What does the CIA model in network security stand for?
A) Confidentiality, Integrity, Availability
B) Control, Investigation, Access
C) Compliance, Integrity, Authorization
D) Confidentiality, Inspection, Authorization
A — Confidentiality, Integrity, Availability
Which method helps ensure confidentiality in a network?
A) Encryption and principle of least privilege
B) Firmware updates
C) Incremental backups
D) Snapshots
A — Encryption and principle of least privilege
What is meant by integrity in the CIA model?
A) Data must remain consistent from source to destination
B) Only authorized users can view files
C) Data is backed up offsite
D) Devices are physically secured
A — Data must remain consistent from source to destination
What does availability mean in network security?
A) Authorized users can access data when needed
B) All users can see all files
C) Data is stored in multiple formats
D) Firmware is always updated
A — Authorized users can access data when needed
What is the difference between a threat, a vulnerability, and an exploit?
A) Threat is a potential danger, vulnerability is a weakness, exploit takes advantage of the vulnerability
B) Threat is a hacker, vulnerability is software, exploit is hardware
C) Threat is a backup failure, vulnerability is a misconfiguration, exploit is a firewall rule
D) Threat is internal, vulnerability is external, exploit is always a virus
A — Threat is a potential danger, vulnerability is a weakness, exploit takes advantage of the vulnerability
Which of the following is an example of an internal threat?
A) Disgruntled employee with access to sensitive data
B) Hacker accessing the network remotely
C) Malware infection from an email
D) Default passwords on routers
A — Disgruntled employee with access to sensitive data
Which of the following is a vulnerability in a network?
A) Outdated firmware
B) Hackers trying to gain access
C) Security cameras at the entrance
D) Firewall blocking all ports
A — Outdated firmware
Which of the following is an example of an exploit?
A) Spoofing a remote machine to install a backdoor
B) Leaving a firewall port open unintentionally
C) Having an outdated router firmware
D) Employee discussing passwords in the office
A — Spoofing a remote machine to install a backdoor
What is the primary concept of defense in depth in cybersecurity?
A) Using a single strong firewall to protect all assets
B) Implementing multiple layers of security measures to protect systems
C) Relying solely on antivirus software for protection
D) Encrypting only critical files on the network
B — Implementing multiple layers of security measures to protect systems
Which layer in the defense in depth model is considered the first line of defense?
A) Host/Endpoint
B) Network
C) Perimeter
D) Application
C — Perimeter
What is the purpose of a honeypot in perimeter security?
A) To block all network traffic
B) To lure attackers and identify vulnerabilities
C) To store backup data
D) To encrypt data on the network
B — To lure attackers and identify vulnerabilities
What security measures are commonly applied at the network layer?
A) Malware prevention and patch management
B) Network segmentation, VLANs, access control, and guest isolation
C) Application testing in a virtual machine
D) Data separation and principle of least privilege
B — Network segmentation, VLANs, access control, and guest isolation
Which layer focuses on protecting hosts and endpoints?
A) Data layer
B) Application layer
C) Host/Endpoint layer
D) Perimeter layer
C — Host/Endpoint layer
What is the principle of separation of duties in the context of data security?
A) Allowing users full administrative rights over systems
B) Ensuring no single user has enough rights to compromise a system
C) Using the same person for software installation and removal
D) Encrypting data only during transmission
B — Ensuring no single user has enough rights to compromise a system
What is a common sign that there might be a DHCP issue on a network?
A) The network printer stops printing
B) Inconsistent internet speeds, slowdowns, or inability to reach other hosts
C) The Wi-Fi signal is too strong
D) The server reboots automatically
B — Inconsistent internet speeds, slowdowns, or inability to reach other hosts
What indicates that an IP address is outside the expected network range?
A) Its subnet mask is 255.0.0.0
B) The IP address does not match the network ID of the subnet
C) The gateway IP is 192.168.0.1
D) The DNS server responds slowly
B — The IP address does not match the network ID of the subnet
What is a rogue DHCP server?
A) A DHCP server configured to assign static IP addresses
B) An unauthorized device providing IP addresses to network hosts
C) A backup DHCP server for redundancy
D) A DHCP server that only works with wireless networks
B — An unauthorized device providing IP addresses to network hosts
Why is a rogue DHCP server particularly dangerous in wireless networks?
