
The 7 Layers of the OSI Model are shown below.

• Layer 1: Physical Layer
• Layer 2: Data Link Layer
• Layer 3: Network Layer
• Layer 4: Transport Layer
• Layer 5: Session Layer
• Layer 6: Presentation Layer
• Layer 7: Application Layer

The OSI reference model specifies standards for describing “Open Systems Interconnection”. The
term ‘open’ was chosen to emphasise the fact that by using these international standards, a system
may be defined which is open to all other systems obeying the same standards throughout the
world.

It consists of 7 Layers with each Layer being functionally independent of the others. Control is
passed from one layer to the next, starting at the top and proceeding to the bottom layer, over the
channel to the other station and back up the layers. The receiving layer at the destination host
receives exactly the same object as sent by the matching layer at the source host. This is shown in
the diagram below:
The layers are in two groups. The upper four layers are used whenever a message passes from or
to a user. The lower three layers are used when any message passes through the host computer.
Messages intended for this computer pass to the upper layers. Messages destined for some other
host are not passed up to the upper layers but are forwarded to another host.

The sending process passes data to the application layer. The application layer attaches an
application header and then passes the frame to the presentation layer.

The presentation layer can transform data in various ways, if necessary, such as by translating it and
adding a header. It gives the result to the session layer. The presentation layer is not aware of which
portion (if any) of the data received from the application layer is the application header and which
portion is actually user data, because that information is irrelevant to the presentation layer’s role.

The process of adding headers is repeated from layer to layer until the frame reaches the data link
layer. There, in addition to a data-link header, a data-link trailer is added. The data-link trailer
contains a checksum and padding if needed. This aids in frame synchronization. The frame is
passed down to the physical layer, where it is transmitted to the receiving host. On the receiving
host, the various headers and the data trailer are stripped off one by one as the frame ascends the
layers and finally reaches the receiving process.

Sybex self study guide

Books:
Sybex Deluxe Edition 2008

Videos:
Learnkey
VTC

1. Sybex Security+ 4th Edition (exam point of view recommended)
2. Security+ instructor Edition
3. CBT/VTC/TestOut (I like TestOut)
4. VCE available in CC download section (helped a lot, 60%-70% valid)

Darril Gibson's CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide and the study guide from Actual Tests.

Common well-known ports:

20 FTP data (File Transfer Protocol)
21 FTP (File Transfer Protocol)
22 SSH (Secure Shell)
23 Telnet
25 SMTP (Simple Mail Transfer Protocol)
43 whois
53 DNS (Domain Name Service)
68 DHCP (Dynamic Host Configuration Protocol)
79 Finger
80 HTTP (HyperText Transfer Protocol)
110 POP3 (Post Office Protocol, version 3)
115 SFTP (Secure File Transfer Protocol)
119 NNTP (Network News Transfer Protocol)
123 NTP (Network Time Protocol)
137 NetBIOS-ns
138 NetBIOS-dgm
139 NetBIOS
143 IMAP (Internet Message Access Protocol)
161 SNMP (Simple Network Management Protocol)
194 IRC (Internet Relay Chat)
220 IMAP3 (Internet Message Access Protocol 3)
389 LDAP (Lightweight Directory Access Protocol)
443 SSL (Secure Socket Layer)
445 SMB (NetBIOS over TCP)
666 Doom
993 SIMAP (Secure Internet Message Access Protocol)
995 SPOP (Secure Post Office Protocol)

Ports between 1024 and 29151 are known as the Registered Ports. Basically,
programs are supposed to register their use of these ports and thereby try to be
careful and avoid stomping on each other. Here are some common ports and their
programs.

1243 SubSeven (Trojan - security risk!)
1352 Lotus Notes
1433 Microsoft SQL Server
1494 Citrix ICA Protocol
1521 Oracle SQL
1604 Citrix ICA / Microsoft Terminal Server
2049 NFS (Network File System)
3306 mySQL
4000 ICQ
5010 Yahoo! Messenger
5190 AOL Instant Messenger
5632 PCAnywhere
5800 VNC
5900 VNC
6000 X Windowing System
6699 Napster
6776 SubSeven (Trojan - security risk!)
7070 RealServer / QuickTime
7778 Unreal
8080 HTTP
26000 Quake
27010 Half-Life
27960 Quake III
31337 BackOrifice (Trojan - security risk!)

