SCP Security Certified Program SC0-502 SCP Exam Questions

Page: 1 / 14
Total 28 questions

Want more questions? Get Premium Access.
()

Question 1

Now that the network is moving towards a trusted network, you are preparing for the specific new implementations in GlobalCorp. Just as you wrap up some paperwork for the morning, Orange calls you and lets you know that you are going to be needed in a meeting this afternoon. You get to Orange's office and sit down at the desk. Orange begins the conversation, " You know we have some solid fundamental issues addressed in our new trusted network, but I have yet to feel that we have addressed any serious concerns." "Ie been thinking about some similar issues," you reply. "Good, then I sure you have been thinking about our email. Right now, I cannot guarantee the integrity of any email, and I cannot guarantee the confidentiality of any email. We have reasonable controls towards guaranteeing the availability of our email, but what the point if there is no confidentiality or integrity?" "I agree. I think that addressing this issue should be an immediate priority." "One concern is that whatever the system is that we put in place, it must be very user-friendly. As we roll out these new systems, anything that will significantly increase the calls into the help desk is something we need to minimize. A second concern is that it not be too costly. We already have this new investment in the trusted network, we need to be sure that we utilize what are building to the fullest extent possible." "I think we should be able to do that without much difficulty. I already have some solid ideas," you reply. "OK, take a few days on this. For the moment, just concern yourself with the executive building; the others can follow the plan in their own buildings. Let meet again this coming Monday and you can describe your suggestion then." Based on this conversation, and your knowledge of GlobalCorp, select the best solution to the email problems in the network.}

AAfter careful consideration you decide that you will implement secure email in a test group using X.509v3 digital certificates. You choose this since every user received their certificate during an earlier phase, and those certificates included the ability to be used for secure email. Using the X.509v3 certificates, you will configure each machine to use S\MIME. You go to each computer and open Outlook Express, which is the default client email program in the test group. You go to the Tools and Account option, selecting the Mail tab, and the properties for the email account. You select he Security Tab and in the submenu for the Signing Certificate you configure the certificate for the user's account. You select 3DES as the algorithm to use. You then check the Encrypt Contents And Attachments For All Outgoing Messages check box and the Digitally Sign All Outgoing Messages check box. You accept the default of including the digital id when sending signed messages and the default to add sender certificates to the user address book, and close the properties the email account. You show the user how to send and receive email, showing the Purple ribbon that indicates a signed message and the Orange lock that indicates an encrypted message.

BAfter careful consideration you decide that you will implement secure email in a test group using PGP. You will use a full licensed version of PGP. You will go to each computer and you will install the full PGP on each system. Once installed, you will show each user how to create a PGP certificate by requesting the certificate from the CATool CA server you installed specifically for secure email. After the user has received a certificate, you associate that PGP certificate with their Windows domain user account.With the PGP certificate associated with the user account, you show each user how to manage their key ring. You show them how to generate their key, and you configure all user key strength to be 2048 bits. Now that the user has a strong key and a PGP certificate, you configure the email client of each user. You explain that each user will have to install the public key of each other user in the network. You test this by sending an email from your laptop with your PGP certificate attached, and you have the user save the attachment to their Outlook folder. With the certificate saved, you show them how to send secure email to you. You receive the email on your laptop, and double-click the lock to show the user that the secure email message was successfully sent and received.

CAfter careful consideration you decide that you will implement secure email in a test group using GPG. You have decided to use GPG to avoid any licensing conflicts that might occur if any user requires secure email exchange with another individual that is in a country with different cryptography laws. You will go to each computer and you will install GPG on each system. Once installed, you will show each user how to create the required directory structure, by typing the command: gpg --gen-key Once the directory structure is created, you will show each user how to generate the required files, by typing the command: gpg--gen-key Since you want very secure email, you configure each system to use 2048 bit key strength and you select DSA and ElGamal encryption. With GPG installed and configured, you show each user how to use their new secure email. You have them open Outlook and create a new message to you. Once the message is created, you have them select the Security drop-down list and choose both GPG Sign and GPG Encrypt, and then press send. You show them on your laptop that you receive the message. You press Reply, and on your laptop also select the Security drop-down menu, where you choose both GPG Sign and GPG Encrypt. The user receives the message, and you show that secure email was successfully sent and received.

