18 20 Answer

The document provides answers to a group exam covering network defense modules 18-20. It includes 12 multiple choice questions about topics like asset management, defense-in-depth approaches, BYOD security policies, mobile device management software, security incident handling procedures, and information sharing standards and platforms. For each question, the correct multiple choice answer is identified and a short explanation of the answer is provided.

Modules 18 – 20: Network Defense Group Exam (Answers)

Sep 9, 2020 Last Updated: May 28, 2022 CyberOps Associate 29 Comments

How to find: Press "Ctrl + F" in the browser and fill in whatever wording is in the question to find that question/answer. If the question is not here, find it in the Questions Bank.

NOTE: If you have a new question on this test, please post the question and its multiple-choice list in the comment form below this article. We will update the answers for you in the shortest time. Thank you! We truly value your contribution to the website.

CyberOps Associate (Version 1.0) – Modules 18 – 20: Network Defense Group Exam

1. Why is asset management a critical function of a growing organization against security threats?
• It identifies the ever increasing attack surface to threats.
• It allows for a build of a comprehensive AUP.
• It serves to preserve an audit trail of all new purchases.
• It prevents theft of older assets that are decommissioned.
Explanation: Asset management is a critical component of a growing organization from a security aspect. Asset management consists of inventorying all assets, and then developing and implementing policies and procedures to protect them. As an organization grows, so does the attack surface in terms of security threats. Each of these assets can attract different threat actors who have different skill levels and motivations. Asset management can help mitigate these threats by inventorying the risks as the attack surface grows.

2. In a defense-in-depth approach, which three options must be identified to effectively defend a network against attacks? (Choose three.)
• total number of devices that attach to the wired and wireless network
• assets that need protection
• vulnerabilities in the system
• location of attacker or attackers
• past security breaches
• threats to assets
Explanation: In order to prepare for a security attack, IT security personnel must identify assets that need to be protected such as servers, routers, access points, and end devices. They must also identify potential threats to the assets and vulnerabilities in the system or design.

3. What is the first line of defense when an organization is using a defense-in-depth approach to network security?
• edge router
• firewall
• proxy server
• IPS
Explanation: A defense-in-depth approach uses layers of security measures starting at the network edge, working through the network, and finally ending at the network endpoints. Routers at the network edge are the first line of defense and forward traffic intended for the internal network to the firewall.

4. What three goals does a BYOD security policy accomplish? (Choose three.)
• identify all malware signatures and synchronize them across corporate databases
• identify which employees can bring their own devices
• identify safeguards to put in place if a device is compromised
• identify and prevent all heuristic virus signatures
• identify a list of websites that users are not permitted to access
• describe the rights to access and activities permitted to security personnel on the device
Explanation: A comprehensive BYOD policy should accomplish the following:
Identification of which employees can bring their own devices
Identification of which devices will be supported
Identification of the level of access employees are granted when using personal devices
Describe the rights to access and activities permitted to security personnel on the device
Identification of which regulations must be adhered to when using employee devices
Identification of safeguards to put in place if a device is compromised

5. Which two options are security best practices that help mitigate BYOD risks? (Choose two.)
• Use paint that reflects wireless signals and glass that prevents the signals from going outside the building.
• Keep the device OS and software updated.
• Only allow devices that have been approved by the corporate IT team.
• Only turn on Wi-Fi when using the wireless network.
• Decrease the wireless antenna gain level.
• Use wireless MAC address filtering.
Explanation: Many companies now support employees and visitors attaching and using wireless devices that connect to and use the corporate wireless network. This practice is known as a bring-your-own-device policy or BYOD. Commonly, BYOD security practices are included in the security policy. Some best practices that mitigate BYOD risks include the following:
Use unique passwords for each device and account.
Turn off Wi-Fi and Bluetooth connectivity when not being used. Only connect to trusted networks.
Keep the device OS and other software updated.
Back up any data stored on the device.
Subscribe to a device locator service with a remote wipe feature.
Provide antivirus software for approved BYODs.
Use Mobile Device Management (MDM) software that allows IT teams to track the device and implement security settings and software controls.

6. What is the purpose of mobile device management (MDM) software?
• It is used to create a security policy.
• It is used to implement security policies, settings, and software configurations on mobile devices.
• It is used to identify potential mobile device vulnerabilities.
• It is used by threat actors to penetrate the system.
Explanation: Mobile device management (MDM) software is used with mobile devices so that corporate IT personnel can track the devices, implement security settings, and control software configurations.

7. What does the incident handling procedures security policy describe?
• It describes how security incidents are handled.
• It describes the procedure for auditing the network after a cyberattack.
• It describes the procedure for mitigating cyberattacks.
• It describes how to prevent various cyberattacks.
Explanation: The incident handling procedures security policy describes how security incidents are handled.