You are performing risk assessment for an organization. What should you do during
impact assessment?

* Determine the potential monetary costs related to a threat.
* Determine how well the organization is prepared to manage the threat.
* Determine actions that can be taken to mitigate a potential threat.
* Determine how likely it is that a threat might actually occur.

For which of the following is centralized key management most complicated?

* Whole disk encryption
* Asymmetric key
* Symmetric key
* TPM

You are preparing to perform vulnerability analysis on a network. Which tools require a computer
with a network adapter that can be placed in promiscuous mode? (Choose two.)

* Vulnerability scanner
* Network mapper
* Port scanner
* Password cracker
* Protocol analyzer

The 802.11i standard specifies support for which encryption algorithms? (Choose two.)

* DES
* ECC
* TKIP
* RSA
* AES

You have several computers that use the NTLM authentication protocol for client authentication.
Network policy requires user passwords with at least 16 characters.

What hash algorithm is used for password authentication?

* LM hash
* AES
* SHA
* MD5

You need to ensure that a critical server has minimal down time. You need to ensure data fault
tolerance for the server.

What should you do?

* Deploy a UPS.
* Configure a redundant server.
* Provide spare parts.
* Use RAID.

You are preparing to deploy an e-commerce Web site. The Web site uses
dynamically generated Web pages based on user input. This is a requirement for
the application running on the Web site. You need to design the site to prevent
cross-site scripting attacks. You need to choose the most appropriate action to take.
What should you do? Implement user input validation.

You discover that when network users attempt to navigate to your company's
public Web site, they are being redirected to a different Web site. This is an
example of what type of attack? DNS poisoning

You are designing network access control so that remote users are limited to
accessing the network during normal business hours only. Policies regarding user
access apply to all users.
This is an example of what type of access control? Rule-based access control

A HIDS that recognizes possible attacks by monitoring attempts to make
unauthorized changes to files is an example of what kind of monitoring
methodology? Behavior-based

What protocol is used to encrypt e-mail messages for transmission and delivery?
Secure Multipurpose Internet Mail Extension (S/MIME)

You want to create a document that describes what types of things employees are
permitted to do regarding e-mail and Web usage. Acceptable use policy

You are looking for ways to protect data on a network. Your solution should:

* Provide for easy backup of all user data.

* Minimize risk of physical data theft.

* Minimize the impact of the failure of any one file server.

Which solution should you use? Use file servers attached to a NAS system. Lock
the file servers and NAS in a secure area.

You suspect that an attacker is sending damaged packets into your network as a
way to compromise your firewall. You need to collect as much information about
network traffic as possible.

What should you use? Protocol analyzer

You are designing a secure application environment. You need to ensure that data
is kept as secure as possible. You need to select the strictest access control model.

What access control model should you use? You should use the mandatory access
control (MAC) model.

You need to determine if intermittent spikes in network activity are related to an
attempt to breach the network. You need to identify exactly when the activity is
occurring and what type of traffic is causing the activity.

What should you do? Use a protocol analyzer.

Why should you require the sender to digitally sign sensitive e-mail messages? To
provide for nonrepudiation. To validate the sender.


Which environmental control is part of TEMPEST compliance? Shielding

Your office is TEMPEST-compliant. This prevents what potential risk? Using a cell
phone to access unauthorized Web sites.

What should you do first if you discover a rogue AP on your LAN? Immediately
disconnect the rogue AP from your network.

The process of logging onto a network with a user name and password is an
example of which of the following? Authentication

Your network is protected from the Internet by a firewall. You are concerned about
potential risks in the firewall protection.

What should you do? Scan the firewall's incoming ports with a port scanner.

In a PKI system, what is the role of a private key? Data decryption

Your network administrator backs up the server by using an incremental backup
strategy. He uses seven tapes, one tape per day, and he performs the backup at the
end of each business day. He does a full backup on Friday and Tuesday and an
incremental on the other days (Sunday, Monday, Wednesday, Thursday, and
Saturday).

