QUESTION 900
A proxy based firewall has which one of the following advantages over a firewall employing stateful packet
inspection?
A. It has a greater throughput.
B. It detects intrusion faster.
C. It has greater network isolation.
D. It automatically configures the rule set.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 901
Firewalls filter incoming traffic according to
A. The packet composition.
B. A security policy.
C. Stateful packet rules.
D. A security process.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 902
Application Level Firewalls create:
A. a real circuit between the workstation client and the server
B. a virtual circuit between the workstation client and the server
C. an imaginary circuit between the workstation guest and the server
D. a temporary circuit between the workstation host and the server
“Pass Any Exam. Any Time.” – www.actualtests.com 424
ISC CISSP Exam
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 903
Which of the following is the biggest concern with firewall security?
A. Internal hackers
B. Complex configuration rules leading to misconfiguration
C. Buffer overflows
D. Distributed denial of service (DDOS) attacks
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 904
Which of the following is true of network security?
A. A firewall is not a necessity in today’s connected world
B. A firewall is a necessity in today’s connected world
C. A whitewall is a necessity in today’s connected world
D. A black firewall is a necessity in today’s connected world
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 905
Which of the following statements pertaining to firewalls is incorrect?
A. Firewalls create bottlenecks between the internal and external network
B. Firewalls allow for centralization of security services in machines optimized and dedicated to the task
C. Strong firewalls can protect a network at all layers of the OSI model
D. Firewalls are used to create security checkpoints at the boundaries of private networks
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 906
Which of the following is the least important security service provided by a firewall?
A. Packet filtering
B. Encrypted tunnels
C. Network Address Translation
D. Proxy services
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 907
Which of the following firewall rules is less likely to be found on a firewall installed between an organization’s
internal network and the Internet?
A. Permit all traffic to and from local host
B. Permit all inbound ssh traffic
C. Permit all inbound tcp connections
D. Permit all syslog traffic to log-server.abc.org
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 908
Which of the following packets should NOT be dropped at a firewall protecting an organization’s internal
network?
A. Inbound packets with Source Routing option set
B. Router information exchange protocols
C. Inbound packets with an internal source IP address
D. Outbound packets with an external destination IP address
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 909
By examining the “state” and “context” of the incoming data packets, it helps to track the protocols that are
considered “connectionless”, such as UDP-based applications and Remote Procedure Calls (RPC). This type
of firewall system is used in:
A. first generation firewall systems
B. second generation firewall systems
C. third generation firewall systems
D. fourth generation firewall systems
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Stateful Inspection Characteristics
The firewall maintains a state table that tracks each and every communication channel.
Frames are analyzed at all communication layers.
It provides a high degree of security and does not introduce the performance hit that proxy firewalls introduce.
It is scalable and transparent to users.
It provides data tracking for tracking connectionless protocols such as UDP and ICMP.
The state and context of the data within the packets are stored and updated continuously.
It is considered a third-generation firewall.”
Pg. 375 Shon Harris: All-in-One CISSP Certification
Not A:
“Packet filtering is the first generation firewall–that is, it was the first type that was created and used, and other
types that were developed fall into different generations.” Pg 373 Shon Harris: All-in-One CISSP Certification
QUESTION 910
Which of the following statements pertaining to packet filtering is incorrect?
A. It is based on ACLs
B. It is not application dependent
C. It operates at the network layer
D. It keeps track of the state of a connection
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 911
A screening router can perform packet filtering based upon what data?
A. Translated source destination addresses.
B. Inverse address resolution.
C. Source and destination port number.
D. Source and destination addresses and application data.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: The original answer was A (translated source destination address). I did not come across this term
in my reading.
Screening router
A screening router is one of the simplest firewall strategies to implement. This is a popular design because
most companies already have the hardware in place to implement it. A screening router is an excellent first line
of defense in the creation of your firewall strategy. It’s just a router that has filters associated with it to screen
outbound and inbound traffic based on IP address and UDP and TCP ports.
http://www.zdnet.co.uk/news/specials/2000/10/enterprise/techrepublic/2002/10/article002c.html
QUESTION 912
Why are hardware security features preferred over software security features?
A. They lock in a particular implementation.
B. They have a lower meantime to failure.
C. Firmware has fewer software bugs.
D. They permit higher performance.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: This is a sort of iffy question. Hardware allows faster performance than software and does not
need to utilize an underlying OS to make the security software operate. (An example is PIX firewall vs
Checkpoint). The meantime to failure answer to me is ok but the hardware that the software security also has a
MTFF. A few people looked over this question and had no problem with the answer of B (meantime to failure
question) but as I looked into it I have picked D. MTTF is typically the time to failure. “MTFF is the expected
typical functional lifetime of the device given a specific operating environment” (- Ed Tittel CISSP Study Guide
(Sybex) pg 657). This leads me to think that this question says hardware has a SHORTER lifespan than
software. Thus I am going to have to go with D (higher performance). This can be because of ASICs. As always,
use your best judgment, knowledge and experience on this question. Below are some points of view.
Few things to consider when deploying a software based firewall:
Patching the OS or firewall software could bring down the firewall or open additional holes. OS expertise vs. firewall
expertise (you may need two administrators). Support contract (one for hardware, one for OS, one for firewall):
who do you call? Administration (one for OS and one for firewall). If you’re not an expert in both then forget it.
High-availability (stateful failover) usually requires additional software and costs a lot of money.
As a result it adds to support costs.
