GSNA GIAC Systems and Network Auditor Questions and Answers

Removing the IPP printing capability from a server is a good countermeasure against an IIS buffer overflow attack. A Network Administrator should take the following steps to prevent a Web server from IIS buffer overflow attacks: Conduct frequent scans for server vulnerabilities. Install the upgrades of Microsoft service packs. Implement effective firewalls. Apply URLScan and IISLockdown utilities. Remove the IPP printing capability. Answer: B is incorrect. The following are the DNS zone transfer countermeasures: Do not allow DNS zone transfer using the DNS property sheet:

a. Open DNS.

b. Right-click a DNS zone and click Properties.

c. On the Zone Transfer tab, clear the Allow zone transfers check box.

Configure the master DNS server to allow zone transfers only from secondary DNS servers:

a. Open DNS.

b. Right-click a DNS zone and click Properties.

c. On the zone transfer tab, select the Allow zone transfers check box, and then do one of the following:

To allow zone transfers only to the DNS servers listed on the name servers tab, click on the Only to the servers listed on the Name Server tab. To allow zone transfers only to specific DNS servers, click Only to the following servers, and add the IP address of one or more servers. Deny all unauthorized inbound connections to TCP port 53. Implement DNS keys and encrypted DNS payloads. Answer: D is incorrect. The following are the countermeasures against SNMP enumeration:

1. Removing the SNMP agent or disabling the SNMP service

2. Changing the default PUBLIC community name when ' shutting off SNMP ' is not an option

3. Implementing the Group Policy security option called Additional restrictions for anonymous connections

4. Restricting access to NULL session pipes and NULL session shares

5. Upgrading SNMP Version 1 with the latest version 6.Implementing Access control list filtering to allow only access to the read-write community from approved stations or subnets Answer: A is incorrect.

NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities: 1.Removing the SNMP agent or disabling the SNMP service 2.Changing the default PUBLIC community name when ' shutting off SNMP ' is not an option 3.Implementing the Group Policy security option called Additional restrictions for anonymous connections 4.Restricting access to NULL session pipes and NULL session shares 5.Upgrading SNMP Version 1 with the latest version 6.Implementing Access control list filtering to allow only access to the read-write community from approved stations or subnets nswer option A is incorrect. NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the nfrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities:

1. Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a Network Administrator.

2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.

3. A Network Administrator can also restrict the anonymous user by editing the registry values:

a.Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA. b.Choose edit > add value. Value name: RestrictAnonymous Data Type: REG_WORD Value: 2

Enum is a console-based Win32 information enumeration utility. It uses null sessions to retrieve user lists, machine lists, share lists, name lists, group and member lists, passwords, and LSA policy information. It is also capable of performing brute force and dictionary attacks on individual accounts. Since the Enum tool works on the NetBIOS NULL sessions, disabling the NetBIOS port can be a good countermeasure against the Enum tool.

The fdisk command is a menu-based command available with Unix for hard disk configuration. This command can perform the following tasks: Delete a partition on a hard disk. Create a partition on a hard disk. Change the partition type. Display the partition table. Answer: B is incorrect. In Unix, the exportfs command is used to set up filesystems to export for nfs (network file sharing). Answer: A is incorrect. In Unix, the fdformat command formats a floppy disk. Answer: C is incorrect. In Unix, the fsck command is used to add new blocks to a filesystem. This command must not be run on a mounted file system.

Corrective controls are used after a security breach. After security has been breached, corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible. Answer: D is incorrect. Before the event, preventive controls are intended to prevent an incident from occurring, e.g. by locking out unauthorized intruders. Answer: B is incorrect. During the event, detective controls are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or the police. Answer: A is incorrect. Safeguards are those controls that provide some amount of protection to an asset.

The < auth-constraint > element is a sub-element of the < security-constraint > element. It defines the roles that are allowed to access the Web resources specified by the < web-resource-collection > sub-elements. The < auth-constraint > element is written in the deployment descriptor as follows: < security-constraint > < web-resource-collection > ---------------- < /web-resource-collection > < auth-constraint > < role-name > Administrator < /role-name > < /auth-constraint > < /security-constraint > Writing Administrator within the < role-name > element will allow only the administrator to have access to the resource defined within the < web-resource-collection > element.

A Cascading Style Sheet (CSS) is a separate text file that keeps track of design and formatting information, such as colors, fonts, font sizes, and margins, used in Web pages. CSS is used to provide Web site authors greater control on the appearance and presentation of their Web pages. It has codes that are interpreteA, Dpplied by the browser on to the Web pages and their elements. CSS files have .css extension.

There are three types of Cascading Style Sheets: External Style Sheet Embedded Style Sheet Inline Style Sheet

You will have to disable anonymous authentication. This will prevent unauthorized users from accessing the FTP server. Anonymous authentication (anonymous access) is a method of authentication for Websites. Using this method, a user can establish a Web connection to the IIS server without providing a username and password. Hence, this is an insecure method of authentication. This method is generally used to permit unknown users to access the Web or FTP server directories. Answer: D is incorrect. Enabling anonymous authentication will allow all the users to access the server. Answer: B is incorrect. Stopping the FTP service on the server will prevent all the users from accessing the FTP server. Answer: C is incorrect. Disabling the network adapter on the FTP server will disconnect the server from the network.

Ekahau is an easy-to-use powerful and comprehensive tool for network site surveys and optimization. It is an auditing tool that can be used to pinpoint the actual physical location of wireless devices in the network. This tool can be used to make a map of the office and then perform the survey of the office. In the process, if one finds an unknown node, ekahau can be used to locate that node. Answer: D is incorrect. AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys.

Answer: A is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks: To identify networks by passively collecting packets To detect standard named networks To detect masked networks To collect the presence of non-beaconing networks via data traffic Answer: C is incorrect. WEPcrack is a wireless network cracking tool that exploits the vulnerabilities in the RC4 Algorithm, which comprises the WEP security parameters. It mainly consists of three tools, which are as follows: WeakIVGen: It allows a user to emulate the encryption output of 802.11 networks to weaken the secret key used to encrypt the network traffic. Prism-getIV: It analyzes packets of information until ultimately matching patterns to the one known to decrypt the secret key. WEPcrack: It pulls the all beneficial data of WeakIVGen and Prism-getIV to decipher the network encryption.

Structure mining is used to examine data related to the structure of a particular Web site. Answer: D is incorrect. Usage mining is used to examine data related to a particular user ' s browser as well as data gathered by forms the user may have submitted during Web transactions.

In order to enable email communication, you will have to open ports 25 and 110. Port 25 is used by SMTP to send emails. Port 110 is used by POP3 to receive emails.

A multidimensional database (MDB) is a type of database that is optimized for data warehouse and Online Analytical Processing (OLAP) applications. Multidimensional databases are frequently created using input from existing relational databases. Whereas a relational database is typically accessed using a Structured Query Language (SQL) query, a multidimensional database allows a user to ask questions like " How many Aptivas have been sold in Nebraska so far this year? " and similar questions related to summarizing business operations and trends. An OLAP application that accesses data from a multidimensional database is known as a MOLAP (multidimensional OLAP) application. Answer: C is incorrect. A multidimensional database is frequently created using input from existing relational databases.