The server crashes on Sunday morning before the opening of business.

How many tapes will he use to perform the restore on Sunday? 2

You need to encrypt the contents of a USB flash drive.

Which type of encryption should you use? Advanced Encryption Standard (AES) is
a symmetric key encryption algorithm.

You are brought in to assist on a local area network configured with a single
network address. Network clients access the Internet through a wireless access
point that is also a high-bandwidth Internet gateway connected to a cable modem.

You discover that some network traffic is being redirected to a client that is infected
with a Trojan. The IP addresses and MAC addresses on the redirected packets do
not match up correctly. All packets have the MAC address of the infected system.
The IP addresses are legitimate host addresses.
Of what kind of attack is this a symptom? Address Resolution Protocol (ARP)
poisoning.

You deploy a two-factor authentication system for your network computers using a
smart card and PIN. Despite this, unauthorized personnel are gaining access to the
network.

What should you do to help prevent this in the future? Improve user education
and awareness training.

You need to determine which ports are open on your perimeter network's firewall.

What should you use? Port scanner

Which statement best describes hashing? Transforming a variable-length input
into a fixed-length string

You need to dispose of several computers. You want to ensure that the highly
confidential medical patient information on the hard drives cannot be recovered.

What should you do? Use a third-party company to destroy/shred/melt the drives.

A critical Web server is targeted by an attacker for buffer overflow attacks. Capture
of user input contains packets with a long string of no operation (NOP) commands
coming from various Internet IP addresses. You need to minimize the effect of these
attacks.

What should you do? Check all user input for validity & Run applications with the
least privileged account context possible.

Your network has servers that are configured as member servers in a Windows
Active Directory domain. You need to minimize the risk of unauthorized persons
logging on locally to the servers. The solution should have minimal impact on local
management and administration and should not limit administrator access.

What should you do? Require strong passwords. & Rename the local default
accounts.

Using a user ID and password for authentication is an example of which of the
following? Single-factor authentication

You want to be able to identify changes in activity in critical Windows servers that
might identify attempts to compromise the server or its data. You have installed
security software such as antivirus software on the servers and have locked down
the server configurations.

What should you do next? Use Performance Monitor to establish a performance
baseline for each server.

For which of the following is centralized key management most complicated?
Symmetric key

Your company has a Web farm that runs an e-commerce Web site. There are four
servers in the Web farm. The Web farm is supported by a database server.

What does the database server represent? Single point of failure

Which security threat is made up of a set of (usually malicious) programs that
enable administrator-access to a computer? Rootkit

A computer configured as a router protects your network from the Internet. You
discover that the router has been reconfigured.

How might an attacker have gained access to the router? By logging on to a
default account. & Through a rootkit infection.

What does LDAP use to provide security? It uses Transport Layer Security (TLS) to
provide confidentiality and data integrity.

One of your colleagues has suggested that you use Nessus to help analyze security
on your network.

Nessus is associated with: Scanning

An image file that contains a hidden message or data uses which technique?
Steganography

Which of the following presents the incident response steps in the correct order?
Preparation, Identification, Containment, Eradication, Recovery, Follow-up

Your network is configured as an internal network protected from the Internet by a
perimeter network. The internal network is configured as an Active Directory
domain. There are three Web servers configured as a peer-to-peer (P2P) network
deployed in the perimeter network.

You need to do what you can to prevent buffer overflows at any of the Web servers.
What can you do to minimize the risk of buffer overflows? Implement user input
validation to prevent script injection.

What is a potential risk associated with WEP when it is used to secure a WLAN?
Weak encryption

Which of the following is typically used to authenticate the Web site of an online
business? Digital certificate

You need to secure access to network file servers. Your first task is to determine
current access permissions.

What should you do? Review effective access permissions.

What does IPSec use to determine when to create a new set of keys? ISAKMP

You are investigating some malware that has infected a server in your company.
You make a digital copy of the hard drive that you can analyze. You place the
original drive in a secure cabinet.

What aspect of incident response does this illustrate? Chain of custody

You download a file management application from the Internet. When you launch
the application, your screen goes blank and your hard disk's active light starts
flashing. You restart the computer and discover that your hard disk partitions have
been deleted.