DAfter careful consideration you decide that you will implement secure email in a test group using PGP. You will use a full licensed version of PGP. You will go to each computer and you will install the full PGP on each system.Once installed, you will show each user how to create a PGP certificate by requesting the certificate from the MS Enterprise Root CA server you installed, and configured specifically for secure email certificates. After the user has received a certificate, you associate that PGP certificate with their Windows domain user account. With the PGP certificate associated with the user account, you show each user how to manage their key ring. You show them how to generate their key, and you configure all user key strength to be 2048 bits. Now that the user has a strong key and a PGP certificate, you configure the email client of each user. You explain that each user will have to install the public key of each other user in the network. You test this bysending an email from your laptop with your PGP certificate attached, and you have the user save the attachment to their Outlook folder. With the certificate saved, you show them how to send secure email to you. You receive the email on your laptop, and double-click the lock to show the user that the secure email message was successfully sent and received.

EAfter careful consideration you decide that you will implement secure email in a test group using X.509v3digital certificates. You choose this since every user received their certificate during an earlier phase, and those certificates included the ability to be used for secure email. You will configure each machine to use PGP, with the X.509v3 certificates option. You go to each computer and open Outlook Express, which is the default client email program in the testgroup. You go to the Tools and Account option, selecting the Mail tab, and the properties for the email account. You select he Security Tab and in the submenu for the Signing Certificate you configure the certificate for the user account. You select DSA and ElGamal as the cryptosystem to use. You then check the Encrypt Contents And Attachments For All Outgoing Messages check box and the Digitally Sign All Outgoing Messages check box. You accept the default of including the digital id when sending signed messages and the default to add sender certificates to the user address book, and close the properties the email account.You show the user how to send and receive email, showing the Purple ribbon that indicates a signed message and the Orange lock that indicates an encrypted message.

Answer : A

Question 2

You had been taking a short vacation, and when you come into work on Monday morning, Orange is already at your door, waiting to talk to you. "We're got a problem," Orange says, "It seems that the password used by our Vice President of Engineering has been compromised. Over the weekend, we found this account had logged into the network 25 times. The Vice President was not even in the office over the weekend." "Did we get the source of the compromise yet?" "No, but it won't surprise me if it is our new neighbors at MassiveCorp. I need to you to come up with a realistic plan and bring it to me tomorrow afternoon. This problem must be resolved, and like everything else we do not have unlimited funds so keep that in mind." Based on this information, choose the best solution to the password local authentication problem in the Executive building.}

ASince you are aware of the significance of the password problems, and since you do not have unlimited funds, you plan to address this problem through education and through awareness. You write up a plan for Orange that includes the following points:
1.All end users are to be trained on the methods of making strong passwords
2.All end users are instructed that they are to change their password at a minimum of every 30 days. 3.The administrative staff is to run password-checking utilities on all passwords every 30 days.
4.All end users are to be trained on the importance of never disclosing their password to any other
individual.
5.All end users are to be trained on the importance of never writing down their passwords where they
areclearly visible.

BSince you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Orange that includes the following points: 1.You will reconfigure the Testbed.globalcorp.org domain to control the password problem. 2.You will configure AD in this domain so that complex password policies are required. 3.The complex password policies will include: a.Password length of at least 8 characters b.Passwords must be alphanumeric c.Passwords must meet Gold Standard of complexity d.Passwords must be changed every 30 days e.Passwords cannot be reused

CSince you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a token-based authentication system.
2.You will install the RSA SecurID challenge-response token system.
3.You will create SecurID user records for each user to match their domain accounts.
4.You will assign each user record a unique token.
5.You will hand deliver the tokens to the correct executive.
6.Users will be required to use tokencodes from the One-Time tokencode list. The tokencodes will be alphanumeric and will be 4 characters long.
7.The tokens will replace all passwords for authentication into each user Windows system.

DSince you are aware of the significance of the password problems, plan to address the problem using technology. You write up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a biometric solution.
2.You will install retinal scanners at every user desktop in the executive building.You will install retinal scanners at every user?
desktop in the executive building.
2.You will install retinal scanners at every user desktop in the executive building.You will install retinal scanners at every user? Desktop in the executive building.
3.You will personally enroll each user at each desktop.3.You will personally enroll each user at each desktop.
4.You will instruct each user on the proper positioning and use of the scanner.4.You will instruct each user on the proper positioning and use of the scanner. 5.The biometric system will replace all passwords for authentication into each user Windows system.The biometric system will replace all passwords for authentication into each user?
Windows system. 6.The biometric system will replace all passwords for authentication into each user Windows system.The biometric system will replace all passwords for authentication into each user? Windows system.

