ISC2: Cybersecurity Certifications Exam QA: Part4

Mahender Kumar
10 min read · Jul 9, 2024


Q1: What type of device filters network traffic in order to enhance overall security/performance?

  1. Endpoint
  2. MAC (Media Access Control)
  3. Laptop
  4. Firewall

Ans: The type of device that filters network traffic in order to enhance overall security and performance is a firewall.

Explanation:

  • Firewall: A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks (such as the Internet), filtering traffic to prevent unauthorized access, malware, and other threats from entering or exiting the network.
  • Endpoint: An endpoint is a device that communicates on the network, such as a workstation, server or phone. It is something a firewall protects rather than a filtering device; a host firewall can filter the endpoint's own traffic, but it cannot filter traffic between other systems.
  • MAC (Media Access Control): A MAC address is the unique identifier of a network interface at the data link layer of the OSI model. It is an identifier, not a device. Switches and wireless access points can filter by MAC address, but that is a weak control because the sender can set its MAC address to anything it likes.
  • Laptop: A laptop is one kind of endpoint: a portable computer that connects to a network. It is not a dedicated network security device designed to filter traffic.
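The firewall's job in one sentence is "evaluate each packet against an ordered rule list and let the first match decide". The following added example (written for this page, not taken from ISC2 material) shows that logic on constructed packets, including the classic mistake of leaving a broad "temporary" rule at the top of the list. Addresses and the rule set are assumed, drawn from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form; "0.0.0.0/0" means any
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # None matches every destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: the first rule that matches decides.
    A packet that matches nothing is dropped (implicit default deny)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Assumed topology: web server 203.0.113.10 in a DMZ, corporate LAN 10.0.0.0/8.
DMZ_POLICY = [
    Rule("allow", "tcp", "0.0.0.0/0",  "203.0.113.10/32", 443,  "public HTTPS to the web server"),
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", 22,   "SSH to the web server from the LAN only"),
    Rule("deny",  "any", "0.0.0.0/0",  "0.0.0.0/0",       None, "explicit catch-all deny, logged"),
]

# Same rules with a broad "temporary" rule left at the top: every rule below it is shadowed.
MISORDERED_POLICY = [
    Rule("allow", "any", "0.0.0.0/0", "203.0.113.0/24", None, "temporary: allow all to DMZ")
] + DMZ_POLICY


if __name__ == "__main__":
    ssh_from_internet = Packet("tcp", "198.51.100.4", "203.0.113.10", 22)
    print(evaluate(DMZ_POLICY, ssh_from_internet))         # ('deny', 2)
    print(evaluate(MISORDERED_POLICY, ssh_from_internet))  # ('allow', 0)
```

The second policy is the thing to check for in a real rule base: a permissive rule above restrictive ones turns the restrictive ones into dead rules, and the firewall will happily report "allowed by rule 0" for traffic the administrator believes is blocked.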

Q2: What protocol should Barry use when he wants to upload a series of files to a web-based storage service?

  1. SFTP (Secure File Transfer Protocol)
  2. SMTP (Simple Mail Transfer Protocol)
  3. SNMP (Simple Network Management Protocol)
  4. FTP (File Transfer Protocol)

Ans: Barry should use SFTP (Secure File Transfer Protocol) to upload the files.

Explanation:

  • SFTP (Secure File Transfer Protocol): SFTP transfers and manages files over an SSH session, so the login credentials and the file contents are encrypted in transit and the server is authenticated by its host key. It does the same job as FTP (uploading a series of files and managing them on the remote server) without exposing Barry's password or data to anyone who can observe the traffic.
  • FTP (File Transfer Protocol): FTP is the original, unencrypted file transfer protocol. It moves files between a client and a server over TCP, but it sends the username, password and the files themselves in cleartext, so anyone on the path can capture them. It is the insecure protocol that SFTP replaces and is the wrong choice when a secure alternative is offered.
  • SMTP (Simple Mail Transfer Protocol): SMTP is a protocol used for sending email messages between servers. It is not designed for file transfers or uploading files to a storage service.
  • SNMP (Simple Network Management Protocol): SNMP is a protocol used for network management and monitoring. It is not used for file transfers or uploading files to storage services.

Q3: What type of device, typically accessed by multiple users and often intended for a single purpose, such as managing email or web pages, is referred to as?

  1. Laptop
  2. Server
  3. Switch
  4. Router

Ans: The type of device typically accessed by multiple users and often intended for a single purpose, such as managing email or web pages, is referred to as a server.

Explanation:

  • Server: A server is a computer or device on a network that manages network resources. Servers are designed to handle specific tasks such as hosting websites, managing email services, storing files, or running applications. They are accessed by multiple users or client devices over the network to perform these centralized functions.
  • Laptop: A laptop is a portable computer device designed for individual use, typically by a single user. It is not usually intended to serve network resources to multiple users.
  • Switch: A switch is a networking device that connects devices within a local area network (LAN) and forwards data to the appropriate destination device based on the MAC address. Switches facilitate communication between devices within a network but do not typically provide server-like functionalities.
  • Router: A router is a networking device that forwards data packets between computer networks. Routers connect different networks (such as a local network to the Internet) and determine the best path for data to travel. While routers are critical for network communication, they do not serve specific applications or resources in the same way servers do.

Q4: Carol is browsing the Web. Which of the following ports is she probably using?

  1. 999
  2. 80
  3. 12
  4. 247

Ans: Carol is probably using port 80.

Explanation:

  • Port 80: Port 80 is the well-known port for HTTP (Hypertext Transfer Protocol), so a plain-HTTP browsing session from Carol's browser (client) to the web server uses destination port 80. In practice most browsing today is HTTPS on port 443, but 443 is not among the choices, so 80 is the only web port offered.
  • Port 999: Not a web port; it has no association with HTTP or HTTPS.
  • Port 12: Not a web port; it is a low-numbered port with no relation to HTTP.
  • Port 247: Not a web port either; nothing in ordinary web browsing uses it.

Q5: Cyril wants to ensure all the devices on his company’s internal IT environment are properly synchronized. Which of the following protocols would aid in this effort?

  1. FTP
  2. NTP (Network Time Protocol)
  3. HTTP (Hypertext Transfer Protocol)
  4. SMTP (Simple Mail Transfer Protocol)

Ans: The protocol that would aid Cyril in ensuring all the devices on his company’s internal IT environment are properly synchronized is NTP (Network Time Protocol).

Explanation:

  • NTP (Network Time Protocol): NTP synchronizes the clocks of computers and other devices on a network against designated time servers, so every device keeps the same accurate time. This matters for security as much as for operations: correlating logs across systems, the validity windows of certificates and Kerberos tickets, and time-based one-time passwords all depend on it. Plain NTP is unauthenticated, so clients should be pointed at trusted internal servers or use authenticated NTP/NTS rather than arbitrary Internet hosts.
  • FTP (File Transfer Protocol): FTP is used for transferring files between a client and a server over a network. It is not related to time synchronization and does not aid in ensuring devices are properly synchronized.
  • HTTP (Hypertext Transfer Protocol): HTTP is used for transferring hypertext requests and responses between clients and servers. It is the foundation of data communication for the World Wide Web but does not deal with time synchronization.
  • SMTP (Simple Mail Transfer Protocol): SMTP is used for sending email messages between servers. It is not related to time synchronization and does not assist in ensuring devices are synchronized with accurate time.
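To show what "synchronize with a time server" actually involves, here is an added example (not from the page or from ISC2) that builds an NTP client request, parses a constructed server reply, and applies the standard RFC 5905 offset and delay formulas. The timestamps are constructed: the client clock is five seconds behind the server and each network leg takes 0.1 s. The check on the originate timestamp is the minimum sanity test a client should do before trusting a reply.

```python
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
# 48-byte NTPv4 header: LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then four 64-bit timestamps (reference, originate, receive, transmit) as (sec, frac) pairs.
PACKET_FMT = "!BBbbIIIIIIIIIII"


def to_ntp(unix_ts):
    """Unix float seconds -> NTP 32.32 fixed-point (seconds, fraction)."""
    secs = int(unix_ts)
    frac = int(round((unix_ts - secs) * (1 << 32)))
    if frac == 1 << 32:          # rounding carried into the next second
        secs, frac = secs + 1, 0
    return secs + NTP_EPOCH_OFFSET, frac


def from_ntp(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_client_request(t1):
    """Mode 3 (client) request: only the transmit timestamp t1 is meaningful."""
    return struct.pack(PACKET_FMT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, *to_ntp(t1))


def build_server_response(t1, t2, t3, stratum=2):
    """Constructed mode 4 (server) reply: echoes t1 as originate, stamps receive t2 and transmit t3."""
    return struct.pack(PACKET_FMT, 0x24, stratum, 0, 0, 0, 0, 0, 0, 0,
                       *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))


def compute_offset(response, t1, t4):
    """Check that the reply answers our request, then apply the RFC 5905 formulas.
    t1 = our transmit time, t4 = our receive time, both read from the local clock."""
    f = struct.unpack(PACKET_FMT, response)
    if f[0] & 0x07 != 4:
        raise ValueError("not a server (mode 4) reply")
    if f[1] == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    if abs(from_ntp(f[9], f[10]) - t1) > 1e-6:
        raise ValueError("originate timestamp does not match our request: stale or spoofed reply")
    t2 = from_ntp(f[11], f[12])
    t3 = from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2     # how far the local clock is behind the server
    delay = (t4 - t1) - (t3 - t2)            # round-trip network delay, server processing excluded
    return offset, delay


if __name__ == "__main__":
    reply = build_server_response(t1=1000.0, t2=1005.1, t3=1005.2)
    print(compute_offset(reply, t1=1000.0, t4=1000.3))   # offset ~5.0 s, delay ~0.2 s
```

The originate check is what stops an off-path attacker from feeding the client a forged reply: without knowing the exact transmit timestamp of the outstanding request, a spoofed packet fails the comparison and is discarded. Production clients (chrony, ntpd) additionally filter outliers over many samples and can require authenticated packets.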

Q6: Ludwig is a security analyst at Triffid, Inc. Ludwig notices network traffic that might indicate an attack designed to affect the availability of the environment. Which of the following might be the attack Ludwig sees?

  1. An insider sabotaging the power supply
  2. Exfiltrating stolen data
  3. Spoofing
  4. DDOS (distributed denial of service)

Ans: The attack that Ludwig might be seeing, which is designed to affect the availability of the environment, is DDoS (distributed denial of service).

Explanation:

  • DDoS (distributed denial of service): DDoS attacks are designed to overwhelm a target system, network, or service with a flood of internet traffic. This flood of traffic can consume available bandwidth, processing power, or other resources, causing the targeted system to become slow or unavailable to legitimate users. DDoS attacks are aimed at disrupting the availability of the targeted service or network.
  • An insider sabotaging the power supply: This is a physical security threat rather than a network-based attack. While it can certainly affect availability, it is not typically associated with network traffic analysis by a security analyst.
  • Exfiltrating stolen data: This refers to unauthorized extraction of data from a network or system, which compromises confidentiality rather than availability.
  • Spoofing: Spoofing is falsifying an identity or address to impersonate another entity. It is a technique rather than a goal: forged source addresses are often used inside a DDoS, but "spoofing" on its own does not describe an attack on availability.

Q7: Gary is an attacker. Gary is able to get access to the communication wire between Dauphine’s machine and Linda’s machine and can then surveil the traffic between the two when they’re communicating. What kind of attack is this?

  1. Side channel
  2. Physical
  3. On-path
  4. DDOS

Ans: The kind of attack Gary is conducting is an on-path attack.

Explanation:

  • On-path attack: In an on-path attack, the attacker gains access to the communication path between two communicating parties (Dauphine’s machine and Linda’s machine, in this case). By doing so, Gary can intercept and monitor the traffic flowing between them. This type of attack is also known as a man-in-the-middle (MitM) attack, where the attacker positions themselves between the communication flow to intercept, eavesdrop on, or modify the data exchanged between the two parties.
  • Side channel attack: A side channel attack typically involves exploiting unintended information leakage from a system or device, such as monitoring electromagnetic emissions, power consumption, or timing information to gain information about the system’s operation. It’s not directly related to intercepting communication between two machines.
  • Physical attack: A physical attack targets hardware or facilities directly, for example stealing a machine or tampering with its components. Tapping the cable is how Gary gets onto the path, but the attack is classified by what he does with that position: intercepting the conversation between the two machines.
  • DDoS (distributed denial of service): DDoS attacks are aimed at overwhelming a target system or network with a flood of traffic to disrupt its availability, which is not the case described here where Gary is monitoring communication.
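Gary taps the wire, but on a switched LAN the usual way to become on-path is ARP cache poisoning: the attacker answers ARP for the gateway and for the victim so both send their traffic through the attacker's interface. This added example (written for this page; the log and addresses are constructed, and the attack is ARP poisoning rather than the cable tap in the question) shows the two signals a detector such as arpwatch looks for: an IP whose MAC changes, and one MAC answering for more than one IP.

```python
import re
from collections import defaultdict

# Constructed ARP reply log in a tcpdump-like shape: "<seconds> reply <ip> is-at <mac>". Not a real capture.
# 10.0.0.1 is the gateway, 10.0.0.23 a workstation, de:ad:be:ef:00:99 the attacker's interface.
ARP_LOG = """\
0.00 reply 10.0.0.1 is-at 00:11:22:aa:bb:01
0.50 reply 10.0.0.23 is-at 00:11:22:aa:bb:23
1.00 reply 10.0.0.1 is-at 00:11:22:aa:bb:01
2.00 reply 10.0.0.1 is-at de:ad:be:ef:00:99
2.01 reply 10.0.0.23 is-at de:ad:be:ef:00:99
3.00 reply 10.0.0.1 is-at de:ad:be:ef:00:99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) reply (?P<ip>\d+(?:\.\d+){3}) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def detect_arp_spoofing(log_text):
    """Two signs that a host is inserting itself on the path:
    (1) an IP's MAC changes from the first-learned value (poisoning replies);
    (2) one MAC answers for more than one IP, typically the gateway and a victim."""
    learned = {}                 # ip -> first MAC seen for it
    claims = defaultdict(set)    # mac -> IPs it has claimed
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, mac = float(m["ts"]), m["ip"], m["mac"].lower()
        if ip in learned and learned[ip] != mac:
            alerts.append({"ts": ts, "kind": "ip-mac-changed", "ip": ip, "old": learned[ip], "new": mac})
        learned.setdefault(ip, mac)
        before = len(claims[mac])
        claims[mac].add(ip)
        if len(claims[mac]) > 1 and len(claims[mac]) > before:
            alerts.append({"ts": ts, "kind": "mac-claims-multiple-ips", "mac": mac, "ips": sorted(claims[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_LOG):
        print(alert)
```

A MAC change on its own has benign explanations (a replaced NIC, or a VRRP/HSRP virtual MAC moving between routers), so the second signal, one MAC claiming both the gateway and a host within milliseconds, is the one worth paging on. The durable defence against the attack itself is end-to-end encryption with server authentication (TLS, SSH), which leaves an on-path attacker with nothing readable even when the poisoning succeeds.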

Q8: Bert wants to add a flashlight capability to a smartphone. Bert searches the internet for a free flashlight app, and downloads it to the phone. The app allows Bert to use the phone as a flashlight, but also steals Bert’s contacts list. What kind of app is this?

  1. Side channel
  2. Trojan
  3. DDOS
  4. On-path

Ans: The app that Bert downloaded, which allows him to use the phone as a flashlight but also steals Bert’s contacts list, is a Trojan.

Explanation:

  • Trojan: A Trojan (short for Trojan horse) is a type of malicious software disguised as a legitimate program. In this scenario, the flashlight app appears to provide a useful function (acting as a flashlight), but it also includes malicious functionality to steal Bert’s contacts list without his knowledge or consent. Trojans often trick users into installing them by masquerading as harmless or beneficial software.
  • Side channel attack: A side channel attack involves exploiting unintended information leakage from a system or device, such as monitoring electromagnetic emissions or timing information. It’s not applicable in the context of downloading and using a malicious app.
  • DDoS (distributed denial of service): DDoS attacks are aimed at overwhelming a target system or network with a flood of traffic to disrupt its availability, which is not related to the behavior of the app described.
  • On-path attack: An on-path attack involves intercepting and eavesdropping on communication between two parties, which is not applicable to this scenario of a malicious app stealing contacts.
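The practical check against a Trojan of this kind is to compare what the app asks for with what its stated purpose needs. As an added example (not from the page and not a real app), the block below parses a constructed Android manifest and flags two things: permissions a torch app has no reason to hold, and the pairing of a data-reading permission with a network permission, which is the capability needed to steal the contacts list. The expected-permission baseline for a flashlight is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifests, not real apps. The first matches the app in the question.
FLASHLIGHT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freetorch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.plaintorch">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

# Assumed baseline: what a torch app plausibly needs. Anything else is "excess" and must be justified.
EXPECTED = {"flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}}
# Permissions that read user data, and permissions that give the app a way to send it off the device.
DATA_READ = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
             "android.permission.READ_CALL_LOG", "android.permission.READ_EXTERNAL_STORAGE",
             "android.permission.ACCESS_FINE_LOCATION"}
EGRESS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def declared_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def assess(manifest_xml, category):
    perms = declared_permissions(manifest_xml)
    excess = perms - EXPECTED[category]
    # Every (read, egress) pair is a complete exfiltration capability, whatever the app claims to do.
    exfil_paths = sorted((d, e) for d in perms & DATA_READ for e in perms & EGRESS)
    verdict = "suspicious" if exfil_paths else ("review" if excess else "ok")
    return {"excess": sorted(excess), "exfil_paths": exfil_paths, "verdict": verdict}


if __name__ == "__main__":
    print(assess(FLASHLIGHT_MANIFEST, "flashlight"))
    print(assess(BENIGN_MANIFEST, "flashlight"))
```

The rule deliberately reasons about capability rather than intent: a manifest cannot tell you that the app will upload the contacts, but it can tell you that nothing stops it from doing so, which is the point at which a flashlight app should be rejected.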

Q9: Triffid, Inc., has many remote workers who use their own IT devices to process Triffid’s information. The Triffid security team wants to deploy some sort of sensor on user devices in order to recognize and identify potential security issues. Which of the following is probably most appropriate for this specific purpose?

  1. LIDS (logistical intrusion-detection systems)
  2. NIDS (network-based intrusion-detection systems)
  3. HIDS (host-based intrusion-detection systems)
  4. Firewalls

Ans: For Triffid, Inc.’s scenario where remote workers use their own devices (BYOD) to process company information, the most appropriate solution to deploy on user devices to recognize and identify potential security issues would be HIDS (host-based intrusion-detection systems).

Explanation:

  • HIDS (host-based intrusion-detection systems): A HIDS is software installed on an individual device (host) that monitors activity on that host: file and configuration changes, process and application activity, logins, and other events that may indicate unauthorized access or malicious activity. It suits remote workers because it sees what happens locally on each device, wherever the device is and whatever network it is on. Because these devices are employee-owned, the agent's scope and the data it collects need to be agreed in the BYOD policy.
  • LIDS (logistical intrusion-detection systems): This is not a real category of security product; the term is a distractor.
  • NIDS (network-based intrusion-detection systems): NIDS are deployed at strategic points within the network to monitor and analyze network traffic for suspicious patterns or anomalies. While NIDS are valuable for monitoring network-wide activities, they are not ideal for monitoring activities on individual user devices.
  • Firewalls: Firewalls are network security devices that monitor and control incoming and outgoing network traffic based on predetermined security rules. They are crucial for protecting network boundaries but do not provide the detailed host-level monitoring required for individual device security.
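One of the core functions of a HIDS (OSSEC/Wazuh and AIDE both do this) is file integrity monitoring: record a hash and metadata baseline for sensitive files, then report anything added, removed or altered. This added example (written for this page, not taken from any of those products) implements that loop and runs it against a constructed scenario in a temporary directory: a hosts-file hijack, a dropped cron job, and a deleted hardening setting. File names are assumed for the scenario.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """relative POSIX path -> {sha256, size, mode} for every regular file under root (symlinks skipped)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": hash_file(full), "size": st.st_size, "mode": st.st_mode & 0o7777}
    return snap


def diff_snapshots(baseline, current):
    """What the agent reports on its next check: files added, deleted, or changed in content, size or mode."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def run_demo():
    """Constructed scenario: take a baseline, tamper with the tree, return the diff the agent would raise."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "etc/ssh/sshd_config", "PasswordAuthentication no\n")
        baseline = snapshot(root)
        _write(root, "etc/hosts", "127.0.0.1 localhost\n203.0.113.9 bank.example\n")   # hosts-file hijack
        _write(root, "etc/cron.d/updater", "* * * * * root /tmp/.x\n")                  # persistence dropped
        os.remove(os.path.join(root, "etc", "ssh", "sshd_config"))                      # hardening removed
        return diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

The baseline is only as trustworthy as its storage: an attacker with administrative rights on the host can rewrite it along with the files, which is why real agents ship baselines and alerts to a central server the host cannot modify.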

Q10: Inbound traffic from an external source seems to indicate much higher rates of communication than normal, to the point where the internal systems might be overwhelmed. Which security solution can often identify and potentially counter this risk?

  1. Firewall
  2. Turnstile
  3. Anti-malware
  4. Badge system

Ans: The security solution that can often identify and potentially counter the risk of inbound traffic overwhelming internal systems is a Firewall.

Explanation:

  • Firewall: Firewalls are network security devices that monitor and control incoming and outgoing traffic according to predetermined rules, acting as a barrier between a trusted internal network and untrusted external networks such as the Internet. Because they inspect traffic at the boundary, they can identify an abnormal inbound rate and apply rate limits or block the offending sources, which is what makes a firewall the answer among the options given. The practical caveat is that a large volumetric DDoS saturates the upstream link before the packets reach the firewall, so identifying the flood locally does not restore service; countering it at scale requires rate limiting or scrubbing at the ISP or a DDoS protection service.
  • Turnstile: A turnstile is a physical access control device used to manage passage through an entry point. It is not relevant to monitoring or mitigating network traffic.
  • Anti-malware: Anti-malware software is designed to detect and remove malicious software, such as viruses, worms, and Trojans, from computer systems. While important for endpoint security, anti-malware is not specifically designed to handle network traffic monitoring or mitigate high volumes of incoming traffic.
  • Badge system: A badge system is typically used for physical access control, where individuals use badges or credentials to gain entry to secure areas. It is unrelated to network security or mitigating high rates of inbound network traffic.
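Both the traffic Ludwig notices in Q6 and the inbound surge in Q10 come down to the same detection: packet rate per window, broken down by source. The following added example (written for this page; the flow records are constructed, not real traffic) distinguishes the case a firewall can counter on its own, one source far above a per-source threshold, from a distributed flood where no single source is heavy but the aggregate is, and where a per-address block list does nothing useful. Thresholds and addresses are assumptions.

```python
from collections import Counter, defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, packets). Not real traffic.
BASELINE = [(float(t), src, "10.0.0.5", 443, 3)
            for t in range(30) for src in ("192.0.2.10", "192.0.2.11", "192.0.2.12")]
# 500 packets within second 10 from one host: classic single-source flood.
SINGLE_SOURCE_FLOOD = [(10.0 + i * 0.01, "198.51.100.7", "10.0.0.5", 443, 5) for i in range(100)]
# 1200 packets within second 20 spread over 250 hosts, at most 6 packets each: distributed flood.
DISTRIBUTED_FLOOD = [(20.0 + i * 0.001, f"203.0.113.{i % 250}", "10.0.0.5", 443, 3) for i in range(400)]
SAMPLE_FLOWS = BASELINE + SINGLE_SOURCE_FLOOD + DISTRIBUTED_FLOOD


def detect_floods(flows, window=1.0, per_source_limit=100, aggregate_limit=1000):
    """Bucket packets into fixed windows and flag a window either because one source exceeds
    per_source_limit (blockable by address) or because the total exceeds aggregate_limit
    while no single source stands out (distributed)."""
    buckets = defaultdict(Counter)
    for ts, src, _dst, _dport, pkts in flows:
        buckets[int(ts // window)][src] += pkts
    alerts = []
    for b in sorted(buckets):
        per_src = buckets[b]
        total = sum(per_src.values())
        heavy = sorted(ip for ip, n in per_src.items() if n > per_source_limit)
        if heavy:
            alerts.append({"window_start": b * window, "kind": "single-source",
                           "packets": total, "sources": heavy})
        elif total > aggregate_limit:
            alerts.append({"window_start": b * window, "kind": "distributed",
                           "packets": total, "source_count": len(per_src)})
    return alerts


def block_list(alerts):
    """Addresses a firewall rule can usefully drop. Distributed floods contribute nothing:
    blocking hundreds of addresses one by one does not free the saturated link."""
    return {ip for a in alerts if a["kind"] == "single-source" for ip in a["sources"]}


if __name__ == "__main__":
    found = detect_floods(SAMPLE_FLOWS)
    for alert in found:
        print(alert)
    print("block:", block_list(found))
```

The per-source threshold and the aggregate threshold should be derived from the baseline (here the quiet windows carry 9 packets per second), and the distributed alert is the one that should trigger the upstream escalation path rather than a local rule change.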

— — — — — — — — — — — — — — — — — — — — — — — — -

Read more

ISC2: Cybersecurity Certifications Exam QA: Part1

ISC2: Cybersecurity Certifications Exam QA: Part2

ISC2: Cybersecurity Certifications Exam QA: Part3


Written by Mahender Kumar

Research Fellow | PhD | Cyber security | Artificial Intelligence | Homomorphic Encryption