Using CAPTCHA or restricting the number of login attempts are good countermeasures against a brute force attack.

According to the scenario, John is a root user. Hence, the value of the environmental variables $USER and $UID will be root and 0, respectively.

NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities: 1.Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a Network Administrator. 2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface. 3. A Network Administrator can also restrict the anonymous user by editing the registry values: a.Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA. b.Choose edit > add value. Value name: RestrictAnonymous Data Type: REG_WORD Value: 2 Answer: A is incorrect. TCP port 53 is the default port for DNS zone transfer. Although disabling it can help restrict DNS zone transfer enumeration, it is not useful as a countermeasure against the NetBIOS NULL session enumeration.

WPA with 802.1X authentication provides best wireless security mechanism. 802.1X authentication, also known as WPA-Enterprise, is a security mechanism for wireless networks. 802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server. The supplicant is often software on a client device, the authenticator is a wired Ethernet switch or wireless access point, and an authentication server is generally a RADIUS database. The authenticator acts like a security guard to a protected network. The supplicant (client device) is not allowed access through the authenticator to the protected side of the network until the supplicant ' s identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

C:\Documents and Settings\user-nwz\Desktop\1.JPG

Answer: A is incorrect. Wired equivalent privacy (WEP) uses the stream cipher RC4 (Rivest Cipher). WEP uses the Shared Key Authentication, since both the access point and the wireless device possess the same key. Attacker with enough Initialization Vectors can crack the key used and gain full access to the network. Answer: D is incorrect. WPA-PSK is a strong encryption where encryption keys are automatically changed (called rekeying) and authenticated between devices after a fixed period of time, or after a fixed number of packets has been transmitted. Answer: C is incorrect. WAP uses TKIP (Temporal Key Integrity Protocol) to enhance data encryption, but still vulnerable to different password cracking attacks.

There are several denial of service (DoS) attacks that specifically use broadcast traffic to flood a targeted computer. Seeing an unexplained spike in broadcast traffic could be an indicator of an attempted denial of service attack. Answer: D is incorrect. Viruses can cause an increase in network traffic, and it is possible for that to be broadcast traffic. However, a DoS attack is more likely than a virus to cause this particular problem. Answer: C is incorrect. A syn flood does not cause increased broadcast traffic. Answer: A is incorrect. A misconfigured router could possibly cause an increase in broadcast traffic. However, this a recent problem, the router is unlikely to be the issue.

xplanation: Anonymizers have the following limitations: 1.HTTPS: Secure protocols such as ' https: ' cannot be properly anonymized, as the browser needs to access the site directly to properly maintain the secure encryption. 2.Plugins: If an accessed site invokes a third-party plugin, there is no guarantee of an established independent direct connection from the user computer to a remote site. 3.Java: Any Java application accessed through an anonymizer will not be able to bypass the Java security wall. 4.ActiveX: ActiveX applications have almost unlimited access to the user ' s computer system. 5.JavaScript: The JavaScript scripting language is disabled with URL-based anonymizers.

A stateful firewall is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected. Answer: B is incorrect. A host-based application firewall can monitor any application input, output, and/or system service calls made from, to, or by an application. This is done by examining information passed through system calls instead of, or in addition to, a network stack. A host-based application firewall can only provide protection to the applications running on the same host. An example of a host-based application firewall that controls system service calls by an application is AppArmor or the Mac OS X application firewall. Host-based application firewalls may also provide network-based application firewalling. Answer: A is incorrect. A network-based application layer firewall, also known as a proxy-based or reverse-proxy firewall, is a computer networking firewall that operates at the application layer of a protocol stack. Application firewalls specific to a particular kind of network traffic may be titled with the service name, such as a Web application firewall. They may be implemented through software running on a host or a stand-alone piece of network hardware. Often, it is a host using various forms of proxy servers to proxy traffic before passing it on to the client or server. Because it acts on the application layer, it may inspect the contents of the traffic, blocking specified content, such as certain websites, viruses, and attempts to exploit known logical flaws in client software. Answer: C is incorrect. An application firewall is a form of firewall that controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall. The application firewall is typically built to monitor one or more specific applications or services (such as a web or database service), unlike a stateful network firewall, which can provide some access controls for nearly any kind of network traffic. There are two primary categories of application firewalls: Network-based application firewalls Host-based application firewalls

In Unix, the /etc/sysconfig/init file is used to set terminal characteristics and environment variables. Answer: B is incorrect. In Unix, the /proc/net file contains status information about the network protocols. Answer: C is incorrect. In Unix, the /etc/sysconfig/network-scripts/ifcfg-interface file is the configuration file used to define a network interface. Answer: A is incorrect. In Unix, the /etc/sysconfig/routed file is used to set up the dynamic routing policies.

eBox Platform is an open source unified network server (or a Unified Network Platform) for SMEs. eBox Platform can act as a Gateway, Network Infrastructure Manager, Unified Threat Manager, Office Server, Unified Communications Server or a combination of them. Besides, eBox Platform includes a development framework to ease the development of new Unix-based services. Answer: D is incorrect. eBox Platform cannot act as a sandbox. A sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs, from unverified third-parties, suppliers, and untrusted users.

Base64 encryption encoding, which can easily be decoded, is used in the basic authentication method. Answer: B is incorrect. The Md5 hashing technique is used in the digest authentication method. Answer: A is incorrect. The HMAC_MD5 hashing technique is used in the NTLMv2 authentication method. Answer: C is incorrect. DES (ECB mode) is used in the NTLMv1 authentication method.

The above configuration fragment will disable the following services from the router: The BootP service The DNS function The Network Time Protocol The Simple Network Management Protocol Hyper Text Transfer Protocol

Applications other than those supplied or approved by the company shall not be installed on any computer. Answer: A, B, D are incorrect. All of these statements stand true in the ' acceptable use statement ' portion of the firewall policy.

Detection risks are the risks that an auditor will not be able to find what they are looking to detect. Hence, it becomes tedious to report negative results when material conditions (faults) actually exist. Detection risk includes two types of risk: Sampling risk: This risk occurs when an auditor falsely accepts or erroneously rejects an audit sample. Nonsampling risk: This risk occurs when an auditor fails to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objectives (detection faults). Answer: A is incorrect. Residual risk is the risk or danger of an action or an event, a method or a (technical) process that, although being abreast with science, still conceives these dangers, even if all theoretically possible safety measures would be applied (scientifically conceivable measures). The formula to calculate residual risk is (inherent risk) x (control risk) where inherent risk is (threats vulnerability). In the economic context, residual means " the quantity left over at the end of a process; a remainder " . Answer: B is incorrect. Inherent risk, in auditing, is the risk that the account or section being audited is materially misstated without considering internal controls due to error or fraud. The assessment of inherent risk depends on the professional judgment of the auditor, and it is done after assessing the business environment of the entity being audited. Answer: C is incorrect. A secondary risk is a risk that arises as a straight consequence of implementing a risk response. The secondary risk is an outcome of dealing with the original risk. Secondary risks are not as rigorous or important as primary risks, but can turn out to be so if not estimated and planned properly.