ESince you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a token-based authentication system.
2.You will install the RSA SecurID time-based token system. 3.You will create SecurID user records for each user to match their domain accounts. 4.You will assign each user record a unique token. 5.You will hand deliver the tokens to the correct executive. 6.Users will be allowed to create their own PIN, which will be 4 characters long.
7.The tokens will replace all passwords for authentication into each user Windows system.

Answer : E

Question 3

Blue thanks you for your plan and design and took it into consideration. You are then informed that Orange has gone ahead and made a new plan, which will incorporate some of your suggestions, but is going to build the network a bit differently. In Testbed and in each remote office there will be a single self-sufficient CA hierarchy, one that is designed to directly integrate with the existing network. Orange mentions that the hierarchy is only to go two-levels deep, you are not to make an extensive hierarchy in any location. This means a distinct CA hierarchy in six locations, inclusive of the Testbed headquarters. Using this information, choose the solution that will provide for the proper rollout of the Certificate Authorities in the network.}

AIn each location, you recommend the following steps: 1.Harden a system to function as the Root CA
2.Harden a system to function as the Registration Authority 3.Configure CATool on the Root CA
4.Configure CATool on the Registration Authority, as a subordinate to the Root CA 5.Once the Subordinate CA is active, take the Root CA offline
6.Configure users for the CAs 7.Configure each Root CA to trust each other Root CA via cross certification 8.Test the CA hierarchy 9.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

BIn each location, you recommend the following steps: 1.Harden a system to function as the Root CA
2.Harden a system to function as a Registration Authority
3.Configure a Windows Enterprise Root CA
4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Stand-Alone Subordinate Enrollment Authority to function as the Registration Authority
6.Once the Stand-Alone Subordinate is installed, take the Enterprise Root CA offline
7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

CIn each location, you recommend the following steps: 1.Harden a system to function as the Root CA
2.Harden a system to function as the Registration Authority
3.Configure a Windows Enterprise Root CA
4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross
certification
5.Configure a Windows Enterprise Registration Authority, as a subordinate to the Enterprise Root CA
6.Once the Subordinate CA is active, take the Enterprise Root CA offline
7.Test the CA hierarchy7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

DIn each location, you recommend the following steps:
1.Harden a system to function as the Root CA
2.Harden a system to function as the Registration Authority
3.Configure a Windows Enterprise Root CA
4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification
5.Configure a Windows Registration Authority, as a subordinate to the Enterprise Root CA
6.Test the CA hierarchy 7.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

EIn each location, you recommend the following steps:
1.Harden a system to function as the Root CA
2.Harden a system to function as the Registration Authority
3.Configure CATool on the Root CA
4.Configure CATool on the Registration Authority, as a subordinate to the Root CA
5.Configure users for the CAs
6.Configure each Root CA to trust each other Root CA via cross certification
7.Test the CA hierarchy
8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

Answer : D

Question 4

Now that you have a fully functioning CA hierarchy in each location, and that the trusted network is well underway, you are called in to meet with Blue. Blue comes into the room, and you talk to one another for a while. It seems that now with the CA hierarchy in place, you need to plan the certificate rollout for the individual users and computers in the network. Since this is the executive building, Blue places higher security requirements here than on the otherbuildings. Certificates need to be issued to all the entities, computers and users, in the network.Blue has decided that for all senior level management, the process for certificate issuance should be even more secure than the rest of the deployment. Based on this information, and you understanding of the GlobalCorp environment, choose the best solution to assigning certificates to the computers and users of the trusted network in the Executive building:}

AYou meet with the other administrators of the executive building and let them know what you are working on, and how they can help. You will first assign certificates to the computers in the network, followed by assigning certificates to the users in the network. For this task, you divide the other administrators into four teams, one per floor of the building. Each team will be responsible for the assigning of certificates to the computers and users on the corresponding floor. To make the process faster, you have decided to install a new CA for each floor. The team leader on each floor will install and configure the CA, and you will oversee the process. With the new CAs installed, one administrator from each team goes to each desk on the floor and makes a request for a certificate for thecomputer using Internet Explorer. Once themachine certificate is installed, the administrator has each user log on to their machine and the administrator walks the userthrough the process of connecting to the CA_SERVER\certsrv on their floor to request a user certificate. To ensure the security of the senior level management, you lead the team on the fourth floor. You install thenew CA yourself, and oversee the configuration of the certificates for every machine and user on the floor.