Are software firewalls a bad idea? It depends. Every situation is different. -Bob
http://www.securityfocus.com/archive/105/322401/2003-05-22/2003-05-28/2
A software firewall application is designed to be installed onto an existing operating system running on generic
server or desktop hardware. The application may or may not ‘harden’ the underlying operating system by
replacing core components. Typical host operating systems include Windows NT, 2000 server or Solaris.
Software firewall applications all suffer from the following key disadvantages:
They run on a generic operating system that may or may not be hardened by the firewall installation itself.
A generic operating system is non-specialized and more complex than is necessary to operate the firewall. This
leads to reliability problems and hacking opportunities where peripheral/unnecessary services are kept running.
Generic operating systems have their own CPU and memory overheads, making software based firewalls
slower than their dedicated hardware counterparts. If the software firewall uses PC hardware as the host
platform, then there may be additional reliability problems with the hardware itself. Sub-optimal performance of
generic hardware also affects software applications bundled with their own operating systems.
There is no physical or topological separation of the firewalling activity.
A dedicated hardware firewall is a software firewall application and operating system running on dedicated
hardware. This means the hardware used is optimized for the task, perhaps including digital signal processors
(DSPs) and several network interfaces. There may also be special hardware used to accelerate the encryption/
decryption of VPN data. It may be rack mounted for easy installation into a comms’ cabinet.
We recommend dedicated hardware firewalls as they offer several key advantages over software applications:
Dedicated hardware is typically more reliable.
Hardware firewalls are simpler, hence more secure.
Hardware firewalls are more efficient and offer superior performance, especially in support of VPNs.
The firewalling activity is physically and topologically distinct.
http://www.zensecurity.co.uk/default.asp?URL=hardware%20software%20firewall
QUESTION 913
Firewalls can be used to
A. Enforce security policy.
B. Protect data confidentiality.
C. Protect against protocol redirects.
D. Enforce Secure Network Interface addressing.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: A firewall is a device that supports and enforces the company’s network security policy. – Shon
Harris All-in-one CISSP Certification Guide pg 412
QUESTION 914
Which one of the following operations of a secure communication session cannot be protected?
A. Session initialization
B. Session support
C. Session termination
D. Session control
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Session control is protected (Cisco –
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_data_sheet09186a0080117962.html).
Session initialization is protected (protection against SYN attacks/DoS). Session termination is protected: they
terminate idle connections so they don’t consume resources. So, by the process of elimination, the correct
answer is ‘session support’.
QUESTION 915
The general philosophy for DMZs is that:
A. any system on the DMZ can be compromised because it’s accessible from the Internet
B. any system on the DMZ cannot be compromised because it’s not accessible from the Internet
C. some systems on the DMZ can be compromised because they are accessible from the Internet
D. any system on the DMZ cannot be compromised because it’s by definition 100% safe and not accessible
from the Internet
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 916
What is NOT an authentication method within IKE and IPsec:
A. CHAP
B. Pre-shared Key
C. certificate based authentication
D. Public Key authentication
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 917
In IPSec, if the communication mode is gateway-gateway or host-gateway:
A. Only tunnel mode can be used
B. Only transport mode can be used
C. Encapsulating Security Payload (ESP) authentication must be used
D. Both tunnel and transport mode can be used
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
“IPSec can work in one of two modes: transport mode, where the payload of the message is protected, and
tunnel mode, where the payload and the routing and header information is protected.” Pg 527 Shon Harris: All-in-One
CISSP Certification
Not: “Encapsulating Security Payload (ESP) authentication must be used”
“IPSec is not a strict protocol that dictates the type of algorithm, keys, and authentication method to be used,
but it is an open, modular framework that provides a lot of flexibility for companies when they choose to use this
type of technology. IPSec uses two basic security protocols:
Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH is the authenticating protocol,
and ESP is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide source
authentication, confidentiality, and message integrity.” Pg 527 Shon Harris: All-in-One CISSP Certification
QUESTION 918
Internet Protocol Security (IPSec) provides security service within the Internet Protocol (IP) by doing all of the
following EXCEPT
A. Enabling a system to select required security protocols.
B. Providing traffic analysis protection.
C. Determining the algorithm(s) to use for the IPsec services.
D. Putting in place any cryptographic keys required to provide the requested services.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: Pg 527 Shon Harris CISSP All-In-One Certification Exam Guide
QUESTION 919
Which of the following Internet Protocol (IP) security headers are defined by the Security Architecture for IP
(IPSEC)?
A. The IPv4 and IPv5 Authentication Headers
B. The Authentication Header Encapsulating Security Payload
C. The Authentication Header and Digital Signature Tag
D. The Authentication Header and Message Authentication Code
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: “IPSec uses two basic security protocols: Authentication Header (AH) and the Encapsulating
Security Payload (ESP).” pg 575 Shon Harris CISSP All-In-One Certification Exam Guide
QUESTION 920
Which of the following statements are true of IPSec Transport mode? Select best two.
A. It is required for gateways providing access to internal systems
B. It can be set-up when end-point is host or communications terminates at end-points
C. If used in gateway-to-host communication, gateway must act as host
D. Detective/Administrative Pairing
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 921
What is called the standard format that was established to set up and manage Security Associations (SA) on
the Internet in IPSec?