This is an example of what kind of threat? Trojan horse

Which of the following refers to the practice of registering a domain name,
canceling it within a five-day grace period, and then re-registering it without ever
paying for the registration? Kiting

Smart card access control relies on which of the following access control methods?
Logical token

You are preparing to perform vulnerability analysis on a network. Which tools
require a computer with a network adapter that can be placed in promiscuous
mode? Vulnerability scanner & Protocol analyzer

Which of the following best describes a digital signature? A message hash
encrypted with the sender's private key.

You want to use a backup scheme that does not take too much time or require very
high capacity tapes each night. Because you do not have to restore data that often,
you do not care if the restore process is lengthier as a result, but you do not want it
to take an unreasonable amount of time.

Which of the following would be the best backup scheme to meet your goals?
Perform a full backup weekly. Perform incremental backups nightly.

Network users whose computers are running Windows XP Professional complain that
the extra windows that appear when they browse the Internet are becoming a
nuisance. You need to minimize how often these windows appear.

What should you do? Configure the Internet Explorer popup blockers.

You need to connect your LAN to the Internet. The configuration needs to include a
perimeter network. You need to keep the hardware requirements to a minimum.

What should you do? Deploy one firewall.

Your network is configured as a Windows Active Directory domain. You need to
configure user access to file folders that are shared to the network. Directory access
is dependent upon a user's role in the organization.

You need to keep the administrative overhead needed to manage access security to
a minimum. You need to be able to quickly modify a user's permissions if that user
is assigned to a different role. A user can be assigned to more than one role within
the organization.

What should you do? Create security groups and assign access permissions based
on organizational roles. & Assign users membership to security groups based on
organizational roles

What is the best way to determine if users are selecting strong passwords for their
user accounts? Use a password cracker.

SSL is used to provide encryption for which communication protocol? HTTP

Which of the following can be used to prevent external electrical fields from
affecting sensitive equipment? Faraday cage

You need to test a Linux program that might be a previously unknown type of
malware. You need to minimize the risk while testing and also minimize the effort
necessary to recover after testing.
What should you do? Test the program in a virtual environment.

Which type of IDS is more ambitious and informative than other types? HIDS

Which of the following uses public-key cryptography to provide authentication,
confidentiality, and data integrity? Secure European System For Applications in a
Multi-Vendor Environment (SESAME)

Your network is isolated from the Internet by a firewall that also acts as a proxy
server. You suspect that a potential attacker has been probing your network looking
for open ports.

What should you do? Check the firewall log.

What entity within a PKI is able to provide digital keys to an authorized third party?
Key Escrow

You have six 100 GB hard disks available for data storage. Which RAID configuration
will provide the most available storage with fault tolerance? RAID-5

What is the advantage of using application virtualization? It lets you minimize the
attack surface relating to the application.

A critical server application is susceptible to shell injection privilege escalation
attacks.

How can you minimize the potential impact of this type of attack? Run the
application with the minimum permissions required.

The process of verifying a user's security credentials before allowing access to
protected resources is referred to as what? Authentication

A standard antivirus program is based on what kind of monitoring methodology?
Signature-based

MD5 and SHA are what type of algorithms? Hashing

What kinds of attacks are best prevented through user education and awareness
training? (Choose two.) Phishing & Dumpster diving

What can be done to prevent cookie poisoning? Encrypt cookies before
transmission.

An attacker is most likely to be able to intercept traffic from which type of
transmission media? Wireless

What type of physical security allows you to hold an intruder in between two sets of
doors? Mantrap

You need to secure traffic between SMTP servers over the Internet. You want to
make sure that servers that can connect securely use a secure connection, but you
do not want to lose connections with servers that cannot connect securely.

Which protocol offers the best solution? Transport Layer Security (TLS)

You have developed a disaster recovery plan for an organization. You need to
ensure that it can be implemented quickly and correctly.

What should you do? Run a test of the recovery plan.

You currently have all computer systems set up to boot first from the hard drive.
You want to prevent users from booting the computers from CDs, DVDs, or USB
drives.

What should you do? Password protect the BIOS

You are designing Internet access controls for a company. You need to ensure that
internal network users are prevented from accessing inappropriate Web sites.