Sarah should use the Cascading Style Sheet (CSS) while creating Web pages. This will give her greater control over the appearance and presentation of the Web pages and will also enable her to precisely specify the display attributes and the appearance of elements on the Web pages.

Network services is the last functional area of the Cisco unified wireless network architecture. This functional area includes the self-depending network, enhanced network support, such as location services, intrusion detection and prevention, firewalls, network admission control, and all other services. Answer: C is incorrect. Network unification is a functional area of the Cisco unified wireless network architecture. This functional area includes the following wireless LAN controllers: 1.The 6500 series catalyst switch 2.Wireless services module (WiSM) 3.Cisco wireless LAN controller module (WLCM) 4.Cisco catalyst 3750 series integrated WLC 5.Cisco 4400 series WLC 6.Cisco 2000 series WLC Answer: B is incorrect. Wireless clients is a functional area of the Cisco unified wireless network. The client devices are connected to a user. Answer: D is incorrect. A wireless access point (WAP) is a device that allows wireless communication devices to connect to a wireless network using Wi-Fi, Bluetooth, or related standards. The WAP usually connects to a wired network, and it can transmit data between wireless devices and wired devices on the network. Each access point can serve multiple users within a defined network area. As people move beyond the range of one access point, they are automatically handed over to the next one. A small WLAN requires a single access point. The number of access points in a network depends on the number of network users and the physical size of the network.

Default shares should be disabled, unless they are absolutely needed. They pose a significant security risk by providing a way for an intruder to enter your machine. Answer: A is incorrect. Whether this is a domain server, a DHCP server, a file server, or database server does not change the issue with shared drives/folders. Answer: C is incorrect. They cannot be hidden. Shared folders are, by definition, not hidden but rather available to users on the network. Answer: D is incorrect. These are not necessary for Windows Server operations.

Magic Lantern works both as an encryption-cracking tool and as a keylogger. Answer: C is incorrect. Alchemy Remote Executor is a system management tool that allows Network Administrators to execute programs on remote network computers without leaving their workplace. From the hacker ' s point of view, it can be useful for installing keyloggers, spyware, Trojans, Windows rootkits and such. One necessary condition for using the Alchemy Remote Executor is that the user/attacker must have the administrative passwords of the remote computers on which the malware is to be installed. Answer: B is incorrect. The KeyGhost keylogger is a hardware keylogger that is used to log all keystrokes on a computer. It is a tiny device that clips onto the keyboard cable. Once the KeyGhost keylogger is attached to the computer, it quietly logs every key pressed on the keyboard into its own internal Flash memory (just as with smart cards). When the log becomes full, it overwrites the oldest keystrokes with the newest ones. Answer: D is incorrect. SocketShield provides a protection shield to a computer system against malware, viruses, spyware, and various types of keyloggers. SocketShield provides protection at the following two levels: 1.Blocking: In this level, SocketShield uses a list of IP addresses that are known as purveyor of exploits. All http requests for any page in these domains are simply blocked. 2.Shielding: In this level, SocketShield blocks all the current and past IP addresses that are the cause of unauthorized access.

According to the scenario, you can use dmesg > bootup_report.txt to create the bootup file. With this command, the bootup messages will be displayed and will be redirected towards bootup_report.txt using the > command.

Web site traffic depends upon the number of users who are able to locate a Web site. Search engines are one of the most frequently used tools to locate Web sites. They perform searches on the basis of keywords contained in the Web pages of a Web site. Keywords are simple text strings that are associated with one or more topics of a Web page. Misspelled keywords prevent Web pages from being displayed in the search results.

Whenever the risk is transferred to someone else, it is an example of transference risk response. Transference usually has a fee attached to the service provider that will own the risk event.

WPA2 is an updated version of WPA. This standard is also known as IEEE 802.11i. WPA2 offers enhanced protection to wireless networks than WPA and WEP standards. It is also available as WPA2-PSK and WPA2-EAP for home and enterprise environment respectively. Answer: B is incorrect. than WEP (Wired Equivalent Protection). Windows Vista supports both WPA-PSK and WPA-EAP. Each of these is described as follows: WPA-PSK: PSK stands for Preshared key. This standard is meant for home environment. WPA-PSK requires a user to enter an 8- character to 63-character passphrase into a wireless client. The WPA converts the passphrase into a 256-bit key. WPA-EAP: EAP stands for Extensible Authentication Protocol. This standard relies on a back-end server that runs Remote Authentication Dial-In User Service for user authentication. Note: Windows Vista supports a user to use a smart card to connect to a WPA-EAP protected network.

Synthetic monitoring is an active Web site monitoring that is done using Web browser emulation or scripted real Web browsers. Behavioral scripts (or paths) are created to simulate an action or path that a customer or end-user would take on a site. Those paths are then continuously monitored at specified intervals for availability and response time measures. Synthetic monitoring is valuable because it enables a Webmaster to identify problems and determine if his Web site or Web application is slow or experiencing downtime before that problem affects actual end-users or customers. Answer: B is incorrect. Passive monitoring is a technique used to analyze network traffic by capturing traffic from a network by generating a copy of that traffic. It is done with the help of a span port, mirror port, or network tap. Once the data (a stream of frames or packets) has been extracted, it can be used in many ways. Passive monitoring can be very helpful in troubleshooting performance problems once they have occurred. Passive monitoring relies on actual inbound Web traffic to take measurements, so problems can only be discovered after they have occurred. Answer: A is incorrect. Route analytics is an emerging network monitoring technology specifically developed to analyze the routing protocols and structures in meshed IP networks. Their main mode of operation is to passively listen to the Layer 3 routing protocol exchanges between routers for the purposes of network discovery, mapping, real-time monitoring, and routing diagnostics. Answer: C is incorrect. Network tomography is an important area of network measurement that deals with monitoring the health of various links in a network using end-to-end probes sent by agents located at vantage points in the network/Internet.

Tiger Analytical Research Assistant (TARA) is a set of scripts that scans a Unix system for security problems. Following are the pros and cons of using TARA. Pros:

It is open source. It is very modular. It can work on a wide variety of platforms. It is composed mostly of bash scripts; hence, it can run on any Unix platform with little difficulty. Cons: It has a very specific function of seeking paths to root. Answer: A is incorrect. It is a limitation of TARA that reduces its flexibility to be used for different purposes.

A code injection attack exists whenever a scripting or programming language is used in a Web page. All that the attacker needs is an error or opening. That opening usually comes in the form of an input field that is not validated correctly. It is not necessary for the code injection attack to be on the Web page. It can be located in the back end as part of a database query of the Web site. If any part of the server uses Java, JavaScript, C, SQL, or any other code between the Internet and the data, it is vulnerable to the code injection attack.