A. Internet Key Exchange
B. Secure Key Exchange Mechanism
C. Oakley
D. Internet Security Association and Key Management Protocol
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: pg 221 Krutz
QUESTION 922
What is the purpose of the Encapsulation Security Payload (ESP) in the Internet Protocol (IP) Security
Architecture for Internet Protocol Security?
A. To provide non-repudiation and confidentiality for IP transmission.
B. To provide integrity and confidentiality for IP transmissions.
C. To provide integrity and authentication for IP transmissions.
D. To provide key management and key distribution for IP transmissions.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Encapsulating Security Payload (ESP). AH is the authenticating protocol and ESP is an
authenticating and encrypting protocol that uses cryptographic mechanisms to provide source authentication,
confidentiality, and message integrity.” Pg 575 Shon Harris CISSP All-In-One Certification Exam Guide
QUESTION 923
Which one of the following is a circuit level application gateway and works independently of any supported TCP/
IP application protocol?
A. SOCK-et-S (SOCKS)
B. Common Information Model (CIM)
C. Secure Multipurpose Internet Mail Extension (S/MIME)
D. Generic Security Service Application Programming Interface (GSS-API)
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: “SOCKS Proxy Server Characteristics
Circuit-level proxy server
Requires clients to be SOCKS-ified with SOCKS client software
Mainly used for outbound Internet access and virtual private network (VPN) functionality
Can be resource-intensive
Provides authentication and encryption features to other VPN protocols, but not considered a traditional VPN
protocol”
Pg. 422 Shon Harris CISSP All-In-One Certification Exam Guide
Reference:
The SOCKS is an example of a circuit-level proxy gateway that provides a secure channel between two
computers. pg. 379 Shon Harris CISSP
QUESTION 924
How does the SOCKS protocol secure Internet Protocol (IP) connections?
A. By negotiating encryption keys during the connection setup.
B. By attaching Authentication Headers (AH) to each packet.
C. By distributing encryption keys to SOCKS enabled applications.
D. By acting as a connection proxy.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “SOCKS is an example of a circuit-level proxy gateway that provides a secure channel between
two computers. When a SOCKS-enabled client sends a request to a computer on the Internet, this request
actually goes to the network’s SOCKS proxy server…” pg 379 Shon Harris: All-in-One CISSP Certification
QUESTION 925
In the TCP/IP protocol stack, at what level is the SSL (Secure Sockets Layer) protocol provided?
A. Application
B. Network
C. Presentation
D. Session
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The major functional groups of protocols and methods are the Application Layer, the Transport Layer, the
Internet Layer, and the Link Layer (RFC 1122). It should be noted that this model was not intended to be a rigid
reference model into which new protocols have to fit in order to be accepted as a standard.
The following table provides some examples of the protocols grouped in their respective layers.
QUESTION 926
SSL (Secure Sockets Layer) has two possible ‘session key’ lengths; what are they?
A. 40 bit & 54 bit
B. 40 bit & 128 bit
C. 64 bit & 128 bit
D. 128 bit & 256 bit
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 927
Which of the following is NOT true of SSL?
A. By convention it uses ‘s-http://’ instead of ‘http://’.
B. It stands for Secure Sockets Layer
C. It was developed by Netscape
D. It is used for transmitting private documents over the Internet
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 928
Which SSL version offers client-side authentication?
A. SSL v1
B. SSL v2
C. SSL v3
D. SSL v4
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Client Authentication using Digital IDs
Enable access by certificates”
http://www.verisign.com/repository/clientauth/ent_ig.htm#clientauth
QUESTION 929
In which way does a Secure Socket Layer (SSL) server prevent a “man-in-the-middle” attack?
A. It uses signed certificates to authenticate the server’s public key.
B. A 128 bit value is used during the handshake protocol that is unique to the connection.
C. It uses only 40 bits of secret key within a 128 bit key length.
D. Every message sent by the SSL includes a sequence number within the message contents.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: Secure Sockets Layer (SSL). An encryption technology that is used to provide secure transactions
such as the exchange of credit card numbers. SSL is a socket layer security protocol and is a two-layered
protocol that contains the SSL Record Protocol and the SSL Handshake Protocol. Similar to SSH, SSL uses
symmetric encryption for private connections and asymmetric or public key cryptography (certificates) for peer
authentication. It also uses a Message Authentication Code for message integrity checking.
Krutz: The CISSP Prep Guide pg. 89. It prevents a man-in-the-middle attack by confirming that you are
authenticating with the desired server prior to entering your user name and password. If the server was not
authenticated, a man-in-the-middle could retrieve the username and password and then use it to log in.
The SSL protocol has been known to be vulnerable to some man-in-the-middle attacks. The attacker injects
herself right at the beginning of the authentication phase so that she obtains both parties’ keys. This enables
her to decrypt and view messages that were not intended for her. Using digital signatures during the session-key
exchange can circumvent the man-in-the-middle attack. If using Kerberos, when Lance and Tanya obtain
each other’s public keys from the KDC, the public keys are signed by the KDC. Because Tanya and Lance
have the public key of the KDC, they both can decrypt and verify the signature on each other’s public key and
be sure that it came from the KDC itself. Because David does not have the private key of the KDC, he cannot
substitute his public key during this type of transmission. Shon Harris All-In-One CISSP Certification pg. 579.
One of the most important pieces of a PKI is its public key certificate. A certificate is the mechanism used to
associate a public key with a collection of components sufficient to uniquely authenticate the claimed owner.
Shon Harris All-In-One CISSP Certification pg. 540.
