1. Name: Class: Date:
Chapter 12: Protection Mechanisms
Copyright Cengage Learning. Powered by Cognero. Page 1
1. Technical controls alone, when properly configured, can secure an IT environment.
a. True
b. False
ANSWER: False
2. The “something a person has” authentication mechanism takes advantage of something inherent in the user that is evaluated using biometrics.
a. True
b. False
ANSWER: False
3. The ability to restrict specific services is a common practice in most modern routers, and is invisible to the user.
a. True
b. False
ANSWER: True
4. Secure Shell (SSH) provides security for remote access connections over public networks by creating a secure and persistent connection.
a. True
b. False
ANSWER: True
5. The KDC component of Kerberos knows the secret keys of all clients and servers on the network.
a. True
b. False
ANSWER: True
6. Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area?
a. Identification b. Authentication
c. Authorization d. Accountability
ANSWER: b
7. Which of the following is NOT among the three types of authentication mechanisms?
a. Something a person knows b. Something a person has
c. Something a person sees d. Something a person can produce
ANSWER: c
8. Which of the following characteristics currently used today for authentication purposes is the LEAST unique?
a. Fingerprints b. Iris
c. Retina d. Face geometry
ANSWER: d
9. Which of the following is a commonly used criteria used to compare and evaluate biometric technologies?
a. False accept rate b. Crossover error rate
c. False reject rate d. Valid accept rate
ANSWER: b
10. Which of the following biometric authentication systems is considered to be the most secure?
a. Fingerprint recognition b. Signature recognition
c. Voice pattern recognition d. Retina pattern recognition
ANSWER: d
11. Which of the following biometric authentication systems is the most accepted by users?
a. Keystroke pattern recognition b. Fingerprint recognition
c. Signature recognition d. Retina pattern recognition
ANSWER: c
12. Which type of firewall keeps track of each network connection established between internal and external systems?
a. Packet filtering b. Stateful packet inspection
c. Application layer d. Cache server
ANSWER: b
13. The intermediate area between trusted and untrusted networks is referred to as which of the following?
a. Unfiltered area b. Semi-trusted area
c. Demilitarized zone d. Proxy zone
ANSWER: c
14. Which type of device allows only specific packets with a particular source, destination, and port address to pass through it?
a. Dynamic packet filtering firewall b. Proxy server
c. Intrusion detection system d. Application layer firewall
ANSWER: a
15. Which technology employs sockets to map internal private network addresses to a public address using a one-to-many mapping?
a. Network-address translation b. Screened-subnet firewall
c. Port-address translation d. Private address mapping
ANSWER: c
16. Which of the following is true about firewalls and their ability to adapt in a network?
a. Firewalls can interpret human actions and make decisions outside their programming
b. Because firewalls are not programmed like a computer, they are less error prone
c. Firewalls are flexible and can adapt to new threats
d. Firewalls deal strictly with defined patterns of measured observation
ANSWER: d
17. Which of the following is NOT a method employed by IDPSs to prevent an attack from succeeding?
a. Sending DoS packets to the source b. Terminating the network connection
c. Reconfiguring network devices d. Changing the attack’s content
ANSWER: a
18. Which type of IDPS is also known as a behavior-based intrusion detection system?
a. Network-based b. Anomaly-based
c. Host-based d. Signature-based
ANSWER: b
19. Which tool can best identify active computers on a network?
a. Packet sniffer
b. Port scanner
c. Trap and trace
d. Honey pot
ANSWER: b
20. What is the next phase of the preattack data gathering process after an attacker has collected all of an organization’s Internet addresses?
a. Footprinting b. Content filtering
c. Deciphering d. Fingerprinting
ANSWER: d
21. What is the range of the well-known ports used by TCP and UDP?
a. 1024-65,536 b. 0-1023
c. 0-65,536 d. 20, 21, 25, 53, 80
ANSWER: b
22. Which port number is commonly used for the Hypertext Transfer Protocol service?
a. 25 b. 53
c. 80 d. 8080
ANSWER: c
23. Which port number is commonly used for the Simple Mail Transfer Protocol service?
a. 25 b. 53
c. 68 d. 443
ANSWER: a
24. What tool would you use if you want to collect information as it is being transmitted on the network and analyze the contents for the purpose of solving network problems?
a. Port scanner b. Packet sniffer
c. Vulnerability scanner d. Content filter
ANSWER: b
25. Which of the following is used in conjunction with an algorithm to make computer data secure from anybody except the intended recipient of the data?
a. Key b. Plaintext
c. Cipher d. Cryptosystem
ANSWER: a
26. In which cipher method are values rearranged within a block to create the ciphertext?
a. Permutation b. Vernam
c. Substitution d. Monoalphabetic
ANSWER: a
27. Which of the following is true about symmetric encryption?
a. Uses a secret key to encrypt and decrypt b. Uses a private and public key
c. It is also known as public key encryption d. It requires four keys to hold a conversation
ANSWER: a
28. Which technology has two modes of operation: transport and tunnel?
a. Secure Hypertext Transfer Protocol b. Secure Shell
c. IP Security d. Secure Sockets Layer
ANSWER: c
29. Which of the following provides an identification card of sorts to clients who request services in a Kerberos system?
a. Ticket Granting Service b. Authentication Server
c. Authentication Client d. Key Distribution Center
ANSWER: a
30. Which of the following is a Kerberos service that initially exchanges information with the client and server by using secret keys?
a. Authentication Server b. Authentication Client
c. Key Distribution Center d. Ticket Granting Service
ANSWER: c
31. What is most commonly used for the goal of nonrepudiation in cryptography?
a. Block cipher b. Secret key
c. PKI d. Digital signature
ANSWER: d
32. ____________________ is the determination of actions that an entity can perform in a physical or logical area.