BYou meet with the other administrators of the executive building and let them know what you are working on, and how they canhelp. You will first assign certificates to the computers in the network. To make the process easier, you have decided to configure the network so that the computers will request certificates automatically. In order to do this you perform the following steps:
1.You open Active Directory Users and Computers 2.You use Group Policy to edit the domain policy that is controlling the executive building. 3.You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate request option. 4.In the template list, you select computer, and define CA as the location to send the request. 5.You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart. Once you finishing setting up the computers to be assigned certificates, you shift your focus to all the users in the executive building. In order to have each user obtain a certificate you issue a memo (the actual memo goes into extreme detail on each step, even listing common questions and answers) to all users that instructs them to perform the following steps:
1.Log on to your computer as your normal user account1.Log on to your computer as your normal user account
2.Open Internet Explorer, and to connect to the CA_SERVER\certsrv.
3.Select the option to Request A Certificate, and to choose a User Certificate Request type, then submit the request.
4.When the certificate is issued, click the Install This Certificate hyperlink on screen. Finally, you address the senior level management. For these people, you want the security to be higher, so you select a stronger algorithm for their certificates. With all the other certificates, you used the default key strength and algorithms. However, the senior level management needs higher security. Therefore, you personally walk each person through the process of requesting a certificate; only you ensure that they select 1024-bit AES as their encryption algorithm.

CYou meet with the other administrators of the executive building and let them know what you are working on, and how they can help. You will first assign certificates to the computers in the network. To make the process easier, you have decided to configure the network so that the computers will =request certificates automatically. In order to do this you perform the following steps:
1.You open Active Directory Users and Computers
2.You use Group Policy to edit the domain policy that is controlling the executive building.
3.You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate request option.
4.In the template list, you select computer, and define CA as the location to send the request.
5.You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart. Once you finishing setting up the computers to be assigned certificates, you shift your focus to all the users in the executive building. In order to have each user obtain a certificate you issue a memo (the actual memo goes into extreme detail on each step, even listing common questions and answers) to all users that instructs them to perform the following steps:
1.Log on to your computer as your normal user account
2.Open Internet Explorer, and to connect to the CA_SERVER\certsrv.
3.Select the option to Request A Certificate, and to choose a User Certificate Request type, then submit the request.
4.When the certificate is issued, click the Install This Certificate hyperlink on screen. Finally, you address the senior level management. For these people, you want the security to be higher, so you select a different certificate scheme. By using a different scheme, you ensure that there will be no possibility of other people in the building gaining access to the senior level managementaccounts. For these accounts you utilize licensed PGPdigital certificates thatcan be used for both authentication and secure email. You personally show each manager how to create and usetheir key ring, providing for very secure communication.

DYou meet with the other administrators of the executive building and let them know what you are working on, and how they can help. You will first assign certificates to the computers in the network. To make the process easier, you have decided to configure the network so that the computers will request certificates automatically. In order to do this you perform the following steps:
1.You open Active Directory Users and Computers
2.You use Group Policy to edit the domain policy that is controlling the executive building.
3.You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate request option.
4.In the template list, you select computer, and define CA as the location to send the request.
5.You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart. Once you finishing setting up the computers to be assigned certificates, you shift your focus to the users, except for the senior management, in the executive building. In order to have each user obtain a certificate you issue a memo (the actual memo goes into extreme detail on each step, even listing common questions and answers) to all users that instructs them toperform the following steps:
1.Log on to your computer as your normal user account 2.Open Internet Explorer, and to connect to the CA_SERVER\certsrv. 3.Select the option to Request A Certificate, and to choose a User Certificate Request type, then submit the request.
4.When the certificate is issued, click the Install This Certificate hyperlink on screen. Finally, you address the senior level management in the building. For these people, you personally go into their office and walk through the steps with each person.
1.The user logs on to the computer with their normal user account 2.You open the MMC and add the personal certificates snap-in 3.You right-click certificates and Request A New Certificate 4.The user fills in the requested information, and you verify this information. 5.You put the certificate request onto a USB drive, and take the request back to the CA. 6.You put the USB drive into the CA, manually process the request, and put the issued certificate onto the USB drive. 7.You bring the USB drive back to each person, and manually import their new certificate