QUESTION 930
Secure Shell (SSH) and Secure Sockets Layer (SSL) are very heavily used for protecting
A. Internet transactions
B. Ethernet transactions
C. Telnet transactions
D. Electronic Payment transactions
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 931
Which one of the following CANNOT be prevented by the Secure Shell (SSH) program?
A. Internet Protocol (IP) spoofing.
B. Data manipulation during transmissions.
C. Network based birthday attack.
D. Compromise of the source/destination host.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: This is a question that I disagreed with. The premise that SSH does use RSA and 3DES, and is thus
susceptible to cryptographic attack (namely a birthday attack), has merit, but I think the answer is simpler, in
that SSH can’t protect against a compromised source/destination. You can safely rule out spoofing and
manipulation (that is the job of SSH, to protect the transmission). The original answer was C, birthday attack. Use
your best judgment based on knowledge and experience.
The use of ssh helps to correct these vulnerabilities. Specifically, ssh protects against these attacks: IP
spoofing (where the spoofer is on either a remote or local host), IP source routing, DNS spoofing, interception
of cleartext passwords/data and attacks based on listening to X authentication data and spoofed connections to
an X11 server. http://www-arc.com/sara/cve/SSH_vulnerabilities.html
Birthday attack – Usually applied to the probability of two different messages using the same hash function that
produces a common message digest; or given a message and its corresponding message digest, finding
another message that when passed through the same hash function generates the same specific message
digest. The term “birthday” comes from the fact that in a room with 23 people, the probability of two people
having the same birthday is greater than 50 percent. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 212
QUESTION 932
Another name for a VPN is a:
A. tunnel
B. one-time password
C. pipeline
D. bypass
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 933
Which one of the following attacks is MOST effective against an Internet Protocol Security (IPSEC) based
virtual private network (VPN)?
A. Brute force
B. Man-in-the-middle
C. Traffic analysis
D. Replay
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Active attacks find identities by being a man-in-the-middle or by replacing the responder in the
negotiation. The attacker proceeds through the key negotiation with the attackee until the attackee has revealed
its identity. In a well-designed system, the negotiation will fail after the attackee has revealed its identity
because the attacker cannot spoof the identity of the originally-intended system.
The attackee might then suspect that there was an attack because the other side failed before it gave its
identity. Therefore, an active attack cannot be persistent because it would prevent all legitimate
access to the desired IPsec system.
http://msgs.securepoint.com/cgi-bin/get/ipsec-0201/18.html
Not C: Traffic analysis is a good attack but not the most effective as it is passive in nature, while Man in the
middle is active.
QUESTION 934
Which of the following is NOT an essential component of a VPN?
A. VPN Server
B. NAT Server
C. authentication
D. encryption
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 935
Virtual Private Network software typically encrypts all of the following EXCEPT
A. File transfer protocol
B. Data link messaging
C. HTTP protocol
D. Session information
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 936
Which of the following is less likely to be used in creating a Virtual Private Network?
A. L2TP
B. PPTP
C. IPSec
D. L2F
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “The following are the three most common VPN communications protocol standards:
Point-to-Point Tunneling Protocol (PPTP). PPTP works at the Data Link Layer of the OSI model. Designed for
individual client to server connections, it enables only a single point-to-point connection per session. This
standard is very common with asynchronous connections that use Win9x or NT clients. PPTP uses native
Point-to-Point Protocol (PPP) authentication and encryption services.
Layer 2 Tunneling Protocol (L2TP). L2TP is a combination of PPTP and the earlier Layer 2
Forwarding (L2F) Protocol that works at the Data Link Layer like PPTP. It has become an accepted tunneling
standard for VPNs. In fact, dial-up VPNs use this standard quite frequently. Like PPTP, this standard was
designed for single point-to-point client to server connections. Note that multiple protocols can be encapsulated
within the L2TP tunnel, but do not use encryption like PPTP. Also, L2TP supports TACACS+ and RADIUS, but
PPTP does not.
IPSEC. IPSec operates at the Network Layer and it enables multiple and simultaneous tunnels, unlike the
single connection of the previous standards. IPSec has the functionality to encrypt and authenticate IP data. It
is built into the new IPv6 standard, and is used as an add-on to the current IPv4. While PPTP and L2TP are
aimed more at dial-up VPNs, IPSec focuses more on network-to-network connectivity.” Pg. 123-125 Krutz: The
CISSP Prep Guide: Gold Edition.
QUESTION 937
Which one of the following instigates a SYN flood attack?
A. Generating excessive broadcast packets.
B. Creating a high number of half-open connections.
C. Inserting repetitive Internet Relay Chat (IRC) messages.
D. A large number of Internet Control Message Protocol (ICMP) traces.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission
Control Protocol (TCP) session initialization handshake. The attacker floods the target system’s small “in-process”
queue with connection requests, but it does not respond when the target system replies to those
requests. This causes the target system to time out while waiting for the proper response, which makes the
system crash or become unusable. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 103
“In a SYN flood attack, hackers use special software that sends a large number of fake packets with the SYN
flag set to the targeted system. The victim then reserves space in memory for the connection and attempts to
send the standard SYN/ACK reply but never hears back from the originator. This process repeats hundreds or
even thousands of times, and the targeted computer eventually becomes overwhelmed and runs out of
available resources for the half-opened connections. At that time, it either crashes or simply ignores all inbound
connection requests because it can’t possibly handle any more half-open connections.” Pg 266 Tittel: CISSP
Study Guide.