Answer: C is incorrect. A cross site scripting attack is one in which an attacker enters malicious data into a Website. For example, the attacker posts a message that contains malicious code to any newsgroup site. When another user views this message, the browser interprets this code and executes it and, as a result, the attacker is able to take control of the user ' s system. Cross site scripting attacks require the execution of client-side languages such as JavaScript, Java, VBScript, ActiveX, Flash, etc. within a user ' s Web environment. With the help of a cross site scripting attack, the attacker can perform cookie stealing, sessions hijacking, etc. Answer: A is incorrect. A command injection attack is used to inject and execute commands specified by the attacker in the vulnerable application. The application, which executes unwanted system commands, is like a virtual system shell. The attacker may use it as any authorized system user. However, commands are executed with the same privileges and environment as the application has. The command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker. Answer: D is incorrect. Cross-site request forgery, also known as one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user ' s browser. The attack works by including a link or script in a page that accesses a site to which the user is known to have authenticated.

It is very hard to detect a keylogger ' s activity. Hence, a Network Administrator should take the following steps as countermeasures against software keyloggers: Actively monitor the programs running on the server. Monitor the network whenever an application attempts to make a network connection. Use commercially available anti-keyloggers, such as PrivacyKeyboard. Update one ' s antivirus regularly. Use on-screen keyboards and speech-to-text conversion software which can also be useful against keyloggers, as there are no typing or mouse movements involved.

Answer: C is incorrect. An SNMP service is not used for keystroke logging. Hence, removing an SNMP agent may be a valid option if, and only if, the server is vulnerable to SNMP enumeration.

The perfect data access auditing solution would address the following six questions: 1.Who accessed the data? 2.When was the data accessed? 3.Which computer program or client software was used to access the data? 4.From what location on the network was the data accessed? 5.What was the SQL query that accessed the data? 6.Was access to the data successfully done; and if so, how many rows of data were retrieved? Answer: C is incorrect. In the perfect data access auditing solution, it cannot be determined for whom the data is being accessed. Only the person accessing the data can be identified.

To define styles only for the active page you should use embedded style sheet. Cascading style sheets (CSS) are used so that the Web site authors can exercise greater control on the appearance and presentation of their Web pages. And also because they increase the ability to precisely point to the location and look of elements on a Web page and help in creating special effects. Cascading Style Sheets have codes, which are interpreteA, Dpplied by the browser on to the Web pages and their elements. There are three types of cascading style sheets. External Style Sheets Embedded Style Sheets Inline Style Sheets External Style Sheets are used whenever consistency in style is required throughout a Web site. A typical external style sheet uses a .css file extension, which can be edited using a text editor such as a Notepad. Embedded Style Sheets are used for defining styles for an active page. Inline Style Sheets are used for defining individual elements of a page. Reference: TechNet, Contents: Microsoft Knowledgebase, February 2000 issue PSS ID Number: Q179628 You want to enable Host A to access the Internet. For this, you need to configure the default gateway settings. Choose the appropriate address to accomplish the task.

The less command is most useful for viewing large files. The less command displays the output of a file one page at a time. Viewing large files through cat may take more time to scroll pages, so it is better to use the less command to see the content of large files. Answer: A is incorrect. The cat command is also used to view the content of a file, but it is most useful for viewing short files. Answer: D is incorrect. The cp command is used to copy files and directories from one location to another. Answer: C is incorrect. The touch command is not used to view the content of a file. It is used to create empty files or to update file timestamps.

In Unix, the /etc/sudoers file contains a list of users with special privileges along with the commands that they can execute. Answer: A is incorrect. In Unix, the /proc/meminfo file shows information about the memory usage, both physical and swap. Answer: B is incorrect. In Unix, the /etc/sysconfig/amd file is the configuration file that is used to configure the auto mount daemon. Answer: C is incorrect. In Unix, the /proc/modules file shows the kernel modules that are currently loaded.

LEAP can use only password hash as the authentication technique. Not only LEAP, but EAP-TLS, EAP-TTLS, and PEAP also support dynamic key encryption and mutual authentication. Answer: C is incorrect. LEAP provides only a moderate level of security. Answer: B is incorrect. LEAP uses password hash for server authentication.

The major advantage that a table-structured Web site has over a frame-structured Web site is that users can bookmark the pages of a table- structured Web site, whereas pages of a frame-structured Web site cannot be bookmarked or added to the Favorites folder. Non-frame Web sites also give better results with search engines. Better navigation: Web pages can be divided into multiple frames and each frame can display a separate Web page. It helps in providing better and consistent navigation. Easy maintenance: Fixed elements, such as a navigation link and company logo page, can be created once and used with all the other pages. Therefore, any change in these pages is required to be made only once.

The HttpSessionActivationListener interface notifies an attribute that the session is about to be activated or passivated. Methods of this interface are as follows: public void sessionDidActivate(HttpSessionEvent session): It notifies the attribute that the session has just been moved to a different JVM. public void sessionWillPassivate(HttpSessionEvent se): It notifies the attribute that the session is about to move to a different JVM. Answer: B, C are incorrect. These functions are performed by the HttpSessionBindingListener interface. The HttpSessionBindingListener interface causes an object of the implementing class to be notified when it is added to or removed from a session. The HttpSessionBindingListener interface has the following methods: public void valueBound(event): This method takes an object of type HttpSessionBindingEvent as an argument. It notifies the object when it is bound to a session. public void valueUnbound(HttpSessionBindingEvent event): This method takes an object of type HttpSessionBindingEvent as an argument. It notifies the object when it is unbound from a session.

Static routing is a data communication concept that describes a way to configure path selection of routers in computer networks. This is achieved by manually adding routes to the routing table. However, when there is a change in the network or a failure occurs between two statically defined nodes, traffic will not be rerouted. Static routing is beneficial in many ways: Precise control over the routes that a packet will take across the network Reduced load on the routers, as no complex routing calculations are required Reduced bandwidth use, as there is no excessive router traffic. Easy to configure in small networks Answer: A is incorrect. This is a property of a dynamic route. A static route cannot choose the best path. It can only choose the paths that are manually entered. When there is a change in the network or a failure occurs between two statically defined nodes, traffic will not be rerouted.

According to the question, Windows Defender should scan the laptop for all the known spyware and other potentially unwanted software, including the latest one. Windows Defender uses definitions to scan the system. Definitions are files that include the information of known spyware and potentially unwanted software. To scan a computer for the latest spyware, Windows Defender requires the latest definition files available on the Internet. For this, you have to configure Windows Defender to check for the latest definitions and download them, if available, before scanning the computer. Furthermore, the question also states that the task must be performed automatically. In order to accomplish the task, you will have to select the Check for updated definitions before scanning check box in the Automatic Scanning section.

AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys. Answer: C is incorrect. Kismet is an IEEE 802.11 wireless network sniffer and intrusion detection system.