A) Wireless networks do not use DHCP
B) Hosts may receive IP information from the rogue device first
C) Wireless networks have built-in encryption
D) Rogue DHCP servers cannot connect to wireless networks
B — Hosts may receive IP information from the rogue device first
What actions should network administrators take to prevent rogue DHCP issues?
A) Assign random IP addresses to all devices
B) Know their network ID, know the DHCP server IP, and disable unused wall ports
C) Disconnect all wireless access points
D) Block all incoming email
B — Know their network ID, know the DHCP server IP, and disable unused wall ports
What types of attacks can a rogue DHCP server enable?
A) Man-in-the-middle attacks, packet sniffing, and reconnaissance attacks
B) SQL injection and cross-site scripting
C) Physical theft of servers
D) Password brute force attacks
A — Man-in-the-middle attacks, packet sniffing, and reconnaissance attacks
What is the main goal of a denial of service (DoS) attack?
A) To steal passwords from a server
B) To deny access to a service by overwhelming it with requests
C) To encrypt data on the server
D) To physically damage the server
B — To deny access to a service by overwhelming it with requests
Which of the following is an example of a volumetric DoS attack?
A) Slowloris attack
B) SYN flood attack
C) Ping flood or UDP flood
D) Command and control malware
C — Ping flood or UDP flood
What distinguishes a protocol-based DoS attack from a volumetric attack?
A) It targets the network cable
B) It exploits weaknesses in a protocol, such as TCP/IP, to overwhelm the server
C) It sends a large volume of valid requests
D) It encrypts server communications
B — It exploits weaknesses in a protocol, such as TCP/IP, to overwhelm the server
What is a Slowloris attack an example of?
A) A volumetric attack
B) A protocol attack
C) An application-layer DoS attack
D) A malware infection
C — An application-layer DoS attack
How does a distributed denial of service (DDoS) attack differ from a regular DoS attack?
A) DDoS only targets wireless networks
B) DDoS uses multiple computers (zombies) controlled by a single system to attack a target
C) DDoS is slower than a DoS attack
D) DDoS encrypts the server before attacking
B — DDoS uses multiple computers (zombies) controlled by a single system to attack a target
What is the purpose of a command and control (CNC) server in a network attack?
A) To scan for vulnerable ports on the network
B) To control infected computers (zombies) and execute malicious actions such as DDoS or data theft
C) To prevent malware infections
D) To provide backup for critical network data
B — To control infected computers (zombies) and execute malicious actions such as DDoS or data theft
What best describes a man-in-the-middle (MITM) attack?
A) Two systems directly communicating without interference
B) A third party inserting itself between two communicating systems to intercept or manipulate the conversation
C) Encrypting a communication channel to prevent eavesdropping
D) Physically stealing a server from a data center
B — A third party inserting itself between two communicating systems to intercept or manipulate the conversation
Which wireless technique makes it easy for an attacker to perform MITM by capturing packets?
A) Setting a router to bridge mode
B) Using a wireless card in promiscuous/monitor mode to sniff unencrypted 802.11 traffic
C) Increasing the Wi-Fi transmit power
D) Enabling MAC address filtering on the AP
B — Using a wireless card in promiscuous/monitor mode to sniff unencrypted 802.11 traffic
In a wired network, what method is commonly used to position an attacker between two hosts?
A) Replacing the switch with a hub
B) Spoofing (e.g., MAC/IP/DNS) such as ARP poisoning to impersonate another host or gateway
C) Moving the devices to a different VLAN
D) Enabling DHCP snooping on the router
B — Spoofing (e.g., MAC/IP/DNS) such as ARP poisoning to impersonate another host or gateway
What capability makes Ettercap useful for MITM attacks?
A) It automatically patches vulnerable hosts
B) It combines poisoning/spoofing with built-in sniffing and can extract credentials from captured traffic
C) It encrypts all traffic to protect users
D) It only scans for open ports without capturing traffic
B — It combines poisoning/spoofing with built-in sniffing and can extract credentials from captured traffic
What is a replay attack in the context of MITM?
A) Capturing valid authentication data (e.g., username/hash) and replaying it later to authenticate as that user
B) Replaying audio recorded from a VoIP call to confuse users
C) Re-transmitting DNS responses to speed up resolution
D) Rebooting a server repeatedly to cause downtime
A — Capturing valid authentication data (e.g., username/hash) and replaying it later to authenticate as that user
What is session hijacking and which tool demonstrated it on unencrypted web sessions?