QUESTION 938
Which one of the following is defined as the process of distributing incorrect Internet Protocol (IP) addresses/
names with the intent of diverting traffic?
A. Network aliasing
B. Domain Name Server (DNS) poisoning
C. Reverse Address Resolution Protocol (ARP)
D. Port scanning
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: This reference is close to the one listed. DNS poisoning is the correct answer; however, Harris does
not name the attack when describing it, but later on the page she states the following:
“This is how a DNS DoS attack can occur. If the actual DNS records are unattainable to the attacker for him to
alter in this fashion, which they should be, the attacker can insert this data into the cache of their server
instead of replacing the actual records, which is referred to as cache poisoning.” – Shon Harris All-in-one CISSP
Certification Guide pg 795
QUESTION 939
A packet containing a long string of NOPs followed by a command is usually indicative of what?
A. A syn scan
B. A half-port scan
C. A buffer overflow
D. A packet destined for the network’s broadcast address
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Reference “This paper is for those who want a practical approach to writing buffer overflow
exploits. As the title says, this text will teach you how to write these exploits in Perl.
…
There are reasons why we construct the buffer this way. First we have a lot of NOPs, then the shellcode (which
in this example will execute /bin/sh), and at last the ESP + offset values.”
http://hackersplayground.org/papers/perl-buffer.txt
QUESTION 940
You are running a packet sniffer on a network and see a packet with a long string of “90 90 90
90….” in the middle of it traveling to an x86-based machine. This could be indicative of what?
A. Over-subscription of the traffic on a backbone
B. A source quench packet
C. a FIN scan
D. A buffer overflow
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: “TCP Port 5000 Buffer Overflow Attack
The attack on Port 5000 was part of this scan pattern
Mar 14, 2004 15:58:17.837 – (TCP) 68.144.13.102 : 2282 >>> 192.168.1.36 : 2745
Mar 14, 2004 15:58:17.857 – (TCP) 68.144.13.102 : 2283 >>> 68.144.193.246 : 135
Mar 14, 2004 15:58:17.887 – (TCP) 68.144.13.102 : 2284 >>> 192.168.1.38 : 1025
Mar 14, 2004 15:58:17.907 – (TCP) 68.144.13.102 : 2285 >>> 68.144.193.246 : 445
Mar 14, 2004 15:58:17.938 – (TCP) 68.144.13.102 : 2286 >>> 192.168.1.36 : 3127
Mar 14, 2004 15:58:17.958 – (TCP) 68.144.13.102 : 2287 >>> 68.144.193.246 : 6129
Mar 14, 2004 15:58:17.988 – (TCP) 68.144.13.102 : 2288 >>> 68.144.193.246 : 139
Mar 14, 2004 15:58:18.008 – (TCP) 68.144.13.102 : 2289 >>> 192.168.1.36 : 5000
Mar 14, 2004 15:58:29.164 – (TCP) 68.144.13.102 : 1442 >>> 68.144.193.246 : 1981
Mar 14, 2004 15:58:33.470 – (TCP) 68.144.13.102 : 1442 >>> 68.144.193.246 : 1981
Mar 14, 2004 15:58:39.288 – (TCP) 68.144.13.102 : 1442 >>> 68.144.193.246 : 1981
The attack appears to be a buffer overflow attack on the Plug and Play service on TCP Port 5000, which likely
contains instructions to download and execute the rest of the worm.
”
http://www.linklogger.com/TCP5000_Overflow.htm
QUESTION 941
Which of the following is true related to network sniffing?
A. Sniffers allow an attacker to monitor data passing across a network.
B. Sniffers alter the source address of a computer to disguise and exploit weak authentication methods.
C. Sniffers take over network connections
D. Sniffers send IP fragments to a system that overlap with each other.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: Sniffing is the act of capturing or monitoring the traffic going over the network. Because, in a normal
networking environment, account and password information is passed along Ethernet in clear text, it is not hard
for an intruder to put a machine into promiscuous mode and, by sniffing, compromise all the machines on the
network by capturing passwords in an illegal fashion.
QUESTION 942
Which one of the following threats does NOT rely on packet size or large volumes of data?
A. SYN flood
B. Spam
C. Ping of death
D. Macro virus
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: SPAM – The term describing unwanted email, newsgroup, or discussion forum messages. Spam
can be as innocuous as an advertisement from a well-meaning vendor or as malignant as floods of unrequested
messages with viruses or Trojan horses attached.
SYN Flood Attack – A type of DoS. A SYN flood attack is waged by not sending the final ACK packet, which
breaks the standard three-way handshake used by TCP/IP to initiate communication sessions.
Ping of death attack – A type of DoS. A ping of death attack employs an oversized ping packet. Using special
tools, an attacker can send numerous oversized ping packets to a victim. In many cases, when the victimized
system attempts to process the packets, an error occurs causing the system to freeze, crash, or reboot.
Macro Viruses – A virus that utilizes crude technologies to infect documents created in the Microsoft Word
environment.