8. Match the type of business policy to the description.
• defines system requirements and objectives, rules, and requirements for users when they attach to or on the network ==> security
• protects the rights of workers and the company interests ==> company
• identifies salary, pay schedule, benefits, work schedule, vacations, etc. ==> employee

9. Which statement describes Trusted Automated Exchange of Indicator Information (TAXII)?
• It is a dynamic database of real-time vulnerabilities.
• It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.
• It is a signature-less engine utilizing stateful attack analysis to detect zero-day threats.
• It is a set of specifications for exchanging cyber threat information between organizations.

• This is the specification for an application layer protocol that allows the communication of CTI over HTTPS. ==> TAXII
• This is a set of specifications for exchanging cyberthreat information between organizations. ==> STIX
• This is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations. ==> CybOX

10. What is the primary purpose of the Forum of Incident Response and Security Teams (FIRST)?
• to enable a variety of computer security incident response teams to collaborate, cooperate, and coordinate information sharing, incident prevention, and rapid reaction strategies
• to provide a security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities
• to offer 24×7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident response
• to provide vendor neutral education products and career services to industry professionals worldwide
Explanation: The primary purpose of the Forum of Incident Response and Security Teams (FIRST) is to enable a variety of computer security incident response teams to collaborate, cooperate, and coordinate information sharing, incident prevention, and rapid reaction between the teams.

11. What is the primary purpose of the Malware Information Sharing Platform (MISP)?
• to publish all informational materials on known and newly discovered cyberthreats
• to enable automated sharing of IOCs between people and machines using the STIX and other export formats
• to provide a set of standardized schemata for specifying and capturing events and properties of network operations
• to exchange all the response mechanisms to known threats
Explanation: Malware Information Sharing Platform (MISP) is an open source platform that enables automated sharing of IOCs between people and machines using the STIX and other export formats.

12. Which statement describes Trusted Automated Exchange of Indicator Information (TAXII)?
• It is a set of specifications for exchanging cyber threat information between organizations.
• It is a signature-less engine utilizing stateful attack analysis to detect zero-day threats.
• It is a dynamic database of real-time vulnerabilities.
• It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.
Explanation: Trusted Automated Exchange of Indicator Information (TAXII) is the specification for an application layer protocol that allows the communication of CTI over HTTPS. TAXII is designed to support Structured Threat Information Expression (STIX).

13. Which organization defines unique CVE Identifiers for publicly known information-security vulnerabilities that make it easier to share data?
• Cisco Talos
• DHS
• FireEye
• MITRE
Explanation: The United States government sponsored the MITRE Corporation to create and maintain a catalog of known security threats called Common Vulnerabilities and Exposures (CVE). The CVE serves as a dictionary of common names (i.e., CVE Identifiers) for publicly known cybersecurity vulnerabilities.

14. How does FireEye detect and prevent zero-day attacks?
• by establishing an authentication parameter prior to any data exchange
• by addressing all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis
• by keeping a detailed analysis of all viruses and malware
• by only accepting encrypted data packets that validate against their configured hash values
Explanation: FireEye uses a three-pronged approach combining security intelligence, security expertise, and technology. It addresses all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis to detect zero-day threats.

15. What is the primary function of the Center for Internet Security (CIS)?
• to maintain a list of common vulnerabilities and exposures (CVE) used by security organizations
• to provide a security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities
• to offer 24×7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident responses
• to provide vendor-neutral education products and career services to industry professionals worldwide
Explanation: CIS offers 24×7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident responses to state, local, tribal, and territorial (SLTT) governments through the Multi-State Information Sharing and Analysis Center (MS-ISAC).

16. What is the primary function of the Center for Internet Security (CIS)?
• to provide a security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities
• to maintain a list of common vulnerabilities and exposures (CVE) used by security organizations
• to offer 24x7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident responses
• to provide vendor-neutral education products and career services to industry professionals worldwide

• It is a specification for an application layer protocol that allows the communication of CTI over HTTPS.
• It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
• It enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector.
• It is a catalog of known security threats called Common Vulnerabilities and Exposures (CVE) for publicly known cybersecurity vulnerabilities.
Explanation: CybOX is a set of open standards that provide the specifications that aid in the automated exchange of cyberthreat intelligence information in a standardized format. It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations that support many cybersecurity functions.

17. A web server administrator is configuring access settings to require users to authenticate first before accessing certain web pages. Which requirement of information security is addressed through the configuration?
• availability
• integrity
• scalability
• confidentiality
Explanation: Confidentiality ensures that data is accessed only by authorized individuals. Authentication will help verify the identity of the individuals.

18. When designing a prototype network for a new server farm, a network designer chooses to use redundant links to connect to the rest of the network. Which business goal will be addressed by this choice?
• availability
• manageability
• security
• scalability
Explanation: Availability is one of the components of information security where authorized users must have uninterrupted access to important resources and data.

19. When a security audit is performed at a company, the auditor reports that new users have access to network resources beyond their normal job roles. Additionally, users who move to different positions retain their prior permissions. What kind of violation is occurring?
• least privilege
• network policy
• password
• audit
Explanation: Users should have access to information on a need-to-know basis. When a user moves from job role to job role, the same concept applies.

