The 7 Layers of the OSI Model Are Shown Below

Page 1: The 7 Layers of the OSI Model Are Shown Below

The 7 Layers of the OSI Model are shown below.

Layer 1: Physical Layer
Layer 2: Data Link Layer
Layer 3: Network Layer
Layer 4: Transport Layer
Layer 5: Session Layer
Layer 6: Presentation Layer
Layer 7: Application Layer

The OSI reference model specifies standards for describing “Open Systems Interconnection”. The term ‘open’ was chosen to emphasise the fact that by using these international standards, a system may be defined which is open to all other systems obeying the same standards throughout the world.

It consists of 7 Layers with each Layer being functionally independent of the others. Control is passed from one layer to the next, starting at the top and proceeding to the bottom layer, over the channel to the other station and back up the layers. The receiving layer at the destination host receives exactly the same object as sent by the matching layer at the source host. This is shown in the diagram below:

The layers are in two groups. The upper four layers are used whenever a message passes from or to a user. The lower three layers are used when any message passes through the host computer. Messages intended for this computer pass to the upper layers. Messages destined for some other host are not passed up to the upper layers but are forwarded to another host.

The sending process passes data to the application layer. The application layer attaches an application header and then passes the frame to the presentation layer.

The presentation layer can transform data in various ways, if necessary, such as by translating it and adding a header. It gives the result to the session layer. The presentation layer is not aware of which portion (if any) of the data received from the application layer is the application header and which portion is actually user data, because that information is irrelevant to the presentation layer’s role.

The process of adding headers is repeated from layer to layer until the frame reaches the data link layer. There, in addition to a data-link header, a data-link trailer is added. The data-link trailer contains a checksum and padding if needed. This aids in frame synchronization. The frame is passed down to the physical layer, where it is transmitted to the receiving host. On the receiving host, the various headers and the data trailer are stripped off one by one as the frame ascends the layers and finally reaches the receiving process.
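The encapsulation walk described above, as an added example that is not code from the original document: each layer prepends a header, the data link layer adds padding and a checksum trailer, and each peer layer on the receiver gets back exactly the bytes its counterpart handed down. The five-byte headers, the 64-byte minimum frame and the layer names are constructed for illustration.

```python
import struct
import zlib

# Constructed layer model: the five layers above the data link layer, top
# down.  Each gets a 5-byte header: a one-letter tag plus the payload length.
LAYERS = ["application", "presentation", "session", "transport", "network"]
MIN_FRAME = 64  # constructed minimum frame length, to show the padding step


def _header(layer: str, length: int) -> bytes:
    return layer[0].upper().encode() + struct.pack(">I", length)


def _strip_header(layer: str, unit: bytes) -> bytes:
    """Remove this layer's header and return exactly the payload it wrapped."""
    tag, length = unit[:1], struct.unpack(">I", unit[1:5])[0]
    if tag != layer[0].upper().encode():
        raise ValueError(f"{layer} layer received a unit tagged {tag!r}")
    return unit[5:5 + length]


def send(user_data: bytes):
    """Encapsulate user data down to a data link frame.

    Returns (frame, sent), where sent[layer] is the unit that layer handed to
    the layer below it on the sending host.
    """
    sent = {}
    unit = user_data
    for layer in LAYERS:
        # Each layer wraps the whole unit from above; the presentation layer
        # cannot tell where the application header ends and user data begins.
        unit = _header(layer, len(unit)) + unit
        sent[layer] = unit
    body = _header("data link", len(unit)) + unit
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))   # padding if needed
    frame = body + struct.pack(">I", zlib.crc32(body))    # trailer: checksum
    sent["data link"] = frame
    return frame, sent


def receive(frame: bytes):
    """Decapsulate a frame back up to user data.

    Returns (user_data, received), where received[layer] is the unit that
    layer got from the layer below it on the receiving host.
    """
    received = {"data link": frame}
    body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if zlib.crc32(body) != crc:
        raise ValueError("data link checksum mismatch: frame damaged in transit")
    unit = _strip_header("data link", body)   # length field discards padding
    for layer in reversed(LAYERS):
        received[layer] = unit
        unit = _strip_header(layer, unit)
    return unit, received


if __name__ == "__main__":
    frame, sent = send(b"hello")
    data, received = receive(frame)
    for layer in ["data link", *reversed(LAYERS)]:
        print(f"{layer:>12}: peer received the same object: {sent[layer] == received[layer]}")
    print(data)
```

A frame whose bytes are altered in transit fails the trailer checksum and is rejected at the data link layer before any upper layer sees it.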

Testinside v3.29 769

Sybex self study guide

Books: Sybex Deluxe Edition 2008

Videos: Learnkey VTC

1. Sybex Security+ 4th Edition (exam point of view recommended)
2. Security+ Instructor Edition
3. CBT/VTC/TestOut (I like TestOut)
4. VCE available in CC download section (helped a lot, 60%-70% valid)

2. Darril Gibson's CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide and the study guide from Actual Tests.

3. Common ports and the services that use them:

20 FTP data (File Transfer Protocol)
21 FTP (File Transfer Protocol)
22 SSH (Secure Shell)
23 Telnet
25 SMTP (Simple Mail Transfer Protocol)
43 whois
53 DNS (Domain Name Service)
68 DHCP (Dynamic Host Configuration Protocol)
79 Finger
80 HTTP (HyperText Transfer Protocol)
110 POP3 (Post Office Protocol, version 3)
115 SFTP (Secure File Transfer Protocol)
119 NNTP (Network News Transfer Protocol)
123 NTP (Network Time Protocol)
137 NetBIOS-ns
138 NetBIOS-dgm
139 NetBIOS
143 IMAP (Internet Message Access Protocol)
161 SNMP (Simple Network Management Protocol)
194 IRC (Internet Relay Chat)
220 IMAP3 (Internet Message Access Protocol 3)
389 LDAP (Lightweight Directory Access Protocol)
443 SSL (Secure Socket Layer)
445 SMB (NetBIOS over TCP)
666 Doom
993 SIMAP (Secure Internet Message Access Protocol)
995 SPOP (Secure Post Office Protocol)

Ports between 1024 and 49151 are known as the Registered Ports. Basically, programs are supposed to register their use of these ports and thereby try to be careful and avoid stomping on each other. Here are some common ports and their programs.

1243 SubSeven (Trojan - security risk!)
1352 Lotus Notes
1433 Microsoft SQL Server
1494 Citrix ICA Protocol
1521 Oracle SQL
1604 Citrix ICA / Microsoft Terminal Server
2049 NFS (Network File System)
3306 mySQL
4000 ICQ
5010 Yahoo! Messenger
5190 AOL Instant Messenger
5632 PCAnywhere
5800 VNC
5900 VNC
6000 X Windowing System
6699 Napster
6776 SubSeven (Trojan - security risk!)
7070 RealServer / QuickTime
7778 Unreal
8080 HTTP
26000 Quake
27010 Half-Life
27960 Quake III
31337 BackOrifice (Trojan - security risk!)

4. You are performing risk assessment for an organization. What should you do during impact assessment?

Determine the potential monetary costs related to a threat.

Determine how well the organization is prepared to manage the threat.

Determine actions that can be taken to mitigate a potential threat.

Determine how likely it is that a threat might actually occur.

For which of the following is centralized key management most complicated?

Whole disk encryption

Asymmetric key

Symmetric key

TPM

You are preparing to perform vulnerability analysis on a network. Which tools require a computer with a network adapter that can be placed in promiscuous mode? (Choose two.)

Vulnerability scanner

Network mapper

Port scanner

Password cracker

Protocol analyzer

The 802.11i standard specifies support for which encryption algorithms? (Choose two.)

DES

ECC

TKIP

RSA

AES

You have several computers that use the NTLM authentication protocol for client authentication. Network policy requires user passwords with at least 16 characters.

What hash algorithm is used for password authentication?

LM hash

AES

SHA

MD5

You need to ensure that a critical server has minimal down time. You need to ensure data fault tolerance for the server.

What should you do?

Deploy a UPS.

Configure a redundant server.

Provide spare parts.

Use RAID.

You are preparing to deploy an e-commerce Web site. The Web site uses dynamically generated Web pages based on user input, which is a requirement of the application running on the site. You need to design the site to prevent cross-site scripting attacks and must choose the most appropriate action to take. What should you do? Implement user input validation.

You discover that when network users attempt to navigate to your company's public Web site, they are being redirected to a different Web site. This is an example of what type of attack? DNS poisoning

You are designing network access control so that remote users are limited to accessing the network during normal business hours only. Policies regarding user access apply to all users.

This is an example of what type of access control? Rule-based access control

A HIDS that recognizes possible attacks by monitoring attempts to make unauthorized changes to files is an example of what kind of monitoring methodology? Behavior-based

What protocol is used to encrypt e-mail messages for transmission and delivery? Secure Multipurpose Internet Mail Extension (S/MIME)

You want to create a document that describes what types of things employees are permitted to do regarding e-mail and Web usage. Acceptable use policy

You are looking for ways to protect data on a network. Your solution should:

* Provide for easy backup of all user data.

* Minimize risk of physical data theft.

* Minimize the impact of the failure of any one file server.

Which solution should you use? Use file servers attached to a NAS system. Lock the file servers and NAS in a secure area.

You suspect that an attacker is sending damaged packets into your network as a way to compromise your firewall. You need to collect as much information about network traffic as possible.

What should you use? Protocol analyzer

You are designing a secure application environment. You need to ensure that data is kept as secure as possible. You need to select the strictest access control model.

What access control model should you use? You should use the mandatory access control (MAC) model.

You need to determine if intermittent spikes in network activity are related to an attempt to breach the network. You need to identify exactly when the activity is occurring and what type of traffic is causing the activity.

What should you do? Use a protocol analyzer.

Why should you require the sender to digitally sign sensitive e-mail messages? To provide for nonrepudiation & To validate the sender.

Which environmental control is part of TEMPEST compliance? Shielding

Your office is TEMPEST-compliant. This prevents what potential risk? Using a cell phone to access unauthorized Web sites.

What should you do first if you discover a rogue AP on your LAN? Immediately disconnect the rogue AP from your network.

The process of logging onto a network with a user name and password is an example of which of the following? Authentication

Your network is protected from the Internet by a firewall. You are concerned about potential risks in the firewall protection.

What should you do? Scan the firewall's incoming ports with a port scanner.

In a PKI system, what is the role of a private key? Data decryption

Your network administrator backs up the server by using an incremental backup strategy. He uses seven tapes, one tape per day, and he performs the backup at the end of each business day. He does a full backup on Friday and Tuesday and an incremental on the other days (Sunday, Monday, Wednesday, Thursday, and Saturday).

The server crashes on Sunday morning before the opening of business.

How many tapes will he use to perform the restore on Sunday? 2

You need to encrypt the contents of a USB flash drive.

Which type of encryption should you use? Advanced Encryption Standard (AES) is a symmetric key encryption algorithm.

You are brought in to assist on a local area network configured with a single network address. Network clients access the Internet through a wireless access point that is also a high-bandwidth Internet gateway connected to a cable modem.

You discover that some network traffic is being redirected to a client that is infected with a Trojan. The IP addresses and MAC addresses on the redirected packets do not match up correctly. All packets have the MAC address of the infected system. The IP addresses are legitimate host addresses.

Of what kind of attack is this a symptom? Address Resolution Protocol (ARP) poisoning.
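The symptom this question describes (one MAC address answering for several legitimate IP addresses) can be checked from a packet capture. The following is an added example, not part of the original notes: it parses constructed tcpdump-style ARP reply lines, compares them against a constructed IP-to-MAC inventory, and flags both inventory mismatches and any MAC claiming more than one IP.

```python
import re
from collections import defaultdict

# Constructed inventory of the MAC each IP should have (e.g. from DHCP leases
# or a switch's MAC table); not from the original document.
INVENTORY = {
    "192.168.1.1": "00:11:22:33:44:01",
    "192.168.1.10": "00:11:22:33:44:10",
    "192.168.1.11": "00:11:22:33:44:11",
    "192.168.1.12": "00:11:22:33:44:12",
    "192.168.1.50": "00:11:22:33:44:50",
}

# Constructed capture in tcpdump's ARP line style.  The host at .50 is the
# infected client: it answers for the gateway (.1) and for .10 and .11.
SAMPLE_LOG = """\
12:00:01.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:50, length 28
12:00:01.000502 ARP, Request who-has 192.168.1.10 tell 192.168.1.50, length 28
12:00:01.001003 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:50, length 28
12:00:01.001504 ARP, Reply 192.168.1.11 is-at 00:11:22:33:44:50, length 28
12:00:01.002005 ARP, Reply 192.168.1.12 is-at 00:11:22:33:44:12, length 28
12:00:01.002506 ARP, Reply 192.168.1.50 is-at 00:11:22:33:44:50, length 28
"""

ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")


def parse_arp_lines(text):
    """Return (ip, mac) pairs for every ARP reply line; other lines are ignored."""
    pairs = []
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def analyze(observed, inventory, threshold=2):
    """Return (mismatches, suspects).

    mismatches: {ip: (expected_mac, seen_mac)} where a reply's MAC differs
    from the inventory entry for that IP.
    suspects: {mac: [ips]} for MACs seen answering for at least `threshold`
    distinct IPs, the pattern described in the question above.
    """
    ips_per_mac = defaultdict(set)
    mismatches = {}
    for ip, mac in observed:
        ips_per_mac[mac].add(ip)
        expected = inventory.get(ip)
        if expected is not None and expected.lower() != mac:
            mismatches[ip] = (expected.lower(), mac)
    suspects = {mac: sorted(ips) for mac, ips in ips_per_mac.items()
                if len(ips) >= threshold}
    return mismatches, suspects


if __name__ == "__main__":
    mismatches, suspects = analyze(parse_arp_lines(SAMPLE_LOG), INVENTORY)
    for ip, (expected, seen) in sorted(mismatches.items()):
        print(f"{ip}: inventory says {expected}, capture shows {seen}")
    for mac, ips in suspects.items():
        print(f"{mac} is answering for {len(ips)} addresses: {', '.join(ips)}")
```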

You deploy a two-factor authentication system for your network computers using a smart card and PIN. Despite this, unauthorized personnel are gaining access to the network.

What should you do to help prevent this in the future? Improve user education and awareness training.

You need to determine which ports are open on your perimeter network's firewall.

What should you use? Port scanner

Which statement best describes hashing? Transforming a variable-length input into a fixed-length string

You need to dispose of several computers. You want to ensure that the highly confidential medical patient information on the hard drives cannot be recovered.

What should you do? Use a third-party company to destroy/shred/melt the drives.

A critical Web server is targeted by an attacker for buffer overflow attacks. Captured user input contains packets with a long string of no-operation (NOP) instructions coming from various Internet IP addresses. You need to minimize the effect of these attacks.

What should you do? Check all user input for validity & Run applications with the least privileged account context possible.

Your network has servers that are configured as member servers in a Windows Active Directory domain. You need to minimize the risk of unauthorized persons logging on locally to the servers. The solution should have minimal impact on local management and administration and should not limit administrator access.

What should you do? Require strong passwords. & Rename the local default accounts.

Using a user ID and password for authentication is an example of which of the following? Single-factor authentication

You want to be able to identify changes in activity in critical Windows servers that might identify attempts to compromise the server or its data. You have installed security software such as antivirus software on the servers and have locked down the server configurations.

What should you do next? Use Performance Monitor to establish a performance baseline for each server.

For which of the following is centralized key management most complicated? Symmetric key

Your company has a Web farm that runs an e-commerce Web site. There are four servers in the Web farm. The Web farm is supported by a database server.

What does the database server represent? Single point of failure

Which security threat is made up of a set of (usually malicious) programs that enable administrator access to a computer? Rootkit

A computer configured as a router protects your network from the Internet. You discover that the router has been reconfigured.

How might an attacker have gained access to the router? By logging on to a default account & Through a rootkit infection.

What does LDAP use to provide security? It uses Transport Layer Security (TLS) to provide confidentiality and data integrity.

One of your colleagues has suggested that you use Nessus to help analyze security on your network.

Nessus is associated with: Scanning

An image file that contains a hidden message or data uses which technique? Steganography

Which of the following presents the incident response steps in the correct order? Preparation, Identification, Containment, Eradication, Recovery, Follow-up

Your network is configured as an internal network protected from the Internet by a perimeter network. The internal network is configured as an Active Directory domain. There are three Web servers configured as a peer-to-peer (P2P) network deployed in the perimeter network.

You need to do what you can to prevent buffer overflows at any of the Web servers.

What can you do to minimize the risk of buffer overflows? Implement user input validation to prevent script injection.

What is a potential risk associated with WEP when it is used to secure a WLAN? Weak encryption

Which of the following is typically used to authenticate the Web site of an online business? Digital certificate

You need to secure access to network file servers. Your first task is to determine current access permissions.

What should you do? Review effective access permissions.

What does IPSec use to determine when to create a new set of keys? ISAKMP

You are investigating some malware that has infected a server in your company. You make a digital copy of the hard drive that you can analyze. You place the original drive in a secure cabinet.

What aspect of incident response does this illustrate? Chain of custody

You download a file management application from the Internet. When you launch the application, your screen goes blank and your hard disk's active light starts flashing. You restart the computer and discover that your hard disk partitions have been deleted.

This is an example of what kind of threat? Trojan horse

Which of the following refers to the practice of registering a domain name, canceling it within a five-day grace period, and then re-registering it without ever paying for the registration? Kiting

Smart card access control relies on which of the following access control methods? Logical token

You are preparing to perform vulnerability analysis on a network. Which tools require a computer with a network adapter that can be placed in promiscuous mode? Vulnerability scanner & Protocol analyzer

Which of the following best describes a digital signature? A message hash encrypted with the sender's private key.

You want to use a backup scheme that does not take too much time or require very high capacity tapes each night. Because you do not have to restore data that often, you do not care if the restore process is lengthier as a result, but you do not want it to take an unreasonable amount of time.

Which of the following would be the best backup scheme to meet your goals? Perform a full backup weekly. Perform incremental backups nightly.

Network users whose computers are running Windows XP Professional complain that the extra windows that appear when they browse the Internet are becoming a nuisance. You need to minimize how often these windows appear.

What should you do? Configure the Internet Explorer popup blockers.

You need to connect your LAN to the Internet. The configuration needs to include a perimeter network. You need to keep the hardware requirements to a minimum.

What should you do? Deploy one firewall.

Your network is configured as a Windows Active Directory domain. You need to configure user access to file folders that are shared to the network. Directory access is dependent upon a user's role in the organization.

You need to keep the administrative overhead needed to manage access security to a minimum. You need to be able to quickly modify a user's permissions if that user is assigned to a different role. A user can be assigned to more than one role within the organization.

What should you do? Create security groups and assign access permissions based on organizational roles & Assign users membership to security groups based on organizational roles.

What is the best way to determine if users are selecting strong passwords for their user accounts? Use a password cracker.

SSL is used to provide encryption for which communication protocol? HTTP

Which of the following can be used to prevent external electrical fields from affecting sensitive equipment? Faraday cage

You need to test a Linux program that might be a previously unknown type of malware. You need to minimize the risk while testing and also minimize the effort necessary to recover after testing.

What should you do? Test the program in a virtual environment.

Which type of IDS is more ambitious and informative than other types? HIDS

Which of the following uses public-key cryptography to provide authentication, confidentiality, and data integrity? Secure European System For Applications in a Multi-Vendor Environment (SESAME)

Your network is isolated from the Internet by a firewall that also acts as a proxy server. You suspect that a potential attacker has been probing your network looking for open ports.

What should you do? Check the firewall log.

What entity within a PKI is able to provide digital keys to an authorized third party? Key Escrow

You have six 100 GB hard disks available for data storage. Which RAID configuration will provide the most available storage with fault tolerance? RAID-5

What is the advantage of using application virtualization? It lets you minimize the attack surface relating to the application.

A critical server application is susceptible to shell injection privilege escalation attacks.

How can you minimize the potential impact of this type of attack? Run the application with the minimum permissions required.

The process of verifying a user's security credentials before allowing access to protected resources is referred to as what? Authentication

A standard antivirus program is based on what kind of monitoring methodology? Signature-based

MD5 and SHA are what type of algorithms? Hashing

What kinds of attacks are best prevented through user education and awareness training? (Choose two.) Phishing & Dumpster diving

What can be done to prevent cookie poisoning? Encrypt cookies before transmission.

An attacker is most likely to be able to intercept traffic from which type of transmission media? Wireless

What type of physical security allows you to hold an intruder in between two sets of doors? Mantrap

You need to secure traffic between SMTP servers over the Internet. You want to make sure that servers that can connect securely use a secure connection, but you do not want to lose connections with servers that cannot connect securely.

Which protocol offers the best solution? Transport Layer Security (TLS)

You have developed a disaster recovery plan for an organization. You need to ensure that it can be implemented quickly and correctly.

What should you do? Run a test of the recovery plan.

You currently have all computer systems set up to boot first from the hard drive. You want to prevent users from booting the computers from CDs, DVDs, or USB drives.

What should you do? Password protect the BIOS

You are designing Internet access controls for a company. You need to ensure that internal network users are prevented from accessing inappropriate Web sites.

What should you do? Implement content filtering.

Your network is configured as a Windows Server 2003 Active Directory domain. The network includes two file servers named FS0 and FS1. Folders from both file servers are shared to the network.

You need to configure the same access permissions for 20 domain users to folders shared from FS0 and FS1. The users that need access to this set of folders may change over time. You need to minimize the effort needed to deploy and maintain this solution.

What should you do? Create one domain security group.

You have been tasked to perform a risk assessment for an organization.

What should you do first? Identify organizational assets.

What is used to provide secure communication over a L2TP VPN connection? IPSec

Making sure that proper procedures are followed during an investigation of a security incident and that the rights of the suspect are respected is known as: Due process

Kernel-level rootkits are designed to do what on a computer? To hide evidence of an attacker's presence & To hide a back door into the system

You are designing a solution to protect your network from Internet-based attacks. You need to provide:

* Pre-admission security checks

* Automated remediation

The solution should integrate existing network infrastructure devices.

What should you do? Implement NAC.

Which form of biometric authentication is the least secure? Keystroke dynamics

When calculating risk assessment for an organization, what is the role of impact assessment? Estimating the potential costs related to a threat

What entity within a PKI verifies user requests for digital certificates? Registration Authority

You are determining environmental control requirements for a data center that will contain several computers.

What is the role of an HVAC system in this environment? Provide an appropriate ambient temperature & Maintain appropriate humidity levels

You need to test a new network-aware application that will be deployed on your network. You need to keep the potential risks to the production network and the costs involved to a minimum.

What should you do? Configure a virtual server and client and test the application in a virtualized network environment.

What type of IDS reports possible attacks when it detects conditions that match the conditions contained in a database of attacks? Signature-based

When users log on to the domain, in addition to being given access to domain file resources, they are given access to a Microsoft SQL Server database server and an internal Web site through Windows integrated authentication.

This is an example of what authentication model? single sign-on (SSO)

You need to determine if you can identify the source of requests sent to Web servers in your perimeter network. You are concerned about traffic originating from the Internet.

What should you use? Protocol analyzer

Which of the following is designed to perform one-way encryption? Secure Hash Algorithm (SHA)

What is the role of change management in an IT infrastructure? Controlling changes through standardized methods and procedures.

Engineering department computers are deployed on a screened subnet. You need to protect the computers against malware attacks.

What should you do? Install a HIDS on each of the departmental computers.

The following ports are open on your perimeter network firewall:

22

23

443

992

Which port represents the biggest security risk from an antiquated protocol? 23

Your network is configured as a Windows Server 2003 Active Directory domain. The Finance group has read permission to the Reports and History shared folders as well as other shared folders. The Accounting group has read and write permissions to the Reports, AccountRecs, and Statements shared folders. Several users are members of both the Finance and Accounting groups.

All of the folders are located on a file server named FS0. The Everyone group is granted the Full Control NTFS permission for each folder through inheritance, but non-administrative users do not have the right to log on locally at the server. Access to the shared folders is managed through share permissions.

It is determined that the Finance group should no longer have read access to the Reports folder. This change should not affect access permissions granted through membership in other groups.

What should you do? Remove the read permission from the Finance group for the Reports folder.

You determine that group policies that should apply to all users in the domain are not being applied to users in the Maintenance OU. The group policies are linked at the domain and apply to all other domain users.

What should you do? Review group policy properties for the Maintenance OU.

The 802.11i standard specifies support for which encryption algorithms? AES & TKIP

Which type of social engineering attack on a business typically relies on impersonation to gain personal information? Phishing

You are configuring antispam software for network computers.

What should you have the antispam software do when it identifies an e-mail as spam? Save the message in a separate folder.

What can you use to monitor traffic on a switched network? Port mirroring

Your company has three computer security professionals. Every month, a different one is assigned to auditing duties.

What principle does this illustrate? Job rotation

You install an NIPS in your perimeter network. You need to determine how effective the NIPS is against DoS attacks targeting your Web servers.

What should you do? Perform penetration testing.