– Ed Tittel CISSP Study Guide (Sybex) pg 550, 740, 743, 723, 713
QUESTION 943
A TCP SYN Attack:
A. requires a synchronized effort by multiple attackers
B. takes advantage of the way a TCP session is established
C. may result in elevation of privileges.
D. is not something system users would notice
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: “[SYN Flood] Attackers can take advantage of this design flaw by continually sending the victim
SYN messages with spoofed packets. The victim will commit the necessary resources to set up this
communication socket, and it will send its SYN/ACK message waiting for the ACK message in return. However,
the victim will never receive the ACK message, because the packet is spoofed, and the victim system sent the
SYN/ACK message to a computer that does not exist. So the victim system receives a SYN message, and it
dutifully commits the necessary resources to set up a connection with another computer. This connection is
queued waiting for the ACK message, and the attacker sends another SYN message. The victim system does
what it is supposed to and commits more resources, sends the SYN/ACK message, and queues this connection.
This may only need to happen a dozen times before the victim system no longer has the necessary resources
to open up another connection. This makes the victim computer unreachable from legitimate computers,
denying other systems service from the victim computer.” Pg. 735 Shon Harris CISSP All-In-One Exam Guide
QUESTION 944
What attack is typically used for identifying the topology of the target network?
A. Spoofing
B. Brute force
C. Teardrop
D. Scanning
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Flaw exploitation attacks exploit a flaw in the target system’s software in order to cause a processing failure or
to cause it to exhaust system resources. An example of such a processing failure is the ‘ping of death’ attack.
This attack involved sending an unexpectedly large ping packet to certain Windows systems. The target system
could not handle this abnormal packet, and a system crash resulted. With respect to resource exhaustion
attacks, the resources targeted include CPU time, memory, disk space, space in a special buffer, or network
bandwidth. In many cases, simply patching the software can circumvent this type of DOS attack.
QUESTION 945
Which one of the following is the reason why hyperlink spoofing attacks are usually successful?
A. Most users requesting DNS name service do not follow hyperlinks.
B. The attack performs user authentication with audit logs.
C. The attack relies on modifications to server software.
D. Most users do not make a request to connect to DNS names; they follow hyperlinks.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The problem is that most users do not request to connect to DNS names or even URLs, they follow
hyperlinks… But, whereas DNS names are subject to “DNS spoofing” (whereby a DNS server lies about the
internet address of a server) so too are URLs subject to what I call “hyperlink spoofing” or “Trojan HTML”,
whereby a page lies about a URL’s DNS name. Both forms of spoofing have the same effect of steering you to
the wrong internet site; however, hyperlink spoofing is technically much easier than DNS spoofing.
http://www.brd.ie/papers/sslpaper/sslpaper.html
QUESTION 946
Which of the following identifies the first phase of a Distributed Denial of Service attack?
A. Establishing communications between the handler and agent.
B. Disrupting the normal traffic to the host.
C. Disabling the router so it cannot filter traffic.
D. Compromising as many machines as possible.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Another form of attack is called the distributed denial of service (DDOS). A distributed denial of
service occurs when the attacker compromises several systems and uses them as launching platforms against
one or more victims. – Ed Tittel CISSP Study Guide (Sybex) pg
QUESTION 947
Which type of vulnerability enables the intruder to re-route data traffic from a network device to a personal
machine? This diversion enables the intruder to capture data traffic to and from the devices for analysis or
modification, or to steal the password file from the server and gain access to user accounts.
A. Network Address Translation
B. Network Address Hijacking
C. Network Address Supernetting
D. Network Address Sniffing
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Network Address Hijacking. It might be possible for an intruder to reroute data traffic from a
server or network device to a personal machine, either by device address modification or network address
“hijacking.” This diversion enables the intruder to capture traffic to and from the devices for data analysis or
modification or to steal the password file from the server and gain access to user accounts. By rerouting the
data output, the intruder can obtain supervisory terminal functions and bypass the system logs.”
Pg. 324 Krutz: The CISSP Prep Guide: Gold Edition
QUESTION 948
Which one of the following is an example of hyperlink spoofing?
A. Compromising a web server Domain Name Service reference.
B. Connecting the user to a different web server.
C. Executing Hypertext Transport Protocol Secure GET commands.
D. Starting the user’s browser on a secured page.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: The problem is that most users do not request to connect to DNS names or even URLs, they
follow hyperlinks… But, whereas DNS names are subject to “DNS spoofing” (whereby a DNS server lies about
the internet address of a server) so too are URLs subject to what I call “hyperlink spoofing” or “Trojan HTML”,
whereby a page lies about a URL’s DNS name. Both forms of spoofing have the same effect of steering you to
the wrong internet site; however, hyperlink spoofing is technically much easier than DNS spoofing.
http://www.brd.ie/papers/sslpaper/sslpaper.html
QUESTION 949
Why are packet filtering routers NOT effective against mail bomb attacks?
A. The bomb code is obscured by the message encoding algorithm.
B. Mail bombs are polymorphic and present no consistent signature to filter on.
C. Filters do not examine the data portion of a packet.
D. The bomb code is hidden in the header and appears as a normal routing information.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 950
Which one of the following correctly identifies the components of a Distributed Denial of Service Attack?
A. Node, server, hacker, destination
B. Client, handler, agent, target
C. Source, destination, client, server
D. Attacker, proxy, handler, agent
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Another form of DoS. A distributed denial of service occurs when the attacker compromises
several systems to be used as launching platforms against one or more victims. The compromised systems
used in the attacks are often called slaves or zombies. A DDoS attack results in the victims being flooded with
data from numerous sources. – Ed Tittel CISSP Study Guide (Sybex) pg 693
QUESTION 951
Which one of the following attacks will pass through a network layer intrusion detection system undetected?
