CDS 424 Final Exam | Updated Spring 2025, Complete Solutions

CDS 424 Final Exam | Updated Spring 2025, Complete Solutions Which of the following can affect the confidentiality of documents stored on a server? A server breach Demetrice is a network consultant. She has been hired to design security for a network that hosts 25 employees, many of whom need remote access. The client recently opened another small office in a neighboring community and wants to be able to routinely establish secure network connections between the two locations. The client often deals with customer bank information and requires a particularly secure solution. What is her response to these requirements? Small office/home office (SOHO) virtual private network (VPN) Nina is a corporate attorney for a San Francisco firm. The chief information and security officer (CISO) told her that the firm's data center had been hacked 24 hours ago. The personal information of more than 3 million users was accessed, including their full names, addresses, and login credentials. Nina discusses the company's liability under the law, including the requirement to implement and maintain reasonable security procedures and practices. If it can be proven that the firm was negligent, it may need to pay damages. Which of the following regulates this issue? California Consumer Privacy Act (CCPA) Tonya is redesigning her company's network infrastructure to accommodate rapid growth. Several departments are highly specialized. Tonya needs to allow Network News Transfer Protocol (NNTP) on some, but not all, subnets. Her budget is limited. Which of the following is the best solution? Place existing routers capable of packet filtering at each subnet. A social networking website has been gathering a great deal of personal information on its users for years. This presents the potential danger of exposure if the site is hacked. In addition, the data could be sold by the social networking platform without the users' knowledge or consent. What technology does the social media company most likely use to gather data, such as users' buying preferences? Data mining Which of the following is a protocol that allows web servers to complete secure transactions over the Internet? Hypertext Transfer Protocol Secure (HTTPS) Which of the following is a firewall implementation best practice? Different firewall products should be used depending on firewall placement, such as different products for border firewalls versus internal host firewalls. Which of the following records every connection outside the network on the Internet by IP address and URL requested? Proxy server Chang is a network engineer. He is revising the company's firewall implementation procedure. As part of this work, he is reviewing the procedural element requiring placement of network firewalls at chokepoints and mapping out the network structure to pinpoint the locations where firewalls are to be placed. Which of the following is he focusing on? Network design Protecting computers, hard disks, databases, and other computer equipment attached directly or indirectly to the Internet can be categorized as which kind of security? Network security What does a digital signature provide? Nonrepudiation In preserving the confidentiality of users on a corporate network, which party is responsible for setting up security policies to guarantee users' privacy? Administrator The design of firewall placement and configuration in a network infrastructure has many aspects. Which of the following concerns is most likely related to an upper management decision that does NOT conform with existing security policy? Political A network infrastructure supervisor is designing a firewall placement strategy that will protect the organization's Internet-facing web and email servers and the internal network. Which design will best protect both? Using two firewalls to create a demilitarized zone (DMZ); one firewall is placed between the Internet and the servers, the other firewall is located behind the first firewall and the servers protecting the internal network Which of the following is closely associated with maintaining data integrity? Hash Hashing does not verify the integrity of messages. (T/F)? False Including photos of configuration screens in firewall procedures can speed up restoration after a network incident. (T/F)? True Hypertext Transfer Protocol Secure (HTTPS) does NOT encrypt private transactions made over the Internet. (T/F)? False A firewall best practice is to document every action taken during troubleshooting. (T/F)? True You can check firewall connectivity using the ping and traceroute commands. (T/F)? True What is an example of security through obscurity? Using a nonstandard operating system for workstations such as Free BSD. Which operating system (OS) for a bastion host runs on most appliance firewalls as well as many Internet service provider (ISP) connection devices? Proprietary OS What is an intrusion detection system/intrusion prevention system (IDS/IPS) that uses patterns of known malicious activity similar to how antivirus applications work? Database-based detection Before an Internet user can access a demilitarized zone (DMZ), extranet, or private network resource, it first encounters an entity that is sturdy enough to withstand any sort of attack. What is this entity called? Bastion host operating system A filter pathway is designed to: make it hard to bypass a network filtering system and force all traffic through one route Jacob is a network technician who works for a publishing company. He is setting up a new hire's access permissions. The