The residual risk is the risk or danger of an action or an event, a method or a (technical) process that still conceives these dangers even if all theoretically possible safety measures would be applied. The formula to calculate residual risk is (inherent risk) x (control risk) where inherent risk is (threats vulnerability). Answer: B is incorrect. In information security, security risks are considered as an indicator of threats coupled with vulnerability. In other words, security risk is a probabilistic function of a given threat agent exercising a particular vulnerability and the impact of that risk on the organization. Security risks can be mitigated by reviewing and taking responsible actions based on possible risks. Answer: C is incorrect. Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to the information systems or networks. It can exist in hardware , operating systems, firmware, applications, and configuration files. Vulnerability has been variously defined in the current context as follows: 1.A security weakness in a Target of Evaluation due to failures in analysis, design, implementation, or operation and such. 2.Weakness in an information system or components (e.g. system security procedures, hardware design, or internal controls that could be exploited to produce an information-related misfortune.) 3.The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved.

The following are the drawbacks of the NTLM Web Authentication Scheme: NTLM Web authentication is not entirely safe because NTLM hashes (or challenge/response pairs) can be cracked with the help of brute force password guessing. The " cracking " program would repeatedly try all possible passwords, hashing each and comparing the result to the hash that the malicious user has obtained. When it discovers a match, the malicious user will know that the password that produced the hash is the user ' s password. This authentication technique works only with Microsoft Internet Explorer. Answer: A, C are incorrect. NTLM authentication does not send the user ' s password (or hashed representation of the password) across the network. Instead, NTLM authentication utilizes challenge/response mechanisms to ensure that the actual password never traverses the network. How does it work? When the authentication process begins, the client sends a login request to the telnet server. The server replies with a randomly generated ' token ' to the client. The client hashes the currently logged-on user ' s cryptographically protected password with the challenge and sends the resulting " response " to the server. The server receives the challenge-hashed response and compares it in the following manner:

The server takes a copy of the original token. Now it hashes the token against the user ' s password hash from its own user account database. If the received response matches the expected response, the user is successfully authenticated to the host.

A ping scanner is a tool that sends ICMP ECHO requests across a network and rapidly makes a list of responding nodes. Internet Control Message Protocol (ICMP) is an integral part of IP. It is used to report an error in datagram processing. The Internet Protocol (IP) is used for host-to-host datagram service in a network. The network is configured with connecting devices called gateways. When an error occurs in datagram processing, gateways or destination hosts report the error to the source hosts through the ICMP protocol. The ICMP messages are sent in various situations, such as when a datagram cannot reach its destination, when the gateway cannot direct the host to send traffic on a shorter route, when the gateway does not have the buffering capacity, etc. Answer: A, B, C are incorrect. These tools do not use ICMP to perform their functions.

DumpSec, a program launched by Somarsoft, is a security auditing and reporting program for Microsoft Windows. It collates and obtains the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers, and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group, and replication information, policies, as well as services (Win32) and kernel drivers loaded on the system. It can also report the current status of services (running or stopped) in the Windows environment. Answer: D is incorrect. It cannot kill running services. It can only report the current status of services (running or stopped) in the Windows environment.

Routinely doing site surveys (or better still, having them automatically conducted frequently) is the only way to know what is connected to your network. And it will reveal any rogue access points. Answer: B is incorrect. While anti virus software is always a good idea, it will do nothing to prevent rogue access points. Answer: A is incorrect. While anti-spyware software is always a good idea, it will do nothing to prevent rogue access points. Answer: C is incorrect. A protocol analyzer will help you analyze the specific traffic on a given node, but won ' t be much help in directly detecting rogue access points.

The Unix utility sed (stream editor) is a text editing tool that can be used to edit text files without having to open them. This utility parses text files and implements a programming language which can apply textual transformations to such files. It reads input files line by line (sequentially), applying the operation which has been specified via the command line (or a sed script), and then outputs the line. Answer: D is incorrect. The more command is used to view (but not modify) the contents of a text file on the terminal screen at a time. The syntax of the more command is as follows: more [options] file_name Where,

C:\Documents and Settings\user-nwz\Desktop\1.JPG

Answer: A is incorrect. The less command is used to view (but not change) the contents of a text file, one screen at a time. It is similar to the more command. However, it has the extended capability of allowing both forwarB, Dackward navigation through the file. Unlike most Unix text editors/viewers, less does not need to read the entire file before starting; therefore, it has faster load times with large files. The command syntax of the less command is as follows: less [options] file_name Where,

C:\Documents and Settings\user-nwz\Desktop\1.JPG

Answer: C is incorrect. The vi editor is an interactive, cryptic, and screen-based text editor used to create and edit a file. It operates in either Input mode or Command mode. In Input mode, the vi editor accepts a keystroke as text and displays it on the screen, whereas in Command mode, it interprets keystrokes as commands. As the vi editor is case sensitive, it interprets the same character or characters as different commands, depending upon whether the user enters a lowercase or uppercase character. When a user starts a new session with vi, he must put the editor in Input mode by pressing the " I " key. If he is not able to see the entered text on the vi editor ' s screen, it means that he has not put the editor in Insert mode. The user must change the editor to Input mode before entering any text so that he can see the text he has entered.

In order to provide the best level of security for the kind of authentication used by the company, Mark will have to use the PEAP protocol. This protocol will provide the strongest password-based authentication for a WEP solution with 802.1x. Implementing 802.1x authentication for wireless security requires using an Extensible Authentication Protocol (EAP)-based method for authentication. There are two EAP-based methods: 1.EAP-Transport Layer Security (EAP-TLS) 2.Protected EAP (PEAP) Answer: A is incorrect. IPSec has nothing to do with this issue.

The which and type commands can be used to find out where commands are located.

The PrincipalPermission class allows security checks against the active principal. This is done by using the language constructs that are defined for both imperative and declarative security actions. To perform an imperative security demand for membership in a built-in Microsoft Windows group, you must first set the default principal policy to the Windows principal by calling the SetPrincipalPolicy (PrincipalPolicy.WindowsPrincipal) statement. Construct a PrincipalPermission object specifying the group name. To specify the group name, you can provide just the group name, or you can preface the group name with either " BUILTIN\ " or the computer name and a backslash. Finally, call the PrincipalPermission.Demand method. There is another method of identifying group membership, i.e. by using the PrincipalPermission class or the PrincipalPermissionAttribute attribute derived from the System.Security.Permissions namespace. The PrincipalPermission object identifies that the identity of the active principal should match its information with the identity information that is passed to its constructor. The identity information contains the user ' s identity name and role.

In order to accomplish the task, you will have to run the following sets of commands: access-list 10 permit host 10.10.2.103 access-list 10 permit 10.10.0.0 0.0.0.255 access-list 10 deny any line vty 0 4 access-class 10 in This configuration set meets all the requirements. The ACL is correctly configured and is applied to the VTY lines using the access-class command for inbound connections. Answer: D is incorrect. This configuration actually creates 3 separate ACL ' s (10, 11, and 12) and also incorrectly attempts to apply the ACL ' s to the VTY lines. Answer: A is incorrect. This configuration is correct except for the access-class command being applied in the outbound direction. When using " access-class out " , the router will not match connections coming into the router for Telnet and/or SSH. Instead, it will match connections being generated from the router.