A. A teardrop attack
B. A SYN flood attack
C. A DNS spoofing attack
D. A test.cgi attack
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
“Because a network-based IDS reviews packets and headers, it can also detect denial of service (DoS)
attacks.” Pg. 64 Krutz: The CISSP Prep Guide
Not A or B:
“The following sections discuss some of the possible DoS attacks available.
Smurf
Fraggle
SYN Flood
Teardrop
DNS DoS Attacks”
Pg. 732-737 Shon Harris: All-In-One CISSP Certification Exam Guide
QUESTION 952
Which one of the following is a passive network attack?
A. Spoofing
B. Traffic Analysis
C. Playback
D. Masquerading
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
“Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the
actual content of packets. Traffic and trend analysis can be used to infer a large amount of information, such as
primary communication routes, sources of encrypted traffic, location of primary servers, primary and backup
communication pathways, amount of traffic supported by the network, typical direction of traffic flow, frequency
of communications, and much more.” Pg 429 Tittel: CISSP Study Guide
QUESTION 953
Which one of the following can NOT typically be accomplished using a Man-in-the-middle attack?
A. DNS spoofing
B. Session hijacking
C. Denial of service flooding
D. Digital signature spoofing
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 954
What is an attack called where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet
so it seems to have originated at the victim’s system, in order to flood it with REPLY packets?
A. SYN flood attack
B. Smurf attack
C. Ping of Death Attack
D. Denial of Service (DOS) Attack
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference: pg 158 Hansche: Official (ISC)2 Guide to the CISSP Exam
QUESTION 955
Which type of attack involves the alteration of a packet at the IP level to convince a system that it is
communicating with a known entity in order to gain access to a system?
A. TCP sequence number attack
B. IP spoofing attack
C. Piggybacking attack
D. Teardrop attack
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 956
What attack takes advantage of operating system buffer overflows?
A. Spoofing
B. Brute force
C. DoS
D. Exhaustive
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Denial of Service is an attack on the operating system or software using buffer overflows. The result is that the
target is unable to reply to service requests. This is too large an area of information to try to cover here, so I
will limit my discussion to the types of denial of service (DoS) attacks:
QUESTION 957
What attack is primarily based on the fragmentation implementation of IP and large ICMP packet size?
A. Exhaustive
B. Brute force
C. Ping of Death
D. Spoofing
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Ping of Death — This exploit is based on the fragmentation implementation of IP whereby large packets are
reassembled and can cause machines to crash. Ping of Death takes advantage of the fact that it is possible to
send an illegal ICMP Echo packet with more than the allowable 65,507 octets of data because of the way
fragmentation is performed. A temporary fix is to block ping packets. Ideally, an engineer should secure TCP/IP
from overflow when reconstructing IP fragments.
QUESTION 958
Land attack attacks a target by:
A. Producing large volume of ICMP echos.
B. Producing fragmented IP packets.
C. Attacking an established TCP connection.
D. None of the choices.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Land.c attack — Attacks an established TCP connection. A program sends a TCP SYN packet giving the target
host address as both the sender and destination, using the same port, causing the OS to hang.
QUESTION 959
What attack is primarily based on the fragmentation implementation of IP?
A. Teardrop
B. Exhaustive
C. Spoofing
D. Brute force
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Teardrop attack – This is based on the fragmentation implementation of IP whereby reassembly problems can
cause machines to crash. The attack uses a reassembly bug with overlapping fragments and causes systems
to hang or crash. It works for any Internet Protocol type because it hits the IP layer itself. Engineers should turn
off directed broadcast capability.
QUESTION 960
What attack floods networks with broadcast traffic so that the network is congested?
A. Spoofing
B. Teardrop
C. Brute force
D. SMURF
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
SMURF attack — This attack floods networks with broadcast traffic so that the network is congested. The
perpetrator sends a large number of spoofed ICMP (Internet Control Message Protocol) echo requests to
broadcast addresses, hoping packets will be sent to the spoofed addresses. You need to understand the OSI
model and how protocols are transferred between layer 3 and layer 2 to understand this attack. Layer 2 will
respond to the ICMP echo request with an ICMP echo reply each time, multiplying the traffic by the number of
hosts involved. Engineers should turn off broadcast capability (if possible in your environment) to deter this kind
of attack.
QUESTION 961
What attack involves repeatedly sending identical e-mail messages to a particular address?
A. SMURF
B. Brute force
C. Teardrop
D. Spamming
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Spamming — Involves repeatedly sending identical e-mail messages to a particular address. It is a variant of
bombing, and is made worse when the recipient replies — e.g. recent cases where viruses or worms were
attached to the e-mail message and ran a program that forwarded the message from the reader to anyone on
the user’s distribution lists. This attack cannot be prevented, but you should ensure that entrance and exit of
such mail is only through central mail hubs.
QUESTION 962
A stack overflow attack that “crashes” a Transmission Control Protocol/Internet Protocol (TCP/IP) service
daemon can result in a serious security breach because the
A. Process does not implement proper object reuse.
B. Process is executed by a privileged entity.
C. Network interface becomes promiscuous.
D. Daemon can be replaced by a trojan horse.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 963
The intrusion detection system at your site has detected Internet Protocol (IP) packets where the IP source
address is the same as the destination address.
This situation indicates
A. Misdirected traffic jammed to the internal network.
B. A denial of service attack.
C. An error in the internal address matrix.
D. A hyper overflow in the IP stack.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: “The Land denial of service attack causes many older operating systems (such as Windows NT 4,
Windows 95, and SunOS 4.1.4) to freeze and behave in an unpredictable manner.