What should you do? Implement content filtering.

Your network is configured as a Windows Server 2003 Active Directory domain. The
network includes two file servers named FS0 and FS1. Folders from both file servers
are shared to the network.

You need to configure the same access permissions for 20 domain users to folders
shared from FS0 and FS1. The users that need access to this set of folders may
change over time. You need to minimize the effort needed to deploy and maintain
this solution.

What should you do? Create one domain security group.

You have been tasked to perform a risk assessment for an organization.

What should you do first? Identify organizational assets.

What is used to provide secure communication over a L2TP VPN connection? IPSec

Making sure that proper procedures are followed during an investigation of a
security incident and that the rights of the suspect are respected is known as: Due
process

Kernel-level rootkits are designed to do what on a computer? To hide evidence of
an attacker's presence & To hide a back door into the system

You are designing a solution to protect your network from Internet-based attacks.
You need to provide:

* Pre-admission security checks

* Automated remediation

The solution should integrate existing network infrastructure devices.

What should you do? Implement NAC.

Which form of biometric authentication is the least secure? Keystroke dynamics

When calculating risk assessment for an organization, what is the role of impact
assessment? Estimating the potential costs related to a threat

What entity within a PKI verifies user requests for digital certificates? Registration
Authority

You are determining environmental control requirements for a data center that will
contain several computers.

What is the role of an HVAC system in this environment? Provide an appropriate
ambient temperature & Maintain appropriate humidity levels

You need to test a new network-aware application that will be deployed on your
network. You need to keep the potential risks to the production network and the
costs involved to a minimum.

What should you do? Configure a virtual server and client and test the application
in a virtualized network environment.

What type of IDS reports possible attacks when it detects conditions that match the
conditions contained in a database of attacks? Signature-based

When users log on to the domain, in addition to being given access to domain file
resources, they are given access to a Microsoft SQL Server database server and an
internal Web site through Windows integrated authentication.

This is an example of what authentication model? single sign-on (SSO)

You need to determine if you can identify the source of requests sent to Web
servers in your perimeter network. You are concerned about traffic originating from
the Internet.

What should you use? Protocol analyzer

Which of the following is designed to perform one-way encryption? Secure Hash
Algorithm (SHA)

What is the role of change management in an IT infrastructure? Controlling
changes through standardized methods and procedures.

Engineering department computers are deployed on a screened subnet. You need
to protect the computers against malware attacks.

What should you do? Install a HIDS on each of the departmental computers.

The following ports are open on your perimeter network firewall:

* 22
* 23
* 443
* 992

Which port represents the biggest security risk from an antiquated protocol? 23

Your network is configured as a Windows Server 2003 Active Directory domain. The
Finance group has read permission to the Reports and History shared folders as well
as other shared folders. The Accounting group has read and write permissions to
the Reports, AccountRecs, and Statements shared folders. Several users are
members of both the Finance and Accounting groups.

All of the folders are located on a file server named FS0. The Everyone group is
granted the Full Control NTFS permission for each folder through inheritance, but
non-administrative users do not have the right to log on locally at the server. Access
to the shared folders is managed through share permissions.

It is determined that the Finance group should no longer have read access to the
Reports folder. This change should not affect access permissions granted through
membership in other groups.
What should you do? Remove the read permission from the Finance group for the
Reports folder.

You determine that group policies that should apply to all users in the domain are
not being applied to users in the Maintenance OU. The group policies are linked at
the domain and apply to all other domain users.

What should you do? Review group policy properties for the Maintenance OU.

The 802.11i standard specifies support for which encryption algorithms? AES &
TKIP

Which type of social engineering attack on a business typically relies on
impersonation to gain personal information? Phishing

You are configuring antispam software for network computers.

What should you have the antispam software do when it identifies an e-mail as
spam? Save the message in a separate folder.

What can you use to monitor traffic on a switched network? Port mirroring

Your company has three computer security professionals. Every month, a different
one is assigned to auditing duties.

What principle does this illustrate? Job rotation

You install an NIPS in your perimeter network. You need to determine how effective
the NIPS is against DoS attacks targeting your Web servers.

What should you do? Perform penetration testing.
