Читаем CISSP Practice полностью

Timers are implemented to mitigate the IRC vulnerability of netsplits. A system lockdown mode is implemented to combat denial-of-service (DoS) attacks on the IRC network. The security administrator should block outright filtering requests based on filename extensions to prevent direct client connection (DCC) vulnerability within IRC networks. DCCs are performed directly from one client application to another, thus bypassing the IRC servers to form a client-to-client connection. DCC vulnerabilities, if not controlled properly, lead to unauthorized file transfers between IRC clients, allow users to bypass server-based security, shorten the communication path, allow social engineering attacks, and compromise the user’s application system.

148. Which of the following is the long-term solution as a core cryptographic algorithm for the wireless local-area network (WLAN) using the IEEE 802.11i standard to ensure a robust security network (RSN)?

a. Wired equivalent privacy (WEP)

b. Temporal key integrity protocol (TKIP)

c. Counter mode with cipher block chaining message authentication code protocol (CCMP)

d. Wi-Fi protected access 2 (WPA2)

148. c. The counter mode with cipher block chaining message authentication code protocol (CCMP) is considered the long-term solution for IEEE 802.11 WLANs because it requires hardware updates and replaces pre-RSN equipment. Of all the four choices, only CCMP uses the advanced encryption standard (AES) as the core cryptographic algorithm. For legacy IEEE 802.11 equipment that does not provide CCMP, IPsec VPN can be used as auxiliary security protection. WEP is an original standard as a data confidentiality and integrity protocol with several security problems. Later, WPA2 was designed as the interim solution as an upgrade to existing WEP-enabled equipment to provide a higher level of security, primarily through the use of TKIP and MIC (message integrity code). TKIP is intended as an interim solution along with WEP and WPA2. TKIP can be implemented through software updates and does not require hardware replacement of access points and stations.

149. Which of the following provides stronger security in managing access point (AP) configuration in a legacy wireless local-area network (WLAN) environment?

a. Simple network management protocol (SNMP)

b. SNMP version 1

c. SNMP version 2

d. SNMP version 3

149. d. Simple network management protocol (SNMP) version 3 provides strong security feature enhancements to basic SNMP, including encryption and message authentication, and therefore should be used.

The earlier versions of SNMP, SNMPv1, and SNMPv2 should not be used because they are fundamentally insecure as they support only trivial authentication based on default plaintext community strings. The default SNMP community string that SNMPv1 and SNMPv2 agents commonly use is the word “public” with assigned “read” or “read and write” privileges; using this string leaves devices vulnerable to attack. If an unauthorized user were to gain access and had read/write privileges, that user could write data to the AP, compromising its original configuration. Organizations using SNMPv1 or SNMPv2 should change the community string as often as needed, taking into consideration that the string is transmitted in plaintext. For all versions of SNMP, privileges should be set to the least required (e.g., read only).

150. Which of the following cannot defend the enclave boundary?

a. Firewalls

b. Switches and routers

c. Virtual private networks

d. Software/hardware guards

150. b. Switches and routers defend the networks and their infrastructures such as LANs, campus area networks (CANs), MANs, and WANs. The other three choices defend the enclave boundary, which defines a clear separation between inside and outside of a network where local computing environment (LAN) is inside the enclave and connection to external networks and remote users (e.g., dial-up access, ISP connection, and dedicated line) is outside the enclave. Boundary protection is provided by software/hardware guards, firewalls, and other devices, which control access into the local computing environment (LAN). Remote access protection is provided by communications server, encryption, VPN, and others.