It works by creating an artificial TCP packet that has the SYN flag set. The attacker sets the destination IP
address to the address of the victim machine and the destination port to an open port on that machine. Next,
the attacker sets the source IP address and source port to the same values as the destination IP address and
port. When the targeted host receives this unusual packet, the operating system doesn’t know how to process it
and freezes, crashes, or behaves in an unusual manner as a result.” Pg 237 Tittel: CISSP Study Guide
QUESTION 964
What type of attack occurs when a rogue application has been planted on an unsuspecting user’s
workstation?
A. Physical attacks
B. Logical attacks
C. Trojan Horse attacks
D. Social Engineering attacks
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Trojan Horse attacks – This attack involves a rogue, Trojan horse application that has been planted on an
unsuspecting user’s workstation. The Trojan horse waits until the user submits a valid PIN from a trusted
application, thus enabling usage of the private key, and then asks the smartcard to digitally sign some rogue
data. The operation completes but the user never knows that their private key was just used against their will.
QUESTION 965
Man-in-the-middle attacks are a real threat to what type of communication?
A. Communication based on random challenge.
B. Communication based on face to face contact.
C. Communication based on token.
D. Communication based on asymmetric encryption.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The weakest point in communication based on asymmetric encryption is the knowledge about the real
owners of keys. Somebody evil could generate a key pair, give the public key away and tell everybody that it
belongs to somebody else. Now, everyone believing it will use this key for encryption, resulting in the evil man
being able to read the messages. If he encrypts the messages again with the public key of the real recipient, he
will not be easily recognized. This sort of attack is called a “man-in-the-middle” attack and can only be prevented
by making sure that public keys really belong to their designated owners.
QUESTION 966
Which of the following threats is not addressed by digital signature and token technologies?
A. Spoofing
B. replay attacks
C. password compromise
D. denial-of-service
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 967
Which one of the following is concerned with masking the frequency, length, and origin-destination patterns of
the communications between protocol entities?
A. Masking analysis
B. Protocol analysis
C. Traffic analysis
D. Pattern analysis
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Traffic analysis, which is sometimes called trend analysis, is a technique employed by an intruder
that involves analyzing data characteristics (message length, message frequency, and so forth) and the
patterns of transmissions (rather than any knowledge of the actual information transmitted) to infer information
that is useful to an intruder. – Ronald Krutz The CISSP Prep Guide (Gold Edition) pg 323
QUESTION 968
Which of the following would NOT be considered a Denial of Service Attack?
A. Zone Transfer
B. Smurf
C. Syn Flood
D. TearDrop
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: Zone transfer is the method that DNS uses to transfer zone information between servers. In some
insecure DNS installations zone transfers are allowed to untrusted DNS servers. This allows the hacker to
determine internal host names and IP addresses to provide additional information for an attack.
QUESTION 969
The connection using fiber optics from a phone company’s branch office to local customers is which of the
following?
A. new loop
B. local loop
C. loopback
D. indigenous loop
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: In telecommunications, the local loop is the wiring between the central office
and the customer’s premises demarcation point. The telephony local loop connection is typically a copper
twisted pair carrying current from the central office to the customer premises and back again. Individual local
loop telephone lines are connected to the local central office or to a remote concentrator.
Local loop connections can be used to carry a range of technologies, including:
Analog Voice
ISDN
DSL
QUESTION 970
Which step ensures the confidentiality of a facsimile transmission?
A. Pre-schedule the transmission of the information.
B. Locate the facsimile equipment in a private area.
C. Encrypt the transmission.
D. Phone ahead to the intended recipient.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 971
Which one of the following could a company implement to help reduce PBX fraud?
A. Call vectoring
B. Direct Inward System Access (DISA)
C. Teleconferencing bridges
D. Remote maintenance ports
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: The potential for fraud to occur in voice telecommunications equipment is a serious threat. PBXs
(Private Branch Exchanges) are telephone switches used within state agencies to allow employees to make outgoing
and receive incoming phone calls. These PBXs can also provide connections for communications
between personal computers and local and wide area networks. Security measures must be taken to avoid the
possibility of theft of either phone service or information through the telephone systems.
Direct Inward System Access (DISA) is the ability to call into a PBX, either on an 800 number or a local dial-in,
and by using an authorization code, gain access to the long distance lines and place long distance calls through
the PBX.
http://www.all.net/books/Texas/chap10.html
QUESTION 972
Phreakers are hackers who specialize in telephone fraud. What type of telephone fraud manipulates the line
voltage to receive a toll-free call?
A. Red boxes
B. Blue boxes
C. White boxes
D. Black boxes
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 973
Which one of the following devices might be used to commit telecommunications fraud using the “shoulder
surfing” technique?
A. Magnetic stripe copier
B. Tone generator
C. Tone recorder
D. Video recorder
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 974
What technique is used to prevent eavesdropping of digital cellular telephone conversations?
A. Encryption
B. Authentication
C. Call detail suppression
D. Time-division multiplexing
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: The name “TDMA” (Time Division Multiple Access) is also used to refer to a specific second
generation mobile phone standard – more properly referred to as IS-136, which uses the TDMA technique to
timeshare the bandwidth of the carrier wave. It provides between 3 and 6 times the capacity of its predecessor
AMPS, and also improved security and privacy. In the United States, for example, AT&T Wireless uses the IS-
136 TDMA stan