Answer: B is incorrect. This configuration is correct except for the access-group command. Access-group is used to apply ACLs to an interface. Access-class is used to apply ACLs to VTY lines.

In the given rule set, ' Input chain ' defines that the rule is for the incoming traffic, i.e., traffic coming from the intranet to the Internet. Port 25 is being allowed for SNMP traffic and port 443 for the HTTPS traffic. Deny all is being used after allowing port 25 and 443; hence, all the other traffic will be denied. Answer: B is incorrect. Deny all is executed first; hence, all the traffic will be denied including port 25 and 443. Answer: A, D are incorrect. These rule sets are used for outgoing traffic, i.e., traffic going from the intranet to the Internet as the ' Output chain ' rule is being used.

The klogd and sysklogd commands can be used to intercept and log the Linux kernel messages.

Website monitoring service can check HTTP pages, HTTPS, FTP, SMTP, POP3, IMAP, DNS, SSH, Telnet, SSL, TCP, PING, Domain Name Expiry, SSL Certificate Expiry, and a range of other ports with great variety of check intervals from every four hours to every one minute. Typically, most website monitoring services test a server anywhere between once-per hour to once-per-minute. Advanced services offer in-browser web transaction monitoring based on browser add-ons such as Selenium or iMacros. These services test a website by remotely controlling a large number of web browsers. Hence, it can also detect website issues such a JavaScript bugs that are browser specific. Answer: A is incorrect. This task is performed under network monitoring. Network tomography deals with monitoring the health of various links in a network using end-to-end probes sent by agents located at vantage points in the network/Internet.

In Unix, the /etc/passwd file contains username, real name, home directory, encrypted password, and other information about a user. Answer: C is incorrect. In Unix, the /etc/hosts file lists the hosts for name lookup use that are locally required. Answer: D is incorrect. In Unix, the /etc/inittab file is the configuration file for init. It controls startup run levels and determines scripts to start with. Answer: B is incorrect. In Unix, the /etc/printcap file is the configuration file for printers.

The history !! command shows the previously entered command in the bash shell. In the bash shell, the history command is used to view the recently executed commands. History is on by default. A user can turn off history using the command set +o history and turn it on using set -o history. An environment variable HISTSIZE is used to inform bash about how many history lines should be kept. The following commands are frequently used to view and manipulate history:

C:\Documents and Settings\user-nwz\Desktop\1.JPG

Answer: B is incorrect. The history !# command shows the entire command line typed. Answer: D is incorrect. The history !n command shows the nth command typed. Since n is equal to 1 in this command, the first command will be shown. Answer: A is incorrect. It is not a valid command.

With either encryption method (WEP or WPA) you can give the password to customers who need it, and even change it frequently (daily if you like). So this won ' t be an inconvenience for customers.

By not broadcasting your SSID some simple war driving tools won ' t detect your network. However you should be aware that there are tools that will still detect networks that are not broadcasting their SSID across your network. Answer: D is incorrect. While MAC filtering may help prevent a hacker from accessing your network, it won ' t keep him or her from finding your network.

To configure all the wireless access points and client computers to act in accordance with the company ' s security policy, Mark will take the following actions: Configure the authentication type for the wireless LAN to Shared Key. Shared Key authentication provides access control. Disable SSID Broadcast and enable MAC address filtering on all the wireless access points. Disabling SSID Broadcast and enabling MAC address filtering will prevent unauthorized wireless client computers from connecting to the access point (AP). Only the computers with particular MAC addresses will be able to connect to the wireless access points. On each client computer, add the SSID for the wireless LAN as the preferred network. Answer: E is incorrect. Setting the authentication type for the wireless LAN to Open System will disable Wired Equivalent Privacy (WEP). This level of WEP will not provide security.

You will use the tee command to write its content to standard output and simultaneously copy it into the specified file. The tee command is used to split the output of a program so that it can be seen on the display and also be saved in a file. It can also be used to capture intermediate output before the data is altered by another command or program. The tee command reads standard input, then writes its content to standard output, and simultaneously copies it into the specified file(s) or variables. The syntax of the tee command is as follows: tee [-a] [-i] [File] where, the -a option appends the output to the end of File instead of writing over it and the -i option is used to ignore interrupts. Answer: A is incorrect. The concatenate (cat) command is used to display or print the contents of a file. Syntax: cat filename For example, the following command will display the contents of the /var/log/dmesg file: cat /var/log/dmesg Note: The more command is used in conjunction with the cat command to prevent scrolling of the screen while displaying the contents of a file. Answer: C is incorrect. The less command is used to view (but not change) the contents of a text file, one screen at a time. It is similar to the more command. However, it has the extended capability of allowing both forwarB, Dackward navigation through the file. Unlike most Unix text editors/viewers, less does not need to read the entire file before starting; therefore, it has faster load times with large files. The command syntax of the less command is as follows: less [options] file_name Where,

C:\Documents and Settings\user-nwz\Desktop\1.JPG

Answer: B is incorrect. The more command is used to view (but not modify) the contents of a text file on the terminal screen at a time. The syntax of the more command is as follows: more [options] file_name Where,

C:\Documents and Settings\user-nwz\Desktop\1.JPG

Ptunnel and Itunnel are the tools that are used to perform ICMP tunneling. In ICMP tunneling, an attacker establishes a covert connection between two remote computers (a client and proxy), using ICMP echo requests and reply packets. ICMP tunneling works by injecting arbitrary data into an echo packet sent to a remote computer. The remote computer replies in the same manner, injecting an answer into another ICMP packet and sending it back. The client performs all communication using ICMP echo request packets, while the proxy uses echo reply packets. Normally, ICMP tunneling involves sending what appear to be ICMP commands but really they are the Trojan communications. Answer: C is incorrect. WinTunnel is used to perform TCP tunneling. Answer: D is incorrect. Ethereal is a network sniffer.

A SQL statement or a PL/SQL block can be executed by entering a semicolon (;) or a slash (/), or by using the RUN command at SQL prompt. When a semicolon (;) is entered at the end of a command, the command is completed and executed. When a slash (/) is entered, the command in the buffer is executed. It can also be used to execute a PL/SQL block. The RUN command is used to execute a command in the buffer. Note: The SQL buffer stores the most recently used SQL commands and PL/SQL blocks. It does not store SQL* Plus commands. It can be edited or saved to a file. Note: A SQL command can be saved in the buffer by entering a blank line. Reference: Oracle8i Online Documentation, Contents: " SQL*PLUS Users Guide and Reference " , " Learning SQL*PLUS Basics,3 of 4 " , " Understanding SQL COMMAND Syntax "

A contingency plan is a plan devised for a specific situation when things could go wrong. Contingency plans include specific strategies and actions to deal with specific variances to assumptions resulting in a particular problem, emergency, or state of affairs. They also include a monitoring process and triggers for initiating planned actions. Answer: A is incorrect. Disaster recovery is the process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Answer: C is incorrect. It deals with the plans and procedures that identify and prioritize the critical business functions that must be preserved. Answer: B is incorrect. It includes the plans and procedures documented that ensure the continuity of critical operations during any period where normal operations are impossible.