A) Forcing a system to change its session timeout; demonstrated by Wireshark
B) Injecting into or taking over an active session to impersonate a user; demonstrated by Firesheep capturing unencrypted web sessions on wireless
C) Rotating session keys frequently to enhance security; demonstrated by Ettercap
D) Blocking all session cookies to prevent login; demonstrated by Nmap
B — Injecting into or taking over an active session to impersonate a user; demonstrated by Firesheep capturing unencrypted web sessions on wireless
What is VLAN hopping?
A) Using VLANs to increase network speed
B) Bypassing Layer 2 VLAN restrictions to access traffic on other VLANs
C) Physically connecting two switches
D) Encrypting VLAN traffic to prevent interception
B — Bypassing Layer 2 VLAN restrictions to access traffic on other VLANs
What are the two main types of VLAN hopping attacks?
A) MAC flooding and IP spoofing
B) VLAN spoofing and double tagging
C) ARP poisoning and DHCP starvation
D) Trunk negotiation and port scanning
B — VLAN spoofing and double tagging
How does VLAN spoofing work?
A) By injecting multiple IP addresses into a subnet
B) By tricking a legitimate switch into forming a trunk link using DTP
C) By encrypting VLAN traffic
D) By isolating ports within a VLAN
B — By tricking a legitimate switch into forming a trunk link using DTP
In a double tagging VLAN hopping attack, why is the native VLAN important?
A) The attacker must be on the native VLAN to have the outer tag stripped, allowing the inner tag to reach the target VLAN
B) The native VLAN encrypts the inner VLAN tag
C) Native VLANs prevent VLAN hopping automatically
D) Native VLANs cannot be used for any communication
A — The attacker must be on the native VLAN to have the outer tag stripped, allowing the inner tag to reach the target VLAN
Which configuration best protects against VLAN hopping attacks?
A) Use dynamic trunking for all ports
B) Manually configure trunk ports and use a dedicated native VLAN only for maintenance
C) Assign all ports to VLAN 1
D) Enable DHCP on all VLANs
B — Manually configure trunk ports and use a dedicated native VLAN only for maintenance
What is the purpose of private VLANs (port isolation)?
A) To allow only isolated ports to communicate with each other
B) To control communication within a VLAN by designating community and isolated ports
C) To merge multiple VLANs into one network
D) To automatically assign IP addresses to VLANs
B — To control communication within a VLAN by designating community and isolated ports
What is IT asset disposal (ITAD)?
A) Selling old equipment to employees
B) Properly retiring and securely disposing of outdated IT equipment
C) Donating old devices without documentation
D) Storing old devices indefinitely
B — Properly retiring and securely disposing of outdated IT equipment
Why is maintaining an audit trail important during IT asset disposal?
A) To track internet usage
B) To ensure devices are relocated quickly
C) To confirm that information on devices is not compromised and document the disposal process
D) To reduce energy consumption
C — To confirm that information on devices is not compromised and document the disposal process
Which method is considered compliant for securely wiping hard drives?
A) Single quick format
B) Using DOS UNDELETE
C) Software following DOD 5220.22-M standards with at least three passes
D) Turning the drive off and on
C — Software following DOD 5220.22-M standards with at least three passes
What is the purpose of using asset tags in ITAD?
A) To decorate devices
B) To track and log devices in an asset management system for proper disposal and security
C) To increase resale value
D) To speed up network performance
B — To track and log devices in an asset management system for proper disposal and security
What is software patch management?
A) Installing new software only when a device is replaced
B) Keeping software and firmware up to date by managing and applying patches and fixes
C) Deleting old files to free storage
D) Outsourcing all software updates
B — Keeping software and firmware up to date by managing and applying patches and fixes
What does decommissioning of IT systems involve?
A) Simply shutting down equipment
B) Properly retiring, disposing, or phasing out hardware, software, and infrastructure with documentation and verification
C) Selling old systems online
D) Leaving devices in storage for future use
B — Properly retiring, disposing, or phasing out hardware, software, and infrastructure with documentation and verification
Which of the following is NOT a type of system decommissioning?
A) Partial decommissioning
B) Full decommissioning
C) Network acceleration decommissioning
D) Application decommissioning
C — Network acceleration decommissioning
What is the defining characteristic of a computer virus?