EYou meet with the other administrators of the executive building and let them know what you are workingon, and how they can help. You will first assign certificates to the computers in the network. To make the process easier, you have decided to configure the network so that the computers will request certificates automatically. In order to do thisyou perform the following steps:
1.You open Active Directory Users and Computers 2.You use Group Policy to edit the domain policy that is controlling the executive building. 3.You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate request option. 4.In the template list, you select computer, and define CA as the location to send the request. 5.You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart. Once you finishing setting up the computers to be assigned certificates, you shift your focus to all the users in the executive building. In order to have each user obtain a certificate you issue a memo (the actual memo goes into extreme detail on each step, even listing common questions and answers) to all users that instructs them to perform the following steps:
1.Log on to your computer as your normal user account
2.Open Internet Explorer, and to connect to the CA_SERVER\certsrv.
3.Select the option to Request A Certificate, and to choose a User Certificate Request type, then submit the request.
4.When the certificate is issued, click the Install This Certificate hyperlink on screen.

Answer : D

Question 5

Things have been running smoothly now at GlobalCorp for the last several weeks. There have been no major attacks, and it seems that the systems in place are performing just as expected. You are putting together some paperwork when you get a call from Orange to meet in the conference room. When you get there, Orange is wrapping up a meeting with the senior Vice President of Sales, whom you say hello to on your way in. "I was just talking with our senior VP here, and we're run into a new issue to discuss," Orange tells you. "Wel Il let you two sort this out. Orange, do let me know when it all ready to go."With that the VPleaves. You sit down across from Orange, who starts, "That was an interesting meeting. It seems that even though I have always said no to the request, we are being pressured to implement a wireless network." "Here?" you ask, "In the executive building?""Yes, right here. The sales team wishes to have the ability to be mobile. Instead of running a full scale roll out I have trimmed the request down to running a test implementation on the second floor. The test run on that floor will be used to determine the type of wireless rollout for the rest of the building, and eventually the rest of the campus. So, here is what we need to do. I need you to create the roll out plan, and bring that plan to me. Il review with you and implement as required." "As always, what is my budget restriction?" you ask. "In this case, security is the top priority. If we are going to run wireless, it has to be as secure as possible, use whatever you need. That being said, your plan has to use existing technologies, we are not going to fund the development of a new protocol or proprietary encryption system right now."You begin your work on this problem by pulling out your own wireless networking gear. You have alaptop that uses an ORiNOCO card, and you have a full directional antenna that you can holdor mount on a small tripod. You take your gear to the lobby of the second floor, and you load up Net Stumbler quickly to run a quick check that there are no access points in your area. The immediate area is clear of any signal, so you take you gear and walk the entiresecond floor, waitingto see if there is any signal, and you find none. With your quick walk through complete, you take your gear back to your office and start working on your plan. Using your knowledge of the GlobalCorp network, select the best solution to the wireless networking rollout problem:}

AYou have figured out that since the network is a test roll out, you have some flexibility in its configuration. After your walk through test, you begin by configuring the wireless nodes in the network to run in Ad Hoc mode, creating an Independent Basic Service Set (IBSS). You will use a complex SSID of 5cN@4M3! on all wireless nodes. You will next configure every node to nolonger broadcast any beacon packets. You will configure all the nodes to not use the default channel, and instead move them all to channel six. You will configure every node to use MAC address filtering, to avoid unauthorized nodes from attempting to gain access to the network. Finally, you will configure each node to use WEP in the strong 128-bit mode, along with a complex 16-character passphrase. Once the network is up and running, you take your gear (which is not an authorized client of the network) and every few days will walk the office again, checking for access. B. You have figured out that since the network is a test roll out, you have some flexibility in its configuration. After your walk through test, you begin by configuring the wireless nodes in the network to run in Ad Hoc mode, creating an Extended Basic Service Set (EBSS). You will use a complex SSID of 5cN@4M3! on all wireless nodes. You will next configure every node to no longer broadcast any beacon packets. You will configure all the nodes to not use the default channel, and instead move them all to channel six.You will configure every node to use MAC address filtering, to avoid unauthorized nodes from attempting to gain access to the network. Finally, you will configure each node to use WEP inthe strong 128-bit mode, along with a complex 16-character passphrase for generating four keys. You willmanually input the WEP Keys into each node. You will divide the test nodes into quarters, and configure each quarter to startup on the network using a different default WEP key. Once the network is up and running, you take your gear (which is not an authorized client of the network) and every few days will walk the office again, checking for access.