new hire, Latisha, is an editor. She needs access to books that have been accepted for publication but are in the review stage. Jacob gives her access to the network drive containing only books in review, but not access to administrative or human resources network drives. What principle is Jacob applying? The principle of least privilege Which of the following is described as an approach to network security in which each administrator is given sufficient privileges only within a limited scope of responsibility? Separation of duties Rachel is the cybersecurity engineer for a company that fulfills government contracts on Top Secret projects. She needs to find a way to send highly sensitive information by email in a way that won't arouse the suspicion of malicious parties. If she encrypts the emails, everyone will assume they contain confidential information. What is her solution? Hide messages in the company's logo within the email. Which of the following can be described as putting each resource on a dedicated subnet behind a demilitarized zone (DMZ) and separating it from the internal local area network (LAN)? N-tier deployment Landon is a network contractor. He has been hired to design security for the network of a small company. The company has a limited budget. Landon is asked to create a system that will protect the company's workstations and servers without undo expense. Landon decides to deploy one hardware firewall between the Internet and the local area network (LAN). What is this solution called? Single defense Carl is a network engineer for a mid-sized company. He has been assigned the task of positioning hardware firewalls in the IT infrastructure based on common pathways of communication. After analyzing the problem, on which aspect of the network does he base his design? Traffic patterns Alejandro is a cybersecurity contractor. He was hired by a Fortune 500 company to redesign its network security system, which was originally implemented when the company was a much smaller organization. The company's current solution is to use multiple firewall platforms from different vendors to protect internal resources. Alejandro proposes an infrastructure security method that, in addition to firewalls, adds tools such as an intrusion detection system (IDS), antivirus, strong authentication, virtual private network (VPN) support, and granular access control. What is this solution called? Diversity of defense Joaquin is a senior network technician for a mid-sized company who has been assigned the task of improving security for the IT infrastructure. He has been given a limited budget and must increase security without redesigning the network or replacing all internetworking security devices. He focuses on an approach that will identify a single vulnerability. What does he recommend? Weakest link Which of the following is an authentication method that supports smart cards, biometrics, and credit cards, and is a fully scalable architecture? 802.1x Amy is a network engineering consultant. She is designing security for a small to medium-sized government contractor working on a project for the military. The government contractor's network is comprised of 30 workstations plus a wireless printer, and it needs remote authentication. Which of the following is a type of authentication solution she should deploy? One that authenticates at the firewall and doesn't integrate with single sign-on (SSO). Firewalls should be considered a part of a security infrastructure, not the totality of security. (T/F)? True The less complex a solution, the more room there is for mistakes, bugs, flaws, or oversights by security administrators. (T/F)? False With diversity of defense, most layers use a different security mechanism. (T/F)? True In intrusion detection, anamoly-based detection looks for differences from normal traffic based on a recording of real-world traffic that establishes a baseline. (T/F)? False The weakest link security strategy gains protection by using abnormal configurations. (T/F)? False Torri is a network technician. She needs to configure the edge firewalls for her company's IT infrastructure. Her supervisor has told her she must find a configuration method that assumes all network traffic is safe and, as malicious traffic is identified, it is added to a list of exceptions. Which of the following configuration methods does Torri select? Allow by default/deny by exception. Elissa is a network technician. She is configuring firewall rules for one of her company's branch offices, which provides online retail sales of their products. She is configuring rules to block traffic based on a traditional model but needs to allow a particular type of traffic. What should she allow? All traffic from port 80 originating from the office's web server, which is in a protected subnet Reid is a network security trainer for a mid-sized company. He is demonstrating alternative methods of protecting a network using unconventional means. The IT department's "sandbox" network is used for testing and is not connected to the production network. Using the sandbox, Reid shows how to protect a network from external threats without using a firewall. What is Reid's approach? Packet sniffer Hajar is a new network administrator. She is inventorying firewalls in her company. She finds one that has a management interface lacking something and makes a note to replace it immediately. What is the missing firewall management interface? Encryption Carl is a networking student who is reading about methods of encryption and how they work with firewalls. Right now, he is studying a form of