A) It only displays ads on your screen
B) It attaches itself to files or programs and can propagate to other files, causing damage
C) It encrypts your files for ransom
D) It provides remote access to a hacker
B — It attaches itself to files or programs and can propagate to other files, causing damage
What distinguishes adware from other types of malware?
A) It hides and records keystrokes
B) It appears to be innocent but is actually malicious
C) It floods your screen with ads and is usually more annoying than dangerous
D) It encrypts files until a ransom is paid
C — It floods your screen with ads and is usually more annoying than dangerous
How does spyware commonly collect sensitive information?
A) By encrypting files
B) By tracking user activity and logging keystrokes via software or hardware keyloggers
C) By displaying pop-up ads
D) By installing fake antivirus programs
B — By tracking user activity and logging keystrokes via software or hardware keyloggers
What is a Trojan, and how does it typically operate?
A) A program that encrypts files immediately
B) A malicious program that appears innocent but executes harmful actions when activated locally
C) Software that displays ads
D) A type of hardware keylogger
B — A malicious program that appears innocent but executes harmful actions when activated locally
What is the difference between a regular Trojan and a Remote Access Trojan (RAT)?
A) A Trojan encrypts files, while a RAT shows ads
B) A Trojan executes locally, while a RAT allows remote activation and control
C) A Trojan is harmless, while a RAT is always dangerous
D) There is no difference
B — A Trojan executes locally, while a RAT allows remote activation and control
What triggers a logic bomb?
A) When a user visits a website
B) When specific conditions or events occur, such as disabling an account
C) When antivirus software is installed
D) When hardware is removed
B — When specific conditions or events occur, such as disabling an account
What is the main purpose of ransomware or crypto malware?
A) To spy on keystrokes
B) To flood the screen with ads
C) To lock or encrypt files and demand payment for access
D) To provide remote access for maintenance
C — To lock or encrypt files and demand payment for access
How are rootkits and backdoors typically used maliciously?
A) Rootkits encrypt files; backdoors display ads
B) Rootkits gain unauthorized privileges; backdoors provide hidden access points, often used by attackers
C) Both are harmless programs used for diagnostics
D) Rootkits delete files; backdoors steal passwords
B — Rootkits gain unauthorized privileges; backdoors provide hidden access points, often used by attackers
What are key defenses against malware?
A) Keeping antivirus software updated and educating users to avoid suspicious activity
B) Only using ad blockers
C) Reformatting the hard drive monthly
D) Disabling firewalls
A — Keeping antivirus software updated and educating users to avoid suspicious activity
What is dumpster diving in the context of social engineering?
A) Searching trash or discarded items for sensitive company information
B) Fishing in rivers for lost documents
C) Installing malware on a computer
D) Following employees into a secure building
A — Searching trash or discarded items for sensitive company information
What is phishing and how does it differ from whaling?
A) Phishing targets high-profile individuals, whaling targets all employees
B) Phishing uses physical deception, whaling uses email
C) Phishing is sending fraudulent emails to gain personal information; whaling specifically targets high-profile individuals
D) Phishing encrypts files, whaling deletes them
C — Phishing is sending fraudulent emails to gain personal information; whaling specifically targets high-profile individuals
What is shoulder surfing and how can it be mitigated?
A) Observing someone’s screen or keystrokes to obtain sensitive information; mitigated with privacy filters or awareness of surroundings
B) Following someone into a building; mitigated with turnstiles
C) Sending fake emails; mitigated with antivirus software
D) Listening to phone conversations; mitigated with call encryption
A — Observing someone’s screen or keystrokes to obtain sensitive information; mitigated with privacy filters or awareness of surroundings
How does eavesdropping function as a social engineering attack?
A) It installs malware on a network
B) It involves listening to conversations to gather sensitive information, often in casual settings like near a water cooler
C) It steals documents from trash bins
D) It requires impersonating a high-profile executive
B — It involves listening to conversations to gather sensitive information, often in casual settings like near a water cooler
What is tailgating (or piggybacking) in social engineering, and how can it be prevented?
A) Following an authorized person into a secure area; prevented by turnstiles or access control vestibules
B) Sending fake emails to executives; prevented by spam filters
C) Watching someone type their password; prevented by privacy screens
D) Stealing documents from the trash; prevented by shredders
A — Following an authorized person into a secure area; prevented by turnstiles or access control vestibules
What is masquerading (or impersonation) in social engineering, and how should it be handled?
