traffic.
Bastion Host Firewall: This isn't right because a bastion host is not a firewall but a server hosted in the
DMZ and hardened from attack. It hosts limited services to mitigate the threat of attack from
compromised software.
A host-based firewall: This isn't correct because it doesn't operate at the session layer of the OSI Model.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12253
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 16, Page
761.
Question 176
Which of the following answers BEST describes a type of firewall that can filter packets at the top layer
of the OSI Model?
• An ARP layer Firewall
Application-Level Firewall
Details:
An application firewall can control network traffic at any OSI layer up to and including the application
layer (layer 7).
Also known as a third-generation firewall, an application layer firewall can detect and understand
anomalies or patterns of attack in specific applications and protocols such as FTP, DNS or web browsing
traffic, because it parses the protocol rather than just the packet headers.
It can also detect whether an unwanted protocol is being tunneled through another application or
whether a protocol is being abused in a dangerous manner. Using a protocol in a way it was not meant
to be used, for example to carry hidden data, is a form of covert channel.
Packet Filtering Firewall: This is not correct because this sort of firewall simply filters out obviously
unwanted traffic either because it's from a known dangerous source, contains inappropriate packets or
other unwanted traffic.
Bastion Host Firewall: This isn't right because a bastion host is not a firewall but a server hosted in the
DMZ and hardened from attack. It hosts limited services to mitigate the threat of attack from
compromised software.
An ARP layer Firewall: This isn't correct because ARP operates at Layer 2 of the OSI and not the
Application Layer.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12253
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 16, Page
762.
Question 177
What attack becomes possible when your firewall or hosts do not reassemble incoming traffic prior to
being processed and examined for threats?
• Mod_rewrite attacks
• Fragmentation Attacks
Details:
When fragmented packets arrive they should be reassembled and examined for threats by the firewall
before being forwarded to a host. If they are not, an attack can slip through, because an attacker can
spread the malicious content across multiple fragments so that no single fragment matches a signature;
the threat is only visible once the fragments are put back into their unfragmented form.
Mitigation: configure your IPS (Intrusion Prevention System), routers, IDS (Intrusion Detection System)
or firewall so that they reassemble fragments into the original datagram FIRST and examine it for threats
THEN. The inspecting device should also reassemble the way the target host does (in particular, how it
treats overlapping fragments), otherwise the two can end up seeing different data.
A common form is the packet fragmentation attack, where the attack code is deliberately fragmented at
the source; the fragments travel separately to the target and, if the attack succeeds, they sneak past the
IDS/router/IPS/firewall that is supposed to check the traffic.
IDS Buffer Overflow attacks: This isn't the correct answer. Buffer overflows aren't unique to IDS devices
and have nothing to do with reassembly.
Router Offset attack: This isn't a valid answer. No attack goes by that name.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16101
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 16, Page
793.
Question 178
Which type of attack involves the altering of a systems Address Resolution Protocol (ARP) table so that it
contains incorrect IP to MAC address mappings?
• Cache Poisoning
• ARP Poisoning
• Reverse ARP
Details:
ARP table poisoning, also referred to as ARP cache poisoning or simply ARP poisoning, is the process of
altering a system's ARP table so that it contains incorrect IP-to-MAC address mappings. This causes
requests/packets to be sent to a different device instead of the one they are actually intended for.
It is an effective way to fool systems into thinking that a certain device has a certain address, so that
information is sent to, and captured on, an attacker's computer. It is the usual way of setting up a MITM
(Man in the Middle) attack on a switched LAN, and it works because ARP has no authentication: hosts
accept replies they never asked for.
"Reverse ARP" (RARP) is the process of determining an IP address from a known MAC address; it is not
an attack.
"Cache Poisoning": This is not the best answer. It is too generic; it could be DNS cache poisoning or
other types.
"Reverse ARP table poisoning": There is no attack that goes by that name.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15150
Question 179
What is the three way handshake sequence used to initiate TCP connections?
Details:
The correct answer is: SYN, SYN/ACK, ACK
1. First, the client sends a segment with the SYN flag set. This asks the server to synchronize sequence
numbers and carries the client's initial sequence number (ISN), chosen by the client. To establish a
connection, the client and server must each learn the other's ISN.
2. Second, the server replies with a segment that has both SYN and ACK set. The ACK acknowledges the
client's request: the server places the client's ISN plus one in the acknowledgement number field,
which proves to the client that this reply is specific to the SYN it sent. The SYN carries the server's
own ISN, so the same segment is also the server's request to synchronize sequence numbers in the
other direction.
3. Third, the client sends an ACK whose acknowledgement number is the server's ISN plus one, using the
same rule the server applied. This acknowledgement of the server's synchronization request completes
the handshake and establishes a reliable connection; data can now flow in both directions.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12404
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)
(Kindle Locations 5560-5573). Auerbach Publications. Kindle Edition.
Question 180
Which of the following answers would most closely be related to passive network mapping?
• Packet Sniffers
• Pinging a host
• Network scanners
• Calling the victim on the phone and asking for her IP Address
Details:
There are two basic ways of conducting network mapping: Passive and Active.
- Passive mapping is where we just listen and build a picture of the target network from the packets we
receive; nothing is sent, so there is nothing for the target to log.
- Active network mapping is where we send packets to the target hoping for a response that we can
analyse.
Many firewall operators and router admins disable ICMP on their border devices to mitigate floods and
this kind of network mapping.
If they are blocking ICMP you can use other types of scans which do not rely on ICMP, such as half-open
TCP scans, where you send only the SYN that starts a normal TCP conversation and never complete the
handshake. Because the handshake never completes, the application behind the port never sees a
connection, so application logs do not record it; a firewall or IDS watching packets still can, so this is
less stealthy than it once was.
You can also do UDP scans to see if UDP ports are open. nmap and other network scanners have a huge
variety of scans from which to choose.
The following answers are incorrect:
- Pinging a host and Network scanners: both send traffic to the target, so they are active mapping.
- Calling the victim on the phone and asking for her IP Address: This would probably work but it isn't very
passive.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12504
2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 17, Page
878.
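The passive approach described above, as an added example that is not part of the original question bank: a small inventory builder that works only from sniffed packet summaries and never sends a probe. The packet records (fields: src, dst, proto, sport, dport, TCP flags, TTL) and all addresses are constructed; open ports are inferred from SYN/ACK and UDP replies, closed ports from RST/ACK, and the operating system is guessed from the TTL.

```python
"""Added example, not from the CCCure question bank: passive mapping of a LAN
from sniffed packet summaries, without sending a single probe. The packet
records are constructed (fields: src, dst, proto, sport, dport, TCP flags, TTL)."""
from collections import defaultdict

SAMPLE_PACKETS = [
    "10.5.1.50,10.5.1.10,tcp,51234,22,S,128",    # client SYN to ssh
    "10.5.1.10,10.5.1.50,tcp,22,51234,SA,64",    # server answers: port 22 open
    "10.5.1.50,10.5.1.10,tcp,51234,22,A,128",
    "10.5.1.60,10.5.1.10,tcp,40001,443,S,64",
    "10.5.1.10,10.5.1.60,tcp,443,40001,RA,64",   # RST/ACK: port 443 closed
    "10.5.1.50,10.5.1.1,udp,50000,53,-,128",
    "10.5.1.1,10.5.1.50,udp,53,50000,-,255",     # a reply from 53/udp: DNS listening
    "10.5.1.50,10.5.1.1,icmp,0,0,-,128",
]


def os_hint(ttl: int) -> str:
    """Hosts start TTL at 64 (Linux/Unix), 128 (Windows) or 255 (network gear);
    the first initial value at or above the observed TTL is the likely one."""
    for initial, name in ((64, "Linux/Unix"), (128, "Windows"), (255, "network device")):
        if ttl <= initial:
            return f"{name} (initial TTL {initial}, {initial - ttl} hops away)"
    return "unknown"


def passive_map(lines) -> dict:
    """Build ip -> {os, listening, closed, peers} purely from observed traffic."""
    hosts = defaultdict(lambda: {"os": None, "listening": set(), "closed": set(), "peers": set()})
    pending = {}   # (client, server, dport) -> True while a request awaits its answer
    for line in lines:
        src, dst, proto, sport, dport, flags, ttl = line.split(",")
        sport, dport, ttl = int(sport), int(dport), int(ttl)
        hosts[src]["os"] = os_hint(ttl)
        hosts[src]["peers"].add(dst)
        _ = hosts[dst]                          # record the destination even if it never talks
        if proto == "tcp":
            if flags == "S":
                pending[(src, dst, dport)] = True
            elif flags == "SA" and pending.pop((dst, src, sport), False):
                hosts[src]["listening"].add(f"{sport}/tcp")   # completed half of a handshake
            elif flags == "RA" and pending.pop((dst, src, sport), False):
                hosts[src]["closed"].add(f"{sport}/tcp")      # refused: port closed
        elif proto == "udp":
            if pending.pop((dst, src, sport), False):
                hosts[src]["listening"].add(f"{sport}/udp")   # a UDP reply proves a service
            else:
                pending[(src, dst, dport)] = True
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in sorted(passive_map(SAMPLE_PACKETS).items()):
        print(ip, info["os"], "open:", sorted(info["listening"]), "closed:", sorted(info["closed"]))
```

Everything in the inventory comes from what the hosts said to each other; an active scan of the same network would instead appear in the capture as a burst of SYNs from the scanner's own address.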
Question 181
Match up the following Protocols with the proper port numbers in order from left to right:
The correct answer is: 22, 88, 137, 389, 443, 636
SSH - 22
Kerberos - 88
NetBIOS - 137
LDAP - 389
HTTPS - 443
LDAPS (LDAP over SSL/TLS) - 636
Servers which offer services do so on well-known ports for UDP and TCP traffic. They 'listen' for traffic
on the wire and respond if it is addressed to them (compare a sniffer, which gladly accepts all packets for
examination).
Once the server accepts the traffic it processes it to do whatever the service is intended to do and
possibly returns information to the requester.
- 22, 88, 136, 389, 443, 636: Sorry, NetBIOS doesn't run on 136; it uses UDP/137 (name service),
UDP/138 (datagram service) and TCP/139 (session service).
- 22, 88, 137, 388, 443, 636: 388 is incorrect. LDAP doesn't run on that port.
- 22, 88, 137, 389, 442, 636: 442 isn't the standard port for HTTPS traffic.
Question 182
You are using an open source packet analyzer called Wireshark and are sifting through the various
conversations to see if anything appears to be out of order.
You are observing a UDP conversation between a host and a router. It was a file transfer between the
two on port 69. What protocol was used here to conduct the file transfer?
• TFTP
• SCP
• FTP
• SFTP
Details:
Discussion: TFTP is a minimal UDP protocol (port 69) with no authentication at all; it is often used to
transfer configuration files and firmware images between an administrator's computer and a switch or
router.
The admin's computer would run the TFTP server software; the admin would SSH into the router and
run a command that instructs the router to copy its configuration from (or to) that TFTP server.
Because router configurations are sensitive (they contain credentials and the network layout) and TFTP
sends them in clear text, it is advisable to use a more secure means of transfer. SCP (Secure Copy, over
SSH) is supported on most mainstream routing and switching devices.
- SFTP: This isn't correct because SFTP runs over SSH, which uses TCP port 22.
- FTP: This is not the right answer because FTP uses TCP and ordinarily uses ports 20/21.
- SCP: Good guess, but SCP doesn't use UDP or port 69, and even if you did 'see' a file transfer between
SCP hosts you wouldn't see the contents of the packets because they're encrypted.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12852
Question 183
Which of the following answers BEST describes why the WEP encryption process was so flawed?
• The IV uses 3DES encryption key
• Rotating IVs
Details:
WEP, or Wired Equivalent Privacy, was introduced in 1999 to give wireless networks security equivalent
to that of a wired network; it was quickly demonstrated to be easy to break.
The main problem with WEP is its IV, or Initialization Vector: it is only 24 bits long and is transmitted in
plain text.
The 24-bit IV plus a 40-bit key forms the RC4 key, for a total of 64 bits of WEP key length (104-bit keys
give the 128-bit variant, with the same 24-bit IV). Unfortunately, the IV is reused after a relatively small
number of packets (with randomly chosen IVs there is a 50% probability of a repeat within about 5,000
packets), and every repeat reuses an RC4 keystream, which led to the failure.
- Weak MD4 Algorithm: This isn't the right answer. MD4 is a hashing algorithm, and WEP does not use it.
- Rotating IVs: This isn't correct. WEP does change the IV per frame, but the IV space is so small that
values repeat quickly, and the IV is sent in cleartext, so it is easy to sniff and use in an attack.
- The IV uses 3DES encryption key: Sorry, 3DES isn't involved in WEP; the cipher is RC4.
The following reference(s) was/were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13552
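The two WEP failures discussed in Questions 174 and 183 (one key for both authentication and data, and a 24-bit IV), as an added example that is not part of the original question bank. It uses a plain RC4 implementation so it runs offline; the 40-bit key, the IV and the frame contents are constructed, and the WEP integrity check value is omitted because it plays no part in the attack.

```python
"""Added example (not from the CCCure question bank): why reusing one RC4 key
and a 24-bit IV, for both Shared Key authentication and data, breaks WEP.
The RC4 below is a plain implementation for offline use; the key, IV and
frame contents are constructed for the demonstration (ICV/CRC omitted)."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by the keystream generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, body: bytes) -> bytes:
    """WEP seeds RC4 with IV || shared key; the IV travels in the clear."""
    return xor(body, rc4_keystream(iv + shared_key, len(body)))


def keystream_from_auth(challenge: bytes, response: bytes) -> bytes:
    """Shared Key auth: the AP sends a 128-byte challenge in clear text and the
    station returns it encrypted under the data key. challenge XOR response
    is the keystream for that IV, handed to any eavesdropper."""
    return xor(challenge, response)


def eavesdropper_demo() -> dict:
    key = bytes.fromhex("0123456789")   # constructed 40-bit WEP key
    iv = b"\x11\x22\x33"                # constructed 24-bit IV

    # 1. Sniff the Shared Key authentication exchange.
    challenge = bytes(range(128))
    response = wep_encrypt(key, iv, challenge)
    ks = keystream_from_auth(challenge, response)

    # 2. The attacker can now forge a valid auth response for any challenge
    #    using that IV, without knowing the key.
    new_challenge = bytes(range(127, -1, -1))
    forged = xor(new_challenge, ks)

    # 3. Any data frame sent under the same IV decrypts with the same keystream.
    frame = b"GET /admin HTTP/1.1\r\nCookie: session=abc123\r\n"
    ciphertext = wep_encrypt(key, iv, frame)
    recovered = xor(ciphertext, ks[: len(ciphertext)])

    # 4. Even without the auth exchange, two frames with one IV leak p1 XOR p2.
    other = b"GET /index.html HTTP/1.1\r\nCookie: session=zzz999\r\n"
    leak = xor(ciphertext, wep_encrypt(key, iv, other))
    return {
        "forged_auth_ok": forged == wep_encrypt(key, iv, new_challenge),
        "recovered": recovered,
        "leak_is_plaintext_xor": leak == xor(frame, other),
    }


def iv_collision_packets(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: number of frames after which some IV has repeated with
    the given probability, assuming random IV selection."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    print(eavesdropper_demo())
    print("IV repeat (p=0.5) after", iv_collision_packets(), "frames")
```

The birthday bound for 2^24 IVs gives roughly 4,800 frames for a 50% chance of a repeat, which is where the "5,000 packets" figure in the explanation comes from; senders that increment the IV from zero on every reboot collide even sooner.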
Question 184
Which of the following answers BEST describes functionality of the CHAP protocol?
• Uses PKI
Details:
The correct answer is: Periodically re-authenticates the user to protect against man-in-the-middle
attacks.
CHAP (Challenge Handshake Authentication Protocol, RFC 1994) is an authentication scheme used by
Point-to-Point Protocol (PPP) servers to validate the identity of remote clients. CHAP verifies the identity
of the client with a three-way handshake. This happens when the link is first established and may be
repeated at any time afterwards. The verification is based on a shared secret (such as the client user's
password), which never crosses the link.
1. After the link establishment phase, the authenticator sends a "challenge" message (a random value
plus an identifier) to the peer.
2. The peer responds with a value calculated by a one-way hash function over the identifier, the secret
and the challenge combined; with the standard MD5 algorithm the response is
MD5(identifier || secret || challenge).
3. The authenticator checks the response against its own calculation of the expected hash value. If
the values match, the authenticator acknowledges the authentication; otherwise it should terminate the
connection.
4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1
through 3, so that an attacker who takes over the link after the initial authentication is caught at the
next challenge.
Caveat: because the authenticator must recompute the hash, it has to hold the secret in a recoverable
form rather than as a salted hash, and a captured challenge/response pair can be attacked offline by
guessing weak passwords. CHAP protects the password on the wire, not in the credential store.
- Transmits user's passwords in clear text: Sorry, incorrect answer. This describes PAP, the Password
Authentication Protocol. CHAP uses a challenge mechanism and only hash values are sent over the
network. The password is not sent in clear text.
- Uses PKI: This isn't correct. CHAP uses a shared secret and a hash, not public key cryptography or
certificates.
- Used to prevent remote logon: This isn't right either. CHAP isn't used to prevent remote logon, rather
to control it.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14942
The CCCure Holistic Security+ Computer Based Tutorial, you can subscribe at: http://www.cccure.tv
and
http://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol
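The CHAP exchange above with both sides written out, as an added example that is not part of the original question bank: the authenticator issues random challenges, the peer answers with MD5(identifier || secret || challenge) as RFC 1994 specifies, the server re-challenges later, and a response captured from the wire is useless against a fresh challenge. The peer name and shared secret are constructed.

```python
"""Added example, not from the CCCure question bank: a CHAP session as RFC 1994
defines it, showing both sides, the periodic re-challenge, and why a captured
response cannot be replayed. The secret and peer name are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    Only this hash and the identifier cross the link; the secret never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """PPP server side. Note it must hold the secret itself (not a one-way
    hash of it) to recompute the response: CHAP protects the wire, not the
    credential store."""

    def __init__(self, secrets: dict):
        self.secrets = secrets        # peer name -> shared secret
        self.identifier = 0
        self.outstanding = {}         # identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)         # fresh, unpredictable challenge every time
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # each challenge answers once
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """Remote client side."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_session() -> dict:
    secret = b"s3cret-pass"                       # constructed shared secret
    server = Authenticator({b"branch-router": secret})
    client = Peer(b"branch-router", secret)
    results = {}

    # Link established: first challenge/response.
    ident, chal = server.challenge()
    name, resp = client.respond(ident, chal)
    results["initial"] = server.verify(ident, name, resp)

    # An eavesdropper replays the captured response against a new challenge.
    ident2, _ = server.challenge()
    results["replay"] = server.verify(ident2, name, resp)

    # The captured response against its original identifier is refused too,
    # because that challenge was consumed.
    results["reuse_old_id"] = server.verify(ident, name, resp)

    # Periodic re-authentication: the legitimate peer answers the new challenge.
    ident3, chal3 = server.challenge()
    results["rechallenge"] = server.verify(ident3, *client.respond(ident3, chal3))

    # A peer that does not know the secret fails.
    impostor = Peer(b"branch-router", b"guess")
    ident4, chal4 = server.challenge()
    results["wrong_secret"] = server.verify(ident4, *impostor.respond(ident4, chal4))
    return results


if __name__ == "__main__":
    print(run_session())
```

The constant-time comparison in verify is not required by the RFC but is the correct way to compare any authenticator; the random 16-byte challenge is what makes the replay fail.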
Question 185
Which one of the following answers was the reason why WEP - Wired Equivalent Privacy failed to be an
effective wireless security protocol.
• Larger IVs
• Dynamic Keys
Details:
Static keys and short IVs are two problems with WEP which limited its useful lifespan and level of
security.
Also, WEP keys are either 40 or 104 bits (64 or 128 bits including the 24-bit IV), and the same static key
is shared by every client and never changes unless an administrator reconfigures every device. WPA
replaced this with TKIP (Temporal Key Integrity Protocol), a "wrapper" around the existing WEP/RC4
hardware that uses a 128-bit key, a 48-bit IV and per-packet key mixing, so every frame is encrypted
under a different key.
- Larger IVs: Incorrect. WEP's IV is small (24 bits); a larger IV would have helped, not hurt.
- Dynamic Keys: This is incorrect because WPA uses dynamic keys, not WEP.
Question 186
• Static Keys
Details:
Discussion: WPA2 implements the IEEE 802.11i standard, uses AES (CCMP) encryption and comes in two
versions:
WPA2 Personal: uses a pre-shared key (PSK) configured on every device.
WPA2 Enterprise: requires a RADIUS authentication server (802.1X/EAP) and supports individual
credentials for each user.
Static keys were an unfortunate feature of WEP which were partly to blame for its relatively short
lifespan and quick replacement by WPA.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13552
Question 187
• MAC Spoofing
• DNS Spoofing
• IP Address Spoofing
• Web Spoofing
Details:
Layer 2 attacks are usually easy because communications at this layer are not authenticated. Any host
can come online and claim whatever MAC address it wishes.
Tools such as ettercap create these conditions. Known as a MITM (Man in the Middle) attack, this
leverages known weaknesses in the ARP protocol: ARP replies are trusted without any check that a
request was sent or that the sender is who it claims to be.
In a normal exchange a host broadcasts an ARP request asking who has 10.5.1.1, and the host that holds
that IP address replies with:
10.5.1.1 IS AT 22:33:44:55:66:77
At that point the two hosts talk using MAC addresses. IP addresses are used only to resolve the MAC
addresses they use.
A rogue system can respond to ANY request for an IP address with its own MAC address (or send
unsolicited replies) and fool the other host into believing it is the legitimate owner, intercepting the
traffic bound for the legitimate host.
Mitigation:
- Switch port security can help (but not stop) unauthorized network devices from connecting to your
physical LAN and attacking devices.
- Dynamic ARP Inspection (DAI) on the switch validates ARP replies against the DHCP snooping binding
table and drops replies whose IP-to-MAC mapping does not match.
- 802.1X port-based authentication (with a certificate-based EAP method such as EAP-TLS) authenticates
hosts before the switch port forwards their traffic; unauthenticated hosts are disregarded and thus not
trusted.
- VMPS (VLAN Membership Policy Server, deprecated in favor of 802.1X) is a centralized database of
known MAC addresses and the VLANs they may join. Since MAC addresses can be spoofed (faked), this
protocol has fallen into disuse.
- DNS Spoofing: Sorry, DNS resides at layer 7 of the OSI model.
- IP Address Spoofing: Sorry, IP address spoofing resides at layer 3, the network layer.
- Web Spoofing: Web spoofing is when an entire website is copied to a rogue server and a phishing email
is sent to the user asking him to update his account information by logging in. This isn't layer 2
spoofing, sorry.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16246
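A detector for the ARP poisoning described in Questions 178 and 187, as an added example that is not part of the original question bank. It reads ARP traffic summaries in the same "WHO HAS / IS AT" form the explanation uses, remembers which requests were sent so that replies nobody asked for stand out, keeps the IP-to-MAC table a victim's cache would hold, and flags a binding that changes or a MAC that claims more than one IP. All addresses and lines are constructed.

```python
"""Added example, not from the CCCure question bank: an ARP poisoning detector
over "WHO HAS / IS AT" traffic summaries. Addresses and lines are constructed."""
import re
from collections import defaultdict

REQUEST = re.compile(r"WHO HAS (\S+) TELL (\S+)")
REPLY = re.compile(r"(\S+) IS AT ([0-9a-f:]{17})", re.I)

SAMPLE_ARP = [
    "WHO HAS 10.5.1.1 TELL 10.5.1.50",
    "10.5.1.1 IS AT 22:33:44:55:66:77",        # legitimate gateway answers
    "WHO HAS 10.5.1.50 TELL 10.5.1.1",
    "10.5.1.50 IS AT aa:bb:cc:dd:ee:01",       # legitimate client answers
    "10.5.1.1 IS AT de:ad:be:ef:00:01",        # nobody asked; gateway binding changes
    "10.5.1.50 IS AT de:ad:be:ef:00:01",       # same MAC now claims the client too: MITM
]


def analyse(lines):
    """Return (arp_table, alerts) after replaying the ARP summaries in order."""
    pending = set()                # IPs with an outstanding request
    table = {}                     # ip -> mac, what a victim's ARP cache would hold
    claims = defaultdict(set)      # mac -> set of IPs it has claimed
    alerts = []
    for line in lines:
        m = REQUEST.match(line)
        if m:
            pending.add(m.group(1))
            continue
        m = REPLY.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if ip in pending:
            pending.discard(ip)            # reply matches a request: expected
        else:
            alerts.append(f"unsolicited reply: {ip} is at {mac}")
        if ip in table and table[ip] != mac:
            alerts.append(f"binding change: {ip} moved from {table[ip]} to {mac}")
        table[ip] = mac                    # a real cache overwrites just like this
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append(f"{mac} claims several IPs: {sorted(claims[mac])}")
    return table, alerts


if __name__ == "__main__":
    table, alerts = analyse(SAMPLE_ARP)
    print(table)
    for a in alerts:
        print("ALERT", a)
```

Gratuitous ARP at boot and HSRP/VRRP gateway failover also produce unsolicited replies and binding changes, so in production the detector needs an authoritative source of correct bindings (a static list or the DHCP snooping table), which is exactly what Dynamic ARP Inspection consults.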
Question 188
What attack would you be seeing if the offset bits in an IP Header overlapped with the value of
previously sent packets?
• Teardrop Attack
• LAND Attack
• Null Scan
Details:
The Teardrop attack involves sending IP fragments whose fragment offsets overlap, so that when the
victim tries to reassemble the fragments into the intended datagram it crashes: it doesn't know how to
handle the improperly numbered fragments.
Vendors patched this in the Windows 95 and Windows NT era (and in the Linux kernels of the time), but
it is good for academic purposes to understand the attack and how attackers think and devise new
exploits for causing problems; fragment-overlap handling still differs between operating systems, which
is what IDS-evasion tools rely on.
Mitigation:
- Install only software from trusted sources and don't let kids or other inexperienced people use your
computer with an administrative account; use an unprivileged user account.
- Actively check to be sure your operating system patches are being updated.
- Use system and network firewalls and an IDS if you know how to run one.
- Harden your computer by installing a host-based firewall and maybe a HIDS (Host-Based IDS).
- XMas Tree Scan: Sorry, an XMas tree scan sets several TCP flags at once (FIN, PSH and URG) to see how
a host responds; it has nothing to do with fragment offsets.
- Null Scan: A null scan is a port scan with TCP packets that have no flags set. Such packets never occur
in a legitimate conversation, but that doesn't stop criminal hackers from sending them.
- LAND Attack: Sorry, not correct. A LAND attack is simply a series of packets sent to the target where
the source and destination IP addresses are both the victim's.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16103
and
https://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/
understanding-teardrop-attacks.html
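The two fragment problems from Questions 177 and 188 in one runnable form, as an added example that is not part of the original question bank: a signature split across fragments is invisible to a device that inspects fragments one at a time but visible after reassembly, and a reassembler that refuses overlapping fragments stops a Teardrop-style datagram before it reaches the host. Offsets are in bytes here for readability (real IPv4 fragment offsets count 8-byte units); the HTTP request and the signature are constructed.

```python
"""Added example, not from the CCCure question bank: why inspection must run
after reassembly, and how a reassembler should treat overlapping (teardrop-
style) fragments. Fragment offsets are in bytes here; real IPv4 offsets are
in 8-byte units. The request and signature are constructed."""

SIGNATURE = b"/etc/passwd"


def fragment(payload: bytes, size: int) -> list:
    """Split a payload the way a sender fragments an IP datagram:
    a list of (offset, more_fragments, data)."""
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        frags.append((off, off + size < len(payload), chunk))
    return frags


def inspect_per_fragment(frags, signature=SIGNATURE) -> bool:
    """What a device that examines each fragment on its own can see."""
    return any(signature in data for _, _, data in frags)


def reassemble(frags) -> tuple:
    """Reassemble with strict checks: reject overlaps outright (teardrop) and
    report gaps rather than guessing. Returns (status, datagram)."""
    expected = 0
    buf = bytearray()
    for off, more, data in sorted(frags, key=lambda f: f[0]):
        if off < expected:
            return "overlap", None          # fragment claims bytes already received
        if off > expected:
            return "gap", None              # a fragment is missing
        buf += data
        expected = off + len(data)
        if not more:
            break
    return "ok", bytes(buf)


def inspect_after_reassembly(frags, signature=SIGNATURE) -> tuple:
    """Reassemble first, THEN look for the signature."""
    status, datagram = reassemble(frags)
    return status, (status == "ok" and signature in datagram)


def demo() -> dict:
    request = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"
    split = fragment(request, 8)          # "/etc/passwd" straddles fragments 3 and 4
    teardrop = [(0, True, b"A" * 16), (8, False, b"B" * 16)]   # second overlaps the first
    return {
        "per_fragment_hit": inspect_per_fragment(split),
        "reassembled_hit": inspect_after_reassembly(split),
        "teardrop": reassemble(teardrop)[0],
    }


if __name__ == "__main__":
    print(demo())
```

A production reassembler also has to bound memory per source and time out incomplete datagrams, otherwise the fragment cache itself becomes a denial-of-service target.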
Question 189
What sort of attack is described by the following: An attacker has a list of broadcast addresses which it
stores into an array, the attacker sends a spoofed ICMP ECHO request to each of those addresses in
series and starts again. The spoofed IP address used by the attacker as the source of the packets is the
target/victim IP address.
• Replay Attack
• Fraggle Attack
• Smurf Attack
• LAND Attack
Details:
The Smurf attack is a denial-of-service attack in which large numbers of Internet Control Message
Protocol (ICMP) echo requests, with the intended victim's address spoofed as the source, are sent to a
network's IP broadcast address.
Most devices on a network will, in their default settings, respond by sending an echo reply to the source
IP address. If the number of machines that receive and respond to these packets is very large, the victim
is flooded with traffic; the network acts as an amplifier, multiplying the attacker's bandwidth by the
number of responding hosts. This can slow the victim down to the point where it becomes impossible
to work on it.
The name Smurf comes from the file "smurf.c", the source code of the attack program, which was
released in 1997 by TFreak, whose description reads:
The `smurf' attack is quite simple. It has a list of broadcast addresses which it stores into an array, and
sends a spoofed icmp echo request to each of those addresses in series and starts again. The result is a
devastating attack upon the spoofed ip with, depending on the amount of broadcast addresses used,
many, many computers responding to the echo request.
Mitigation:
- Disable forwarding of directed broadcasts on routers (on Cisco IOS, "no ip directed-broadcast", the
default since IOS 12.0), so that an echo request from outside cannot reach your broadcast address and
your network cannot be used as an amplifier.
- Apply ingress filtering (BCP 38 / RFC 2827) so that packets with spoofed source addresses are dropped
at the network edge; if the attacker can't send spoofed packets, the attack does not work.
- Controlling access to the network, for example with 802.1X port authentication, keeps unknown devices
from originating the attack from inside.
- Also, modern operating systems don't usually respond to a PING sent to a broadcast address, and
many return an error if you try to send one.
- Fraggle Attack: Close but not quite right. A Fraggle attack uses UDP (the echo and chargen services,
ports 7 and 19) rather than the ICMP that the Smurf attack uses.
- LAND Attack: Sorry, not correct. A LAND attack is simply a series of packets sent to the target where
the source and destination IP addresses are both the victim's.
- Replay Attack: A replay attack re-sends captured legitimate traffic (for example an authentication
exchange); it does not involve spoofed broadcast pings, so it isn't the correct answer.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16116
and
http://en.wikipedia.org/wiki/Smurf_attack
and
http://searchsecurity.techtarget.com/answer/What-is-a-land-attack
and
http://www.phreak.org/archives/exploits/denial/smurf.c
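Two checks a border device or sensor can run against flow records to catch the Smurf attack described above and its UDP cousin Fraggle, as an added example that is not part of the original question bank: the inbound probe (an echo request or UDP echo/chargen datagram aimed at our broadcast address with a source outside our network) and the reply storm toward a single victim. The network 192.0.2.0/24 and the flow records are constructed.

```python
"""Added example, not from the CCCure question bank: Smurf/Fraggle detection
over flow records. The network and the flows are constructed."""
import ipaddress
from collections import defaultdict

OUR_NET = ipaddress.ip_network("192.0.2.0/24")
BROADCAST = str(OUR_NET.broadcast_address)      # 192.0.2.255
AMPLIFYING_UDP_PORTS = {7, 19}                   # echo and chargen

SAMPLE_FLOWS = [   # (src, dst, proto, dport, kind)
    ("203.0.113.9", BROADCAST, "icmp", 0, "echo-request"),   # victim's address spoofed as source
    ("203.0.113.9", BROADCAST, "udp", 7, "data"),            # same trick, Fraggle style
    ("192.0.2.10", "203.0.113.9", "icmp", 0, "echo-reply"),  # every host on the LAN answers...
    ("192.0.2.11", "203.0.113.9", "icmp", 0, "echo-reply"),
    ("192.0.2.12", "203.0.113.9", "icmp", 0, "echo-reply"),
    ("192.0.2.13", "203.0.113.9", "icmp", 0, "echo-reply"),
    ("192.0.2.10", "192.0.2.50", "icmp", 0, "echo-reply"),   # a single reply to a host that asked
]


def classify_probe(src, dst, proto, dport, kind):
    """Border rule: a datagram to our broadcast address whose source is not
    ours is spoofed (BCP 38 ingress filtering should already drop it); if it
    is an echo request it is a Smurf probe, if UDP echo/chargen a Fraggle one."""
    if dst != BROADCAST or ipaddress.ip_address(src) in OUR_NET:
        return None
    if proto == "icmp" and kind == "echo-request":
        return "smurf"
    if proto == "udp" and dport in AMPLIFYING_UDP_PORTS:
        return "fraggle"
    return None


def detect(flows, reply_threshold=3):
    """Return the probes seen and the victims receiving echo replies from at
    least reply_threshold distinct hosts (the amplified side of the attack)."""
    probes = []
    responders = defaultdict(set)     # victim -> distinct hosts replying to it
    for src, dst, proto, dport, kind in flows:
        label = classify_probe(src, dst, proto, dport, kind)
        if label:
            probes.append((label, src, dst))
        if proto == "icmp" and kind == "echo-reply":
            responders[dst].add(src)
    storms = {victim: len(hosts) for victim, hosts in responders.items()
              if len(hosts) >= reply_threshold}
    return {"probes": probes, "storms": storms}


if __name__ == "__main__":
    print(detect(SAMPLE_FLOWS))
```

The first check only fires if the router still converts the probe into a LAN broadcast; with directed broadcasts disabled the probe is dropped at the router and the reply storm never forms, which is why that single setting is the primary fix.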
Question 190
Under normal circumstances, what are the only two parts of a packet which changes between sending
host and the receiving host while in transit?
Details:
1. TTL, Time to Live. This IP header field (byte offset 8) prevents packets from wandering around the
internet forever looking for their destination. Each layer 3 routing device the packet crosses decrements
the TTL by one; when the value reaches 0 the router discards the packet and sends an ICMP Time
Exceeded ("TTL expired in transit") error back to the originator, telling it that the packet could not reach
its destination. Because the IP header checksum covers the TTL field, each router recomputes that
checksum as well.
2. MAC, Media Access Control address. MAC addresses are local to the network segment you are on.
The moment the packet reaches a router, the source and destination MAC addresses are rewritten for
the next hop in the path; this happens at each router it crosses. (Switches forward frames by MAC
address but do not rewrite them.)
Exceptions: under typical conditions this is the case, but if you are behind a proxy, NAT or firewall device
that is configured to rewrite other header values, they will be changed as well.
That is to say, many firewall and proxy devices are configured specifically to hide internal values, to
reduce the leak of operational details of the internal network to the outside world (or to mitigate
probes using TTL or other packet values).
These devices can rewrite any value, including resetting the TTL, but MAC addresses must change as
packets are handed from device to device in the routing process between source host and destination.
- TTL and Packet Expiration Counter: Sorry, TTL and packet expiration counter are the same thing. While
there is no official term "packet expiration counter", a TTL is in a sense just that: the number of hops
the packet can take across routing devices (L3) before it expires in transit.
- MAC Address and Physical Media: MAC address is right, so good work there, but while the media
changes between host and destination, media isn't part of the packet. Sorry. Read the question a few
times and let it sink in before answering.
- Routing Protocol and TTL: Almost. TTL is right but the routing protocol isn't part of the packet, so this
is not correct or the BEST choice.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
The CCCure Holistic Security+ Tutorial and CBT
and
https://en.wikipedia.org/wiki/Ethernet
Question 191
You are watching an active stream of your firewall logs and notice suspicious traffic from an IP Address
outside your country which is probing your network.
You, being a curious type try to PING the remote IP Address but receive no response, which is curious to
you. How can a remote host send traffic but not be PING-able?
Details:
Firewalls offer a huge number of ways of securing a system from network probing or attack by
controlling how it responds to network traffic. One possibility is silently dropping ICMP packets.
Ordinarily, hosts should respond to ICMP echo requests (RFC 1122 requires every host to implement an
echo server), but in today's security environment it is prudent to silently drop unsolicited internet traffic.
In this case, a system can send packets but not respond to ANY unsolicited traffic by blocking ALL
incoming traffic, including ICMP, TCP, UDP or any other protocol, that is not a reply to something it sent
itself.
Bottom line: hosts can send TCP or UDP traffic regardless of whether they are configured to send or
receive ICMP, which to a casual and inexperienced observer might make it look like the host isn't there.
Consider trying a UDP or TCP probe to elicit a response; otherwise it may be impossible to get a
response from the remote host if it is not configured to respond. Note also that the source address in
your logs could itself be spoofed, in which case no probe will reach the real sender.
Mitigation:
- On a FreeBSD system with the ipf (IP Filter) firewall one simple rule can block ALL inbound network
traffic without responding to ANY probes:
- xl0 is the network interface ID, and this rule would make your system disappear on the network.
- A host in the path is blocking ICMP: This is a good answer but not quite correct. It could be that your
external firewall is blocking ICMP, but that lies outside the scope of this question. If the choice had been
that a gateway on the path is dropping ICMP then it could have been the right choice.
- Its interface is down: This can't be correct because you're receiving packets from it. However, don't
forget that it is possible to receive traffic whose source IP address is invalid or belongs to another host.
- Its firewall is misconfigured: This could be true, but dropping ICMP is a deliberate and common policy
rather than a misconfiguration.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12339
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
Question 192
Which of the following is NOT a best practice when hardening systems or bastion hosts?
• Limit Services
• Apply Patches
• Deploy a NIDS
Details:
While deploying a NIDS (Network Intrusion Detection System) is a good idea, it isn't aimed at hardening
a single system but at monitoring an entire network, so this is the correct answer: it is not a standard
way of hardening a host.
The other steps are critical in securing systems and networks against attack. Consider the following
steps to harden your systems.
Effective bastion hosts are configured very differently from typical hosts. Each bastion host fulfills a
specific role; all unnecessary services, protocols, programs and network ports are disabled or removed.
A bastion host is hardened to limit the potential methods of attack. The specific steps to harden a
particular bastion host depend upon the intended role of that host as well as the operating system and
software that it will be running.
Access Control Lists (ACLs) will be tightened on the file system and other system objects; all unnecessary
TCP and UDP ports will be closed; all non-critical services and daemons will be removed; as many
utilities and system configuration tools as is practical will also be removed. All appropriate service packs,
hot fixes and patches should be installed. Logging of all security-related events needs to be enabled, and
steps need to be taken to ensure the integrity of the logs (for example by forwarding them to a separate
log host) so that a successful intruder is unable to erase evidence of their visit. Any local user account
and password databases should be protected (passwords stored only as salted hashes, with restricted
file permissions).
There are also HIDS (Host-Based IDS) and HBSS (Host-Based Security System) products which can
identify and protect hosts from network attack, but that wasn't an option in the question.
- Harden all networked devices by removing unnecessary services, fully patching them and scanning
them periodically for vulnerabilities.
- Deploy an IDS (Intrusion Detection System) to identify dangerous behavior on your network.
- Applying Patches: This is not the right answer because patching your systems with updates from the
vendor is vital to protecting your systems. It is part of hardening the host.
- Limiting Services: As with the other options, this is important to protecting your systems. Limiting
services to only those critical to your operations greatly reduces the attack surface.
- Change default passwords: This is a great way to secure a host; default passwords are well known and
a serious threat. So this is not the correct answer.
https://www.sans.org/security-resources/idfaq/bastion.php
Question 193
Of the following choices, which one is a type of firewall actively maintaining awareness of the status
conversations between internal and external hosts?
• Stateless
• Stateful Firewall
• Non-Passive Firewall
Details:
Also called a stateful inspection firewall, this type of modern firewall maintains an active table of the
state of conversations between hosts on your internal network and hosts outside it.
Earlier firewalls didn't maintain this awareness and were called stateless (packet filters). Such a firewall
could only block on protocol, source or destination IP address, or TCP/UDP port (plus some other header
fields), one packet at a time.
This proved inadequate once someone figured out that you could send traffic with the ACK (or SYN/ACK)
bit set so that a stateless "allow established" rule would treat it as the return half of a connection
opened from inside the protected network. This permitted attackers to communicate with internal hosts
and bypass the firewall.
Stateful inspection firewalls maintain a so-called dynamic state table that records which side originated
each conversation and where it is in the TCP handshake. The benefit is that systems outside your
network cannot simply send in traffic with TCP state bits set to make it appear that the traffic originated
from inside your own network, thereby bypassing the firewall.
bsdfirewall1#fwtable
If an external attacker tries to send traffic to an internal host it is blocked by the firewall because no
state table entry exists permitting the traffic in. A stateful inspection firewall consults the state table
first to see if the incoming packet is part of an established session. If there is no entry in the state table
it consults the rulebase to see if there is a rule allowing the traffic. If there is no state table entry and
no rule matches, the packet is dropped or rejected.
- Stateless: This is the opposite of the right answer, so it is the wrong answer. Sorry. A stateless firewall
doesn't maintain awareness of the status of conversations between hosts inside and outside your
network.
- Active State Firewall: Sorry, this isn't a correct answer. This is not a valid term related to stateful or
stateless firewalls.
- Non-Passive Firewall: This isn't correct. There is no known firewall called this.
and
http://en.wikipedia.org/wiki/Stateful_firewall
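The state table logic from Question 193 together with the handshake arithmetic from Question 179, as an added example that is not part of the original question bank: a small stateful inspection engine that admits a SYN from inside (or one matching a rule), admits the SYN/ACK only if it acknowledges the client's ISN plus one, marks the flow established on the final ACK, and drops any SYN/ACK or ACK from outside that has no state table entry. The internal network, the DMZ host, the rulebase and the packet sequence are constructed.

```python
"""Added example, not from the CCCure question bank: a stateful inspection
engine for TCP that tracks the three-way handshake (SYN, SYN/ACK, ACK)
and its sequence/acknowledgement arithmetic, so that a SYN/ACK or ACK
arriving from outside with no matching state is dropped. Networks, hosts,
ports and the rulebase are constructed."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.5.0.0/16")
RULEBASE = [("10.5.9.10", 443)]     # inbound connections allowed only to the DMZ web host


class StatefulFirewall:
    def __init__(self):
        # (client_ip, client_port, server_ip, server_port) -> flow state
        self.table = {}

    @staticmethod
    def _inside(ip: str) -> bool:
        return ipaddress.ip_address(ip) in INTERNAL

    def filter(self, pkt: dict) -> str:
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = pkt["flags"]

        if flags == "S":                                   # step 1: client sends its ISN
            if not self._inside(pkt["src"]) and (pkt["dst"], pkt["dport"]) not in RULEBASE:
                return "DROP: unsolicited SYN from outside, no rule"
            self.table[fwd] = {"state": "SYN_SENT", "client_isn": pkt["seq"], "server_isn": None}
            return "PASS"

        if flags == "SA":                                  # step 2: server ISN, acks client ISN+1
            flow = self.table.get(rev)
            if flow is None or flow["state"] != "SYN_SENT":
                return "DROP: SYN/ACK with no prior SYN"
            if pkt["ack"] != flow["client_isn"] + 1:
                return "DROP: SYN/ACK acknowledges the wrong sequence number"
            flow.update(state="SYN_RECEIVED", server_isn=pkt["seq"])
            return "PASS"

        flow = self.table.get(fwd)                         # step 3 and later client traffic
        if flow is not None and flow["state"] == "SYN_RECEIVED":
            if "A" in flags and pkt["ack"] == flow["server_isn"] + 1:
                flow["state"] = "ESTABLISHED"
                return "PASS"
            return "DROP: handshake ACK has the wrong acknowledgement number"
        if flow is None:
            flow = self.table.get(rev)                     # server -> client direction
        if flow is not None and flow["state"] == "ESTABLISHED":
            return "PASS"
        return "DROP: no state table entry"


def run_scenario() -> list:
    fw = StatefulFirewall()
    client, server, attacker = "10.5.1.50", "93.184.216.34", "198.51.100.7"
    packets = [
        dict(src=client, sport=51000, dst=server, dport=443, flags="S", seq=1000, ack=0),
        dict(src=server, sport=443, dst=client, dport=51000, flags="SA", seq=5000, ack=1001),
        dict(src=client, sport=51000, dst=server, dport=443, flags="A", seq=1001, ack=5001),
        dict(src=server, sport=443, dst=client, dport=51000, flags="PA", seq=5001, ack=1001),
        dict(src=attacker, sport=443, dst=client, dport=51001, flags="SA", seq=1, ack=1),   # forged
        dict(src=attacker, sport=40000, dst="10.5.1.60", dport=445, flags="A", seq=1, ack=1),
        dict(src=attacker, sport=40001, dst="10.5.1.60", dport=445, flags="S", seq=7, ack=0),
        dict(src=attacker, sport=40002, dst="10.5.9.10", dport=443, flags="S", seq=9, ack=0),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

A real engine also ages entries out, tracks FIN/RST teardown and checks that sequence numbers stay inside the advertised window; the handshake tracking above is the part that defeats the forged-SYN/ACK trick the explanation describes.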
Question 194
Which of the following sequence represents the DoD - Department of Defense TCP/IP Reference Model?
Details:
Similar to the OSI model, the DoD TCP/IP model has its layers in the same order but is more concise:
Application, Transport, Internet, Network Interface (Link), corresponding to OSI layers 5-7, 4, 3 and 1-2
respectively.
Mnemonic: ATIL is a good way to remember the layers from the top down.
TINA - Transport, Internet, Network Interface, Application: Sorry, this is the improper sequence.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12534
Question 195
• 62
• 128
• 32
• 64
Details:
Subnetting is a vital part of being a good IT Security administrator. If you cannot easily make sense of
what you are seeing with IP Addresses, subnet masks and network IDs, you will have difficulty being
effective in the cyber battlefield.
However, if you take enough time to become good at it, it will become second nature. Also, try to
identify the best way for YOU to do so because there are many methods and people learn and
understand differently. Here's a good study sheet for IPv4 Subnetting. And, here's a good video on
subnetting.
In the case of this question, the subnet mask 255.255.255.192 (/26) gives a block of 64 addresses, but two of them are reserved: the lowest is the network ID and the highest is the broadcast address. That leaves only 62 usable host addresses.
1. Take the number of hosts you must accommodate, add 2 for the network ID and broadcast, and round up to the next power-of-two net block. Example: 48 hosts need 50 addresses, so you must round up to a net block of 64 addresses with a subnet mask of 255.255.255.192.
2. To figure your network IDs, subtract the last octet of your mask from 256. The result is the block size, and the network IDs step through the last octet in multiples of it. For 255.255.255.192: 256 - 192 = 64, so the network IDs are .0, .64, .128 and .192.
So, in your router you would configure these as your routable networks and from there the switches
would "see" hosts by MAC and IP Addresses and send traffic to the switchports to the intended hosts.
This creates the path to the hosts on the subnet.
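The two steps above, as an added worked example that is not part of the original study page. It uses Python's standard ipaddress module; the host counts and addresses passed to it are made up for illustration:

```python
import ipaddress


def usable_hosts(mask):
    """Usable host addresses for a dotted-decimal subnet mask, e.g. 255.255.255.192 -> 62.
    The block size is 2**(32 - prefix); the network ID and broadcast address are removed."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    block = 2 ** (32 - prefix)
    return block - 2


def mask_for_hosts(hosts):
    """Step 1: add two for the network ID and broadcast, round up to the next
    power-of-two block and return its mask, e.g. 48 hosts -> 255.255.255.192."""
    block = 4  # smallest block that still has two usable addresses (a /30)
    while block - 2 < hosts:
        block *= 2
    prefix = 32 - (block.bit_length() - 1)
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def network_ids(mask):
    """Step 2: 256 minus the last octet of the mask is the block size, and the network
    IDs step through the last octet in multiples of it. Only masks that subnet a /24
    (255.255.255.128 through 255.255.255.252) are meaningful here."""
    last_octet = int(mask.split(".")[3])
    if last_octet < 128:
        raise ValueError("mask must subnet the last octet")
    block = 256 - last_octet
    return list(range(0, 256, block))


def subnet_of(host_ip, mask):
    """Network ID and broadcast address of the subnet a given host belongs to."""
    net = ipaddress.IPv4Network(f"{host_ip}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)
```

mask_for_hosts(48) returns 255.255.255.192 and usable_hosts of that mask is 62, which is the answer to the question; network_ids gives the .0, .64, .128 and .192 block boundaries from step 2, and subnet_of tells you which of those blocks a host address falls into.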
- 64 hosts: Almost correct but you forgot to subtract 2 addresses for net ID and broadcast.
- 128 hosts: Sorry, incorrect answer. This mask would be 255.255.255.128. Also, you appear to have
forgotten to subtract the two addresses you can't use, Subnet ID and broadcast addresses.
- 32 hosts: Also not correct. This subnet mask would be 255.255.255.224, AND you forgot to subtract 2
for the network ID and broadcast.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
Question 196
Which field in a TCP header is used to reassemble a file back into proper order to be presented to the
receiver?
• TCP Flags
• IP Sequence Number
Details:
TCP Sequence Numbers (bytes 4-7 of the TCP header) are used, in part, to put received segments back into their original order before the data is handed to the application.
Every TCP segment carries a 32-bit sequence number in its header. During session establishment each side picks an ISN (Initial Sequence Number), which should be unpredictable, as the starting point for the bytes it sends.
Sequence numbers also let the receiver detect missing data: a gap in the sequence space means a segment was lost, and the receiver's acknowledgements tell the sender what to retransmit. When segments are lost to congestion or transmission errors, the sender shrinks its window (the amount of data it may have in flight without an acknowledgement, measured in bytes, not packets) and retransmits until the data gets through.
- TCP Flags: This one really isn't correct. TCP Flags are used to indicate the state a TCP connection is
desired to be in and control TCP state.
- TCP Urgent Pointer : Sorry, not correct. TCP header offset 18-19 (URG Pointer field) isn't used to
reassemble data.
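An added example (not from the original page) that decodes the TCP header at the byte offsets given above and reorders segments by sequence number the way a receiver does. The header bytes are constructed in the code, not captured from a real session:

```python
import struct

SEQ_MASK = 0xFFFFFFFF
TCP_HEADER = "!HHIIBBHHH"  # src, dst, seq, ack, offset/reserved, flags, window, checksum, urgent
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

# Constructed sample header (not a real capture): 443 -> 51000, seq 0x12345678,
# ack 0x9abcdef0, data offset 5 words (20 bytes, no options), PSH+ACK, window 65535.
SAMPLE_HEADER = struct.pack(TCP_HEADER, 443, 51000, 0x12345678, 0x9ABCDEF0,
                            5 << 4, 0x18, 65535, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed 20-byte TCP header; bytes 4-7 are the sequence number and
    bytes 18-19 the urgent pointer, matching the offsets cited in the answer."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes of TCP header")
    src, dst, seq, ack, off_res, flags, window, csum, urg = struct.unpack(TCP_HEADER, raw[:20])
    data_offset = (off_res >> 4) * 4  # header length in bytes, options included
    if data_offset < 20 or data_offset > len(raw):
        raise ValueError("bad data offset")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": data_offset,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "window": window, "checksum": csum, "urgent_ptr": urg,
        "options": raw[20:data_offset],
    }


def reassemble(isn, segments):
    """Put (seq, payload) segments back in order by sequence number, relative to the
    ISN so 32-bit wraparound is handled. Returns (contiguous_data, gap_at) where gap_at
    is the sequence number the receiver would keep ACKing if data is missing, else None.
    Overlapping retransmissions are treated as duplicates for simplicity."""
    expected = (isn + 1) & SEQ_MASK  # the SYN consumes one sequence number
    data = bytearray()
    for seq, payload in sorted(segments, key=lambda s: (s[0] - isn) & SEQ_MASK):
        if seq == expected:
            data += payload
            expected = (expected + len(payload)) & SEQ_MASK
        elif ((seq - expected) & SEQ_MASK) < 2 ** 31:
            return bytes(data), expected  # hole before this segment
        # otherwise the segment repeats data already delivered: ignore it
    return bytes(data), None
```

SAMPLE_HEADER[4:8] holds the sequence number, which is the field the question asks about. reassemble also shows how the receiver discovers a hole: it returns the sequence number it is still waiting for, which is what its repeated ACKs would carry and what makes the sender retransmit.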
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15951
Question 197
Which of the following signaling methods is most closely associated with 802.11 wireless networks?
• Half Duplex
• Wireless Duplex
• Full Duplex
• Mega Duplex
Correct Answer is: Half Duplex
Details:
802.11 wireless networks are, by nature, half-duplex: a station cannot transmit and receive on the same channel at the same time, which is why 802.11 uses CSMA/CA (collision avoidance) rather than collision detection. Wired Ethernet can be full-duplex when it uses separate pairs for transmitting and receiving on a switched link; each pair is a separate channel in one direction.
Full-duplex links are much more efficient at moving data because no collisions can occur on a truly full-duplex link and the CSMA/CD functionality is disabled.
- Full Duplex: This isn't correct because 802.11 networks are, by nature, half-duplex.
- Mega Duplex: This isn't a real computer term but it probably should be.
- Wireless Duplex: This isn't the answer. It looks like a valid answer though if you were not familiar with
this material.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12429
Question 198
Which answer BEST describes the process you are doing if you:
- Apply hotfixes, service packs and patches
• Network Hardening
• Application Hardening
• OS Hardening
Correct Answer is: OS Hardening
Details:
When we 'harden' an operating system, this is a process of making the system more resilient to attack.
By default, computers are very insecure and are largely configured just to be functional without much
regard to security. Logging is minimal, updates may be turned off by default and many services are
running even if unused.
Hardening is the process of applying patches and service packs, disabling unnecessary services, locking down or removing applications and taking other steps that make the computer a harder target to attack.
- Implementing Security Control: This is an important step to security but only a minor component.
Sorry.
The Official ISC2 Guide to the CISSP CBK Fourth Edition - CISSP 2015 CBK
Question 199
Which answer BEST describes a software suite that examines and identifies weaknesses in security of
your network devices and computers?
• Vulnerability Scanners
• Antivirus Scanners
Details:
Vulnerability Scanners can be used to scan your computers and networks for a set of known
vulnerabilities which should be addressed so that your security posture may be improved.
In a credentialed (authenticated) scan, you configure the scan software with a set of admin or root credentials for the systems you are to scan. The scanner logs onto the systems with those credentials so that it has full admin privileges and therefore access to all system files, patch levels and configuration for examination. An unauthenticated scan, by contrast, sees only what the system exposes on the network, so it finds less but shows you what an outside attacker would see.
Results can usually be presented in varying degrees of complexity from technician level up to managerial level with graphics and executive summaries about the results of the scan.
Examples of vulnerability scanners include:
- Nessus for Mac OS X, OpenBSD, FreeBSD, Solaris and other Unix variants and Windows.
- Core Impact
- X-Scan (Freeware)
We take the results of these scans and address the vulnerabilities by patching the computers, removing
vulnerable services we don't need and locking down systems to be more attack resistant.
- Antivirus Scanner: Antivirus scanners generally don't identify weaknesses in your networks and
computers although they can point out malicious behavior or files on computers. In this case, it isn't the
right answer.
- IDS - Intrusion Detection System: IDS devices merely look at network traffic to see if a pattern of
network traffic matches a set of known signatures or behavior. If a match is found the IDS can trigger an
alarm for the admin to check out. In this question, the IDS doesn't identify weaknesses.
- IPS - Intrusion Prevention System: IPS systems go a step further than IDSes and can proactively stop
attacks but don't identify weaknesses in systems like a vulnerability scanner. Therefore this isn't correct
either. Sorry.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16083
Question 200
Which of the following authentication method would avoid conditions where a replay attack would be
successful by making use of an authenticator.
• Kerberos
• Biometric Authentication
Details:
To protect against replay attacks, the Kerberos authentication protocol uses the concept of an
authenticator.
A Kerberos authenticator is embedded in the Kerberos protocol exchanges that occur between the authenticating client and the authentication server (in Windows, the domain controller, DC) or a resource server. It is encrypted under the session key and holds the client's principal name and realm, an optional subkey and checksum, and most important, the client's timestamp (ctime, with microseconds in cusec).
When the Kerberos logic on a Domain Controller (DC) or resource server validates a Kerberos authentication message, it always checks the authenticator's timestamp against a replay cache. If an authenticator with the same client and timestamp has already been seen, the server-side Kerberos logic rejects the packet because it considers it part of a replay attack, and user authentication fails.
The Kerberos server-side logic also compares the timestamp in the authenticator to the local server time. If the timestamp in the authenticator isn't within five minutes of the time on the server, it will also reject the packet. These five minutes are referred to as the Kerberos maximum time skew. In Windows the skew defaults to five minutes (the "Maximum tolerance for computer clock synchronization" Kerberos policy setting), but you can change this value if desired.
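The timestamp and replay-cache checks described above, as an added example that models them; it is not code from the original page or from any Kerberos implementation. It assumes a fixed server clock (NOW) and the default five-minute skew; the principal names are made up:

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)          # assumed default: the five-minute skew in the answer
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed server clock for the demo

ACCEPT, REJECT_SKEW, REJECT_REPLAY = "ACCEPT", "REJECT_SKEW", "REJECT_REPLAY"


def minutes(n):
    return timedelta(minutes=n)


class AuthenticatorCheck:
    """Server-side handling of a Kerberos authenticator, modelled on the checks the
    answer describes: a clock-skew window plus a replay cache of authenticators
    already seen. Entries are keyed on (client principal, timestamp); real Kerberos
    also keys on the microsecond field and the ticket, which is omitted here."""

    def __init__(self, skew=MAX_SKEW):
        self.skew = skew
        self.seen = {}  # (client, timestamp) -> when the entry can be forgotten

    def validate(self, client, authenticator_ts, now):
        self._expire(now)
        # 1. The timestamp must be within the skew window of the server clock.
        if abs(now - authenticator_ts) > self.skew:
            return REJECT_SKEW
        # 2. The same client must not present the same timestamp twice.
        key = (client, authenticator_ts)
        if key in self.seen:
            return REJECT_REPLAY
        # Entries only need to live for the skew window: anything older fails check 1.
        self.seen[key] = now + self.skew
        return ACCEPT

    def _expire(self, now):
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
```

The second check is what defeats a captured-and-replayed authenticator; the first is what keeps the replay cache small, because a server never has to remember an authenticator longer than the skew window.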
- Biometric Authentication: Sorry, a biometric system proves who is present at the moment of capture, but it has no authenticator or timestamp mechanism of its own, so it does not answer the question.
- CHAP - Challenge Handshake Authentication Protocol: This isn't the right answer. CHAP does resist replay by the peer through the use of an incrementally changing identifier and a variable challenge value, but it does not make use of an authenticator.
- PAP - Password Authentication Protocol: Sorry, PAP sends the username and password in the clear with no challenge, timestamp or authenticator, so a captured exchange can simply be replayed.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 11333
Question 201
Which of the following technologies help mitigate the exhaustion of IPV4 addresses AND allows
companies to have one external IP Address while using a RFC 1918 non-routable internal IP Addressing
scheme. Such a technique changes the source address so traffic going outbound to the Internet can find its way back into the internal network?
Details:
The correct answer is: Overloaded NAT - Overloaded Network Address Translation
NAT basically translates internal IP Address into a publicly addressable IP Address so that many internal
users can use that public IP Address but maintain their internal addressing scheme.
Network Address Translation (NAT) is designed for IP address conservation. It enables private IP
networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router,
usually connecting two networks together, and translates the private (not globally unique) addresses in
the internal network into legal addresses, before packets are forwarded to another network.
As part of this capability, NAT can be configured to advertise only one address for the entire network to
the outside world. This provides additional security by effectively hiding the entire internal network
behind that address. NAT offers the dual functions of security and address conservation and is typically
implemented in remote-access environments.
RFC 1918 addresses are the private ranges that are not routed on the public Internet:
- 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
Basically, packets arrive from the internal hosts to the NAT server using these IP Addresses. The source
IP Address is replaced by that of the NAT Server's public IP Address so that the packets can return to the
network. The NAT Server maintains a table of which data originated from which machine so the packets
can return to the internal hosts.
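An added example, not from the original page, that implements the translation table described above for overloaded NAT and also shows the state-table behaviour from the stateful inspection explanation at the top of this section: replies to recorded outbound flows are translated back in, anything else is dropped. Public port assignment starting at 1024 is an assumption, and the addresses are RFC 5737 documentation addresses and RFC 1918 private addresses chosen for the demo:

```python
import ipaddress
import itertools

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True for the RFC 1918 ranges listed above."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class NatOverload:
    """One public address shared by many internal hosts. The translation table doubles
    as a state table: only replies to recorded outbound flows are let back in."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # assumption: sequential port allocation
        self.out_table = {}  # (proto, src, sport, dst, dport) -> public port
        self.in_table = {}   # (proto, public port, remote, rport) -> (src, sport)

    def outbound(self, pkt):
        """Rewrite the source of an internal packet to public_ip:assigned_port and
        record the flow so the reply can be matched."""
        if not is_private(pkt["src"]):
            raise ValueError("only RFC 1918 sources are translated")
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.out_table.get(key)
        if port is None:
            port = next(self._ports)
            self.out_table[key] = port
            self.in_table[(pkt["proto"], port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Map a packet arriving at the public address back to the internal host.
        Returns None (drop) when no state entry matches, e.g. an unsolicited probe."""
        key = (pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"])
        entry = self.in_table.get(key)
        if entry is None:
            return None
        src, sport = entry
        return dict(pkt, dst=src, dport=sport)
```

Two internal hosts using the same source port get distinct public ports, which is how one public address serves many clients. The inbound lookup is the same decision a stateful firewall makes: a packet from the Internet that does not match an existing entry has nowhere to go and is dropped.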
There are security benefits because the NAT server is making requests on behalf of the internal clients
so that they're not directly exposed to possibly malicious web servers.
Also, network traffic can be normalized to avoid information leakage from internal hosts, such as TTL values that could reveal the operating system type.
A NAT device can also clear ordinarily unused header fields, which disrupts covert channels that stuff bits into those fields to use them as a hidden transport or signaling path out of your internal hosts.
NOTE:
There is a lot of argument about what is NAT and what is PAT, and vendors use the terms differently. There is no easy answer.
Dynamic NAT with overload (what Cisco IOS calls PAT): changes the SOURCE address and port so traffic going to the Internet can find its way BACK.
Port address translation in the sense used here (port forwarding, or static PAT): changes the DESTINATION address and port so traffic from the Internet to an internal server can get to it.
- Static NAT - Static Network Address Translation: Static NAT is a one-to-one conversion and NOT a one-to-many as specified in the question.
- PAT - Port Address Translation: This is incorrect but PAT is a real technology. Depending on the type of
NAT server you use PAT is included with the NAT server.
- VLAN - Virtual Local Area Network: Sorry, VLANs assist in networking but don't play a critical role in
mitigating IPV4 Address exhaustion.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14552
You have been asked by your senior executive staff to deploy a web server on your network but you are
worried about it being attacked and compromised. Where would you most likely want to deploy the
server so as to avoid exposing your internal network to the threat of a compromised server?
• DMZ
• Extranet
• Secure VLAN
Details:
DMZ stands for Demilitarized Zone, a term borrowed from the military for a buffer area between two sides. Some study material claims it once stood for Demarcation Zone, but the demarcation point (demarc) is a different thing: the cutoff where the ISP's technical responsibility ends and the organization's IT staff takes over.
Whatever the origin, a DMZ is a place outside your trusted corporate network but inside your network filtering devices like a router or filtering firewall.
The external filtering router would filter out obvious inappropriate traffic and it might even normalize
the traffic to make it safer to be in the DMZ. You can even block certain countries by netblock if they
have no reason to visit your web server.
This can heavily mitigate attacks into your DMZ or further into your internal network but it is no perfect
solution because attackers can pivot from hostile countries via a compromised host in your own country.
In the DMZ you might place a web server or other server you need to permit access to. The firewall
device that protects your internal network would be heavily locked down and only allow enough traffic
to administer the external filtering router and web server.
The following answers are incorrect:
- Secure VLAN: This isn't the right answer because a "Secure VLAN" isn't a term used as a place we would
place servers to be internet accessible.
- Extranet: An extranet is similar to a DMZ in that you can provide access from an isolated area but in
most cases it is referred to as a DMZ.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14341
Question 204
- Data is encrypted and encapsulated into another packet for transmission across an untrusted medium.
- Permits networks to be geographically separate but appear as though they were on the same local
network.
• PPTP - Point-to-Point-Protocol
Details:
VPN - Virtual Private Networks are common in the enterprise because they allow separated networks to
function as if they are collocated.
Basically, a network packet is encrypted then encapsulated into another packet for transport across an
untrusted network.
- VPN - Virtual Public Network: This is incorrect because it's 'Private' not 'Public'. It wouldn't be very
secure if it were a 'Public' network.
- PPTP - Point to Point Protocol: Technically PPTP is a VPN method (the acronym actually stands for Point-to-Point Tunneling Protocol, so the expansion given here is wrong), but it is no longer considered secure because its MS-CHAPv2 authentication and MPPE encryption are cryptographically easy to break.
- L2TP - Layer 2 Transport Protocol: Sorry, this isn't a valid answer because while L2TP is a tunnel
protocol developed jointly by Cisco and Microsoft the acronym stands for Layer 2 Tunneling Protocol.
Read the questions carefully.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14863
Question 205
Which of the following answers is a technology in newer Microsoft Windows computers that can encrypt
an entire drive volume?
• TruCrypt
• BitLocker
Details:
BitLocker is a feature of modern Windows editions that encrypts whole volumes: the operating system drive, fixed data drives and removable data drives (BitLocker To Go). It does not depend on the individual user account to decrypt files; once a volume is unlocked at boot it is available to every user and group on the system.
BitLocker uses the TPM (Trusted Platform Module) to protect the key that encrypts the operating system drive: the TPM releases the key only if the boot components measure as expected, optionally combined with a PIN or a USB startup key.
BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Windows Vista and Windows 7, the Pro and Enterprise editions of Windows 8 and later desktop editions, and the server platforms from Windows Server 2008 onward. It is designed to protect data by providing encryption for entire volumes. In Vista and Windows 7 it used AES in CBC mode with a 128-bit or 256-bit key, combined with the "Elephant" diffuser for disk-encryption-specific protection that plain AES-CBC does not provide; the diffuser was dropped in Windows 8, and Windows 10 (version 1511) introduced XTS-AES as the default. CBC is not chained over the whole disk, only within each individual disk sector.
- EFS - Encrypting File System: Sorry, EFS encrypts files and folders one at a time while Bitlocker encrypts
entire drives.
- NTFS - New Technology File System: This isn't correct because NTFS supports file encryption but isn't a
drive encryption technology.
- TruCrypt: This answer is incorrect. TrueCrypt (misspelled in the options) could in fact encrypt a system drive and decrypt it on the fly using pre-boot authentication, but it is not a Microsoft technology, and the project was discontinued in 2014, so it is not the answer.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 10251
http://en.wikipedia.org/wiki/Bitlocker
Question 206
Which transport layer encryption consists of two layers - the Record Protocol and the TLS Handshake
Protocol and encrypts communications between the client and server?
Details:
SSL was developed by Netscape in the middle 1990s and TLS came along in January 1999 in RFC 2246
and was developed to secure communications between client web browsers and web servers.
TLS was based on SSL 3.0 and superseded it, but many web servers kept SSL enabled for years despite its known vulnerabilities; SSL 2.0 and SSL 3.0 are now formally prohibited (RFC 6176 and RFC 7568).
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic
protocols which are designed to provide communication security over the Internet. They use X.509
certificates and hence asymmetric cryptography to assure the counterparty with whom they are
communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing
between the parties. This allows for data/message confidentiality, and message authentication codes for
message integrity and as a by-product, message authentication. An important property in this context is
forward secrecy, so the short term session key cannot be derived from the long term asymmetric secret
key.
TLS - TCP Layer Security: Sorry, the acronym isn't supposed to contain TCP so this is incorrect. If you got
this incorrect because you missed the TCP portion, use it as a learning experience to train yourself to
read the questions very carefully to avoid mistakes.
SSL - Secure Sockets Layer: This is almost correct, since SSL 3.0 has the same record and handshake structure, but the question names the TLS Handshake Protocol, and SSL is the deprecated predecessor of TLS.
WTLS - Wireless TCP Layer Security: Sorry, this is incorrect because TLS doesn't include TCP in the
acronym and it's the wrong answer.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15286
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 28). Wiley. Kindle Edition.
Question 207
Which answer BEST describes a technology that offers us the ability to segment network traffic and
allow segregation of network users and resources from each other logically using features on enterprise
switch?
• VLANs
• STP
• WLANS
• WANS
Details:
VLANs (Virtual LANs) let a switch administrator carve one physical switched network into several logical broadcast domains. Back when hubs were common there was a single collision domain in which every computer 'saw' all other traffic; this caused network latency and became a security risk after the rise of network sniffers. Switches removed the shared collision domain, and VLANs go a step further by containing broadcast traffic and separating groups of ports from one another.
VLANs allow us to assign physical switch ports to a specific VLAN to contain broadcast traffic, increase network performance and provide some level of security by isolating sensitive traffic.
Basically, the switch administrator assigns computers to a VLAN, often by the department of the user, e.g. finance, personnel, marketing. This is not a great security benefit on its own, but because traffic between VLANs must pass through a router or layer 3 switch, it gives you a place to filter and limit access to sensitive VLANs.
- STP: Spanning Tree Protocol (IEEE 802.1D) builds a single loop-free path through a switched network by blocking redundant links. STP runs on switches that carry VLANs but isn't the right answer.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15301
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 97). Wiley. Kindle Edition.
Question 208
Which of the following answers is BEST described as a SAN standard for connecting data storage
facilities to communicate over IP networks?
• iSCSI
• SCSI-SAN
• iSAN
• vSAN
Details:
By transmitting SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets.
iSCSI data can be transmitted over the internet, WANs or LANs.
Unlike Fibre Channel, which requires its own cabling and switches, iSCSI just connects to your existing network and uses IP addresses as the interconnect mechanism. Because it rides on ordinary TCP/IP, iSCSI traffic should be kept on an isolated storage VLAN and authenticated (CHAP is part of the standard) so that a host on the LAN cannot attach to disks it should not see.
- iSAN - Internet SAN: This isn't a real term for network storage, sorry.
- SCSI-SAN: This is also not a known term in the network storage subject.
- vSAN: Sorry, this isn't right. A vSAN (virtual SAN) pools the local disks of a cluster of hosts into shared storage; it is a product category, not an IP transport standard.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13154
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 102). Wiley. Kindle Edition.
Question 209
Which answer is BEST described as a transport protocol similar to iSCSI that can operate at up to 10 Gbps and rides on top of Ethernet but is not routable?
• FCOE
• iSCSI
• iSAN
• SCSI-SAN
Correct Answer is: FCOE
Details:
Fibre Channel over Ethernet (FCoE) encapsulates Fibre Channel frames directly in Ethernet frames. Like iSCSI it rides over Ethernet, but it has no IP layer, so it is not itself routable and needs a lossless (Data Center Bridging) Ethernet fabric.
iSCSI by comparison operates higher in the stack and uses TCP (normally port 3260) as the transport protocol for the communications.
FCoE shares the Ethernet segment with regular IP traffic, but because it is not itself routable it will not work across routed IP networks the way iSCSI does.
Memorization Aid:
iSCSI = routable (IP)
FCoE = not routable (Ethernet only)
- iSCSI: Sorry, iSCSI is an IP-based storage networking standard for linking data storage facilities. Basically, it's SCSI commands carried over IP instead of a SCSI cable. Specifically it is incorrect because iSCSI is routable and rides on TCP.
- iSAN - Internet SAN: This isn't a real term for network storage, sorry.
- SCSI-SAN: This is also not a known term in the network storage subject.
The following reference(s) was/were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13102
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 102). Wiley. Kindle Edition.
Question 210
A ______ is a mechanism for providing secure, reliable transport over the Internet.
• RAS
• TCP
• VPN
• DIAMETER
Details:
A Virtual Private Network or VPN is used to provide remote users with a secure method to access
remote network resources while on untrusted networks.
The VPN can be found in workplaces and homes, where they allow employees to safely log into
company networks. Telecommuters and those who travel often find a VPN a more convenient way to
stay connected to the corporate intranet.
The key feature of a VPN, however, is its ability to use public networks like the Internet rather than rely
on private leased lines. VPN technologies implement restricted-access networks that utilize the same
cabling and routers as a public network, and they do so without sacrificing features or basic security.
The following answers are incorrect:
- DIAMETER: Diameter is an AAA (authentication, authorization and accounting) protocol that succeeds RADIUS; it is not a transport mechanism. Diameter Applications extend the base protocol by adding new commands and/or attributes, such as those for use of the Extensible Authentication Protocol (EAP). See the reference below for a full list of features that DIAMETER provides but RADIUS does not.
- TCP: This isn't the right answer because TCP might provide reliable transport, but by itself it does not
provide it in a secure manner.
- RAS: RAS - Remote Access Service is used to enable management of remote access connections
through phone modems so this isn't the right answer.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14863
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 3). Wiley. Kindle Edition.
http://compnetworking.about.com/od/vpn/a/vpn_tutorial.htm
http://en.wikipedia.org/wiki/Diameter_%28protocol%29
Question 211
Of the following answers, which would you want to have inside the DMZ?
Details:
The DMZ takes its name from the military term Demilitarized Zone, a buffer area between two sides. (Some study material calls it a 'demarcation zone', but the demarcation point, where the Internet service provider's responsibility ends and yours begins, is a different concept.) Either way, it's that area outside your trusted network where you would place your web servers, mail or application servers.
The DMZ ordinarily resides behind a first level firewall or packet filtering router that blocks unwanted
traffic but permits access to those servers.
Another firewall on the trusted side of the DMZ strictly filters traffic entering the trusted internal LAN
thereby protecting internal network hosts.
- Sensitive Corporate computers: This isn't right because a DMZ is a semi-trusted area of your network
and no place for sensitive systems.
- Regular user computers: This also isn't right because regular user computers would need to be on the
internal trusted LAN, not in the DMZ.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14339
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 42). Wiley. Kindle Edition.
Question 212
You have deployed VOIP phones in your corporate network and you want to protect these
communications against sniffing by encrypting the traffic. You also want to provide message
authentication and integrity as well as defending against VOIP Spam and replay attacks.
• RTP
SIP
• SRTP
• AES
Details:
SRTP - Secure Real-time Transport Protocol provides protection against sniffing and replay attacks but
also provides message authentication and integrity.
AES - Advanced Encryption Standard: SRTP uses AES as the default encryption type but this doesn't
answer the question of how to secure VOIP communications.
RTP - Real-time Transport Protocol: Sorry, this isn't correct because RTP is a plaintext UDP protocol
designed to get packets from point to point as quickly as possible to support voice communications.
SIP - Session Initiation Protocol: This is incorrect because SIP was designed by the IETF to set up, modify and tear down calls by establishing a session between two hosts; it carries signaling, not the voice media, and on its own provides no security for the media stream (SIP signaling can be separately protected with TLS, i.e. SIPS).
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13319
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 45-46). Wiley. Kindle Edition.
Ric Messier (2014). GSEC - GIAC Security Essentials Certification Exam Guide. (p. 487-488.) McGraw Hill.
Question 213
Which method of securing DNS involves the combination of PKI and DNS?
• PKI DNS
• DNSSEC
• SECDNS
• SDNS
DNSSEC is short for DNS Security Extensions. It adds origin authentication and integrity to DNS by digitally signing the resource record sets in a zone with public-key cryptography. The zone's public keys are published in DNSKEY records and vouched for by DS records in the parent zone, which forms a chain of trust anchored at the root zone rather than in X.509 certificates; that chain is the 'PKI' the question refers to.
Originally no security considerations were given to DNS; it was designed to be a distributed and scalable system.
A validating resolver checks the RRSIG signature on each answer against the chain of trust, so the client can be assured that the results came from the zone owner and were not altered in transit. DNSSEC does not encrypt queries or responses; it provides authenticity and integrity, not confidentiality.
SDNS: SDNS isn't a valid answer because it isn't the right acronym.
SECDNS: This isn't the right answer because SECDNS isn't a manner of securing DNS queries. It does not exist and it is only a distractor.
PKI DNS: This could have been another name for DNSSEC because public-key cryptography is used in DNSSEC, but even though it sounds good that's not the name used, so this is not a right answer.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16280
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 63). Wiley. Kindle Edition.
Question 214
• ARPv6
• ICMPv6
• NDP
• RDP
Details:
With IPv4 ARP - the Address Resolution Protocol figured out which MAC Address an IP Address was
using by simply asking "ARP WHO HAS 10.0.1.1 TELL 10.0.1.20 ". The other station would reply with
something like "10.0.1.1 is at AA:BB:CC:DD:EE:FF ". At that point both stations could converse using MAC
Addresses.
With IPv6, the job ARP did is handled by NDP (Neighbor Discovery Protocol). NDP runs on top of ICMPv6, so strictly it is a layer 3 protocol, but it performs the link-layer functions ARP did: resolving IPv6 addresses to MAC addresses, auto-configuring nodes on a link and letting them find and communicate with one another.
NDP uses a mix of ICMPv6 messages and multicast addresses to discover other nodes, detect duplicate addresses, find available routers and DNS servers and some other functions.
NDP defines five ICMPv6 message types:
1. Type 133: Router Solicitation, sent by hosts to locate routers on the link
2. Type 134: Router Advertisement, sent by routers to announce themselves and the prefixes in use
3. Type 135: Neighbor Solicitation, used to resolve a neighbor's link-layer address or to detect a duplicate address
4. Type 136: Neighbor Advertisement, the response to a Type 135 Neighbor Solicitation
5. Type 137: Redirect, used by routers to inform hosts of a better first hop
Like ARP, these messages are not authenticated by default, so a host on the link can spoof advertisements; RA Guard on switches and SEND (Secure Neighbor Discovery, RFC 3971) exist to address that.
NOTE: The Official Study Book 7th Edition is lacking when it comes to IPSEC. This is a topic you will need
to supplement your studies by using other resources such as the links below.
- RDP: RDP (Remote Desktop Protocol) is not a correct answer and isn't involved in layer two communications for IPv6. RDP is a Microsoft proprietary protocol that provides a graphical interface to a remote computer.
- ARPv6: Sorry, there is no ARPv6. As this scenario explains, ARP was replaced with NDP in IPv6.
- ICMPv6: ICMPv6 plays a role in NDP in that ICMPv6 messages are used as the replacement for ARP messages, as explained in the discussion above, but the protocol that performs neighbor discovery is NDP.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 49). Wiley. Kindle Edition.
Question 215
How many bits is the address space reserved for the source IP address within an IPv6 header?
• 128
• 256
• 64
• 32
Details:
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
An IPV6 address is 128bits so the source address will have to take up that much space in the header (as
will the destination address). The key is to distinguish between the size of an IPV6 address and the fact
that the source and destination addresses are part of the packet header.
When IPv4 was conceived in the late 1970s they thought that we would never need 4.3 Billion addresses
but we ran out of them years ago. It is not likely that we will ever run out of addresses any time soon
with numbers like those.
We've gotten by with IPv4 by using NAT (Network Address Translation), where many private IP addresses are hidden behind a single or a few externally routable IP addresses.
Unfortunately, early on companies were given huge blocks of address space, like class A networks with 2^24 or 16,777,216 addresses, even when only a small handful were used within the company. Also, the 127.0.0.0/8 loopback range reserves as many.
IPv6 addresses are written in 8 groups of 4 hexadecimal digits separated by colons like this:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
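An added example, not from the original page, that builds and parses the 40-byte fixed IPv6 header so that the 128-bit source and destination fields and the other fields described below can be seen at their actual offsets. The addresses used are the documentation-prefix example above and made-up 2001:db8 addresses:

```python
import ipaddress
import struct

FIXED_HEADER_LEN = 40


def build_ipv6_header(src, dst, payload_len, next_header, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Pack the 40-byte fixed IPv6 header: version(4) | traffic class(8) | flow label(20),
    payload length(16), next header(8), hop limit(8), source(128), destination(128)."""
    if not 0 <= flow_label < 2 ** 20 or not 0 <= traffic_class < 256:
        raise ValueError("flow label is 20 bits, traffic class 8 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(raw):
    """Decode the fixed header and check its length fields against the bytes received."""
    if len(raw) < FIXED_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", raw[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version field = {version})")
    if len(raw) - FIXED_HEADER_LEN < payload_len:
        raise ValueError("payload length field exceeds the bytes received")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": next_header,  # 58 = ICMPv6, 6 = TCP, 17 = UDP
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(raw[8:24])),   # 128 bits = 16 bytes
        "dst": str(ipaddress.IPv6Address(raw[24:40])),  # 128 bits = 16 bytes
        "payload": raw[40:40 + payload_len],
    }
```

raw[8:24] is the source address field: sixteen bytes, i.e. the 128 bits the question asks about. The payload-length check matters for anything that parses packets off the wire, since a header that claims more payload than was received is either truncated or crafted.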
Source address (128 bits) The 128-bit source address field contains the IPv6 address of the originating
node of the packet. It is the address of the originator of the IPv6 packet.
Destination address (128 bits) The 128-bit contains the destination address of the recipient node of the
IPv6 packet. It is the address of the intended recipient of the IPv6 packet.
Version/IP version (4-bits) The 4-bit version field contains the number 6. It indicates the version of the
IPv6 protocol. This field is the same size as the IPv4 version field that contains the number 4. However,
this field has a limited use because IPv4 and IPv6 packets are not distinguished based on the value in the
version field but by the protocol type present in the layer 2 envelope.
Packet priority/Traffic class (8 bits) The 8-bit Priority field in the IPv6 header can assume different values
to enable the source node to differentiate between the packets generated by it by associating different
delivery priorities to them. This field is subsequently used by the originating node and the routers to
identify the data packets that belong to the same traffic class and distinguish between packets with
different priorities.
Flow Label/QoS management (20 bits) The 20-bit flow label field in the IPv6 header can be used by a source to label a set of packets belonging to the same flow. A flow is uniquely identified by the combination of the source address and a non-zero Flow Label. Multiple active flows may exist from a source to a destination, as well as traffic that is not associated with any flow (Flow Label = 0).
The IPv6 routers must handle the packets belonging to the same flow in a similar fashion. The
information on handling of IPv6 data packets belonging to a given flow may be specified within the data
packets themselves or it may be conveyed by a control protocol such as the RSVP (Resource reSerVation
Protocol).
When routers receive the first packet of a new flow, they can process the information carried by the
IPv6 header, Routing header, and Hop-by-Hop extension headers, and store the result (e.g. determining
the retransmission of specific IPv6 data packets) in a cache memory and use the result to route all other
packets belonging to the same flow (having the same source address and the same Flow Label), by using
the data stored in the cache memory.
Payload length in bytes (16 bits) The 16-bit payload length field contains the length of the data field, in octets, following the IPv6 packet header. The 16-bit Payload Length field puts an upper limit of 64 kilobytes on the packet payload. In case a larger payload is required, a Jumbo Payload extension header is provided in the IPv6 protocol. A Jumbo Payload (Jumbogram) is indicated by the value zero in the Payload Length field. Jumbograms are frequently used in supercomputer communication using the IPv6 protocol to transmit heavy data payloads.
Next Header (8 bits) The 8-bit Next Header field identifies the type of header immediately following the
IPv6 header and located at the beginning of the data field (payload) of the IPv6 packet. This field usually
specifies the transport layer protocol used by a packet's payload. The two most common kinds of Next
Headers are TCP (6) and UDP (17), but many other headers are also possible. The format adopted for
this field is the one proposed for IPv4 by RFC 1700. In case of IPv6 protocol, the Next Header field is
similar to the IPv4 Protocol field.
Time To Live (TTL)/Hop Limit (8 bits) The 8-bit Hop Limit field is decremented by one, by each node
(typically a router) that forwards a packet. If the Hop Limit field is decremented to zero, the packet is
discarded. The main function of this field is to identify and to discard packets that are stuck in an
indefinite loop due to any routing information errors. The 8-bit field also puts an upper limit on the
maximum number of links between two IPv6 nodes. In this way, an IPv6 data packet is allowed a
maximum of 255 hops before it is eventually discarded. An IPv6 data packet can pass through a maximum
of 254 routers before being discarded.
In case of IPv6 protocol, the fields for handling fragmentation do not form a part of the basic header.
They are put into a separate extension header. Moreover, fragmentation is exclusively handled by the
sending host. Routers are not employed in the Fragmentation process.
For further details, please see RFC 2460 - Internet Protocol, Version 6 (IPv6) Specification.
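The field layout just described, as an added example that is not part of the study guide: a Python builder and parser for the 40-byte IPv6 fixed header, using the standard struct and ipaddress modules. The addresses, payload length and flow label values in the usage block are constructed for illustration; the zero payload length check shows how a jumbogram is signalled.

```python
import struct
import ipaddress

# Constructed example (not from the study guide): build and parse the
# 40-byte IPv6 fixed header described above (RFC 2460 field layout).

IPV6_HEADER_LEN = 40          # 8 bytes of fixed fields + two 128-bit addresses
NEXT_HEADER_NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6"}   # common values only


def build_ipv6_header(src, dst, payload_len, next_header=6, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Pack the fixed header: 4-bit version, 8-bit traffic class, 20-bit
    flow label, then payload length, next header, hop limit and the two
    128-bit addresses, all in network byte order."""
    if not 0 <= flow_label < (1 << 20):
        raise ValueError("flow label is a 20-bit field")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    fixed = struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
    return (fixed
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(data):
    """Unpack the fixed header back into its fields.  Raises on truncated
    input or on a non-6 version nibble (an IPv4 header starts with 0x45)."""
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 header (version nibble = {version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        # A zero payload length signals a Jumbo Payload option (jumbogram)
        "jumbogram": payload_len == 0,
        "next_header": next_header,
        "next_header_name": NEXT_HEADER_NAMES.get(next_header, "other"),
        "hop_limit": hop_limit,
        # ipaddress renders the 128-bit fields in compressed colon notation
        "src": str(ipaddress.IPv6Address(data[8:24])),
        "dst": str(ipaddress.IPv6Address(data[24:40])),
    }


def address_space_size(bits):
    """Number of distinct addresses a field of `bits` bits can hold."""
    return 1 << bits


if __name__ == "__main__":
    # Constructed sample values
    hdr = build_ipv6_header("2001:0db8:85a3:0000:0000:8a2e:0370:7334",
                            "2001:db8::1", payload_len=20, flow_label=0xABCDE)
    print(len(hdr), parse_ipv6_header(hdr))
    print(address_space_size(128))
```

The parser rejects anything whose version nibble is not 6, which is the only check the text says the version field is really good for; the jumbogram flag reflects the zero-length convention described above.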
- 32: This answer would be right if the question were about IPv4, but it isn't, so the answer is wrong. 32 bits yields 4,294,967,296 unique IP addresses, and considering the RFC for IPv4 was released in 1981, it has proven to have a remarkable lifespan. After more than 30 years and the huge growth of the internet, it's no wonder its lifespan is coming to an end.
- 64: This is only half the size of an IPv6 address, so this isn't correct. 64 bits would yield a huge number of addresses, which probably would have been enough, but the designers wanted to be sure never to run out of addresses on planet earth, hence the 128-bit address space in IPv6.
- 256: This isn't correct because 256 bits is twice the size of an IPv6 address, far too many addresses than are necessary at this or any other point in time.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12591
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 53). Wiley. Kindle Edition.
Question 216
Which of the following answers presents the MOST significant threat to network based IDS or IPS
systems?
• Encrypted Traffic
• Segregated VLANs
Details:
Discussion: Encrypted network packets present the biggest threat to an effective IDS/IPS plan because the traffic cannot easily (or quickly) be decoded and examined.
Encrypted packets can't be examined by the IDS to determine whether there is a threat inside, so in most cases the traffic is just forwarded along, together with the potential threat.
There is an industry in which a company provides examination services for your network traffic, acting like a proxy server for all of it.
You simply send them copies of your certificates so they can decode the traffic. This is common in the financial industry, where violating federal law or being sued by federal investigators for insider trading can lead to business collapse.
The external company examines all the network traffic coming into and going out of your network for potential liabilities.
- Complex IDS/IPS Signature syntax: IDS/IPS signatures can be complex but this isn't the MOST significant
threat to the functionality of an IDS/IPS system.
- Digitally Signed Network Packets: This is an incorrect answer because it isn't a threat to IDS/IPS
systems looking for dangerous network traffic. Foremost because we don't commonly digitally sign each
network packet we send.
- Segregated VLANs: This is not a correct answer, but VLANs can present barriers to IDS/IPS systems spotting dangerous traffic. There is an easy solution for VLANs and IDS/IPS systems: simply place an IDS/IPS sensor on that VLAN and set it up to send its traffic to the IDS/IPS management system.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16016
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (Pg. 138) Wiley. Kindle Edition.
Question 217
Which answer describes an application proxy that monitors and inspects all HTTP/HTTPS requests to
assess web application vulnerabilities?
• Web IDS
• Web Scarab
• HTTP Interceptor
Details:
Threats come from all directions these days including traffic to and from your servers and clients using
HTTP and HTTPS protocols.
HTTP Interceptors analyze applications that communicate using the HTTP and HTTPS protocols, such as browsers and other web-based apps.
Some examples of HTTP Interceptors are Burp Suite, Web Scarab and Paros Proxy.
- Web caching engine: Web caching engines don't always monitor HTTP messages for threatening
signatures. Caching engines usually just maintain current copies of web sites for users on a LAN to speed
up fetching of web sites. They also reduce internet traffic.
- Web IDS: This isn't a commonly used term, so this is incorrect, but an IDS can monitor HTTP communications for threatening traffic. It can't usually watch HTTPS traffic because it is encrypted.
- Web Scarab: This is a framework for analyzing applications that use HTTP, so it is itself an HTTP Interceptor and therefore isn't the correct answer. Read more here about Web Scarab.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 181). Wiley. Kindle Edition.
Question 218
Which of the following statements correctly describes the difference between a packet filtering firewall and a stateful inspection firewall?
• Packet filtering firewall and Stateful firewall both maintain session of client.
• Packet filtering firewall do not maintain client session whereas Stateful firewall maintains client
session.
• Packet filtering firewall is a second generation firewall whereas Stateful is a first generation of
firewall.
• Packet filtering firewall and Stateful firewall do not maintain any session of client.
Correct Answer is: Packet filtering firewall do not maintain client session whereas Stateful firewall
maintains client session.
Details:
The correct answer is: Packet filtering firewall do not maintain client session whereas stateful firewall maintains client session.
• The advantages of a packet filtering firewall are simplicity and generally stable performance, since the filtering rules are applied at the network layer.
• Its simplicity is also a disadvantage, because it is vulnerable to attacks from improperly configured filters and attacks tunneled over permitted services.
• Some of the more common attacks on packet filtering are IP spoofing, source routing specification and miniature fragment attacks.
• A stateful inspection firewall keeps track of the destination IP address of each packet that leaves the organization's internal network.
• Session tracking is done by mapping the source IP address of an incoming packet against the list of destination IP addresses that is maintained and updated.
• The disadvantage is that a stateful inspection firewall can be relatively complex to administer compared to other firewalls.
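To make the session-tracking difference concrete, here is an added example (not from the study guide or any firewall product): a toy stateless packet filter beside a toy stateful inspection filter that follows the TCP three-way handshake. The hosts, ports and the stateless "reply means ACK bit set" rule are constructed assumptions, and teardown is simplified to the first FIN or RST ending tracking.

```python
from dataclasses import dataclass

# Constructed example (not from the study guide): a packet filter with no
# session memory next to a stateful inspection filter that tracks the TCP
# handshake.  Packets are reduced to the fields the filters need.


@dataclass(frozen=True)
class Packet:
    direction: str      # "out": internal host -> Internet, "in": Internet -> internal host
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST"}


class PacketFilter:
    """Stateless packet filter: each packet is judged alone against static
    rules.  The classic 'established' rule lets any inbound packet with the
    ACK bit set through, because without a session table the filter cannot
    know whether an outbound SYN ever preceded it."""

    def allow(self, pkt):
        if pkt.direction == "out":
            return True                      # internal hosts may initiate anything
        return "ACK" in pkt.flags            # looks like a reply, so permit it


class StatefulFilter:
    """Stateful inspection: remember outbound connection attempts and only
    admit inbound packets that match a known session in the expected state."""

    def __init__(self):
        # key: (internal ip, internal port, external ip, external port) -> state
        self.sessions = {}

    def allow(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                self.sessions[key] = "SYN_SENT"        # new session, awaiting SYN/ACK
                return True
            state = self.sessions.get(key)
            if state is None:
                return False                            # no session: drop
            if "RST" in pkt.flags or "FIN" in pkt.flags:
                del self.sessions[key]                  # simplified teardown
            elif state == "SYN_RECEIVED" and "ACK" in pkt.flags:
                self.sessions[key] = "ESTABLISHED"      # third step of the handshake
            return True
        # inbound: look the session up with the tuple reversed
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.sessions.get(key)
        if state is None:
            return False                                # unsolicited (e.g. a SYN/ACK with no prior SYN)
        if state == "SYN_SENT":
            if pkt.flags == frozenset({"SYN", "ACK"}):
                self.sessions[key] = "SYN_RECEIVED"
                return True
            return False                                # wrong step for this state
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            del self.sessions[key]                      # simplified teardown
        return True


def run_trace(filt, packets):
    """Apply a filter to a packet sequence; returns the list of verdicts."""
    return [filt.allow(p) for p in packets]


if __name__ == "__main__":
    # Constructed traffic: a normal handshake, then an unsolicited SYN/ACK
    handshake = [
        Packet("out", "10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"})),
        Packet("in", "203.0.113.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
        Packet("out", "10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"ACK"})),
    ]
    stray = Packet("in", "198.51.100.7", 443, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))
    print("stateless:", run_trace(PacketFilter(), handshake), PacketFilter().allow(stray))
    sf = StatefulFilter()
    print("stateful: ", run_trace(sf, handshake), sf.allow(stray))
```

Both filters pass the legitimate handshake; only the stateful one drops the stray SYN/ACK, which is the "no prior SYN" case the text describes, and the price is the per-session table the administrator has to size and tune.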
Firewall
Firewalls are used to restrict access to one network from another network. Most companies use
firewalls to restrict access to their networks from the Internet. They may also use firewalls to restrict
one internal network segment from accessing another internal segment. For example, if the security
administrator wants to make sure employees
cannot access the research and development network, he would place a firewall between this network
and all other networks and configure the firewall to allow only the type of traffic he deems acceptable. A
firewall device supports and enforces the company’s network security policy. An organizational security
policy provides high-level directives on acceptable and unacceptable actions as they pertain to
protecting critical assets. The firewall has a more defined and granular security policy that dictates what
services are allowed to be accessed, what IP addresses and ranges are to be restricted, and what ports
can be accessed.
The firewall is described as a “choke point” in the network because all communication should flow
through it, and this is where traffic is inspected and restricted. A firewall may be a server running a
firewall software product or a specialized hardware appliance. It monitors packets coming into and out
of the network it is protecting. It can discard packets, repackage them, or redirect them, depending
upon the firewall configuration. Packets are filtered based on their source and destination addresses,
and ports by service, packet type, protocol type, header information, sequence bits, and
much more. Many times, companies set up firewalls to construct a demilitarized zone (DMZ), which is a
network segment located between the protected and unprotected networks. The DMZ provides a buffer
zone between the dangerous Internet and the goodies within the internal network that the company is
trying to protect. As shown in
Figure 6-46, two firewalls are usually installed to form the DMZ. The DMZ usually contains web, mail,
and DNS servers, which must be hardened systems because they would be the first in line for attacks.
Many DMZs also have an IDS sensor that listens for malicious and suspicious behavior.
Many different types of firewalls are available, because each environment may have unique
requirements and security goals. Firewalls have gone through an evolution of their own and have grown
in sophistication and functionality. The following sections describe the various types of firewalls.
All other choices presented were incorrect answers because none of them gave the proper definition.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14563
Question 219
Which of the following is the unique identifier within an IPSec packet that enables the sending host to
reference the security parameter to apply?
• SA (Security Association)
• AH (Authentication Header)
Details:
The Security Parameter Index (SPI) is the unique identifier that enables the sending host to reference
the security parameter to apply in order to decrypt the packet.
For your exam, you should know the information below about the IPSec protocol:
The IP network layer packet security protocol establishes VPNs via transport and tunnel mode encryption methods.
In transport mode, the data portion of each packet is encrypted; encryption within IPSec is referred to as the Encapsulating Security Payload (ESP), and it is ESP that provides confidentiality in the process.
In tunnel mode, the ESP payload and its headers are encrypted. To achieve non-repudiation, an additional Authentication Header (AH) is applied.
In establishing IPSec sessions in either mode, Security Associations (SAs) are established. SAs define which security parameters should be applied between communicating parties, such as encryption algorithms, key initialization vectors, life span of keys, etc., within either the ESP or AH header, respectively. An SA is established when a 32-bit Security Parameter Index (SPI) field is defined within the sending host. The SPI is the unique identifier that enables the sending host to reference the security parameter to apply, as specified, on the receiving host.
IPSec can be made more secure by using asymmetric encryption through the use of Internet Security
Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows automated key
management, use of public keys, negotiation, establishment, modification and deletion of SAs and
attributes. For authentication, the sender uses digital certificates. The connection is made secure by
supporting the generation, authentication, distribution of the SAs and the cryptographic keys.
The following were incorrect answers:
• SA – Security Association (SA) defines which security parameters should be applied between
communicating parties as encryption algorithms, key initialization vector, life span of keys, etc.
• ESP – Encapsulating Security Payload (ESP) is used to support authentication of the sender and encryption of data.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14868
Question 220
Which of the following statements CORRECTLY describes the difference between IPSec and SSH
protocols?
• IPSec works at the transport layer and SSH works at the network layer of an OSI Model
• IPSec works at the network layer and SSH works at the transport layer of an OSI Model
• IPSec works at the network layer where as SSH works at the application layer of an OSI Model
• IPSec works at the transport layer and SSH works at the application layer of an OSI Model
Correct Answer is: IPSec works at the network layer where as SSH works at the application layer of an
OSI Model
Details:
The correct answer is: IPSec works at the network layer where as SSH works at the application layer of
an OSI Model
This question is testing your knowledge not only of the OSI layer at which IPSec and SSH operate but, to a large degree, of the differences between them. There are many secure protocols: SKIP, swIPe, S-RPC and SSL/TLS, as well as IPSec and SSH. Both IPSec and SSH encrypt sensitive data before transmitting it on internal networks.
• SSH - A client-server program that opens a secure, encrypted command-line shell session from the Internet for remote logon. Secure Shell (SSH) uses port 22 by default, makes its connections via TCP, and allows data to be sent and received (in motion) securely between two networked systems, using Diffie-Hellman key exchange and integrity checking with message authentication codes (MACs). It is used to remotely administer Unix/Linux systems and network devices.
SSH uses strong cryptography to protect data, including passwords, binary files and administrative commands, transmitted between systems on a network. SSH is typically implemented between two parties by validating each other's credentials via digital certificates. SSH is implemented at the application layer.
• IPSec - The IP network layer packet security protocol transmits the actual packets of information from one IP address to another, as described in the Shon Harris blog below.
The Internet Protocol Security (IPSec) protocol suite provides a method of setting up a secure channel
for protected data exchange between two devices. The devices that share this secure channel can be
two servers, two routers, a workstation and a server, or two gateways between different networks.
IPSec is a widely accepted standard for providing network layer protection. It can be more flexible and
less expensive than end-to end and link encryption methods.
IPSec has strong encryption and authentication methods, and although it can be used to enable
tunneled communication between two computers, it is usually employed to establish virtual private
networks (VPNs) among networks across the Internet.
IPSec is not a strict protocol that dictates the type of algorithm, keys, and authentication method to use.
Rather, it is an open, modular framework that provides a lot of flexibility for companies when they
choose to use this type of technology. IPSec uses two basic security protocols: Authentication Header
(AH) and Encapsulating Security Payload (ESP). AH is the authenticating protocol, and ESP is an
authenticating and encrypting protocol that uses cryptographic mechanisms to provide source
authentication, confidentiality, and message integrity.
IPSec can work in one of two modes: transport mode, in which the payload of the message is protected,
and tunnel mode, in which the payload and the routing and header information are protected. ESP in
transport mode encrypts the actual message information so it cannot be sniffed and uncovered by an
unauthorized entity. Tunnel mode provides a higher level of protection by also protecting the header
and trailer data an attacker may find useful. Figure 8-26 shows the high-level view of the steps of setting
up an IPSec connection.
Each device will have at least one security association (SA) for each VPN it uses. The SA, which is critical
to the IPSec architecture, is a record of the configurations the device needs to support an IPSec
connection. When two devices complete their handshaking process, which means they have agreed
upon a long list of parameters they will use to communicate, these data must be recorded and stored
somewhere, which is in the SA.
The SA can contain the authentication and encryption keys, the agreed-upon algorithms, the key
lifetime, and the source IP address. When a device receives a packet via the IPSec protocol, it is the SA
that tells the device what to do with the packet. So if device B receives a packet from device C via IPSec,
device B will look to the corresponding SA to tell it how to decrypt the packet, how to properly
authenticate the source of the packet, which key to use, and how to reply to the message if necessary.
SAs are directional, so a device will have one SA for outbound traffic and a different SA for inbound
traffic for each individual communication channel. If a device is connecting to three devices, it will have
at least six SAs, one for each inbound and outbound connection per remote device. So how can a device
keep all of these SAs organized and ensure that the right SA is invoked for the right connection? With
the mighty security parameter index (SPI), that's how. Each device has an SPI that keeps track of the
different SAs and tells the device which one is appropriate to invoke for the different packets it receives.
The SPI value is in the header of an IPSec packet, and the device reads this value to tell it which SA to
consult.
IPSec can authenticate the sending devices of the packet by using MAC (covered in the earlier section, "The One-Way Hash"). The ESP protocol can provide authentication, integrity, and confidentiality if the devices are configured for this type of functionality.
So if a company just needs to make sure it knows the source of the sender and must be assured of the
integrity of the packets, it would choose to use AH. If the company would like to use these services and
also have confidentiality, it would use the ESP protocol because it provides encryption functionality. In
most cases, the reason ESP is employed is because the company must set up a secure VPN connection.
It may seem odd to have two different protocols that provide overlapping functionality. AH provides
authentication and integrity, and ESP can provide those two functions and confidentiality. Why even
bother with AH then? In most cases, the reason has to do with whether the environment is using
network address translation (NAT). IPSec will generate an integrity check value (ICV), which is really the
same thing as a MAC value, over a portion of the packet. Remember that the sender and receiver
generate their own values. In IPSec, it is called an ICV value. The receiver compares her ICV value with
the one sent by the sender. If the values match, the receiver can be assured the packet has not been
modified during transmission. If the values are different, the packet has been altered and the receiver
discards the packet.
The AH protocol calculates this ICV over the data payload, transport, and network headers. If the packet
then goes through a NAT device, the NAT device changes the IP address of the packet. That is its job.
This means a portion of the data (network header) that was included to calculate the ICV value has now
changed, and the receiver will generate an ICV value that is different from the one sent with the packet,
which means the packet will be discarded automatically.
The ESP protocol follows similar steps, except it does not include the network header portion when calculating its ICV value. When the NAT device changes the IP address, it will not affect the receiver's ICV value because it does not include the network header when calculating the ICV.
Because IPSec is a framework, it does not dictate which hashing and encryption algorithms are to be
used or how keys are to be exchanged between devices. Key management can be handled manually or
automated by a key management protocol. The de facto standard for IPSec is to use Internet Key
Exchange (IKE), which is a combination of the ISAKMP and OAKLEY protocols. The Internet Security
Association and Key Management Protocol (ISAKMP) is a key exchange architecture that is independent
of the type of keying mechanisms used. Basically, ISAKMP provides the framework of what can be
negotiated to set up an IPSec connection (algorithms, protocols, modes, keys). The OAKLEY protocol is
the one that carries out the negotiation process. You can think of ISAKMP as providing the playing field
(the infrastructure) and OAKLEY as the guy running up and down the playing field (carrying out the steps
of the negotiation).
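The SPI lookup and the AH-versus-ESP behaviour under NAT described above, as an added example not taken from the book or from any IPsec implementation: an SA database indexed by SPI, an HMAC-based integrity check value, and a simulated NAT rewrite of the source address. The addresses, SPI values and key are made up, the "network header" is reduced to the two addresses a NAT device changes, and the ICV is a 96-bit truncated HMAC-SHA256 rather than any negotiated algorithm.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Constructed example (not from the study guide or any IPsec stack): SAs
# found by SPI, an HMAC ICV, and a NAT rewrite that breaks AH but not ESP.


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int            # 32-bit security parameter index carried in the packet
    protocol: str       # "AH" or "ESP"
    direction: str      # "in" or "out": SAs are unidirectional
    peer: str           # remote address this SA belongs to
    auth_key: bytes     # integrity key agreed during negotiation (constructed)


class SADatabase:
    """Every SA a device knows; the SPI on an arriving packet is the key
    that finds the one telling the device how to handle it."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.spi, sa.protocol)] = sa

    def lookup(self, spi, protocol):
        return self._sas.get((spi, protocol))


def network_header(src, dst):
    """Minimal stand-in for the IP header: just the two addresses,
    which is the part a NAT gateway rewrites."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed


def compute_icv(sa, ip_hdr, payload):
    """AH covers the network header as well; ESP leaves it out."""
    covered = struct.pack("!I", sa.spi) + payload
    if sa.protocol == "AH":
        covered = ip_hdr + covered
    return hmac.new(sa.auth_key, covered, hashlib.sha256).digest()[:12]   # 96-bit ICV


def protect(sa, src, dst, payload):
    """Sender side: emit a packet carrying SPI, payload and ICV."""
    return {"src": src, "dst": dst, "spi": sa.spi, "protocol": sa.protocol,
            "payload": payload,
            "icv": compute_icv(sa, network_header(src, dst), payload)}


def nat_rewrite(pkt, public_src):
    """What a NAT gateway does to an outbound packet: swap the private source."""
    return {**pkt, "src": public_src}


def verify(sadb, pkt):
    """Receiver side: find the SA by SPI, recompute the ICV, compare it."""
    sa = sadb.lookup(pkt["spi"], pkt["protocol"])
    if sa is None or sa.direction != "in":
        return False                  # unknown SPI: nothing says how to handle this packet
    expected = compute_icv(sa, network_header(pkt["src"], pkt["dst"]), pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


# Constructed setup: device B (10.0.0.2, behind NAT 198.51.100.1) sends to device C (203.0.113.9).
KEY = b"constructed-example-key-not-for-real-use"
AH_SA_OUT = SecurityAssociation(0x1001, "AH", "out", "203.0.113.9", KEY)
AH_SA_IN = SecurityAssociation(0x1001, "AH", "in", "10.0.0.2", KEY)
ESP_SA_OUT = SecurityAssociation(0x2002, "ESP", "out", "203.0.113.9", KEY)
ESP_SA_IN = SecurityAssociation(0x2002, "ESP", "in", "10.0.0.2", KEY)


def receiver_sadb():
    """Device C's inbound SAs, one per SPI it handed out during negotiation."""
    db = SADatabase()
    db.add(AH_SA_IN)
    db.add(ESP_SA_IN)
    return db


def deliver(sa, payload, through_nat):
    """Send one packet from B to C, optionally via NAT; return C's verdict."""
    pkt = protect(sa, "10.0.0.2", "203.0.113.9", payload)
    if through_nat:
        pkt = nat_rewrite(pkt, "198.51.100.1")
    return verify(receiver_sadb(), pkt)


if __name__ == "__main__":
    print("AH  direct :", deliver(AH_SA_OUT, b"hello", through_nat=False))
    print("AH  via NAT:", deliver(AH_SA_OUT, b"hello", through_nat=True))
    print("ESP via NAT:", deliver(ESP_SA_OUT, b"hello", through_nat=True))
```

The receiver never guesses which keys to use: the SPI in the packet selects the SA, and a packet with an SPI that is not in the database is dropped before any cryptography runs. Real AH also zeroes mutable header fields (TTL, checksum) before computing the ICV; the source address is not mutable, so the NAT failure shown here is the same one the text describes.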
IPSec is very complex with all of its components and possible configurations. This complexity is what
provides for a great degree of flexibility, because a company has many different configuration choices to
achieve just the right level of protection. If this is all new to you and still confusing, please review one or
more of the following references to help fill in the gray areas.
The following reference(s) was/were used to create this question:
7th Study Guide Chapter 5 Section: Protecting Data with Transport Encryption, kindle 5412, page 173
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14868
Question 221
Which of the following protocols was developed jointly by VISA and MasterCard to secure payment transactions among all parties involved in credit card transactions on behalf of cardholders and merchants?
• S/HTTP
• SET
• S/MIME
• SSH
Details:
Secure Electronic Transaction (SET) is a protocol developed jointly by VISA and MasterCard to secure payment transactions among all parties involved in credit card transactions on behalf of cardholders and merchants. As an open system specification, SET is an application-oriented protocol that uses a trusted third party's encryption and digital-signature processes, via the PKI infrastructure of trusted third-party institutions, to address confidentiality of information, integrity of data, cardholder authentication, merchant authentication and interoperability.
• SSH – A client-server program that opens a secure, encrypted command-line shell session from the Internet for remote logon. Similar to a VPN, SSH uses strong cryptography to protect data, including passwords, binary files and administrative commands, transmitted between systems on a network. SSH is typically implemented between two parties by validating each other's credentials via digital certificates. SSH is useful in securing Telnet and FTP services, and is implemented at the application layer, as opposed to operating at the network layer (IPSec implementation).
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 31008
Question 222
A Private Branch Exchange (PBX) environment involves many security risks, including people both
internal and external to an organization. Which of the following risks are NOT associated with a PBX?
1. Theft of service
2. Disclosure of information
3. Data Modifications
4. Denial of service
5. Traffic Analysis
• 4 and 5
• 3 and 4
Correct Answer is: They are ALL risks associated with PBX
Details:
The correct answer is: They are all risks associated with PBX
The NOT is a keyword in the question. You need to find the risks which are NOT associated with a PBX. All the risks listed in the options are associated with a PBX.
The threats to a PBX telephone system are many, depending on the goals of the attackers, and include:
• Theft of service - Toll fraud, probably the most common motive for attackers.
• Data modification - Data altered in some meaningful way by recording, deleting or modifying it. For example, an intruder may change billing information or modify system tables to gain additional services.
• Unauthorized access – Actions that permit an unauthorized user to gain access to system resources or privileges.
• Denial of service - Actions that prevent the system from functioning in accordance with its intended purpose. A piece of equipment or entity may be rendered inoperable or forced to operate in a degraded state; operations that depend on timeliness may be delayed.
• Traffic analysis – A form of passive attack in which an intruder observes information about calls and makes inferences, e.g. from the source and destination numbers or the frequency and length of messages. For example, an intruder observes a high volume of calls between a company's legal department and the patent office, and concludes that a patent is being filed.
All the risks presented in the options are associated with a PBX, so the other options are not valid.
The following reference(s) was/were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14693
Question 223
Which of the following is a sophisticated computer based switch that can be thought of as essentially a
small in-house phone company for the organization?
• Voice over IP
• Dial-up connection
Details:
A Private Branch Exchange (PBX) is a sophisticated computer-based switch that can be thought of as essentially a small in-house phone company for the organization that operates it. Protection of the PBX is thus a high priority. Failure to secure the PBX can result in exposing the organization to toll fraud, theft of proprietary or confidential information, loss of revenue or legal entanglements.
A PBX environment involves many security risks, presented by people both internal and external to an organization. The threats to a PBX telephone system are many, depending on the goals of the attackers, and include:
• Theft of service - Toll fraud, probably the most common motive for attackers.
• Disclosure of information - Data disclosed without authorization, either by deliberate action or by accident. Examples include eavesdropping on conversations and unauthorized access to routing and address data.
• Data modification - Data altered in some meaningful way by recording, deleting or modifying it. For example, an intruder may change billing information or modify system tables to gain additional services.
• Unauthorized access – Actions that permit an unauthorized user to gain access to system resources or privileges.
• Denial of service - Actions that prevent the system from functioning in accordance with its intended purpose. A piece of equipment or entity may be rendered inoperable or forced to operate in a degraded state; operations that depend on timeliness may be delayed.
• Traffic analysis – A form of passive attack in which an intruder observes information about calls and makes inferences, e.g. from the source and destination numbers or the frequency and length of messages. For example, an intruder observes a high volume of calls between a company's legal department and the patent office, and concludes that a patent is being filed.
• Virtual Local Area Network - A virtual local area network (VLAN) is a logical group of workstations, servers and network devices that appear to be on the same LAN despite their geographical distribution. A VLAN allows a network of computers and users to communicate in a simulated environment as if they existed on a single LAN and shared a single broadcast and multicast domain. VLANs are implemented to achieve scalability, security and ease of network management, and can quickly adapt to changes in network requirements and the relocation of workstations and server nodes.
• Voice over IP - VoIP is a technology where voice traffic is carried on top of the existing data infrastructure. Sounds are digitized into IP packets and transferred through the network layer before being decoded back into the original voice.
• Dial-up connection - Dial-up refers to an Internet connection that is established using a modem. The modem connects the computer to standard phone lines, which serve as the data transfer medium. When a user initiates a dial-up connection, the modem dials the phone number of an Internet Service Provider (ISP) that is designated to receive dial-up calls. The ISP then establishes the connection, which usually takes about ten seconds and is accompanied by several beeping and buzzing sounds.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14693
CISA review manual 2014 Page number 356
Question 224
Which of the following PBX features allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available?
• Voice mail
• Tenanting
• Call forwarding
Details:
Automatic Call Distribution allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available.
For your exam you should know below mentioned PBX features and Risks:
Automatic Call distribution Allows a PBX to be configured so that incoming calls are distributed to
the next available agent or placed on-hold until one become available Tapping and control of traffic
Call forwarding Allow specifying an alternate number to which calls will be forwarded based on certain
condition User tracking
- Track calls made by certain people or for certain projects for appropriate billing
- Dial-In system access(user dials from outside and gain access to normal feature of the PBX)
- Changing the user class of service so a user can access a different set of features (i.e. the override
feature) Fraud,user tracking, non authorized features
Access Codes Key for access to specific feature from the part of users with simple instruments, i.e.
traditional analog phones. Non-authorized features
override(intrude) Provides for the possibility to break into a busy line to inform another user an
important message Eavesdropping
Auto-answer Allows an instrument to automatically go when called usually gives an auditor or visible
warning which can easily turned off Gaining information not normally available, for various purpose
Tenanting Limits system user access to only those users who belong to the same tenant group –
useful when one company leases out part of its building to other companies and tenants share an
attendant, trunk lines,etc Illegal usage, fraud, eavesdropping
Voice mail Stores messages centrally and – by using a password – allows for retrieval from inside or
outside lines. Disclosure or destruction of all messages of a user when that user's password in known
or discovered by an intruder, disabling of the voice mail system and even the entire switch by lengthy
messages or embedded codes, illegal access to external lines.
Privacy release Supports shared extensions among several devices, ensuring that only one device at a
time can use an extension. Privacy release disables the security by allowing devices to connect to an
extension already in use. Eavesdropping
Nonbusy extension Allows calls to an in-use extension to be added to a conference when that
extension is on conference and already off-hook Eavesdropping a conference in progress
Diagnostics Allows for bypassing normal call restriction procedures. This kind of diagnostic is
sometimes available from any connected device. It is a separate feature, in addition to the normal
maintenance terminal or attendant diagnostics Fraud and illegal usage
Camp-on or call waiting When activated, sends a visual audible warning to an off-hook instrument that is
receiving another call. Another option of this feature is to conference with the camped-on or call waiting
Making the called individual a party to a conference without knowing it.
Dedicated connections Connections made through the PBX without using the normal dialing sequences.
It can be used to create hot-lines between devices i.e. one rings when the other goes off-hook. It is also
used for data connections between devices and the central processing facility Eavesdropping on a line
• Call forwarding - Allows specifying an alternate number to which calls will be forwarded under
certain conditions.
• Tenanting - Limits system user access to only those users who belong to the same tenant group
– useful when one company leases out part of its building to other companies and tenants share an
attendant, trunk lines,etc
• Voice Mail - Stores messages centrally and – by using a password – allows for retrieval from
inside or outside lines.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14693
Question 225
Which of the following is an environmental issue caused by electric storms or noisy electric equipment
and may also cause a computer system to hang or crash?
• Brownout
• Blackout
• Sag
• Electromagnetic Interference
Details:
Electromagnetic interference (EMI) is caused by electrical storms or noisy electrical equipment. The
interference may cause a computer system to hang or crash, as well as damage similar to that caused by
sags, spikes and surges.
Because unshielded twisted pair (UTP) cable does not have the shielding that shielded twisted-pair cable
has, UTP is susceptible to interference from external electrical sources, which can reduce the integrity
of the signal. Also, to intercept transmitted data, an intruder can install a tap on the cable or monitor
the radiation from the wire. Thus, UTP may not be a good choice when transmitting very sensitive data or
when installed in an environment with much electromagnetic interference (EMI) or radio frequency
interference (RFI). Despite its drawbacks, UTP is the most common cable type: it is inexpensive, can be
easily bent during installation, and, in most cases, the risk from the above drawbacks is not enough to
justify more expensive cables.
For your exam you should know the following information about power failures:
• Total failure (blackout) – A complete loss of electric power, which may span from a single
building to an entire geographical area and is often caused by weather conditions or the inability of an
electric utility company to meet user demand.
• Severely reduced voltage (brownout) – The failure of an electric utility company to supply power
within the acceptable range. Such a failure places a strain on electronic equipment and may limit its
operational life or even cause permanent damage.
• Sags, spikes and surges – Temporary and rapid decreases (sags) or increases (spikes and surges) in
voltage level. These anomalies can cause loss of data, data corruption, network transmission errors or
physical damage to hardware devices.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 1441
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)
(Kindle Locations 6507-6512). Auerbach Publications. Kindle Edition.
Question 226
• PAN
• LAN
• SAN
• MAN
Details:
MAN - A metropolitan area network (MAN) is a computer network in which two or more computers,
communicating devices or networks that are geographically separated but located in the same
metropolitan city are connected to each other. Metropolitan limits are determined by the local municipal
corporation; the larger the city, the bigger the MAN, and the smaller the city, the smaller the MAN.
For your exam you should know the following information about computer networks:
A local area network (LAN) is a computer network that interconnects computers within a limited area
such as a home, school, computer laboratory, or office building using network media.
A wide area network (WAN) is a network that covers a broad area (i.e., any telecommunications network
that links across metropolitan, regional, national or international boundaries) using leased
telecommunication lines.
A metropolitan area network (MAN) is a computer network in which two or more computers,
communicating devices or networks that are geographically separated but located in the same
metropolitan city are connected to each other. Metropolitan limits are determined by the local municipal
corporation; the larger the city, the bigger the MAN, and the smaller the city, the smaller the MAN.
A personal area network (PAN) is a computer network used for data transmission among devices such as
computers, telephones and personal digital assistants. PANs can be used for communication among the
personal devices themselves (intrapersonal communication), or for connecting to a higher level network
and the Internet (an uplink).
A storage area network (SAN) is a dedicated network that provides access to consolidated, block-level
data storage. SANs are primarily used to make storage devices, such as disk arrays, tape libraries and
optical jukeboxes, accessible to servers so that the devices appear to the operating system like locally
attached devices. A SAN typically has its own network of storage devices that are generally not
accessible through the local area network (LAN) by other devices.
• PAN - A personal area network (PAN) is a computer network used for data transmission among
devices such as computers, telephones and personal digital assistants. PANs can be used for
communication among the personal devices themselves (intrapersonal communication), or for
connecting to a higher level network and the Internet (an uplink).
• LAN - A local area network (LAN) is a computer network that interconnects computers within a
limited area such as a home, school, computer laboratory, or office building using network media.
• SAN - A storage area network (SAN) is a dedicated network that provides access to consolidated,
block-level data storage. SANs are primarily used to make storage devices, such as disk arrays, tape
libraries and optical jukeboxes, accessible to servers so that the devices appear to the operating system
like locally attached devices. A SAN typically has its own network of storage devices that are
generally not accessible through the local area network (LAN) by other devices.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 30779
Question 227
Which of the following types of computer network is a variation of a LAN and is dedicated to connecting
storage devices to servers and other computing devices?
• MAN
• SAN
• PAN
• LAN
Details:
A storage area network (SAN) is a dedicated network that provides access to consolidated, block-level
data storage. SANs are primarily used to make storage devices, such as disk arrays, tape libraries and
optical jukeboxes, accessible to servers so that the devices appear to the operating system like locally
attached devices. A SAN typically has its own network of storage devices that are generally not
accessible through the local area network (LAN) by other devices.
For your exam you should know the following information about computer networks:
A local area network (LAN) is a computer network that interconnects computers within a limited area
such as a home, school, computer laboratory, or office building using network media.
A wide area network (WAN) is a network that covers a broad area (i.e., any telecommunications network
that links across metropolitan, regional, national or international boundaries) using leased
telecommunication lines.
Source of image: http://www.netprivateer.com/images/lanwan.gif
A metropolitan area network (MAN) is a computer network in which two or more computers,
communicating devices or networks that are geographically separated but located in the same
metropolitan city are connected to each other. Metropolitan limits are determined by the local municipal
corporation; the larger the city, the bigger the MAN, and the smaller the city, the smaller the MAN.
A personal area network (PAN) is a computer network used for data transmission among devices such as
computers, telephones and personal digital assistants. PANs can be used for communication among the
personal devices themselves (intrapersonal communication), or for connecting to a higher level network
and the Internet (an uplink).
A storage area network (SAN) is a dedicated network that provides access to consolidated, block-level
data storage. SANs are primarily used to make storage devices, such as disk arrays, tape libraries and
optical jukeboxes, accessible to servers so that the devices appear to the operating system like locally
attached devices. A SAN typically has its own network of storage devices that are generally not
accessible through the local area network (LAN) by other devices.
• LAN - A local area network (LAN) is a computer network that interconnects computers within a
limited area such as a home, school, computer laboratory, or office building using network media.
• MAN - A metropolitan area network (MAN) is a computer network in which two or more computers,
communicating devices or networks that are geographically separated but located in the same
metropolitan city are connected to each other. Metropolitan limits are determined by the local municipal
corporation; the larger the city, the bigger the MAN, and the smaller the city, the smaller the MAN.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 21387
Question 228
Which of the following types of network service is used by a networked computer to obtain an IP address
and other parameters such as the default gateway and subnet mask?
• Network Management
• DHCP
• DNS
• Directory Service
Details:
The correct answer is: DHCP
Dynamic Host Configuration Protocol (DHCP) - The Dynamic Host Configuration Protocol (DHCP) is a
standardized networking protocol used on Internet Protocol (IP) networks for dynamically distributing
network configuration parameters, such as IP addresses for interfaces and services. With DHCP,
computers request IP addresses and networking parameters automatically from a DHCP server, reducing
the need for a network administrator or a user to configure these settings manually.
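The parameters the question lists (address, subnet mask, default gateway) travel as type-length-value options in the DHCP message, and the same message carries the identity of the server that answered, which is what a client or a sensor needs in order to notice an unauthorised server handing out a gateway of its choosing. The following is an added example, not code from the page or from any DHCP implementation: it parses the option list of a DHCPOFFER and flags offers from servers outside an allow-list. The two packets, the RFC 5737 documentation addresses in them and the `TRUSTED_DHCP_SERVERS` allow-list are all constructed here for illustration.

```python
import struct
import ipaddress

# Option codes from RFC 2132 (the parameters the question mentions are 1, 3 and 54).
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie between the fixed header and the options
FIXED_HEADER_LEN = 236            # op ... file, the fixed-size fields of RFC 2131

# Assumption for this example: the only DHCP server the site has authorised.
TRUSTED_DHCP_SERVERS = {"192.0.2.1"}


def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def parse_options(payload: bytes) -> dict:
    """Walk the TLV option list: stop at END, skip PAD, reject truncated options."""
    opts = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, got {len(value)}")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> dict:
    """Return the fields a client acts on: type, offered address, mask, router, DNS, lease, server."""
    if len(packet) < FIXED_HEADER_LEN + 4:
        raise ValueError("packet shorter than the DHCP fixed header")
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    xid = struct.unpack("!I", packet[4:8])[0]
    opts = parse_options(packet[FIXED_HEADER_LEN + 4:])
    dns_raw = opts.get(OPT_DNS, b"")
    return {
        "xid": xid,
        "type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN"),
        "yiaddr": _ip(packet[16:20]),   # 'your' address: the lease being offered
        "subnet_mask": _ip(opts[OPT_SUBNET_MASK]) if OPT_SUBNET_MASK in opts else None,
        "router": _ip(opts[OPT_ROUTER][:4]) if OPT_ROUTER in opts else None,
        "dns": [_ip(dns_raw[i:i + 4]) for i in range(0, len(dns_raw) - 3, 4)],
        "lease": struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else None,
        "server_id": _ip(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None,
    }


def is_rogue_offer(msg: dict) -> bool:
    """An OFFER or ACK from a server outside the allow-list is the classic rogue-DHCP indicator."""
    return msg["type"] in ("OFFER", "ACK") and msg["server_id"] not in TRUSTED_DHCP_SERVERS


def build_offer(xid: int, yiaddr: str, server: str, mask: str, router: str,
                dns: str, lease: int) -> bytes:
    """Construct a DHCPOFFER (BOOTREPLY) so the parser can be exercised offline."""
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=2 (reply), htype=1, hlen=6
    pkt += b"\x00" * 4                                    # ciaddr
    pkt += ipaddress.IPv4Address(yiaddr).packed           # yiaddr
    pkt += ipaddress.IPv4Address(server).packed           # siaddr
    pkt += b"\x00" * 4                                    # giaddr
    pkt += b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128    # chaddr, sname, file
    assert len(pkt) == FIXED_HEADER_LEN
    opts = (bytes([OPT_MSG_TYPE, 1, 2])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server).packed
            + bytes([OPT_SUBNET_MASK, 4]) + ipaddress.IPv4Address(mask).packed
            + bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
            + bytes([OPT_DNS, 4]) + ipaddress.IPv4Address(dns).packed
            + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
            + bytes([OPT_END]))
    return pkt + DHCP_MAGIC + opts


# Constructed sample traffic (RFC 5737 documentation addresses), not captured from a real network.
LEGIT_OFFER = build_offer(0x3903F326, "192.0.2.50", "192.0.2.1", "255.255.255.0",
                          "192.0.2.1", "192.0.2.53", 86400)
# Same lease, but from an unknown server that also names itself as gateway and resolver.
ROGUE_OFFER = build_offer(0x3903F326, "192.0.2.50", "192.0.2.66", "255.255.255.0",
                          "192.0.2.66", "192.0.2.66", 86400)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        msg = parse_dhcp(pkt)
        print(name, msg, "ROGUE" if is_rogue_offer(msg) else "ok")
```

The length check inside `parse_options` matters: a client that trusts the declared option length and reads past the end of the buffer is exactly the kind of parser that over-reads on a malformed packet, and a rogue server is in a position to send one.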
For your exam you should know the following information about network services:
In computer networking, a network service is an application running at the network application layer
and above, that provides data storage, manipulation, presentation, communication or other capability
which is often implemented using a client-server or peer-to-peer architecture based on application layer
network protocols.
Each service is usually provided by a server component running on one or more computers (often a
dedicated server computer offering multiple services) and accessed via a network by client components
running on other devices. However, the client and server components can both be run on the same
machine.
Clients and servers will often have a user interface, and sometimes other hardware associated with
them.
• Network File System - Network File System (NFS) is a distributed file system protocol originally
developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a
network much as local storage is accessed.
• Remote Access Service - Remote Access Services (RAS) refers to any combination of hardware
and software that enables remote access to tools or information that typically reside on a network of IT
devices.
• Directory Services - A directory service is the software system that stores, organizes and
provides access to information in a directory. In software engineering, a directory is a map between
names and values. It allows the lookup of values given a name, similar to a dictionary. As a word in a
dictionary may have multiple definitions, in a directory, a name may be associated with multiple,
different pieces of information. Likewise, as a word may have different parts of speech and different
definitions, a name in a directory may have many different types of data.
• Print Services - Provide the ability, typically through a print server on a network, to manage and
execute print request services from other devices on the network
• Domain Name System (DNS) - Translates the names of network nodes into IP addresses.
• Directory Service - A directory service is the software system that stores, organizes and provides
access to information in a directory. In software engineering, a directory is a map between names and
values. It allows the lookup of values given a name, similar to a dictionary. As a word in a dictionary may
have multiple definitions, in a directory, a name may be associated with multiple, different pieces of
information. Likewise, as a word may have different parts of speech and different definitions, a name in
a directory may have many different types of data.
• Domain Name System (DNS) - Translates the names of network nodes into IP addresses.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12461
Question 229
Which of the following layers of the OSI model provides a standard interface for applications to
communicate with devices on a network?
• Application layer
• Presentation layer
• Session layer
• Transport layer
Details:
The application layer serves as the window for users and application processes to access network
services. This layer contains a variety of commonly needed functions:
• Inter-process communication
• Network management
• Directory services
For your exam you should know the following information about the OSI model:
The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and
standardizes the internal functions of a communication system by partitioning it into abstraction layers.
The model is a product of the Open Systems Interconnection project at the International Organization
for Standardization (ISO) and is maintained under the identifier ISO/IEC 7498-1.
The model groups communication functions into seven logical layers. A layer serves the layer above it
and is served by the layer below it. For example, a layer that provides error-free communications across
a network provides the path needed by applications above it, while it calls the next lower layer to send
and receive packets that make up the contents of that path. Two instances at the same layer are
connected by a horizontal (peer-to-peer) connection.
PHYSICAL LAYER
The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception
of the unstructured raw bit stream over a physical medium. It describes the electrical/optical,
mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher
layers. It provides:
Data encoding: modifies the simple digital signal pattern (1s and 0s) used by the PC to better
accommodate the characteristics of the physical medium, and to aid in bit and frame synchronization. It
determines:
DATA LINK LAYER
The data link layer provides error-free transfer of data frames from one node to another over the
physical layer, allowing layers above it to assume virtually error-free transmission over the link. To do
this, the data link layer provides:
• Link establishment and termination: establishes and terminates the logical link between two
nodes.
• Frame traffic control: tells the transmitting node to "back-off" when no frame buffers are
available.
• Media access management: determines when the node "has the right" to use the physical
medium.
NETWORK LAYER
The network layer controls the operation of the subnet, deciding which physical path the data should
take based on network conditions, priority of service, and other factors. It provides:
• Subnet traffic control: routers (network layer intermediate systems) can instruct a sending
station to "throttle back" its frame transmission when the router's buffer fills up.
• Subnet usage accounting: has accounting functions to keep track of frames forwarded by
subnet intermediate systems, to produce billing information.
Communications Subnet
The network layer software must build headers so that the network layer software residing in the subnet
intermediate systems can recognize them and use them to route data to the destination address.
This layer relieves the upper layers of the need to know anything about the data transmission and
intermediate switching technologies used to connect systems. It establishes, maintains and terminates
connections across the intervening communications facility (one or several intermediate systems in the
communication subnet).
In the network layer and the layers below, peer protocols exist between a node and its immediate
neighbor, but the neighbor may be a node through which data is routed, not the destination station. The
source and destination stations may be separated by many intermediate systems.
TRANSPORT LAYER
The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or
duplications. It relieves the higher layer protocols from any concern with the transfer of data between
them and their peers.
The size and complexity of a transport protocol depends on the type of service it can get from the
network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is
required. If the network layer is unreliable and/or only supports datagrams, the transport protocol
should include extensive error detection and recovery.
• Message segmentation: accepts a message from the (session) layer above it, splits the
message into smaller units (if not already small enough), and passes the smaller units down to the
network layer. The transport layer at the destination station reassembles the message.
• Message traffic control: tells the transmitting station to "back-off" when no message buffers
are available.
• Session multiplexing: multiplexes several message streams, or sessions onto one logical link
and keeps track of which messages belong to which sessions (see session layer).
Typically, the transport layer can accept relatively large messages, but there are strict message size
limits imposed by the network (or lower) layer. Consequently, the transport layer must break up the
messages into smaller units, or frames, prepending a header to each frame.
The transport layer header information must then include control information, such as message start
and message end flags, to enable the transport layer on the other end to recognize message boundaries.
In addition, if the lower layers do not maintain sequence, the transport header must contain sequence
information to enable the transport layer on the receiving end to get the pieces back together in the
right order before handing the received message up to the layer above.
End-to-end layers
Unlike the lower "subnet" layers whose protocol is between immediately adjacent nodes, the transport
layer and the layers above are true "source to destination" or end-to-end layers, and are not concerned
with the details of the underlying communications facility. Transport layer software (and software above
it) on the source station carries on a conversation with similar software on the destination station by
using message headers and control messages.
SESSION LAYER
The session layer allows session establishment between processes running on different stations. It
provides:
• Session support: performs the functions that allow these processes to communicate over the
network, performing security, name recognition, logging, and so on.
PRESENTATION LAYER
The presentation layer formats the data to be presented to the application layer. It can be viewed as the
translator for the network. This layer may translate data from a format used by the application layer into
a common format at the sending station, then translate the common format to a format known to the
application layer at the receiving station.
• Data compression: reduces the number of bits that need to be transmitted on the network.
• Data encryption: encrypt data for security purposes. For example, password encryption.
APPLICATION LAYER
The application layer serves as the window for users and application processes to access network
services. This layer contains a variety of commonly needed functions:
• Inter-process communication
• Network management
• Directory services
• Presentation layer - The presentation layer formats the data to be presented to the application
layer. It can be viewed as the translator for the network. This layer may translate data from a format
used by the application layer into a common format at the sending station, then translate the common
format to a format known to the application layer at the receiving station.
• Session layer - The session layer allows session establishment between processes running on
different stations.
• Transport layer - The transport layer ensures that messages are delivered error-free, in
sequence, and with no losses or duplications. It relieves the higher layer protocols from any concern
with the transfer of data between them and their peers.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242
Question 230
Which of the following layers of the OSI model ensures that messages are delivered error-free, in
sequence, and with no losses or duplications?
• Transport layer
• Session layer
• Presentation layer
• Application layer
Details:
The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or
duplications. It relieves the higher layer protocols from any concern with the transfer of data between
them and their peers.
The size and complexity of a transport protocol depends on the type of service it can get from the
network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is
required. If the network layer is unreliable and/or only supports datagrams, the transport protocol
should include extensive error detection and recovery.
• Message segmentation: accepts a message from the (session) layer above it, splits the message
into smaller units (if not already small enough), and passes the smaller units down to the network layer.
The transport layer at the destination station reassembles the message.
• Message traffic control: tells the transmitting station to "back-off" when no message buffers are
available.
• Session multiplexing: multiplexes several message streams, or sessions onto one logical link and
keeps track of which messages belong to which sessions (see session layer).
For your exam you should know the following information about the OSI model:
The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and
standardizes the internal functions of a communication system by partitioning it into abstraction layers.
The model is a product of the Open Systems Interconnection project at the International Organization
for Standardization (ISO) and is maintained under the identifier ISO/IEC 7498-1.
The model groups communication functions into seven logical layers. A layer serves the layer above it
and is served by the layer below it. For example, a layer that provides error-free communications across
a network provides the path needed by applications above it, while it calls the next lower layer to send
and receive packets that make up the contents of that path. Two instances at the same layer are
connected by a horizontal (peer-to-peer) connection.
PHYSICAL LAYER
The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception
of the unstructured raw bit stream over a physical medium. It describes the electrical/optical,
mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher
layers. It provides:
Data encoding: modifies the simple digital signal pattern (1s and 0s) used by the PC to better
accommodate the characteristics of the physical medium, and to aid in bit and frame synchronization. It
determines:
DATA LINK LAYER
The data link layer provides error-free transfer of data frames from one node to another over the
physical layer, allowing layers above it to assume virtually error-free transmission over the link. To do
this, the data link layer provides:
• Link establishment and termination: establishes and terminates the logical link between two
nodes.
• Frame traffic control: tells the transmitting node to "back-off" when no frame buffers are
available.
• Media access management: determines when the node "has the right" to use the physical
medium.
NETWORK LAYER
The network layer controls the operation of the subnet, deciding which physical path the data should
take based on network conditions, priority of service, and other factors. It provides:
• Subnet traffic control: routers (network layer intermediate systems) can instruct a sending
station to "throttle back" its frame transmission when the router's buffer fills up.
• Subnet usage accounting: has accounting functions to keep track of frames forwarded by
subnet intermediate systems, to produce billing information.
Communications Subnet
The network layer software must build headers so that the network layer software residing in the subnet
intermediate systems can recognize them and use them to route data to the destination address.
This layer relieves the upper layers of the need to know anything about the data transmission and
intermediate switching technologies used to connect systems. It establishes, maintains and terminates
connections across the intervening communications facility (one or several intermediate systems in the
communication subnet).
In the network layer and the layers below, peer protocols exist between a node and its immediate
neighbor, but the neighbor may be a node through which data is routed, not the destination station. The
source and destination stations may be separated by many intermediate systems.
TRANSPORT LAYER
The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or
duplications. It relieves the higher layer protocols from any concern with the transfer of data between
them and their peers.
The size and complexity of a transport protocol depends on the type of service it can get from the
network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is
required. If the network layer is unreliable and/or only supports datagrams, the transport protocol
should include extensive error detection and recovery.
• Message segmentation: accepts a message from the (session) layer above it, splits the
message into smaller units (if not already small enough), and passes the smaller units down to the
network layer. The transport layer at the destination station reassembles the message.
• Message traffic control: tells the transmitting station to "back-off" when no message buffers
are available.
• Session multiplexing: multiplexes several message streams, or sessions onto one logical link
and keeps track of which messages belong to which sessions (see session layer).
Typically, the transport layer can accept relatively large messages, but there are strict message size
limits imposed by the network (or lower) layer. Consequently, the transport layer must break up the
messages into smaller units, or frames, prepending a header to each frame.
The transport layer header information must then include control information, such as message start
and message end flags, to enable the transport layer on the other end to recognize message boundaries.
In addition, if the lower layers do not maintain sequence, the transport header must contain sequence
information to enable the transport layer on the receiving end to get the pieces back together in the
right order before handing the received message up to the layer above.
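The transport-layer job described in the Details of this question and again in the section above (segment a message, carry sequence information, and hand the receiver a copy that is complete, in order and free of duplicates even though the network below may drop, reorder or duplicate units) is easiest to see in code. The following is an added example and not code from the page or from any real protocol stack: the segment format, the cumulative-acknowledgement retransmission strategy and the `lossy_network` stand-in for an unreliable datagram network are all constructed here for illustration, and the sample message is made up.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int       # sequence number: offset of the first byte within the message
    data: bytes
    last: bool     # marks the final segment so the receiver can recognise the message end


def segment(message: bytes, mss: int) -> list:
    """Sender side: split a message into segments no larger than the network's maximum size."""
    if mss <= 0:
        raise ValueError("mss must be positive")
    segs = []
    for off in range(0, len(message), mss):
        chunk = message[off:off + mss]
        segs.append(Segment(off, chunk, off + len(chunk) == len(message)))
    return segs or [Segment(0, b"", True)]   # an empty message is still one (final) segment


class Reassembler:
    """Receiver side: accept segments in any order, drop duplicates, deliver bytes in order."""

    def __init__(self) -> None:
        self.expected = 0          # next sequence number we can hand up (cumulative ACK point)
        self.pending = {}          # seq -> Segment that arrived early and waits for the gap to fill
        self.delivered = bytearray()
        self.complete = False
        self.duplicates = 0

    def receive(self, seg: Segment) -> None:
        if seg.seq < self.expected or seg.seq in self.pending:
            self.duplicates += 1   # already delivered, or already buffered: discard
            return
        self.pending[seg.seq] = seg
        while self.expected in self.pending:   # deliver every segment that is now contiguous
            s = self.pending.pop(self.expected)
            self.delivered += s.data
            self.expected += len(s.data)
            if s.last:
                self.complete = True


def lossy_network(segs: list, rng: random.Random) -> list:
    """Constructed stand-in for a datagram network: reorders, drops (20%) and duplicates (20%)."""
    out = []
    for s in segs:
        r = rng.random()
        if r < 0.2:
            continue                # lost in transit
        out.append(s)
        if r > 0.8:
            out.append(s)           # delivered twice
    rng.shuffle(out)
    return out


def transfer(message: bytes, mss: int, seed: int = 1, max_rounds: int = 100) -> tuple:
    """Run the exchange: the sender retransmits everything past the receiver's cumulative ACK
    until the receiver reports the whole message. Returns (bytes delivered, rounds, duplicates)."""
    rng = random.Random(seed)
    segs = segment(message, mss)
    rx = Reassembler()
    rounds = 0
    while not rx.complete and rounds < max_rounds:
        rounds += 1
        unacked = [s for s in segs if s.seq >= rx.expected]   # go-back-N style retransmission
        for s in lossy_network(unacked, rng):
            rx.receive(s)
    return bytes(rx.delivered), rounds, rx.duplicates


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"   # constructed sample message
    data, rounds, dups = transfer(msg, mss=8, seed=42)
    print(data == msg, rounds, dups)
```

The sequence number is what makes both guarantees possible: it lets the receiver place an early segment and, because anything below `expected` has already been handed up, it lets the receiver recognise a retransmitted or duplicated segment instead of delivering it twice. That is also why a sequence number an attacker can predict matters for a real transport protocol: the receiver has no other way to tell a legitimate segment from an injected one.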
End-to-end layers
Unlike the lower "subnet" layers whose protocol is between immediately adjacent nodes, the transport
layer and the layers above are true "source to destination" or end-to-end layers, and are not concerned
with the details of the underlying communications facility. Transport layer software (and software above
it) on the source station carries on a conversation with similar software on the destination station by
using message headers and control messages.
SESSION LAYER
The session layer allows session establishment between processes running on different stations. It
provides:
• Session support: performs the functions that allow these processes to communicate over the
network, performing security, name recognition, logging, and so on.
PRESENTATION LAYER
The presentation layer formats the data to be presented to the application layer. It can be viewed as the
translator for the network. This layer may translate data from a format used by the application layer into
a common format at the sending station, then translate the common format to a format known to the
application layer at the receiving station.
• Data compression: reduces the number of bits that need to be transmitted on the network.
• Data encryption: encrypts data for security purposes. For example, password encryption.
APPLICATION LAYER
The application layer serves as the window for users and application processes to access network
services. This layer contains a variety of commonly needed functions:
• Inter-process communication
• Network management
• Directory services
• Application Layer - The application layer serves as the window for users and application
processes to access network services.
• Presentation layer - The presentation layer formats the data to be presented to the application
layer. It can be viewed as the translator for the network. This layer may translate data from a format
used by the application layer into a common format at the sending station, then translate the common
format to a format known to the application layer at the receiving station.
• Session layer - The session layer allows session establishment between processes running on
different stations.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242
Question 231
Which of the following layers of the OSI model transmits and receives the bit stream as electrical, optical
or radio signals over an appropriate medium or carrier?
• Physical Layer
• Transport Layer
• Network Layer
Details:
The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception
of the unstructured raw bit stream over a physical medium. It describes the electrical/optical,
mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher
layers.
For your exam you should know the following information about the OSI model:
The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and
standardizes the internal functions of a communication system by partitioning it into abstraction layers.
The model is a product of the Open Systems Interconnection project at the International Organization
for Standardization (ISO), maintained under the identification ISO/IEC 7498-1.
The model groups communication functions into seven logical layers. A layer serves the layer above it
and is served by the layer below it. For example, a layer that provides error-free communications across
a network provides the path needed by applications above it, while it calls the next lower layer to send
and receive packets that make up the contents of that path. Two instances at one layer are connected
by a horizontal connection.
The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception
of the unstructured raw bit stream over a physical medium. It describes the electrical/optical,
mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher
layers. It provides:
Data encoding: modifies the simple digital signal pattern (1s and 0s) used by the PC to better
accommodate the characteristics of the physical medium, and to aid in bit and frame synchronization. It
determines:
The data link layer provides error-free transfer of data frames from one node to another over the
physical layer, allowing layers above it to assume virtually error-free transmission over the link. To do
this, the data link layer provides:
• Link establishment and termination: establishes and terminates the logical link between two
nodes.
• Frame traffic control: tells the transmitting node to "back-off" when no frame buffers are
available.
• Media access management: determines when the node "has the right" to use the physical
medium.
NETWORK LAYER
The network layer controls the operation of the subnet, deciding which physical path the data should
take based on network conditions, priority of service, and other factors. It provides:
• Subnet traffic control: routers (network layer intermediate systems) can instruct a sending
station to "throttle back" its frame transmission when the router's buffer fills up.
• Subnet usage accounting: has accounting functions to keep track of frames forwarded by
subnet intermediate systems, to produce billing information.
Communications Subnet
The network layer software must build headers so that the network layer software residing in the subnet
intermediate systems can recognize them and use them to route data to the destination address.
This layer relieves the upper layers of the need to know anything about the data transmission and
intermediate switching technologies used to connect systems. It establishes, maintains and terminates
connections across the intervening communications facility (one or several intermediate systems in the
communication subnet).
In the network layer and the layers below, peer protocols exist between a node and its immediate
neighbor, but the neighbor may be a node through which data is routed, not the destination station. The
source and destination stations may be separated by many intermediate systems.
TRANSPORT LAYER
The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or
duplications. It relieves the higher layer protocols from any concern with the transfer of data between
them and their peers.
The size and complexity of a transport protocol depends on the type of service it can get from the
network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is
required. If the network layer is unreliable and/or only supports datagrams, the transport protocol
should include extensive error detection and recovery.
• Message segmentation: accepts a message from the (session) layer above it, splits the
message into smaller units (if not already small enough), and passes the smaller units down to the
network layer. The transport layer at the destination station reassembles the message.
• Message traffic control: tells the transmitting station to "back-off" when no message buffers
are available.
• Session multiplexing: multiplexes several message streams, or sessions, onto one logical link
and keeps track of which messages belong to which sessions (see session layer).
Typically, the transport layer can accept relatively large messages, but there are strict message size
limits imposed by the network (or lower) layer. Consequently, the transport layer must break up the
messages into smaller units, or frames, prepending a header to each frame.
The transport layer header information must then include control information, such as message start
and message end flags, to enable the transport layer on the other end to recognize message boundaries.
In addition, if the lower layers do not maintain sequence, the transport header must contain sequence
information to enable the transport layer on the receiving end to get the pieces back together in the
right order before handing the received message up to the layer above.
End-to-end layers
Unlike the lower "subnet" layers whose protocol is between immediately adjacent nodes, the transport
layer and the layers above are true "source to destination" or end-to-end layers, and are not concerned
with the details of the underlying communications facility. Transport layer software (and software above
it) on the source station carries on a conversation with similar software on the destination station by
using message headers and control messages.
SESSION LAYER
The session layer allows session establishment between processes running on different stations. It
provides:
• Session support: performs the functions that allow these processes to communicate over the
network, performing security, name recognition, logging, and so on.
PRESENTATION LAYER
The presentation layer formats the data to be presented to the application layer. It can be viewed as the
translator for the network. This layer may translate data from a format used by the application layer into
a common format at the sending station, then translate the common format to a format known to the
application layer at the receiving station.
• Data compression: reduces the number of bits that need to be transmitted on the network.
• Data encryption: encrypts data for security purposes. For example, password encryption.
APPLICATION LAYER
The application layer serves as the window for users and application processes to access network
services. This layer contains a variety of commonly needed functions:
• Inter-process communication
• Network management
• Directory services
• Transport layer - The transport layer ensures that messages are delivered error-free, in
sequence, and with no losses or duplications. It relieves the higher layer protocols from any concern
with the transfer of data between them and their peers.
• Network layer - The network layer controls the operation of the subnet, deciding which physical
path the data should take based on network conditions, priority of service, and other factors.
• Data link layer - The data link layer provides error-free transfer of data frames from one node to
another over the physical layer, allowing layers above it to assume virtually error-free transmission over
the link.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242
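The transport-layer behaviour described above (segmentation with start/end flags, sequence numbers, reassembly in the right order) is easier to see in code. The following is an added example, not code from the practice test or the (ISC)2 guide: the five-byte header layout (sequence number, flags, payload length), the function names and the "unreliable lower layer" that reorders and duplicates segments are all assumptions made for the illustration, not any real protocol's format.

```python
import random
import struct

# Assumed header layout (not a real protocol): 16-bit sequence number,
# 8-bit flags, 16-bit payload length, all in network byte order.
HEADER_FMT = "!HBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
FLAG_START = 0x01  # first segment of the message
FLAG_END = 0x02    # last segment of the message


def segment(message: bytes, mtu: int) -> list:
    """Split `message` into segments no larger than `mtu`, each carrying a header
    with its sequence number and the message-boundary flags."""
    if mtu <= HEADER_LEN:
        raise ValueError("MTU leaves no room for payload")
    payload_max = mtu - HEADER_LEN
    chunks = [message[i:i + payload_max] for i in range(0, len(message), payload_max)] or [b""]
    segments = []
    for seq, chunk in enumerate(chunks):
        flags = (FLAG_START if seq == 0 else 0) | (FLAG_END if seq == len(chunks) - 1 else 0)
        segments.append(struct.pack(HEADER_FMT, seq, flags, len(chunk)) + chunk)
    return segments


def parse(seg: bytes):
    """Return (seq, flags, payload); reject a segment whose length field does not
    match what actually arrived (a truncated or tampered segment)."""
    if len(seg) < HEADER_LEN:
        raise ValueError("truncated header")
    seq, flags, length = struct.unpack(HEADER_FMT, seg[:HEADER_LEN])
    payload = seg[HEADER_LEN:]
    if len(payload) != length:
        raise ValueError(f"segment {seq}: length field {length} != payload {len(payload)}")
    return seq, flags, payload


def missing_segments(received) -> list:
    """Sequence numbers still outstanding. If the END segment has arrived the
    total is known; otherwise only gaps below the highest seq seen are reported."""
    parsed = [parse(s) for s in received]
    if not parsed:
        return [0]
    seen = {seq for seq, _, _ in parsed}
    ends = [seq for seq, flags, _ in parsed if flags & FLAG_END]
    last = ends[0] if ends else max(seen)
    return [s for s in range(last + 1) if s not in seen]


def reassemble(received) -> bytes:
    """Rebuild the message from segments delivered in any order, tolerating
    duplicates and refusing to hand an incomplete message up to the layer above."""
    parsed = [parse(s) for s in received]
    ends = [seq for seq, flags, _ in parsed if flags & FLAG_END]
    if not ends:
        raise ValueError("END flag not seen: message boundary unknown")
    if not any(seq == 0 and flags & FLAG_START for seq, flags, _ in parsed):
        raise ValueError("START flag missing on sequence 0")
    gaps = missing_segments(received)
    if gaps:
        raise ValueError(f"missing segments {gaps}")
    by_seq = {seq: payload for seq, _, payload in parsed}  # duplicates overwrite
    return b"".join(by_seq[s] for s in range(ends[0] + 1))


def unreliable_delivery(segments, seed: int = 7) -> list:
    """Constructed lower layer: reorders the segments and duplicates one, loses none."""
    rng = random.Random(seed)
    out = list(segments) + [rng.choice(segments)]
    rng.shuffle(out)
    return out


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"  # constructed sample message
    segs = segment(msg, mtu=16)
    print(len(segs), "segments of at most 16 bytes")
    print("reassembled correctly:", reassemble(unreliable_delivery(segs)) == msg)
```

The check in `parse` is the one a receiver must never skip: a length field that disagrees with the bytes actually present is how a malformed or hostile segment is told apart from a valid one, and `reassemble` refuses to deliver anything until every sequence number up to the END segment is present.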
Question 232
In which of the following media access technologies are devices not allowed to send data over the
network until the device/station is in possession of a token?
• CSMA/CD
• Token ring
• CSMA/CA
• CSMA
Details:
The correct answer is: Token ring
Token Ring Media Access Technology is a protocol which resides at the data link layer (DLL) of the OSI
model.
It uses a special three-byte frame called a token that travels around the ring.
Token-possession grants the possessor permission to transmit on the medium. Token ring frames travel
completely around the loop also called ring.
For the CISA exam you should know the following information about Media Access Technologies:
Carrier sense multiple access (CSMA) is a probabilistic media access control (MAC) protocol in which a
node verifies the absence of other traffic before transmitting on a shared transmission medium, such as
an electrical bus, or a band of the electromagnetic spectrum.
Carrier sense means that a transmitter uses feedback from a receiver to determine whether another
transmission is in progress before initiating a transmission. That is, it tries to detect the presence of a
carrier wave from another station before attempting to transmit. If a carrier is sensed, the station waits
for the transmission in progress to finish before initiating its own transmission. In other words, CSMA is
based on the principle "sense before transmit" or "listen before talk".
Multiple access means that multiple stations send and receive on the medium. Transmissions by one
node are generally received by all other stations connected to the medium.
Carrier Sense Multiple Access With Collision Detection (CSMA/CD) is a media access control method
used most notably in local area networking using early Ethernet technology. It uses a carrier sensing
scheme in which a transmitting data station detects other signals while transmitting a frame, and stops
transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying
to resend the frame.
CSMA/CD is a modification of pure carrier sense multiple access (CSMA). CSMA/CD is used to improve
CSMA performance by terminating transmission as soon as a collision is detected, thus shortening the
time required before a retry can be attempted.
Carrier sense multiple access with collision avoidance (CSMA/CA), in computer networking, is a network
multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by
transmitting only when the channel is sensed to be "idle". When they do transmit, nodes transmit
their packet data in its entirety.
It is particularly important for wireless networks, where the collision detection of the alternative
CSMA/CD is unreliable due to the hidden node problem.
CSMA/CA is a protocol that operates in the Data Link Layer (Layer 2) of the OSI model.
Token Ring
Token ring local area network (LAN) technology is a protocol which resides at the data link layer (DLL) of
the OSI model. It uses a special three-byte frame called a token that travels around the ring.
Token possession grants the possessor permission to transmit on the medium. Token ring frames travel
completely around the loop.
Initially used only in IBM computers, it was eventually standardized with protocol IEEE 802.5.
• When a computer has a message to send, it seizes the token. The computer will then be able to
send the frame.
• The frame is then examined by each successive workstation. The workstation that identifies
itself to be the destination for the message copies it from the frame and changes the token back to 0.
• When the frame gets back to the originator, it sees that the token has been changed to 0 and
that the message has been copied and received. It removes the message from the frame.
• The frame continues to circulate as an "empty" frame, ready to be taken by a workstation when
it has a message to send.
The token scheme can also be used with bus topology LANs.
Fiber Distributed Data Interface (FDDI) technology, developed by the American National Standards
Institute (ANSI), is a high-speed, token-passing, media access technology. FDDI has a data transmission
speed of up to 100 Mbps and is usually used as a backbone network using fiber-optic cabling. FDDI also
provides fault tolerance by offering a second counter-rotating fiber ring. The primary ring has data
traveling clockwise and is used for regular data transmission. The second ring transmits data in a
counterclockwise fashion and is invoked only if the primary ring goes down. Sensors watch the primary
ring and, if it goes down, invoke a ring wrap so the data will be diverted to the second ring. Each node
on the FDDI network has relays that are connected to both rings, so if a break in the ring occurs, the two
rings can be joined.
The following were incorrect answers:
• CSMA - Carrier sense multiple access (CSMA) is a probabilistic media access control (MAC)
protocol in which a node verifies the absence of other traffic before transmitting on a shared
transmission medium, such as an electrical bus, or a band of the electromagnetic spectrum.
• CSMA/CD - Carrier sense means that a transmitter uses feedback from a receiver to determine
whether another transmission is in progress before initiating a transmission. That is, it tries to detect the
presence of a carrier wave from another station before attempting to transmit. If a carrier is sensed, the
station waits for the transmission in progress to finish before initiating its own transmission. In other
words, CSMA is based on the principle "sense before transmit" or "listen before talk".
• CSMA/CA - Carrier sense multiple access with collision avoidance (CSMA/CA), in computer
networking, is a network multiple access method in which carrier sensing is used, but nodes attempt to
avoid collisions by transmitting only when the channel is sensed to be "idle". When they do transmit,
nodes transmit their packet data in its entirety.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15214
Question 233
In which of the following media access technologies can a device not put data on the network wire
without possession of a token, and which provides fault tolerance by offering a second counter-rotating ring?
• CSMA/CD
• Token ring
• FDDI
• CSMA/CA
Correct Answer is: FDDI
Details:
Fiber Distributed Data Interface (FDDI) technology, developed by the American National Standards
Institute (ANSI), is a high-speed, token-passing, media access technology. FDDI has a data transmission
speed of up to 100 Mbps and is usually used as a backbone network using fiber-optic cabling. FDDI also
provides fault tolerance by offering a second counter-rotating fiber ring. The primary ring has data
traveling clock- wise and is used for regular data transmission. The second ring transmits data in a
counterclockwise fashion and is invoked only if the primary ring goes down.
For the CISA exam you should know the following information about Media Access Technologies:
Carrier sense multiple access (CSMA) is a probabilistic media access control (MAC) protocol in which a
node verifies the absence of other traffic before transmitting on a shared transmission medium, such as
an electrical bus, or a band of the electromagnetic spectrum.
Carrier sense means that a transmitter uses feedback from a receiver to determine whether another
transmission is in progress before initiating a transmission. That is, it tries to detect the presence of a
carrier wave from another station before attempting to transmit. If a carrier is sensed, the station waits
for the transmission in progress to finish before initiating its own transmission. In other words, CSMA is
based on the principle "sense before transmit" or "listen before talk".
Multiple access means that multiple stations send and receive on the medium. Transmissions by one
node are generally received by all other stations connected to the medium.
Carrier Sense Multiple Access With Collision Detection (CSMA/CD) is a media access control method
used most notably in local area networking using early Ethernet technology. It uses a carrier sensing
scheme in which a transmitting data station detects other signals while transmitting a frame, and stops
transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying
to resend the frame.
CSMA/CD is a modification of pure carrier sense multiple access (CSMA). CSMA/CD is used to improve
CSMA performance by terminating transmission as soon as a collision is detected, thus shortening the
time required before a retry can be attempted.
Carrier sense multiple access with collision avoidance (CSMA/CA), in computer networking, is a network
multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by
transmitting only when the channel is sensed to be "idle". When they do transmit, nodes transmit
their packet data in its entirety.
It is particularly important for wireless networks, where the collision detection of the alternative
CSMA/CD is unreliable due to the hidden node problem.
CSMA/CA is a protocol that operates in the Data Link Layer (Layer 2) of the OSI model.
Token Ring
Token ring local area network (LAN) technology is a protocol which resides at the data link layer (DLL) of
the OSI model. It uses a special three-byte frame called a token that travels around the ring.
Token possession grants the possessor permission to transmit on the medium. Token ring frames travel
completely around the loop.
Initially used only in IBM computers, it was eventually standardized with protocol IEEE 802.5.
• When a computer has a message to send, it seizes the token. The computer will then be able to
send the frame.
• The frame is then examined by each successive workstation. The workstation that identifies
itself to be the destination for the message copies it from the frame and changes the token back to 0.
• When the frame gets back to the originator, it sees that the token has been changed to 0 and
that the message has been copied and received. It removes the message from the frame.
• The frame continues to circulate as an "empty" frame, ready to be taken by a workstation when
it has a message to send.
The token scheme can also be used with bus topology LANs.
Fiber Distributed Data Interface (FDDI) technology, developed by the American National Standards
Institute (ANSI), is a high-speed, token-passing, media access technology. FDDI has a data transmission
speed of up to 100 Mbps and is usually used as a backbone network using fiber-optic cabling. FDDI also
provides fault tolerance by offering a second counter-rotating fiber ring. The primary ring has data
traveling clockwise and is used for regular data transmission. The second ring transmits data in a
counterclockwise fashion and is invoked only if the primary ring goes down. Sensors watch the primary
ring and, if it goes down, invoke a ring wrap so the data will be diverted to the second ring. Each node
on the FDDI network has relays that are connected to both rings, so if a break in the ring occurs, the two
rings can be joined.
Image From http://www.mcmcse.com/glossary/images/fddi.jpg
• CSMA/CD - Carrier sense means that a transmitter uses feedback from a receiver to determine
whether another transmission is in progress before initiating a transmission. That is, it tries to detect the
presence of a carrier wave from another station before attempting to transmit. If a carrier is sensed, the
station waits for the transmission in progress to finish before initiating its own transmission. In other
words, CSMA is based on the principle "sense before transmit" or "listen before talk".
• CSMA/CA - Carrier sense multiple access with collision avoidance (CSMA/CA), in computer
networking, is a network multiple access method in which carrier sensing is used, but nodes attempt to
avoid collisions by transmitting only when the channel is sensed to be "idle". When they do transmit,
nodes transmit their packet data in its entirety.
• Token Ring - Token ring local area network (LAN) technology is a protocol which resides at the
data link layer (DLL) of the OSI model. It uses a special three-byte frame called a token that travels
around the ring. Token possession grants the possessor permission to transmit on the medium. Token
ring frames travel completely around the loop.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15237
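The four token ring steps listed in the explanations for Questions 232 and 233 (seize the token, the destination copies the frame and marks it, the originator strips the message, the empty frame circulates again) can be run as a small simulation. The code below is an added example, not code from the practice test or the (ISC)2 guide, and it is not the IEEE 802.5 frame format: the station names, the `Frame` fields and the `copied` flag (standing in for the bit the text says the destination changes) are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Frame:
    """One frame circulating on the ring. With token=True it is the free token;
    with token=False it carries data. 'copied' is an assumed name for the bit the
    destination flips so the originator can confirm delivery."""
    token: bool = True
    src: Optional[str] = None
    dst: Optional[str] = None
    payload: bytes = b""
    copied: bool = False


@dataclass
class Station:
    name: str
    outbox: List[Tuple[str, bytes]] = field(default_factory=list)  # (dst, payload) waiting to send
    inbox: List[Tuple[str, bytes]] = field(default_factory=list)   # (src, payload) received
    sent: List[Tuple[str, bool]] = field(default_factory=list)     # (dst, delivery confirmed)

    def handle(self, frame: Frame) -> Frame:
        """Act on the frame as it passes through and return what goes downstream."""
        if frame.token:
            # Step 1: only the holder of the free token may transmit; a station with
            # a queued message but no token simply repeats whatever passes by.
            if self.outbox:
                dst, payload = self.outbox.pop(0)
                return Frame(token=False, src=self.name, dst=dst, payload=payload)
            return frame
        if frame.src == self.name:
            # Step 3: the frame is back at its originator, which reads the copied
            # bit, removes the message and (step 4) releases an empty token.
            self.sent.append((frame.dst, frame.copied))
            return Frame(token=True)
        if frame.dst == self.name:
            # Step 2: the destination copies the data and marks the frame.
            self.inbox.append((frame.src, frame.payload))
            frame.copied = True
        return frame  # every other station just repeats the frame unchanged


def run_ring(stations: List[Station], laps: int) -> List[Tuple[str, str]]:
    """Circulate a single frame for `laps` full trips around the ring and return,
    per hop, which station handled it and what left that station."""
    frame = Frame()
    log = []
    for _ in range(laps):
        for st in stations:
            frame = st.handle(frame)
            log.append((st.name, "TOKEN" if frame.token else f"DATA {frame.src}->{frame.dst}"))
    return log


if __name__ == "__main__":
    ring = [Station(n) for n in "ABCD"]
    ring[0].outbox.append(("C", b"hello"))   # constructed traffic: A -> C
    ring[2].outbox.append(("B", b"reply"))   # constructed traffic: C -> B
    for hop in run_ring(ring, laps=3):
        print(hop)
    print("C received:", ring[2].inbox, "| A confirmed:", ring[0].sent)
```

Run with the constructed traffic, the hop log shows that C, although it has a message queued from the start, does not transmit until the free token reaches it on the second lap, after A's frame has made its full round trip and A has released the token.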
Question 234
• Bus
• Mesh
• Ring
• Star
Network topology refers to the physical or logical layout of a network. It defines the way different nodes
are placed and interconnected with each other. Alternately, network topology may describe how the
data is transferred between these nodes.
Physical topology emphasizes the physical layout of the connected devices and nodes, while the logical
topology focuses on the pattern of data transfer between network nodes.
For your exam you should know the information below related to LAN topologies:
LAN Topologies
Network topology is the physical arrangement of the various elements (links, nodes, etc.) of a computer
network.
Essentially, it is the topological structure of a network, and may be depicted physically or logically.
Physical topology refers to the placement of the network's various components, including device
location and cable installation, while logical topology shows how data flows within a network, regardless
of its physical design.
Distances between nodes, physical interconnections, transmission rates, and/or signal types may differ
between two networks, yet their topologies may be identical.
Bus
In local area networks where bus topology is used, each node is connected to a single cable. Each
computer or server is connected to the single bus cable. A signal from the source travels in both
directions to all machines connected on the bus cable until it finds the intended recipient. If the machine
address does not match the intended address for the data, the machine ignores the data. Alternatively,
if the data matches the machine address, the data is accepted. Since the bus topology consists of only
one wire, it is rather inexpensive to implement when compared to other topologies. However, the low
cost of implementing the technology is offset by the high cost of managing the network. Additionally,
since only one cable is utilized, it can be the single point of failure. The network cable must be terminated
at both ends: without termination data transfer stops, and if the cable breaks, the entire network
will be down.
Linear bus
The type of network topology in which all of the nodes of the network are connected to a common
transmission medium which has exactly two endpoints (this is the 'bus', which is also commonly referred
to as the backbone, or trunk). All data that is transmitted between nodes in the network is transmitted
over this common transmission medium and is able to be received by all nodes in the network
simultaneously.
Distributed bus
The type of network topology in which all of the nodes of the network are connected to a common
transmission medium which has more than two endpoints that are created by adding branches to the
main section of the transmission medium. The physical distributed bus topology functions in exactly the
same fashion as the physical linear bus topology (i.e., all nodes share a common transmission medium).
Star
In local area networks with a star topology, each network host is connected to a central point with a
point-to-point connection. In a star topology every node (computer workstation or any other peripheral)
is connected to a central node called a hub or switch.
The switch is the server and the peripherals are the clients. The network does not necessarily have to
resemble a star to be classified as a star network, but all of the nodes on the network must be
connected to one central device.
All traffic that traverses the network passes through the central point. The central point acts as a signal
repeater.
The star topology is considered the easiest topology to design and implement. An advantage of the star
topology is the simplicity of adding additional nodes. The primary disadvantage of the star topology is
that the central point represents a single point of failure.
Ring
A network topology that is set up in a circular fashion in which data travels around the ring in one
direction and each device on the ring acts as a repeater to keep the signal strong as it travels. Each
device incorporates a receiver for the incoming signal and a transmitter to send the data on to the next
device in the ring.
The network is dependent on the ability of the signal to travel around the ring. When a device sends
data, it must travel through each device on the ring until it reaches its destination. Every node is a
critical link. If one node goes down the whole link would be affected.
Mesh
The value of a fully meshed network is proportional to the exponent of the number of subscribers,
assuming that communicating groups of any two endpoints, up to and including all the endpoints, can
form; this is approximated by Reed's Law.
A mesh network provides for high availability and redundancy. However, the cost of such a network can
be very high if dozens of devices are in the mesh.
A fully connected network is a communication network in which each of the nodes is connected to each
other. In graph theory it is known as a complete graph. A fully connected network doesn't need to use
switching nor broadcasting. However, its major disadvantage is that the number of connections grows
quadratically with the number of nodes, so it is extremely impractical for large networks. A two-node
network is technically a fully connected network.
The type of network topology in which some of the nodes of the network are connected to more than
one other node in the network with a point-to-point link. This makes it possible to take advantage of
some of the redundancy that is provided by a physical fully connected mesh topology without the
expense and complexity required for a connection between every node in the network.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15082
http://www.bayt.com/en/specialties/q/29596/what-are-network-topologies/
Question 235
• Bus
• Star
• Ring
• Mesh
Correct Answer is: Mesh
Details:
For your exam you should know the information below related to LAN topologies:
LAN Topologies
Network topology is the physical arrangement of the various elements (links, nodes, etc.) of a computer
network.
Essentially, it is the topological structure of a network, and may be depicted physically or logically.
Physical topology refers to the placement of the network's various components, including device
location and cable installation, while logical topology shows how data flows within a network, regardless
of its physical design.
Distances between nodes, physical interconnections, transmission rates, and/or signal types may differ
between two networks, yet their topologies may be identical.
Bus
In local area networks where bus topology is used, each node is connected to a single cable. Each
computer or server is connected to the single bus cable. A signal from the source travels in both
directions to all machines connected on the bus cable until it finds the intended recipient. If the machine
address does not match the intended address for the data, the machine ignores the data. Alternatively,
if the data matches the machine address, the data is accepted. Since the bus topology consists of only
one wire, it is rather inexpensive to implement when compared to other topologies. However, the low
cost of implementing the technology is offset by the high cost of managing the network. Additionally,
since only one cable is utilized, it can be the single point of failure. The network cable must be terminated
at both ends: without termination data transfer stops, and if the cable breaks, the entire network
will be down.
Linear bus
The type of network topology in which all of the nodes of the network are connected to a common
transmission medium which has exactly two endpoints (this is the 'bus', which is also commonly referred
to as the backbone, or trunk) – all data that is transmitted between nodes in the network is transmitted
over this common transmission medium and is able to be received by all nodes in the network
simultaneously.
Distributed bus
The type of network topology in which all of the nodes of the network are connected to a common
transmission medium which has more than two endpoints that are created by adding branches to the
main section of the transmission medium – the physical distributed bus topology functions in exactly the
same fashion as the physical linear bus topology (i.e., all nodes share a common transmission medium).
Star
In local area networks with a star topology, each network host is connected to a central point with a
point-to-point connection. In a star topology every node (computer workstation or any other peripheral)
is connected to a central node called a hub or switch.
The switch is the server and the peripherals are the clients. The network does not necessarily have to
resemble a star to be classified as a star network, but all of the nodes on the network must be
connected to one central device.
All traffic that traverses the network passes through the central point. The central point acts as a signal
repeater.
The star topology is considered the easiest topology to design and implement. An advantage of the star
topology is the simplicity of adding additional nodes. The primary disadvantage of the star topology is
that the central point represents a single point of failure.
Ring
A network topology that is set up in a circular fashion in which data travels around the ring in one
direction and each device on the ring acts as a repeater to keep the signal strong as it travels. Each
device incorporates a receiver for the incoming signal and a transmitter to send the data on to the next
device in the ring.
The network is dependent on the ability of the signal to travel around the ring. When a device sends
data, it must travel through each device on the ring until it reaches its destination. Every node is a
critical link. If one node goes down the whole link would be affected.
Mesh
The value of a fully meshed network is proportional to the exponent of the number of subscribers,
assuming that communicating groups of any two endpoints, up to and including all the endpoints, can
form; this is approximated by Reed's Law.
A mesh network provides for high availability and redundancy. However the cost of such network could
be very expensive if dozens of devices are in the mesh.
A fully connected network is a communication network in which each of the nodes is connected to each
other. In graph theory it known as a complete graph. A fully connected network doesn't need to use
switching nor broadcasting. However, its major disadvantage is that the number of connections grows
quadratically with the number of nodes, so it is extremely impractical for large networks. A two-node
network is technically a fully connected network.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15082
Question 236
Which of the following devices in the Frame Relay WAN technology is the service provider's device that does the actual data transmission and switching in the Frame Relay cloud?
• DLE
• DME
• DCE
• DTE
Details:
The correct answer is DCE. In Frame Relay the Data Circuit-terminating Equipment is the carrier's switching equipment inside the Frame Relay cloud; the customer-owned equipment at the edge of the cloud is the DTE.
For your exam you should know the following information about WAN technologies:
Point-to-Point Protocol
PPP (Point-to-Point Protocol) is a protocol for communication between two computers over a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet service provider may give you a PPP connection so that the provider's server can respond to your requests, pass them on to the Internet, and forward the responses back to you. PPP carries IP (and is designed to carry other network-layer protocols as well) and is sometimes considered a member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection (OSI) reference model, PPP provides a layer 2 (data-link layer) service: it packages your computer's TCP/IP packets and forwards them to the server, where they can actually be put on the Internet.
PPP is a full-duplex protocol that can be used on various physical media, including twisted pair, fiber optic lines or satellite transmission. It uses a variation of High-level Data Link Control (HDLC) framing for packet encapsulation.
PPP is usually preferred over the earlier de facto standard Serial Line Internet Protocol (SLIP) because it can handle synchronous as well as asynchronous communication, can multiplex several network-layer protocols over one link, and has error detection that SLIP lacks. PPP also supports link authentication (PAP and CHAP), which SLIP does not. Where a choice is possible, PPP is preferred.
X.25
• X.25 is an ITU-T standard protocol suite for packet-switched wide area network (WAN) communication.
• X.25 is a packet-switching technology that uses carrier switches to provide connectivity for many different networks.
• Subscribers are charged based on the amount of bandwidth they use. Data are divided into packets (typically 128 bytes) and encapsulated in High-level Data Link Control (HDLC) frames.
Frame Relay
• Companies that pay more to ensure that a higher level of bandwidth will always be available pay for a committed information rate, or CIR.
1. Data Terminal Equipment (DTE) - usually a customer-owned device that provides connectivity between the company's own network and the Frame Relay network.
2. Data Circuit-terminating Equipment (DCE) - the service provider's device that does the actual data transmission and switching in the Frame Relay cloud.
The Frame Relay cloud is the collection of DCEs that provides the switching and data communication functionality. Frame Relay is an any-to-any service.
ISDN
Enables data, voice and other types of traffic to travel in digital form over a medium previously used only for analog voice transmission.
ATM
• High-speed network technology used for LAN, MAN and WAN
• Like Frame Relay it is a connection-oriented technology that creates and uses fixed channels (virtual circuits)
• DTE - Data Terminal Equipment (DTE) is usually a customer-owned device that provides connectivity between the company's own network and the Frame Relay network.
• DME - not a valid Frame Relay term
• DLE - not a valid Frame Relay term
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15486
Question 237
An IS auditor or information systems security professional should know about the different network transmission media. Which of the following transmission media is used for short-distance transmission?
• HF Radio Link
• Fiber Optics
• Copper cable
Details:
Copper cable is very simple to install and easy to tap. It is used mostly for short distances and supports voice and data.
For your exam you should know the following information about transmission media:
Copper Cable
Copper cable is very simple to install and easy to tap (a passive splice or an inductive pickup can read the signal without interrupting service, which is why copper runs outside controlled space need physical protection or encryption of the traffic they carry). It is used mostly for short distances and supports voice and data.
Copper has been used in electrical wiring since the invention of the electromagnet and the telegraph in the 1820s. The invention of the telephone in 1876 created further demand for copper wire as an electrical conductor.
Copper is the electrical conductor in many categories of electrical wiring. Copper wire is used in power generation, power transmission, power distribution, telecommunications, electronic circuitry and countless types of electrical equipment. Copper and its alloys are also used to make electrical contacts. Electrical wiring in buildings is the most important market for the copper industry; roughly half of all copper mined is used to manufacture electrical wire and cable conductors.
• Fiber optics - fiber optic cable is used for long distances, is hard to splice, is not vulnerable to crosstalk and is difficult to tap. It supports voice, data, image and video.
• Satellite radio link - a satellite link uses a transponder to relay information and is easy to intercept.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15402
Question 238
• Copper cable
• Coaxial cable
• Fiber Optics
Details:
Satellite radio links use a transponder to relay information and are easy to intercept.
For your exam you should know the following information about transmission media:
Copper Cable
Copper cable is very simple to install and easy to tap. It is used mostly for short distances and supports voice and data.
Copper has been used in electrical wiring since the invention of the electromagnet and the telegraph in the 1820s. The invention of the telephone in 1876 created further demand for copper wire as an electrical conductor.
Copper is the electrical conductor in many categories of electrical wiring. Copper wire is used in power generation, power transmission, power distribution, telecommunications, electronic circuitry and countless types of electrical equipment. Copper and its alloys are also used to make electrical contacts. Electrical wiring in buildings is the most important market for the copper industry; roughly half of all copper mined is used to manufacture electrical wire and cable conductors.
Coaxial cable
Coaxial cable, or coax (pronounced 'ko.aks), is a type of cable that has an inner conductor surrounded by a tubular insulating layer, surrounded in turn by a tubular conducting shield. Many coaxial cables also have an insulating outer sheath or jacket. The term coaxial comes from the inner conductor and the outer shield sharing a geometric axis. Coaxial cable was invented by the English engineer and mathematician Oliver Heaviside, who patented the design in 1880. Coaxial cable differs from other shielded cable used for carrying lower-frequency signals, such as audio signals, in that the dimensions of the cable are controlled to give a precise, constant conductor spacing, which is needed for it to function efficiently as a radio frequency transmission line.
Coaxial cable is expensive and is used in relatively few LANs. It supports data and video.
Fiber optics
An optical fiber cable contains one or more optical fibers that are used to carry light. The optical fiber elements are typically individually coated with plastic layers and contained in a protective tube suitable for the environment where the cable will be deployed. Different types of cable are used for different applications, for example long distance telecommunication, or providing a high-speed data connection between different parts of a building.
Fiber optic cable is used for long distances, is hard to splice, is not vulnerable to crosstalk and is difficult to tap. It supports voice, data, image and video. Difficult does not mean impossible: a fiber can be tapped by bending it so that some light leaks out, so the practical check is to monitor the link's optical power budget for unexplained loss.
Microwaves are widely used for point-to-point communications because their small wavelength allows
conveniently-sized antennas to direct them in narrow beams, which can be pointed directly at the
receiving antenna. This allows nearby microwave equipment to use the same frequencies without
interfering with each other, as lower frequency radio waves do. Another advantage is that the high
frequency of microwaves gives the microwave band a very large information-carrying capacity; the
microwave band has a bandwidth 30 times that of all the rest of the radio spectrum below it. A
disadvantage is that microwaves are limited to line of sight propagation; they cannot pass around hills or
mountains as lower frequency radio waves can.
Microwave radio systems carry voice and data signals; they are cheap and easy to intercept, since anyone in the beam path with a suitable antenna can receive them.
Satellite radio is a radio service broadcast from satellites, primarily to cars, with the signal broadcast nationwide across a much wider geographical area than terrestrial radio stations. It is available by subscription, mostly commercial free, and offers subscribers more stations and a wider variety of programming options than terrestrial radio.
A satellite communication link uses a transponder on the satellite to relay the signal. Because the downlink covers a very large footprint, anyone within it who has a suitable dish can receive the signal; this is why satellite links are easy to intercept and why the traffic they carry should be encrypted.
Radio System
Radio systems are used for short distances; they are cheap and easy to intercept.
Radio is the radiation (wireless transmission) of electromagnetic signals through the atmosphere or free space.
Information, such as sound, is carried by systematically changing (modulating) some property of the radiated waves, such as their amplitude, frequency, phase or pulse width. When radio waves strike an electrical conductor, the oscillating fields induce an alternating current in the conductor, from which the information in the waves can be extracted and transformed back into its original form.
• Copper cable - copper cable is very simple to install and easy to tap. It is used mostly for short distances and supports voice and data.
• Fiber optics - fiber optic cable is used for long distances, is hard to splice, is not vulnerable to crosstalk and is difficult to tap. It supports voice, data, image and video.
• Coaxial cable - coaxial cable is expensive and is used in relatively few LANs. It supports data and video.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
Question 239
• Fiber Optics
• Copper cable
• Coaxial cable
Correct Answer is: Fiber Optics
Details:
Fiber optic cable is used for long distances, is hard to splice, is not vulnerable to crosstalk and is difficult to tap. It supports voice, data, image and video.
For your exam you should know the following information about transmission media:
Copper Cable
Copper cable is very simple to install and easy to tap. It is used mostly for short distances and supports voice and data.
Copper has been used in electrical wiring since the invention of the electromagnet and the telegraph in the 1820s. The invention of the telephone in 1876 created further demand for copper wire as an electrical conductor.
Copper is the electrical conductor in many categories of electrical wiring. Copper wire is used in power generation, power transmission, power distribution, telecommunications, electronic circuitry and countless types of electrical equipment. Copper and its alloys are also used to make electrical contacts. Electrical wiring in buildings is the most important market for the copper industry; roughly half of all copper mined is used to manufacture electrical wire and cable conductors.
Coaxial cable
Coaxial cable, or coax (pronounced 'ko.aks), is a type of cable that has an inner conductor surrounded by a tubular insulating layer, surrounded in turn by a tubular conducting shield. Many coaxial cables also have an insulating outer sheath or jacket. The term coaxial comes from the inner conductor and the outer shield sharing a geometric axis. Coaxial cable was invented by the English engineer and mathematician Oliver Heaviside, who patented the design in 1880. Coaxial cable differs from other shielded cable used for carrying lower-frequency signals, such as audio signals, in that the dimensions of the cable are controlled to give a precise, constant conductor spacing, which is needed for it to function efficiently as a radio frequency transmission line.
Coaxial cable is expensive and is used in relatively few LANs. It supports data and video.
Fiber optics
An optical fiber cable contains one or more optical fibers that are used to carry light. The optical fiber elements are typically individually coated with plastic layers and contained in a protective tube suitable for the environment where the cable will be deployed. Different types of cable are used for different applications, for example long distance telecommunication, or providing a high-speed data connection between different parts of a building.
Fiber optic cable is used for long distances, is hard to splice, is not vulnerable to crosstalk and is difficult to tap. It supports voice, data, image and video.
Microwave transmission refers to the technology of transmitting information or energy by the use of radio waves whose wavelengths are conveniently measured in small numbers of centimetres; these are called microwaves.
Microwaves are widely used for point-to-point communications because their small wavelength allows
conveniently-sized antennas to direct them in narrow beams, which can be pointed directly at the
receiving antenna. This allows nearby microwave equipment to use the same frequencies without
interfering with each other, as lower frequency radio waves do. Another advantage is that the high
frequency of microwaves gives the microwave band a very large information-carrying capacity; the
microwave band has a bandwidth 30 times that of all the rest of the radio spectrum below it. A
disadvantage is that microwaves are limited to line of sight propagation; they cannot pass around hills or
mountains as lower frequency radio waves can.
Microwave radio systems carry voice and data signals; they are cheap and easy to intercept.
Satellite radio is a radio service broadcast from satellites, primarily to cars, with the signal broadcast nationwide across a much wider geographical area than terrestrial radio stations. It is available by subscription, mostly commercial free, and offers subscribers more stations and a wider variety of programming options than terrestrial radio.
A satellite communication link uses a transponder on the satellite to relay the signal and is easy to intercept.
Radio System
Radio systems are used for short distances; they are cheap and easy to intercept.
Radio is the radiation (wireless transmission) of electromagnetic signals through the atmosphere or free space.
Information, such as sound, is carried by systematically changing (modulating) some property of the radiated waves, such as their amplitude, frequency, phase or pulse width. When radio waves strike an electrical conductor, the oscillating fields induce an alternating current in the conductor, from which the information in the waves can be extracted and transformed back into its original form.
• Copper cable - copper cable is very simple to install and easy to tap. It is used mostly for short distances and supports voice and data.
• Satellite radio link - a satellite link uses a transponder to relay information and is easy to intercept.
• Coaxial cable - coaxial cable is expensive and is used in relatively few LANs. It supports data and video.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14488
Question 240
Which of the following is the INCORRECT layer-to-protocol mapping used in the DoD TCP/IP model?
• Internet layer – IP
Details:
The keyword INCORRECT is used within the question: you need to find the incorrect layer-to-protocol mapping.
ICMP works at the Internet layer of the DoD TCP/IP model, not at the Transport layer, so "Transport layer - ICMP" is the incorrect mapping. ICMP messages are carried directly inside IP datagrams (IP protocol number 1) with no TCP or UDP header, which is also why firewall rules for ICMP filter on message type and code rather than on ports.
For your exam you should know the following information about the TCP/IP model:
Layer 4. Application Layer
The Application layer is the top-most layer of the four-layer TCP/IP model and sits on top of the Transport layer. It defines the TCP/IP application protocols and how host programs interface with Transport layer services to use the network.
The Application layer includes all the higher-level protocols such as DNS (Domain Name System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol), DHCP (Dynamic Host Configuration Protocol), X Window, RDP (Remote Desktop Protocol) etc.
Layer 3. Transport Layer
The Transport layer is the third layer of the four-layer TCP/IP model, positioned between the Application layer and the Internet layer. Its purpose is to permit devices on the source and destination hosts to carry on a conversation; it defines the level of service and the status of the connection used when transporting data.
The main protocols included at the Transport layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
Layer 2. Internet Layer
The Internet layer is the second layer of the four-layer TCP/IP model, positioned between the Network Access layer and the Transport layer. The Internet layer packs data into packets known as IP datagrams, which contain source and destination address (logical address or IP address) information that is used to forward the datagrams between hosts and across networks. The Internet layer is also responsible for routing IP datagrams.
A packet-switching network depends on a connectionless internetwork layer; this layer is known as the Internet layer. Its job is to allow hosts to insert packets into any network and have them delivered independently to the destination. At the destination, packets may arrive in a different order than they were sent; it is the job of the higher layers to rearrange them in order to deliver them to the proper network applications operating at the Application layer.
The main protocols included at the Internet layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and IGMP (Internet Group Management Protocol).
Layer 1. Network Access Layer
The Network Access layer is the first layer of the four-layer TCP/IP model. It defines the details of how data is physically sent through the network, including how bits are electrically or optically signaled by hardware devices that interface directly with a network medium such as coaxial cable, optical fiber or twisted pair copper wire.
The protocols included in the Network Access layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay etc.
The most popular LAN architecture among those listed above is Ethernet. When Ethernet operates on a shared medium it uses an access method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to access the media. An access method determines how a host will place data on the medium.
In the CSMA/CD access method every host has equal access to the medium and can place data on the wire when the wire is free of network traffic. When a host wants to place data on the wire, it first checks whether another host is already using the medium (carrier sense). If there is traffic on the medium the host waits; if there is none, it transmits. If two systems place data on the medium at the same instant, the transmissions collide and the data is destroyed (collision detection), so it must be retransmitted. After a collision each host waits a small, random interval of time (binary exponential backoff) before retransmitting, so that the same hosts do not collide again immediately.
The other options correctly describe the layer-to-protocol mapping of the DoD TCP/IP model protocols.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12241
Question 241
Which of the following is the protocol data unit (PDU) of application layer in TCP/IP model?
• Packet
• Frame
• Segment
• Data
Correct Answer is: Data
Details:
At the Application layer of the TCP/IP model the protocol data unit is simply called data. It becomes a segment (TCP) or datagram (UDP) at the Transport layer, a packet at the Internet layer and a frame at the Network Access layer.
For your exam you should know the following information about the TCP/IP model:
The Application layer includes all the higher-level protocols such as DNS (Domain Name System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol), DHCP (Dynamic Host Configuration Protocol), X Window, RDP (Remote Desktop Protocol) etc.
Transport Layer is the third layer of the four layer TCP/IP model. The position of the Transport layer is
between Application layer and Internet layer. The purpose of Transport layer is to permit devices on the
source and destination hosts to carry on a conversation. Transport layer defines the level of service and
status of the connection used when transporting data.
The main protocols included at Transport layer are TCP (Transmission Control Protocol) and UDP (User
Datagram Protocol).
The Internet layer is the second layer of the four-layer TCP/IP model, positioned between the Network Access layer and the Transport layer. The Internet layer packs data into packets known as IP datagrams, which contain source and destination address (logical address or IP address) information that is used to forward the datagrams between hosts and across networks. The Internet layer is also responsible for routing IP datagrams.
A packet-switching network depends on a connectionless internetwork layer; this layer is known as the Internet layer. Its job is to allow hosts to insert packets into any network and have them delivered independently to the destination. At the destination, packets may arrive in a different order than they were sent; it is the job of the higher layers to rearrange them in order to deliver them to the proper network applications operating at the Application layer.
The main protocols included at the Internet layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and IGMP (Internet Group Management Protocol).
Network Access Layer is the first layer of the four layer TCP/IP model. Network Access Layer defines
details of how data is physically sent through the network, including how bits are electrically or optically
signaled by hardware devices that interface directly with a network medium, such as coaxial cable,
optical fiber, or twisted pair copper wire.
The protocols included in Network Access Layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay etc.
The most popular LAN architecture among those listed above is Ethernet. When Ethernet operates on a shared medium it uses an access method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to access the media. An access method determines how a host will place data on the medium.
In the CSMA/CD access method every host has equal access to the medium and can place data on the wire when the wire is free of network traffic. When a host wants to place data on the wire, it first checks whether another host is already using the medium (carrier sense). If there is traffic on the medium the host waits; if there is none, it transmits. If two systems place data on the medium at the same instant, the transmissions collide and the data is destroyed (collision detection), so it must be retransmitted. After a collision each host waits a small, random interval of time (binary exponential backoff) before retransmitting, so that the same hosts do not collide again immediately.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12249
Question 242
Which of the following is protocol data unit (PDU) of transport layer in TCP/IP model?
• Frame
• Data
• Packet
• Segment
Correct Answer is: Segment
Details:
At the Transport layer of the TCP/IP model the protocol data unit is the segment (for TCP; the UDP unit is called a datagram). Data from the Application layer is broken into segments, each segment is carried in an Internet layer packet, and each packet is carried in a Network Access layer frame.
For your exam you should know the following information about the TCP/IP model:
The Application layer includes all the higher-level protocols such as DNS (Domain Name System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol), DHCP (Dynamic Host Configuration Protocol), X Window, RDP (Remote Desktop Protocol) etc.
Transport Layer is the third layer of the four layer TCP/IP model. The position of the Transport layer is
between Application layer and Internet layer. The purpose of Transport layer is to permit devices on the
source and destination hosts to carry on a conversation. Transport layer defines the level of service and
status of the connection used when transporting data.
The main protocols included at Transport layer are TCP (Transmission Control Protocol) and UDP (User
Datagram Protocol).
The Internet layer is the second layer of the four-layer TCP/IP model, positioned between the Network Access layer and the Transport layer. The Internet layer packs data into packets known as IP datagrams, which contain source and destination address (logical address or IP address) information that is used to forward the datagrams between hosts and across networks. The Internet layer is also responsible for routing IP datagrams.
A packet-switching network depends on a connectionless internetwork layer; this layer is known as the Internet layer. Its job is to allow hosts to insert packets into any network and have them delivered independently to the destination. At the destination, packets may arrive in a different order than they were sent; it is the job of the higher layers to rearrange them in order to deliver them to the proper network applications operating at the Application layer.
The main protocols included at the Internet layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and IGMP (Internet Group Management Protocol).
Network Access Layer is the first layer of the four layer TCP/IP model. Network Access Layer defines
details of how data is physically sent through the network, including how bits are electrically or optically
signaled by hardware devices that interface directly with a network medium, such as coaxial cable,
optical fiber, or twisted pair copper wire.
The protocols included in Network Access Layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay etc.
The most popular LAN architecture among those listed above is Ethernet. When Ethernet operates on a shared medium it uses an access method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to access the media. An access method determines how a host will place data on the medium.
In the CSMA/CD access method every host has equal access to the medium and can place data on the wire when the wire is free of network traffic. When a host wants to place data on the wire, it first checks whether another host is already using the medium (carrier sense). If there is traffic on the medium the host waits; if there is none, it transmits. If two systems place data on the medium at the same instant, the transmissions collide and the data is destroyed (collision detection), so it must be retransmitted. After a collision each host waits a small, random interval of time (binary exponential backoff) before retransmitting, so that the same hosts do not collide again immediately.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12249
Question 243
Which of the following is protocol data unit (PDU) of network layer in OSI model?
• Data
• Frame
• Segment
• Packet
Correct Answer is: Packet
Details:
At the network layer of the OSI model (the Internet layer of the TCP/IP model) the protocol data unit is the packet. Data is the application-layer PDU, the segment is the transport-layer PDU and the frame is the data-link-layer PDU.
For your exam you should know the following information about the TCP/IP model:
The Application layer is the top-most layer of the four-layer TCP/IP model and sits on top of the Transport layer. It defines the TCP/IP application protocols and how host programs interface with Transport layer services to use the network.
The Application layer includes all the higher-level protocols such as DNS (Domain Name System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol), DHCP (Dynamic Host Configuration Protocol), X Window, RDP (Remote Desktop Protocol) etc.
Transport Layer is the third layer of the four layer TCP/IP model. The position of the Transport layer is
between Application layer and Internet layer. The purpose of Transport layer is to permit devices on the
source and destination hosts to carry on a conversation. Transport layer defines the level of service and
status of the connection used when transporting data.
The main protocols included at Transport layer are TCP (Transmission Control Protocol) and UDP (User
Datagram Protocol).
The Internet layer is the second layer of the four-layer TCP/IP model, positioned between the Network Access layer and the Transport layer. The Internet layer packs data into packets known as IP datagrams, which contain source and destination address (logical address or IP address) information that is used to forward the datagrams between hosts and across networks. The Internet layer is also responsible for routing IP datagrams.
A packet-switching network depends on a connectionless internetwork layer; this layer is known as the Internet layer. Its job is to allow hosts to insert packets into any network and have them delivered independently to the destination. At the destination, packets may arrive in a different order than they were sent; it is the job of the higher layers to rearrange them in order to deliver them to the proper network applications operating at the Application layer.
The main protocols included at the Internet layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and IGMP (Internet Group Management Protocol).
The protocols included in Network Access Layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay etc.
The most popular LAN architecture among those listed above is Ethernet. When Ethernet operates on a shared medium it uses an access method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to access the media. An access method determines how a host will place data on the medium.
In the CSMA/CD access method every host has equal access to the medium and can place data on the wire when the wire is free of network traffic. When a host wants to place data on the wire, it first checks whether another host is already using the medium (carrier sense). If there is traffic on the medium the host waits; if there is none, it transmits. If two systems place data on the medium at the same instant, the transmissions collide and the data is destroyed (collision detection), so it must be retransmitted. After a collision each host waits a small, random interval of time (binary exponential backoff) before retransmitting, so that the same hosts do not collide again immediately.
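The collision-and-backoff procedure described above can be made concrete with a small simulation. The Python script below is an added example, not code from the practice test or from any (ISC)2 or IEEE text: it models one shared Ethernet segment in discrete slot times, with carrier sense (nobody transmits while the medium is busy), collision detection (two or more stations transmitting in the same slot) and the truncated binary exponential backoff that IEEE 802.3 specifies (a random wait of 0 to 2^k - 1 slots after the k-th collision, with the exponent capped at 10 and the frame discarded after 16 attempts). The station count, the frame length in slots and the random seed are arbitrary parameters chosen for the example.

```python
import random

MAX_ATTEMPTS = 16       # IEEE 802.3 gives up on a frame after 16 collisions
BACKOFF_CEILING = 10    # the backoff exponent stops growing at 2**10 slots


def simulate_csma_cd(stations, frame_slots=4, seed=1, max_slots=100_000):
    """Slot-time model of CSMA/CD on one shared segment.

    Every station starts with exactly one frame to send and tries in slot 1, so
    with two or more stations the first slot is always a collision. Returns the
    counts of delivered and dropped frames, collisions, and slots elapsed.
    """
    rng = random.Random(seed)                # seeded so a run is reproducible
    backoff = [0] * stations                 # slots each station must still wait
    attempts = [0] * stations                # collisions suffered by its current frame
    pending = set(range(stations))
    stats = {"delivered": 0, "dropped": 0, "collisions": 0, "slots": 0}
    busy_until = 0                           # medium is busy through this slot number
    slot = 0
    while pending and slot < max_slots:
        slot += 1
        # Carrier sense: while the medium is busy nobody transmits, but backoff
        # timers keep running; a station whose timer has expired waits for idle.
        ready = [s for s in pending if backoff[s] == 0] if slot > busy_until else []
        for s in pending:
            if backoff[s] > 0:
                backoff[s] -= 1
        if len(ready) == 1:                  # a single talker: the frame goes out
            pending.discard(ready[0])
            stats["delivered"] += 1
            busy_until = slot + frame_slots - 1
        elif len(ready) > 1:                 # collision detected: jam, then back off
            stats["collisions"] += 1
            for s in ready:
                attempts[s] += 1
                if attempts[s] >= MAX_ATTEMPTS:
                    pending.discard(s)       # excessive collisions: frame discarded
                    stats["dropped"] += 1
                else:
                    limit = 2 ** min(attempts[s], BACKOFF_CEILING)
                    backoff[s] = rng.randrange(limit)   # wait 0 .. limit-1 slots
    stats["slots"] = slot
    return stats


if __name__ == "__main__":
    for n in (1, 2, 8, 32):
        print(n, "stations:", simulate_csma_cd(n))
```

Running it with a growing station count shows the cost of a shared medium: the collision count and the slots needed per delivered frame both climb with the number of contenders, which is the reason switched Ethernet replaced hubs and why a collision domain is also the domain in which any host can observe every frame.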
Protocol Data Unit (PDU) within the OSI model - notice that the layer names differ from the TCP/IP model, but the PDUs line up:
Application, Presentation and Session layers - data
Transport layer - segment (TCP) or datagram (UDP)
Network layer - packet
Data Link layer - frame
Physical layer - bits
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12249
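Questions 240 through 243 above all turn on the same mapping of layers to protocols and PDUs. The Python script below is an added example, not code from the practice test or from (ISC)2: it builds two constructed Ethernet frames (an HTTP request carried in TCP, and an ICMP echo request; the MAC and IP addresses, ports and identifiers are made up, and all checksums are left at zero) and then decapsulates each one layer by layer, naming the PDU at every step. The ICMP frame shows why "Transport layer - ICMP" is the wrong mapping: the ICMP header follows the IP header directly, with no segment or datagram in between.

```python
import struct

# Demultiplexing tables: which protocol a header hands its payload to.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}   # all sit directly inside IP
WELL_KNOWN_PORTS = {22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP"}


def parse_ethernet(frame):
    """Network Access layer: strip the 14-byte Ethernet header (PDU: frame)."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"type": ETHERTYPES.get(ethertype, hex(ethertype)), "payload": frame[14:]}


def parse_ipv4(packet):
    """Internet layer: strip the IPv4 header (PDU: packet, i.e. IP datagram).
    The header checksum is not verified; the example only demonstrates layering."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"protocol": IP_PROTOCOLS.get(proto, str(proto)),
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": packet[ihl:total_len]}


def parse_tcp(segment):
    """Transport layer, TCP: strip the header (PDU: segment)."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    return {"src_port": sport, "dst_port": dport, "payload": segment[data_offset:]}


def parse_udp(datagram):
    """Transport layer, UDP: strip the 8-byte header (PDU: datagram)."""
    sport, dport, length, _cksum = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": sport, "dst_port": dport, "payload": datagram[8:length]}


def parse_icmp(message):
    """ICMP rides directly inside IP (protocol 1): it is an Internet-layer protocol and
    there is no transport PDU, which is why "Transport layer - ICMP" is a wrong mapping."""
    icmp_type, code, _cksum, _rest = struct.unpack("!BBH4s", message[:8])
    return {"type": icmp_type, "code": code, "payload": message[8:]}


def decapsulate(frame):
    """Walk up the DoD model from the wire: frame -> packet -> segment/datagram -> data.
    Returns ([(layer, pdu, protocol), ...], application_payload)."""
    layers = [("Network Access", "frame", "Ethernet")]
    eth = parse_ethernet(frame)
    if eth["type"] != "IPv4":
        return layers, eth["payload"]
    ip = parse_ipv4(eth["payload"])
    layers.append(("Internet", "packet", "IPv4"))
    if ip["protocol"] == "ICMP":
        layers.append(("Internet", "packet", "ICMP"))     # still the Internet layer
        return layers, parse_icmp(ip["payload"])["payload"]
    if ip["protocol"] in ("TCP", "UDP"):
        if ip["protocol"] == "TCP":
            seg = parse_tcp(ip["payload"])
            layers.append(("Transport", "segment", "TCP"))
        else:
            seg = parse_udp(ip["payload"])
            layers.append(("Transport", "datagram", "UDP"))
        layers.append(("Application", "data", WELL_KNOWN_PORTS.get(seg["dst_port"], "unknown")))
        return layers, seg["payload"]
    return layers, ip["payload"]


# Constructed sample frames for the demo (not real captures; checksums left at zero).
def _ethernet(payload, ethertype=0x0800):
    return struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, ethertype) + payload


def _ipv4(proto, payload):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64,
                         proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def _tcp(dst_port, payload):
    # 20-byte header: data offset 5 words, flags PSH|ACK, window, checksum, urgent pointer
    return struct.pack("!HHIIHHHH", 40000, dst_port, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload


SAMPLE_HTTP_FRAME = _ethernet(_ipv4(6, _tcp(80, b"GET / HTTP/1.1\r\n")))
SAMPLE_PING_FRAME = _ethernet(_ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"))

if __name__ == "__main__":
    for name, frame in (("HTTP over TCP", SAMPLE_HTTP_FRAME), ("ICMP echo", SAMPLE_PING_FRAME)):
        layers, data = decapsulate(frame)
        print(name)
        for layer, pdu, proto in layers:
            print(f"  {layer:15} {pdu:8} {proto}")
        print("  payload:", data)
```

The same walk is what a packet filter performs before it can apply a rule: it must reach the IP header to see the protocol number, and only for TCP and UDP is there a port to match on, which is why an ICMP rule is written in terms of type and code instead.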
Which of the following is the INCORRECT "layer - protocol data unit (PDU)" mapping within the DoD TCP/IP model?
Details:
The word INCORRECT is the keyword used in the question: you need to find the incorrect layer-to-PDU mapping among the given options. The correct mappings are Application layer - data, Transport layer - segment (TCP) or datagram (UDP), Internet layer - packet, and Network Access layer - frame.
For your exam you should know the following information about the TCP/IP model:
The Application layer includes all the higher-level protocols such as DNS (Domain Name System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol), DHCP (Dynamic Host Configuration Protocol), X Window, RDP (Remote Desktop Protocol) etc.
The Transport layer is the third layer of the four-layer TCP/IP model. It sits between the Application layer
and the Internet layer. The purpose of the Transport layer is to let applications on the source and
destination hosts carry on a conversation. It defines the level of service (reliable and connection-oriented
with TCP, best-effort and connectionless with UDP) and the status of the connection used when transporting
data.
The main protocols at the Transport layer are TCP (Transmission Control Protocol) and UDP (User
Datagram Protocol).
The Internet layer is the second layer of the four-layer TCP/IP model. It sits between the Network Access
layer and the Transport layer. The Internet layer packs data into packets known as IP datagrams, which
carry source and destination address (logical address, i.e. IP address) information used to forward the
datagrams between hosts and across networks. The Internet layer is also responsible for routing IP
datagrams.
A packet-switching network depends on a connectionless internetwork layer, which in TCP/IP is the
Internet layer. Its job is to allow hosts to insert packets into any network and have them delivered
independently to the destination. At the destination, packets may arrive in a different order than they
were sent; it is the job of the higher layers to put them back in order before delivering them to the
application operating at the Application layer.
The main protocols at the Internet layer are IP (Internet Protocol), ICMP (Internet Control Message
Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and IGMP
(Internet Group Management Protocol).
Network Access Layer is the first layer of the four layer TCP/IP model. Network Access Layer defines
details of how data is physically sent through the network, including how bits are electrically or optically
signaled by hardware devices that interface directly with a network medium, such as coaxial cable,
optical fiber, or twisted pair copper wire.
The protocols included in the Network Access Layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay, etc.
The most popular LAN architecture among those listed above is Ethernet. When Ethernet operates on a shared
medium it uses an access method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to
access the medium. An access method determines how a host places data on the medium.
In the CSMA/CD access method, every host has equal access to the medium and may place data on the wire
when the wire is free of traffic (carrier sense). When a host wants to transmit, it first listens to find out
whether another host is already using the medium. If there is traffic, the host waits; if there is none, it
transmits. If two hosts transmit at the same instant their signals collide and the data is corrupted (collision
detection). Corrupted data must be retransmitted: after a collision each host backs off for a short, random
interval and then retransmits. Note that switched, full-duplex Ethernet has no shared medium and therefore
no collisions; CSMA/CD only matters on hubs and other shared segments.
Question 245
• S/MIME
• Social Engineering
• Sniffing
Details:
When data has to be sent from one location to another, the networks it crosses are not always trusted.
Data in transit can be subjected to sniffing (eavesdropping), where an attacker captures it as it passes.
This is possible with commonly available tools such as network sniffers, packet loggers and Ethernet taps,
or with many other techniques.
Sensitive data in transit must therefore be protected with encryption, which protects it no matter which
type of network it crosses.
TLS (and its predecessor SSL), for instance, uses asymmetric cryptography to authenticate the server and to
establish a shared session key, and then encrypts the application data with a symmetric cipher under that
key. Data sniffed from the network is useless to the attacker unless they can recover the session key used
to secure that SSL/TLS session.
The following answers are incorrect:
- S/MIME: This answer is incorrect because S/MIME is a method of encrypting and signing electronic mail for
transit over untrusted networks. It relies on a PKI (Public Key Infrastructure) for key management and
protects data in transit rather than threatening it.
- Social Engineering: This is the wrong answer because data in transit is not generally affected by social
engineering. Once data is passing over a network, social engineering does not make it any more
accessible. Social engineering is when a human is tricked by another human into divulging information or
making it accessible to the attacker.
- HTTPS, SSL or TLS: This isn't the correct answer because these technologies secure data in transit using
encryption. HTTPS is not a separate secure protocol in itself; it is HTTP carried over an SSL/TLS session.
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14827
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 205-206). Wiley. Kindle Edition.
Question 246
Which of the following term related to network performance refers to the delay that a packet may
experience on its way to reach the destination from the source?
• Jitter
• Bandwidth
• Latency
• Throughput
Correct Answer is: Latency
Details:
Latency is the delay between the sender transmitting information and the receiver decoding it; it is mainly
a function of the signal's travel time and of the processing time at each node the information traverses.
In a network, latency, a synonym for delay, is an expression of how much time it takes for a packet of
data to get from one designated point to another. In some usages (for example, AT&T), latency is
measured by sending a packet that is returned to the sender, and the round-trip time is taken as the
latency.
Ideally data would be transmitted instantly between one point and another, with no delay at all. The
contributors to network latency include:
• Propagation: the time it takes for a signal to travel between one place and another, bounded by the
speed of light in the medium.
• Transmission: the medium itself (optical fiber, wireless, or some other) and the link rate introduce
delay. Packet size matters too: a larger packet takes longer to put on the wire and to receive, so it adds
more to a round trip than a short one.
• Router and other processing: each gateway node takes time to examine and possibly change the
header of a packet (for example, decrementing the time-to-live field and recomputing the header checksum).
• Other computer and storage delays: within the networks at each end of the journey, a packet may be
subject to queuing and buffering delays in intermediate devices such as switches and bridges, and to
storage access delays on the end hosts. (In backbone statistics, however, this kind of latency is probably
not considered.)
For your exam you should know the following information about network performance:
The following list gives examples of network performance measures for a circuit-switched network and
one type of packet-switched network (ATM):
Circuit-switched networks: In circuit switched networks, network performance is synonymous with the
grade of service. The number of rejected calls is a measure of how well the network is performing under
heavy traffic loads. Other types of performance measures can include noise, echo and so on.
ATM: In an Asynchronous Transfer Mode (ATM) network, performance can be measured by line rate,
quality of service (QoS), data throughput, connect time, stability, technology, modulation technique and
modem enhancements.
There are many different ways to measure the performance of a network, as each network is different in
nature and design. Performance can also be modelled instead of measured; one example of this is using
state transition diagrams to model queuing performance in a circuit-switched network. These diagrams
allow the network planner to analyze how the network will perform in each state, ensuring that the
network will be optimally designed.
• Latency - Latency is the delay between the sender and the receiver decoding it, this is mainly a
function of the signals travel time, and processing time at any nodes the information traverses
• Jitter - Jitter is the variation in the time of arrival at the receiver of the information
• Error Rate - Error rate is the number of corrupted bits expressed as a percentage or fraction of
the total sent
The following answers are incorrect:
• Jitter - Jitter is the variation in the time of arrival at the receiver of the information
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14445
Which of the following term related to network performance refers to the variation in the time of arrival
of packets on the receiver of the information?
• Bandwidth
• Latency
• Throughput
• Jitter
Details:
Simply put, jitter is the variation in packet inter-arrival time at the destination. Jitter is a phenomenon
specific to packet-switched networks. For ordinary data transfers it usually causes no communication
problems, because TCP buffers and reorders segments before handing data to the application, so the
application never sees the uneven arrival.
In a VoIP environment, or in any larger network today where IP phones are in use, it can be a real problem.
When a station sends VoIP traffic at a regular interval (say one frame every 10 ms), some of those packets
can be held up somewhere inside the packet network and fail to arrive at the expected regular pace at the
destination station. That is the whole jitter phenomenon: the difference between the tempo at which packets
are expected and the tempo at which they are actually received.
In the scenario above the packets are sent at a constant period but do not arrive at that period on the
receiver side; one packet meets some delay on its way and is received a little later than assumed. This is
where jitter buffers enter the story: the receiver holds packets briefly so that they can be played out at a
steady rate, trading a little added latency for smooth playback, and a packet that arrives too late for its
playout slot is dropped. VoIP packets have highly variable inter-arrival intervals because they are usually
smaller than normal data packets and therefore more numerous, with a greater chance that some of them
are delayed along the way.
For your exam you should know the following information about network performance:
The following list gives examples of network performance measures for a circuit-switched network and
one type of packet-switched network (ATM):
Circuit-switched networks: In circuit switched networks, network performance is synonymous with the
grade of service. The number of rejected calls is a measure of how well the network is performing under
heavy traffic loads. Other types of performance measures can include noise, echo and so on.
ATM: In an Asynchronous Transfer Mode (ATM) network, performance can be measured by line rate,
quality of service (QoS), data throughput, connect time, stability, technology, modulation technique and
modem enhancements.
There are many different ways to measure the performance of a network, as each network is different in
nature and design. Performance can also be modelled instead of measured; one example of this is using
state transition diagrams to model queuing performance in a circuit-switched network. These diagrams
allow the network planner to analyze how the network will perform in each state, ensuring that the
network will be optimally designed.
• Latency - Latency is the delay between the sender and the receiver decoding it, this is mainly a
function of the signals travel time, and processing time at any nodes the information traverses
• Jitter - Jitter is the variation in the time of arrival at the receiver of the information
• Error Rate - Error rate is the number of corrupted bits expressed as a percentage or fraction of
the total sent
The following answers are incorrect:
• Latency - Latency is the delay between the sender and the receiver decoding it, this is mainly a
function of the signals travel time, and processing time at any nodes the information traverses
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13366
and
http://howdoesinternetwork.com/2013/jitter
Question 248
A forensic investigation in a cloud computing environment involves at least which two entities?
Correct Answer is: The Cloud Service Provider and Cloud Customer
Details:
The correct answer is: The Cloud Service Provider and Cloud Customer
Discussion: Cloud computing forensic investigations are unique and somewhat different from traditional
network investigations because of the nature of cloud computing: the customer neither controls nor can
directly image the provider's infrastructure, so evidence collection has to be coordinated with the provider.
The two entities involved in any cloud computing forensic investigation are therefore at least the CSP
(Cloud Service Provider) and the cloud customer.
Apart from these two, other roles in the cloud enterprise would be investigators, IT professionals,
incident handlers and legal advisors.
- The investigator and Cloud Service Provider representative: These aren't the two primary parties in a
cloud computing forensic investigation, so this isn't the right answer.
- Incident Handler and Cloud Customer: An incident handler may take part, but is not one of the two entities
that are always involved, so this also isn't the correct answer.
- Legal Advisor and External Assistance: The CSP and the cloud customer are the two who are always involved
in a cloud forensic investigation, so this answer isn't correct.
Official (ISC)2 Guide to the CCFP CBK ((ISC)2 Press) (p. 262). CRC Press. Kindle Edition.
Question 249
Which answer describes an IPv4 conversation between host A at 10.5.1.10 to Host B at 10.5.1.20?
• Unicast address
• Broadcast address
• Desiccant address
• Multicast address
Discussion: Two hosts talking directly to each other are unicast traffic: one sender to one receiver. The
other address types are explained in the incorrect-answer section; each is a different way of addressing
one or many computers.
- Multicast address: This isn't correct because multicast addresses use the range 224.0.0.0 to
239.255.255.255 (224.0.0.0/4). Multicast addresses are used to send one stream of traffic to a group of
subscribed receivers, a bit like a television channel.
- Broadcast address: This isn't the right answer either. A subnet's directed broadcast address is the one
with every host bit set to 1, which ends in .255 only for a /24 network (for 10.5.1.0/24 it is 10.5.1.255,
but for 192.168.1.64/26 it is 192.168.1.127), and 255.255.255.255 is the limited broadcast address for
the local link. Broadcasts are used when traffic must reach every host on a network. Try this: from a
command shell, ping your local subnet's broadcast address (on Linux, ping -b is required) and then check
your ARP cache (arp -a) to see the hosts that are now in it. Not all hosts reply to pings sent to the
broadcast address, but you should see a few.
- Desiccant address: Technically this is a hygroscopic substance used as a drying agent, which has nothing
to do with IPv4 networking, so it isn't the right answer. (And don't eat the desiccant packets that come in
things you buy.)
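To make the address classes above concrete, here is an added example (not from the original page or the cited CCNA guide) that classifies the destination of an IPv4 conversation as unicast, directed broadcast, limited broadcast or multicast using the standard-library ipaddress module. The addresses and prefix lengths in it are constructed; host A's subnet is assumed to be 10.5.1.0/24 in the first case. It goes slightly beyond the question by showing that the ".255 means broadcast" rule of thumb fails on /23 and /26 networks.

```python
"""Classify the destination of an IPv4 conversation (added example, constructed addresses).

The directed broadcast address of a subnet is the one with all host bits set,
which ipaddress computes from the prefix length.  It ends in .255 only for a
/24: the cases below include a .255 address that is an ordinary host (on a /23)
and a .127 address that is a broadcast (on a /26).
"""
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_destination(dst: str, sender_interface: str) -> str:
    """Describe how traffic from sender_interface (e.g. '10.5.1.10/24') to dst is delivered."""
    addr = ipaddress.IPv4Address(dst)
    net = ipaddress.IPv4Interface(sender_interface).network   # the sender's subnet
    if addr == LIMITED_BROADCAST:
        return "limited broadcast"          # every host on the local link; never routed
    if addr.is_multicast:                   # 224.0.0.0/4
        return "multicast"
    if addr in net:
        if net.prefixlen < 31:              # /31 and /32 have no broadcast/network address
            if addr == net.broadcast_address:
                return "directed broadcast"  # all host bits set for this prefix
            if addr == net.network_address:
                return "network address (not a host)"
        return "unicast (on-link)"          # delivered directly, resolved with ARP
    return "unicast (routed)"               # off-subnet: sent to the default gateway


# Constructed cases: (destination, sender interface); 10.5.1.0/24 assumed for host A
CASES = [
    ("10.5.1.20", "10.5.1.10/24"),          # the question's host B
    ("10.5.1.255", "10.5.1.10/24"),         # broadcast of a /24
    ("10.5.2.255", "10.5.2.10/23"),         # an ordinary host inside 10.5.2.0/23
    ("10.5.3.255", "10.5.2.10/23"),         # the real broadcast of 10.5.2.0/23
    ("192.168.1.127", "192.168.1.70/26"),   # broadcast of 192.168.1.64/26
    ("192.168.1.130", "192.168.1.70/26"),   # outside the /26: routed unicast
    ("224.0.0.251", "10.5.1.10/24"),        # mDNS multicast group
    ("255.255.255.255", "10.5.1.10/24"),
    ("10.5.1.0", "10.5.1.10/24"),
]

if __name__ == "__main__":
    for dst, iface in CASES:
        print("%-22s from %-18s -> %s" % (dst, iface, classify_destination(dst, iface)))
```

The on-link/routed split matters for the ARP experiment in the text: only on-link unicast destinations and the subnet broadcast populate your ARP cache with other hosts; a routed destination only adds the gateway's entry.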
Lammle, Todd. CCNA Routing and Switching Study Guide: Exams 100-101, 200-101, and 200-120 (p. 328,
491). Wiley. Hardback Edition.
Question 250
• ICMP
• ARP
• NNTP
• IGMP
Details:
The Network News Transfer Protocol (NNTP) is an application protocol used for transporting Usenet
news articles (netnews) between news servers and for reading and posting articles by end user client
applications.
NNTP is associated with TCP port 119. The other three options, ICMP, IGMP and ARP, have no port numbers at
all: ARP operates at layer 2 (it is carried directly in the frame) and ICMP and IGMP at layer 3 (identified by
the IP protocol field, values 1 and 2), so none of them has a transport-layer header in which a port could appear.
IGMP: The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts
and adjacent routers on IPv4 networks to establish multicast group memberships. IGMP is an integral
part of IP multicast
ICMP: The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol
suite. It is used by network devices, like routers, to send error messages and operational information
indicating, for example, that a requested service is not available or that a host or router could not be
reached.
ARP: The Address Resolution Protocol (ARP, RFC 826) is used by the Internet Protocol (IP), specifically IPv4,
to map IP network addresses to the hardware (MAC) addresses used by a data link protocol. It operates
below the network layer as part of the interface between the OSI network and data link layers.
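The layer descriptions earlier in this section (Application, Transport, Internet and Network Access, and the PDU of each) and this question's point about port numbers are both visible when a frame is parsed one layer at a time. The following is an added example, not code from the original page: a minimal parser that peels an Ethernet frame into its IPv4 packet and then its TCP segment, UDP datagram, or ICMP/IGMP message, and that stops at the frame for ARP. The four sample frames are constructed inline (MAC addresses, the 10.5.1.x hosts and an NNTP SYN to port 119 are all made up), and their checksums are left at zero, which a real stack would reject.

```python
"""Peel an Ethernet frame layer by layer (added example; frames are constructed).

Keys of the result are the PDU names of the layers actually present
(frame -> packet -> segment/datagram).  ARP never enters the IP layer, and
ICMP/IGMP are identified by the IPv4 protocol field (1 and 2), so none of
them ever yields a port number; only TCP and UDP do.
"""
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_TCP, IPPROTO_UDP = 1, 2, 6, 17
IP_PROTO_NAMES = {IPPROTO_ICMP: "ICMP", IPPROTO_IGMP: "IGMP", IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}


def parse_frame(frame: bytes) -> dict:
    """Return one entry per layer present, keyed by that layer's PDU name."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"frame": {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}}
    payload = frame[14:]

    if ethertype == ETHERTYPE_ARP:
        # ARP rides directly in the frame: no IP header, so nowhere for a port to live.
        if len(payload) < 8:
            raise ValueError("truncated ARP header")
        oper = struct.unpack("!HHBBH", payload[:8])[4]
        layers["arp"] = {"operation": "request" if oper == 1 else "reply"}
        return layers
    if ethertype != ETHERTYPE_IPV4:
        return layers                       # IPv6, VLAN tags etc. are not handled here

    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, s_ip, d_ip = struct.unpack(
        "!BBHHHBBH4s4s", payload[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(payload) < total_len:
        raise ValueError("malformed IPv4 header")
    layers["packet"] = {"src": ".".join(map(str, s_ip)), "dst": ".".join(map(str, d_ip)),
                        "protocol": proto, "protocol_name": IP_PROTO_NAMES.get(proto, "?"),
                        "ttl": ttl}
    body = payload[ihl:total_len]           # the packet's payload, whatever protocol it is

    if proto == IPPROTO_TCP and len(body) >= 14:
        sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", body[:14])
        layers["segment"] = {"src_port": sport, "dst_port": dport, "syn": bool(flags & 0x02)}
    elif proto == IPPROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        layers["datagram"] = {"src_port": sport, "dst_port": dport}
    elif proto in (IPPROTO_ICMP, IPPROTO_IGMP) and len(body) >= 4:
        # Control protocols carried directly in IP: a type and a code, but no ports.
        layers[IP_PROTO_NAMES[proto].lower()] = {"type": body[0], "code": body[1]}
    return layers


def transport_ports(frame: bytes):
    """(src_port, dst_port) for TCP/UDP, or None when there is no transport layer."""
    layers = parse_frame(frame)
    pdu = layers.get("segment") or layers.get("datagram")
    return (pdu["src_port"], pdu["dst_port"]) if pdu else None


# --- constructed sample frames (made-up MACs and hosts, checksums left at 0) ---
def _ip(s):
    return bytes(int(o) for o in s.split("."))


def ethernet(ethertype, payload, dst=b"\x00\x11\x22\x33\x44\x55", src=b"\x66\x77\x88\x99\xaa\xbb"):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def ipv4(proto, body, src="10.5.1.10", dst="10.5.1.20"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0x4000, 64,
                       proto, 0, _ip(src), _ip(dst)) + body


NNTP_SYN = ethernet(ETHERTYPE_IPV4, ipv4(IPPROTO_TCP,
           struct.pack("!HHIIBBHHH", 40000, 119, 0, 0, 0x50, 0x02, 65535, 0, 0)))
ICMP_ECHO = ethernet(ETHERTYPE_IPV4, ipv4(IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1)))
IGMP_REPORT = ethernet(ETHERTYPE_IPV4, ipv4(IPPROTO_IGMP,
              struct.pack("!BBH4s", 0x16, 0, 0, _ip("224.0.0.251")), dst="224.0.0.251"))
ARP_REQUEST = ethernet(ETHERTYPE_ARP, struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
              b"\x66\x77\x88\x99\xaa\xbb", _ip("10.5.1.10"), b"\x00" * 6, _ip("10.5.1.20")),
              dst=b"\xff" * 6)

if __name__ == "__main__":
    for name, f in [("NNTP", NNTP_SYN), ("ICMP", ICMP_ECHO), ("IGMP", IGMP_REPORT), ("ARP", ARP_REQUEST)]:
        print(name, list(parse_frame(f)), "ports:", transport_ports(f))
```

Run stand-alone it prints the layer keys present in each frame: the NNTP frame yields frame, packet and segment with destination port 119; the ICMP and IGMP frames stop at packet plus a type/code; the ARP frame never produces a packet at all. This is also the view a packet filter has: ports are only meaningful once the IP protocol field says TCP or UDP.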