encryption that encrypts the entire original payload and header of a packet. However, because the header contains only information about endpoints, it is not useful for a firewall filtering malicious traffic. Which of the following is the encryption method being described? Tunnel mode Leandro is writing a firewall policy. He needs to define which type of firewall he needs for each portion of the infrastructure based on differing areas of risk and trust. What are these areas called? Security zones Tiffany is a network engineer for her company. To enhance the performance of the network, she uses a method that assigns incoming transactions as they arrive in sequence to each of the infrastructure's three firewalls. Transaction 1 goes to firewall 1, transaction 2 goes to firewall 3, transaction 3 to firewall 2, and so on. Which technique is Tiffany using? Round-robin Which of the following can delay in firewall software patching cause? Exploitation of the firewall Fumiko is a network technician. She is configuring rules on one of her company's externally facing firewalls. Her network has a host address range of 192.168.42.140-190. She wants to allow all hosts access to a certain port except for 188, 189, and 190. What rule or rules must she write? A single rule allowing hosts 140-187 is all that is necessary; the default-deny rule takes care of blocking the remaining nonincluded hosts. Which of the following is needed when determining what firewall traffic to allow and what to block? A complete inventory of all needed or desired network communications. All firewalls, including those using static packet filtering, stateful inspection, and application proxy, have one thing in common. What is it? Rules Hyon is a network consultant. She was hired by a client company to examine the effectiveness of its IT infrastructure. She discovers that the company's Internet-facing firewall is not capable of automatically handling and adjusting for random source ports when a session is being established to its web and gaming servers. How should she correct this? Create a custom rule to manage random source ports Teodora is the procurement manager for her company's IT department. She is researching firewalls that come with enhancements beyond basic traffic filtering. Which of the following is considered a firewall enhancement? Anti-malware scanning Shoshana is a network technician for a mid-sized organization. She is configuring firewall rules. She is in a firewall's graphical interface and sets a rule as TCP, 192.168.42.0/24, ANY, ANY, 443, Allow. In what order is this rule organizing protocols, source addresses, source and target ports, and actions? Protocol, source address, source port, target address, target port, action Bill is a network technician. He is currently configuring the infrastructure's Internet-facing firewalls. He knows that the Internet Control Message Protocol (ICMP) echo type often referred to as "ping" is used by malicious persons to probe networks. He wants to set up a rule that will deny ping attempts from outside the network. What does he deny? Type 8 An access control list (ACL) focuses on controlling a specific user's or client's access to a protocol or port. (T/F)? True The source address and the port address of inbound firewall rules are often set to Deny, unless the rule is to apply to specific systems or ports. (T/F)? False The source address and the port address of outbound firewall rules are often set as ANY, unless the rule is to apply to specific systems or ports. (T/F)? True A default-allow firewall stance assumes that most traffic is benign. (T/F)? True A best practice is to define a complete firewall rule set for each prescribed firewall in a written firewall policy. (T/F)? True Opal is the chief technology officer for her company. She is working with the legal department to acquire virtual private network (VPN) service through a cloud implementation. Unless it is spelled out in the contract, Opal is afraid that a critical element in the VPN service will not be present, leaving remote access services vulnerable in case of a failure. What is she concerned about? Redundancy Miriam is the cybersecurity manager for her company's IT department. She is updating the computing and networking-related policies that apply company-wide. She learns that Wyatt, an engineer responsible for maintaining VPN access for remote employees, has written a VPN usage policy specifying parameters for use that is independent of what she is crafting. What is the most likely problem? The correct answer is: The two independent policies might describe conflicting requirements such as differing password lengths. Analisa is a sales representative who travels extensively. At a trade show, Analisa uses her virtual private network (VPN) connection to simultaneously connect to the office LAN and her personal computer at home. What security risk does this pose? Split tunneling Armand is the IT director of his organization. He is working with accounting to determine a budget for upgrading the company's virtual private network (VPN) equipment. Several options are available, and after narrowing down his requirements, he still needs more technical assistance to make a decision. Rather than going with award-winning VPN products he has found in industry magazines and websites, what option does he select that will gain him assistance in doing "legwork"? Reseller Which component of a virtual private network (VPN) policy describes the parameters for employee use of the VPN, including consequences for not following the policy? Scope/binding nature statement Which of the following is a vulnerability of both hardware and software virtual private networks (VPNs)? Unpublished vulnerabilities in the code While there is no single way to troubleshoot a virtual private network (VPN) issue, what is the MOST appropriate first step? Identify the specific symptoms of the problem. Alphonse is a network engineer who is developing his IT infrastructure's virtual private network (VPN) deployment plan. He has decided to place the VPN device between the externally facing and internally facing firewalls in the demilitarized zone (DMZ). He is determining the rule sets with which to configure both firewalls. His VPN device is a Secure Sockets Layer (SSL) VPN and he wants to use default settings. Which port should he allow the firewalls to pass traffic through? 