A) Pretending to be malware to scare users; handled by antivirus software
B) Pretending to be an authorized person to extract information; handled by forwarding calls to a higher authority or hanging up
C) Following someone into a secure building; handled by turnstiles
D) Listening to private conversations; handled by talking quietly
B — Pretending to be an authorized person to extract information; handled by forwarding calls to a higher authority or hanging up
What is the key to protecting against social engineering attacks?
A) Installing antivirus software
B) Educating and training users to recognize and respond appropriately to suspicious actions or requests
C) Physically locking all computers
D) Using complex passwords only
B — Educating and training users to recognize and respond appropriately to suspicious actions or requests
What is logical security in the context of IT?
A) Physical locks and guards to protect servers
B) Protecting software and data components of a system or network from threats or attacks
C) Installing security cameras in data centers
D) Restricting access to a building
B — Protecting software and data components of a system or network from threats or attacks
A — Data at rest, data in transit, data in use
What is “data at rest” and how can it be secured?
A) Data being transmitted across networks; secured with VPNs and TLS
B) Data stored on non-volatile devices; secured by identifying, classifying, encrypting, and training users
C) Data being processed in memory; secured by antivirus software
D) Data deleted from storage; secured by shredding
B — Data stored on non-volatile devices; secured by identifying, classifying, encrypting, and training users
Why is data in transit considered vulnerable, and what are common protections?
A) It’s physically stolen easily; use locked cabinets
B) It can be intercepted or accessed unauthorizedly; use SSL certificates, VPNs, and encryption protocols like TLS, SFTP
C) It is easily corrupted; use checksum validation only
D) It is stored temporarily; use access control lists
B — It can be intercepted or accessed unauthorizedly; use SSL certificates, VPNs, and encryption protocols like TLS, SFTP
What is “data in use” and what is the best way to protect it?
A) Data stored in archives; protect with long-term storage encryption
B) Data present in primary memory or caches while being processed; protect by limiting access to authorized users
C) Data being transmitted; protect with SSL
D) Data deleted from the system; protect with shredding
B — Data present in primary memory or caches while being processed; protect by limiting access to authorized users
How do the CIA triad and AAA model differ in focus?
A) CIA protects users; AAA protects hardware
B) CIA deals with data confidentiality, integrity, and availability; AAA handles authentication, authorization, and accounting of users
C) CIA is physical security; AAA is software security
D) CIA is compliance only; AAA is encryption only
B — CIA deals with data confidentiality, integrity, and availability; AAA handles authentication, authorization, and accounting of users
What is the main purpose of physical security in network protection?
A) Protect software from malware
B) Prevent theft or unauthorized access to devices and infrastructure
C) Encrypt data in transit
D) Monitor employee performance
B — Prevent theft or unauthorized access to devices and infrastructure
Which of the following are examples of detection physical security methods?
A) Badge readers and biometrics
B) Motion detection systems, asset tags, and tamper detection
C) Fences and bollards
D) Safes and cable locks
B — Motion detection systems, asset tags, and tamper detection
What are examples of preventative physical controls?
A) Alarms and log files
B) Fences, gates, mantraps, locks, and biometric access
C) Security cameras only
D) Motion sensors and infrared detectors
B — Fences, gates, mantraps, locks, and biometric access
What are K ratings in physical security?
A) Encryption standards for secure networks
B) Ratings for fences designed to stop vehicles at specific speeds
C) Badge clearance levels for employees
D) Types of motion detectors
B — Ratings for fences designed to stop vehicles at specific speeds
Which physical control is used to prevent shoulder surfing or data visibility on screens?
A) Retinal scanners
B) Screen filters
C) Smart lockers
D) Motion detectors
B — Screen filters
What are detective physical controls and examples?
A) Prevent attacks; fences and gates
B) Detect unauthorized activity; alarms, cameras, motion detectors, log files
C) Stop phishing; antivirus software
D) Control user permissions; biometrics and badge readers
B — Detect unauthorized activity; alarms, cameras, motion detectors, log files
What is a compensating control in physical security?
A) A control that encrypts sensitive files
B) A temporary measure to maintain security when a primary control is unavailable
C) A type of motion detector
D) A firewall to prevent intrusions
B — A temporary measure to maintain security when a primary control is unavailable