The getCreationTime() method returns the time when the session was created. The time is measured in milliseconds since midnight January 1, 1970. This method throws an IllegalStateException if it is called on an invalidated session.

The nmap utility, also commonly known as port scanner, is used to view the open ports on a Linux computer. It is used by administrators to determine which services are available for external users. This utility helps administrators in deciding whether to disable the services that are not being used in order to minimize any security risk. Answer: B is incorrect. NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems. It performs its function by sending queries to the DNS server and obtaining detailed responses at the command prompt. This information can be useful for diagnosing and resolving name resolution issues, verifying whether or not the resource records are added or updated correctly in a zone, and debugging other server-related problems. This tool is installed along with the TCP/IP protocol through the Control Panel.

Answer: C is incorrect. NETSH is a command line tool to configure TCP/IP settings such as the IP address, Subnet Mask, Default Gateway, DNS, WINS addresses, etc. Answer: A is incorrect. L0phtcrack is a tool which identifies and remediate security vulnerabilities that result from the use of weak or easily guessed passwords. It recovers Windows and Unix account passwords to access user and administrator accounts.

Whois queries are used to determine the IP address ranges associated with clients. A whois query can be run on most UNIX environments. In a Windows environment, the tools such as WsPingPro and Sam Spade can be used to perform whois queries. Whois queries can also be executed over the Web from www.arin.net and www.networksolutions.com. Answer: B is incorrect. A SQL injection attack is a process in which an attacker tries to execute unauthorized SQL statements. These statements can be used to delete data from a database, delete database objects such as tables, views, stored procedures, etc. An attacker can either directly enter the code into input variables or insert malicious code in strings that can be stored in a database. For example, the following line of code illustrates one form of SQL injection attack: query = " SELECT * FROM users WHERE name = ' " + userName + " ' ; " This SQL code is designed to fetch the records of any specified username from its table of users. However, if the " userName " variable is crafted in a specific way by a malicious hacker, the SQL statement may do more than the code author intended. For example, if the attacker puts the " userName " value as ' or ' ' = ' , the SQL statement will now be as follows: SELECT * FROM users WHERE name = ' ' OR ' ' = ' ' ; Answer: D is incorrect. Web ripping is a technique in which the attacker copies the whole structure of a Web site to the local disk and obtains all files of the Web site. Web ripping helps an attacker to trace the loopholes of the Web site. Answer: C is incorrect. Snooping is an activity of observing the content that appears on a computer monitor or watching what a user is typing. Snooping also occurs by using software programs to remotely monitor activity on a computer or network device. Hackers or attackers use snooping techniques and equipment such as keyloggers to monitor keystrokes, capture passwords and login information, and to intercept e-mail and other private communications. Sometimes, organizations also snoop their employees legitimately to monitor their use of organizations ' computers and track Internet usage.

A Cascading Style Sheet (CSS) is a separate text file that keeps track of design and formatting information, such as colors, fonts, font sizes, and margins, used in Web pages. CSS is used to provide Web site authors greater control on the appearance and presentation of their Web pages. It has codes that are interpreteA, Dpplied by the browser on to the Web pages and their elements. CSS files have .css extension. There are three types of Cascading Style Sheets: External Style Sheet Embedded Style Sheet Inline Style Sheet Answer: A is incorrect. A style sheet is a set of additional tags used to describe the appearance of individual HTML tags. These tags can

A Cisco router can have multiple connections to networks. These connections are known as interfaces for Cisco Routers. For naming each interface, Cisco generally uses the type of interface as part of the name. Following are some of the naming conventions of Cisco Router interfaces: An Ethernet interface that is fast always starts with an F. An interface connected to a serial connection always starts with an S. An interface connected to an Ethernet segment of the network always starts with an E. An interface connected to a Token Ring segment always starts with To.

SSL and TLS protocols are used to provide secure communication between a client and a server over the Internet.

David system is a network management system that allows a user to manage the resources and services through both Intranet and Internet. It provides auto-discovering and network topology building features to facilitate in keeping an intuitive view of the IT infrastructure. The resources, real-time monitoring, and accessibility of historical data facilitate reaction to failures. Configured interfaces for monitored devices permit a user to focus on the most important aspects of their work. Answer: B is incorrect. dopplerVUe is a network management tool that facilitates network discovery, mapping, alerts and alarm management, and bandwidth management system. It enables monitoring of Ping, SNMP, syslog, and WMI performance metrics. It can also be used to monitor IPv6 devices, as well as services such as DNS, http, and email. Answer: A is incorrect. eBox is an open source distribution and web development framework. This framework is used to manage server application configuration. It is based on Ubuntu Linux. It is projected to manage services in a computer network. The modular design of eBox allows a user to pick and choose the services. Answer: D is incorrect. EM7 is a network monitoring system that is used to measure IT infrastructure health and performance. It is an NMS integrated system. It is designed to help in optimizing the performance and availability of the networks, systems, and applications. It facilitates trouble-ticketing, event management, reporting, IP management, DNS, and monitoring.

The < session-timeout > element of the deployment descriptor sets the session timeout. If the time specified for timeout is zero or negative, the session will never timeout.

' Printenv ' vulnerability allows an attacker to input specially crafted links and/or other malicious scripts. For example, http://www/cgi-bin/printenv/ < script > alert (An attacker can misuse it!) < /script > Since ' printenv ' is just an example CGI script (It comes with various versions of the Apache Web server.) that has no real use and has its own problems, there is no problem in removing it. Answer: B is incorrect. ' Printenv ' does not maintain any log file of user activities.

The following two code are used to retrieve Attribute1: 1.Object obj=session1.getAttribute( " Attribute1 " ); The getAttribute() method is used to retrieve the bound object with the specified name in this session, or null if no object is bound under the name. 2.Object obj=binding1.getSession().getAttribute( " Attribute1 " ); The getSession() gets the current valid session associated with this request. a String object. Answer: B is incorrect. The HttpSessionBindingEvent object cannot use the getAttribute() method.

Wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. The system monitors the radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally it is achieved by comparing the MAC address of the participating wireless devices. Rogue devices can spoof MAC address of an authorized network device as their own. WIPS uses fingerprinting approach to weed out devices with spoofed MAC addresses. The idea is to compare the unique signatures exhibited by the signals emitted by each wireless device against the known signatures of pre-authorized, known wireless devices.