20. Which component of the zero trust security model focuses on secure access when an API, a microservice, or a container is accessing a database within an application?
• workflow
• workforce
• workload
• workplace
Explanation: The workload pillar focuses on applications that are running in the cloud, in data centers, and other virtualized environments that interact with one another. It focuses on secure access when an API, a microservice, or a container is accessing a database within an application.

21. What is the purpose of the network security accounting function?
• to determine which resources a user can access
• to provide challenge and response questions
• to keep track of the actions of a user
• to require users to prove who they are
Explanation: Authentication, authorization, and accounting are network services collectively known as AAA. Authentication requires users to prove who they are. Authorization determines which resources the user can access. Accounting keeps track of the actions of the user.

22. Which term describes the ability of a web server to keep a log of the users who access the server, as well as the length of time they use it?
• authentication
• accounting
• assigning permissions
• authorization
Explanation: Accounting records what users do and when they do it, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.

23. Match the information security component with the description.
• Only authorized individuals, entities, or processes can access sensitive information. : confidentiality
• Data is protected from unauthorized alteration. : integrity
• Authorized users must have uninterrupted access to important resources and data. : availability

24. What are two characteristics of the RADIUS protocol? (Choose two.)
• encryption of the entire body of the packet
• encryption of the password only
• the use of UDP ports for authentication and accounting
• the separation of the authentication and authorization processes
• the use of TCP port 49
Explanation: RADIUS is an open-standard AAA protocol using UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting. It combines authentication and authorization into one process.

25. Which AAA component can be established using token cards?
• accounting
• authorization
• authentication
• auditing
Explanation: The authentication component of AAA is established using username and password combinations, challenge and response questions, and token cards. The authorization component of AAA determines which resources the user can access and which operations the user is allowed to perform. The accounting and auditing component of AAA keeps track of how network resources are used.

26. What is a characteristic of the security artichoke, defense-in-depth approach?
• Threat actors can easily compromise all layers safeguarding the data or systems.
• Threat actors no longer have to peel away each layer before reaching the target data or system.
• Threat actors can no longer penetrate any layers safeguarding the data or system.
• Each layer has to be penetrated before the threat actor can reach the target data or system.
Explanation: In the security artichoke, defense-in-depth approach, not every layer needs to be penetrated by the threat actor in order to get to the data or systems. Each layer provides a layer of protection while simultaneously providing a path to attack.

27. What is a characteristic of a layered defense-in-depth security approach?
• Three or more devices are used.
• Routers are replaced with firewalls.
• One safeguard failure does not affect the effectiveness of other safeguards.
• When one device fails, another one takes over.
Explanation: When a layered defense-in-depth security approach is used, layers of security are placed throughout the organization: at the edge, within the network, and on endpoints. The layers work together to create the security architecture. In this environment, a failure of one safeguard does not affect the effectiveness of other safeguards.

28. What is the benefit of a defense-in-depth approach?
• All network vulnerabilities are mitigated.
• The need for firewalls is eliminated.
• Only a single layer of security at the network core is required.
• The effectiveness of other security measures is not impacted when a security mechanism fails.
Explanation: The benefit of the defense-in-depth approach is that network defenses are implemented in layers so that failure of any single security mechanism does not impact other security measures.

29. Match the term to the description.

30. What is the principle behind the nondiscretionary access control model?
• It applies the strictest access control possible.
• It allows access decisions to be based on roles and responsibilities of a user within the organization.
• It allows users to control access to their data as owners of that data.
• It allows access based on attributes of the object to be accessed.
Explanation: The nondiscretionary access control model uses the roles and responsibilities of the user as the basis for access decisions.

31. Which type of access control applies the strictest access control and is commonly used in military or mission critical applications?
• Non-discretionary access control
• discretionary access control (DAC)
• attribute-based access control (ABAC)
• mandatory access control (MAC)
Explanation: Access control models are used to define the access controls implemented to protect corporate IT resources. The different types of access control models are as follows:
Mandatory access control (MAC) – The strictest access control that is typically used in military or mission critical applications.
Discretionary access control (DAC) – Allows users to control access to their data as owners of that data. Access control lists (ACLs) or other security measures may be used to specify who else may have access to the information.
Non-discretionary access control – Also known as role-based access control (RBAC). Allows access based on the role and responsibilities of the individual within the organization.
Attribute-based access control (ABAC) – Allows access based on the attributes of the resource to be accessed, the user accessing the resource, and the environmental factors such as the time of day.

32. Passwords, passphrases, and PINs are examples of which security term?
• identification
• access
• authentication
• authorization
Explanation: Authentication methods are used to strengthen access control systems. It is important to understand the available authentication methods.

33. How does AIS address a newly discovered threat?
• by creating response strategies against the new threat
• by advising the U.S. Federal Government to publish internal response strategies
• by enabling real-time exchange of cyberthreat indicators with U.S. Federal Government and the private sector
• by mitigating the attack with active response defense mechanisms
Explanation: AIS responds to a new threat as soon as it is recognized by immediately sharing it with the U.S. Federal Government and the private sector to help them protect their networks against that particular threat.