ANSWER: Authorization
33. A(n) ____________________ is a secret word or combination of characters known only by the user.
ANSWER: password
34. ________ recognition authentication captures the analog waveforms of human speech.
ANSWER: Voice
35. A(n) ____________________ token uses a challenge-response system in which the server challenges the user with a number that, when entered into the token, provides a response that provides access.
ANSWER: asynchronous
36. A(n) ____________________ is any device that prevents a specific type of information from moving between an untrusted network and a trusted network.
ANSWER: firewall
37. You might put a proxy server in the __________________, which is exposed to the outside world, neither in the trusted nor untrusted network.
ANSWER: demilitarized zone
DMZ
38. ____________ is a technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis.
ANSWER: Network-address translation
Network address translation
NAT
39. ____________________ presents a threat to wireless communications, a practice that makes it prudent to use a wireless encryption protocol to prevent unauthorized use of your Wi-Fi network.
ANSWER: War driving
40. The ___________ wireless security protocol was replaced by stronger protocols due to several vulnerabilities found in the early 2000s.
ANSWER: WEP
wired equivalent privacy
41. The Ticket Granting Service (TGS) is one of three services in the __________ system, and provides tickets to clients who request services.
ANSWER: Kerberos
42. Describe and provide an example for each of the types of authentication mechanisms.
ANSWER: There are three types of authentication mechanisms:
- Something a person knows (for example, passwords and passphrases)
- Something a person has (such as cryptographic tokens and smart cards)
- Something a person produces (such as voice and signature pattern recognition, fingerprints, palm prints, hand topography, hand geometry, and retina and iris scans)
43. Briefly describe how biometric technologies are generally evaluated.
ANSWER: Biometric technologies are generally evaluated according to three basic criteria:
- False reject rate: the percentage of authorized users who are denied access
- False accept rate: the percentage of unauthorized users who are allowed access
- Crossover error rate: the point at which the number of false rejections equals the number of false acceptances
44. What should you look for when selecting a firewall for your network?
ANSWER: 1. What type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2. What features are included in the base price? What features are available at extra cost? Are all cost factors known?
3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
4. Can the candidate firewall adapt to the growing network in the target organization?
45. List the most common firewall implementation architectures.
ANSWER: Three architectural implementations of firewalls are especially common: single bastion hosts, screened-host firewalls, and screened-subnet firewalls.
46. What are NAT and PAT? Describe these technologies.
ANSWER: NAT is a method of converting multiple real, routable external IP addresses to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address. A related approach, called port-address translation (PAT), converts a single real, valid, external IP address to special ranges of internal IP addresses—that is, a one-to-many approach in which one address is mapped dynamically to a range of internal addresses by adding a unique port number when traffic leaves the private network and is placed on the public network.
47. There are six recommended best practices for firewall use according to Laura Taylor. List three of them.
ANSWER: All traffic from the trusted network is allowed out.
The firewall device is never accessible directly from the public network.
Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall, but all of it is routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
All Internet Control Message Protocol (ICMP) data is denied.
Telnet/terminal emulation access to all internal servers from the public networks is blocked.
When Web services are offered outside the firewall, HTTP traffic is prevented from reaching your internal networks via the implementation of some form of proxy access or DMZ architecture.
48. Describe in basic terms what an IDPS is.
ANSWER: Intrusion detection and prevention systems (IDPSs) work like burglar alarms. When the system detects a violation—the IT equivalent of an opened or broken window—it activates the alarm. This alarm can be audible and visible (noise and lights), or it can be a silent alarm that sends a message to a monitoring company.
49. What is WEP and why is it no longer in favor?
ANSWER: WEP is designed to provide a basic level of security protection to Wi-Fi networks, to prevent unauthorized access or eavesdropping. However, WEP, like a traditional wired network, does not protect users from each other; it only protects the network from unauthorized users. In the early 2000s, cryptologists found several fundamental flaws in WEP, resulting in vulnerabilities that can be exploited to gain access. These vulnerabilities ultimately led to the replacement of WEP as the industry standard with WPA.
50. What is a packet sniffer and how can it be used for good or nefarious purposes?
ANSWER: A packet sniffer is a network tool that collects and analyzes copies of packets from the network. It can provide a network administrator with valuable information to help diagnose and resolve networking issues. In the wrong hands, it can be used to eavesdrop on network traffic.
51. What is asymmetric encryption?
ANSWER: Asymmetric encryption is also known as public key encryption. Whereas symmetric encryption systems use a single key both to encrypt and decrypt a message, asymmetric encryption uses two different keys. Either key can be used to encrypt or decrypt the message, but not both for the same message.
a. VPN
b. transport mode
c. SSL
d. PKI
e. digital certificate
f. asymmetric encryption
g. Vernam cipher
h. transposition cipher
i. content filter
j. footprinting
52. An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates.
ANSWER: d
53. A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message.
ANSWER: f
54. The organized research and investigation of Internet addresses owned or controlled by a target organization.
ANSWER: j
55. In IPSec, an encryption method in which only a packet’s IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.
ANSWER: b
56. A cryptographic technique developed at AT&T and known as the “one-time pad,” this cipher uses a set of characters for encryption operations only one time and then discards it.
ANSWER: g
57. Was developed by Netscape in 1994 to provide security for online e-commerce transactions.
ANSWER: c
58. A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network—for example, restricting user access to Web sites with material that is not related to business, such as pornography or entertainment.
ANSWER: i
59. A private, secure network operated over a public and insecure network.
ANSWER: a
60. A cryptographic operation that involves simply rearranging the values within a block based on an established pattern.
ANSWER: h
61. Public key container files that allow PKI system components and end users to validate a public key and identify its owner.
ANSWER: e