Answer: B is incorrect. An Intrusion detection system (IDS) is used to detect unauthorized attempts to access and manipulate computer systems locally or through the Internet or an intranet. It can detect several types of attacks and malicious behaviors that can compromise the security of a network and computers. This includes network attacks against vulnerable services, unauthorized logins and access to sensitive data, and malware (e.g. viruses, worms, etc.). An IDS also detects attacks that originate from within a system. In most cases, an IDS has three main components: Sensors, Console, and Engine. Sensors generate security events. A console is used to alert and control sensors and to monitor events. An engine is used to record events and to generate security alerts based on received security events. In many IDS implementations, these three components are combined into a single device. Basically, following two types of IDS are used : Network-based IDS Host-based IDS Answer: A is incorrect. Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs activities of the network that is matched with the predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). The three main modes in which Snort can be configured are as follows: Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console. Packet logger mode: It logs the packets to the disk. Network intrusion detection mode: It is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set. Answer: C is incorrect. A firewall is a tool to provide security to a network. It is used to protect an internal network or intranet against unauthorized access from the Internet or other outside networks. It restricts inbound and outbound access and can analyze all traffic between an internal network and the Internet. Users can configure a firewall to pass or block packets from specific IP addresses and ports.

According to the scenario, you have enabled system message logging (syslog) service on all the routers that are currently working in the network. If you want to store all the repots, important error and notification messages sent by the routers, you can store all of these in the buffer, console, syslog server, and tty lines. You can use buffer, if you want to store syslog messages for later analysis of the network. Buffer is the memory of the router. The syslog messages that you have stored in the buffer are later available for the network analysis until the router is rebooted. You can use console port of the routers to send syslog messages to the attached terminal. You can also use vty and tty lines to send syslog messages to the remote terminal. However, the messages send through the console, vty, and tty lines are not later available for network analysis. You can use syslog server to store all the reports, and important error and notification messages. It is the best option to store all these because it is easy to configure a syslog server and you can store a large volume of logs. Note: If you have configured to run an SNMP agent, the routers send all the reports, and important error and messages in the form of SNMP traps to an SNMP server. Using this you can store the reports and messages for a long period of time. Answer: A is incorrect. You cannot store syslog messages in the auxiliary line.

Circumstantial evidences are the collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity/person. Answer: B is incorrect. Corroborating evidence is evidence that tends to support a proposition that is already supported by some evidence. Answer: A is incorrect. Incontrovertible evidence is a colloquial term for evidence introduced to prove a fact that is supposed to be so conclusive that there can be no other truth as to the matter; evidence so strong, it overpowers contrary evidence, directing a fact-finder to a specific and certain conclusion. Answer: C is incorrect. Direct evidence is testimony proof for any evidence, which expressly or straight-forwardly proves the existence of a fact.

The hard or soft NFS mount options are used to specify whether a program using a file via an NFS connection should stop and wait (hard) for the server to come back online, if the host serving the exported file system is unavailable, or if it should report an error. Answer: A is incorrect. The intr NFS mount option allows NFS requests to be interrupted if the server goes down or cannot be reached. Answer: C is incorrect. The nfsvers=2 or nfsvers=3 NFS mount options are used to specify which version of the NFS protocol to use. Answer: D is incorrect. The fsid=num NFS mount option forces the file handle and file attributes settings on the wire to be num.

Publishing rules are applied on SMTP servers to accept inbound mail delivery. There are three basic rules of ISA Server, which are as follows: Access rules: These rules determine what network traffic from the internal network is allowed to access the external network. Publishing rules: These rules are used for controlling access requests from the external network for the internal resources. These types of rules are usually applied to Web servers that are used for providing public access. These are also applied on SMTP servers to accept inbound mail delivery. Network rules: These rules define the traffic source, traffic destination, and the network relationship. Answer: D is incorrect. These rules are set for controlling outbound traffic. Answer: B is incorrect. These rules define how to handle the traffic. Answer: C is incorrect. There are no such ISA Server rule sets.

You took 3 seconds to establish a connection. During this time, the value of the Initial Sequence Number would become [24171311 + (1 * 64000) + (3 * 128000)], i.e., 24619311.

AS PATH Inference is one of the prominent techniques used for creating Internet maps. This technique relies on various BGP collectors that collect information such as routing updates and tables and provide this information publicly. Each BGP entry contains a Path Vector attribute called the AS Path. This path represents an autonomous system forwarding path from a given origin for a given set of prefixes. These paths can be used to infer AS-level connectivity and in turn be used to build AS topology graphs. However, these paths do not necessarily reflect how data is actually forwardeA, Ddjacencies between AS nodes only represent a policy relationship between them. A single AS link can in reality be several router links. It is also much harder to infer peering between two AS nodes, as these peering relationships are only propagated to an ISP ' s customer networks. Nevertheless, support for this type of mapping is increasing as more and more ISP ' s offer to peer with public route collectors such as Route-Views and RIPE. New toolsets are emerging such as Cyclops and NetViews that take advantage of a new experimental BGP collector BGPMon. NetViews can not only build topology maps in seconds but visualize topology changes moments after occurring at the actual router. Hence, routing dynamics can be visualized in real time. Answer: B is incorrect. There is no such Internet mapping technique.

Answer: D is incorrect. Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP " TTL expired in transit " message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP " administratively prohibited " message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that if an administrator blocks ICMP packets from leaving the network, it is ineffective. Answer: A is incorrect. Path MTU discovery (PMTUD) is a technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. Path MTU discovery works by setting the DF (Don ' t Fragment) option bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an ICMP " Fragmentation Needed " (Type 3, Code 4) message containing its MTU, allowing the source host to reduce its path MTU appropriately. The process repeats until the MTU is small enough to traverse the entire path without fragmentation. If the path MTU changes after the connection is set up and is lower than the previously determined path MTU, the first large packet will cause an ICMP error and the new, lower path MTU will be found. Conversely, if PMTUD finds that the path allows a larger MTU than what is possible on the lower link, the OS will periodically reprobe to see if the path has changed and now allows larger packets. On Linux this timer is set by default to ten minutes.

Sawmill is a software package for the statistical analysis and reporting of log files, with dynamic contextual filtering, ' live ' data zooming, user interface customization, and custom calculated reports. Sawmill incorporates real-time reporting and real-time alerting. Sawmill also includes a page tagging server and JavaScript page tag for the analysis of client side clicks (client requests) providing a total view of visitor traffic and on-site behavioral activity. Sawmill Analytics is offered in three forms, as a software package for user deployment, as a turnkey on-premise system appliance, and as a SaaS service. Sawmill analyzes any device or software package producing a log file and that includes Web servers, firewalls, proxy servers, mail servers, network devices (switches & routers etc.), syslog servers, databases etc. Its range of potential uses by knowledge workers is essentially limitless. Answer: D is incorrect. Sawmill Analytics software is available in three different forms; as a software package for user deployment, as a turnkey on-premise system appliance, and as a SaaS service.

The getSession() method of the HttpServletRequest interface returns the current session associated with the request, or creates a new session if no session exists. The method has two syntaxes as follows: public HttpSession getSession(): This method creates a new session if it does not exist. public HttpSession getSession(boolean create): This method becomes similar to the above method if create is true, and returns the current session if create is false. It returns null if no session exists. Answer: B is incorrect. The getSession(false) method returns a pre-existing session. It returns null if the client has no session associated with it.