443 Maria is a network engineer assigned to select a new virtual private network (VPN) solution for her company. She is weighing the benefits of commercial versus open-source VPNs. Which of the following is a benefit of open-source platforms? Access to internet-based support In balancing competing concerns while deploying a personal virtual private network (VPN) solution, Yee values his privacy more than his anonymity. Which is he most concerned about? Having the endpoints of his VPN connection tracked Which of the following steps helps you verify that the internal network port of a virtual private network (VPN) device is available? Open a command-line interface and use the ping command Tomika is a network architect. A coworker is helping to design a more secure placement of the company's virtual private network (VPN) device. The coworker suggests that the device be placed between the Internet-facing firewall and the internal network. What is Tomika's opinion of this deployment strategy? Iti is somewhat secure but does not address possible security issues involving untrustworthy VPN connections. Kasim is a network technician. He is tasked with deploying a virtual private network (VPN) in his company's IT infrastructure. He wants to place the VPN device where it is directly connected to both the Internet and the internal LAN. He believes that security will not be a concern because the VPN is already encrypted point-to-point. Which of the following statements is TRUE about this configuration? The VPN device itself is still capable of being attacked. Cassie is an IT help desk representative. She just received a trouble ticket from a remote user stating they cannot connect to the company network over the virtual private network (VPN). Cassie begins troubleshooting the matter, checking on recent configuration changes to the VPN equipment, looking at the unit's logs for error messages, and so on. She has examined the VPN-related features and potential problems but still doesn't understand why the end user's connection failed. She has been assured that both the end user and the company have Internet connectivity. What is the most likely reason the user cannot connect? A network engineer has inadvertently changed the IP address of the firewall's internal interface that connects to the VPN's outward-facing port. Which of the following is a type of virtual private network (VPN) architecture that places a firewall in front of the VPN to protect it from Internet-based attacks as well as a firewall behind the VPN to protect the internal network? DMZ architecture In a bypass virtual private network (VPN), traffic to the VPN and from the VPN to the internal network is not firewalled. (T/F)? True In an internally connected virtual private network (VPN), the Internet-facing VPN connection is front of a firewall. (T/F)? False Malware is a vulnerability of a software virtual private network (VPN). (T/F)? True A virtual private network (VPN) policy helps to ensure that users understand the requirements for computing on a VPN. (T/F)? True Instability is not considered a potential threat associated with software virtual private networks (VPNs). (T/F)? False Which of the following is an advantage of Secure Sockets Layer/Transport Layer Security (SSL/TLS) virtual private networks (VPNs) versus Internet Protocol Security (IPSec) VPNs? No NAT problems Mei is a new network technician for a mid-sized company. She is trying to determine what is causing a performance lag on the infrastructure's virtual private network (VPN). The lags typically occur between 8 a.m. and 9 a.m., and again between 1 p.m. and 2 p.m. What is the most likely cause? Peak usage loads Which of the following provides integrity protection for packet headers and data and can optionally provide replay protection and access protection? Authentication Header (AH) Felicia is a network engineer deploying a virtual private network (VPN) solution. The VPN operates using Secure Shell (SSH). When asked by a new help desk tech about which layer of the OSI model it employs, how does Felicia answer? 7 Chris is a network engineer deploying a virtual private network (VPN) solution. He needs an implementation of Secure Sockets Layer/Transport Layer Security (SSL/TLS) that adds a layer of authentication to the access. What feature does he require? Bidirectional authentication Which of the following is the protocol used with HTTPS for encrypting communications to and from websites? Secure Sockets Layer/Transport Layer Security (SSL/TLS) The configuration, location, software version, and underlying operating system of a virtual private network (VPN) are all factors that are most likely to affect: Stability Which of the following is a protocol that supports Advanced Encryption Standard (AES) with 128, 192, and 256 keys? Transport Layer Security (TLS)