CYou determine that for the test network, you will run the network in infrastructure mode, using a SSID ofFLOOR2. During the test, you will create one single Basic Service Set (BSS),running through one access point. All test nodes will be configured to participate in theBSS, using the SSID ofFLOOR2, and the access point will be configured with MAC address filteringof the test nodes. You will configure the access point to use EAP, specifically EAP-TLS. You willconfigure a Microsoft RADIUS Server as the authentication server. You will configure the RADIUS server with a digital certificate. Using EAP-TLS, both the server and the client will be required to authenticate using their digital certificates before full network access will be granted. Clients will have supplicant software configured where required. You will next make a physical map of the office, using the tool Ekahau. Working with this tool, you will map out and track the positioning of each wireless device once the network isactive. When the network is up and running, you take your gear (which is not an authorized client of the network) and every few days will walk the office again, checking for access. You will continue the test by running checks from the parking lot, ensuring that you cannot gain access.

DYou determine that for the test network, you will run in infrastructure mode, using a SSID of FLOOR2. During the test, you will create one single Independent Basic Service Set (IBSS), running through one access point. All test nodes will be configured to participate in the IBSS, using the SSID of FLOOR2. You will configure the access point to use WPA, with an algorithm of TKIP. You will configure WPA to utilizethe full 128-bit key option, with the pre-shared WPA key option. The clientcomputers will need supplicants, so you will configure the Funk Software Odyssey Client on the clients, matching the key settings and TKIP settings.You will disable the access point from broadcasting its SSID, and you will configureMAC address filtering. Once the network is up and running, you take your gear (which is not an authorized client of the network) andevery few days will walk the office again, checking for access.

EYou figure out that you will run the test network in infrastructure mode, using a SSID of GlobalCorp. You will create one single Basic Service Set (BSS), all running through one accesspoint. All test nodes will be configured to participate in the BSS, using the SSID of GlobalCorp, and the accesspoint will be configured with MAC address filtering of the test nodes.You will configure the access point to utilize a combination of 802.1x and WPA. The WPA settings will befully secured with TKIP, and 128-bit keys, which change on a per session basis. The 802.1x settings will be to use Lightweight EAP (LEAP). The clients will be configured to use LEAP, witha fallback to TKIP at 128-bits.You will configure the access point to utilize a combination of 802.1x and WPA. The WPA settings will be fully secured with TKIP, and 128-bit keys, which change on a per session basis. The 802.1x settings will be to use Lightweight EAP (LEAP). The clients will be configured to use LEAP, with a fallback to TKIP at 128-bits. When the network is up and running, you take your gear (which is not an authorized client of the network) and every few days will walk the office again, checking for access. You will continue the test by running checks from the parking lot, ensuring that you cannot gain access.

Answer : C

Question 6

GlobalCorp is a company that makes state of the art aircraft for commercial and government use. Recently GlobalCorp has been working on the next generation of low orbit space vehicles, again for both commercial and governmental markets. GlobalCorp has corporate headquarters in Testbed, Nevada, USA. Testbed is a small town, with a population of less than 50,000 people. GlobalCorp is the largest company in town, where most families have at least one family member working there. The corporate office in Testbed has 4,000 total employees, on a 40-acre campus environment. The largest buildings are the manufacturing plants, which are right next to the Research and Development labs. The manufacturing plants employee approximately 1,000 people and the RD labs employ 500 people. There is one executive building, where approximately 500 people work. The rest of the employees work in Marketing, Accounting, Press and Investor Relations, and so on. The entire complex has a vast underground complex of tunnels that connect each building. All critical functions are run from the Testbed office, with remote offices around the world. The remote offices are involved in marketing and sales of GlobalCorp products. These offices also perform maintenance on the GlobalCorp aircraft and will occasionally perform RD and on-site manufacturing. There are 5 remote offices, located in:

New York, California, Japan, India, and England. Each of the remote offices has a dedicated T3 line to the GlobalCorp HQ, and all network traffic is routed through the Testbed office the remote offices do not have direct Internet connections. You had been working for two years in the New York office, and have been interviewing for the lead security architect position in Testbed. The lead security architect reports directly to the Chief Security Officer (CSO), who calls you to let you know that you got the job. You are to report to Testbed in one month, just in time for the annual meeting, and in the meantime you review the overview of the GlobalCorp network: Your first day in GlobalCorp Testbed, you get your office setup, move your things in place, and about the time you turn on your laptop, there is a knock on your door. It is Orange, the Chief Security Officer, who informs you that there is a meeting that you need to attend in a half an hour. With your laptop in hand, you come to the meeting, and are introduced to everyone. Orange begins the meeting with a discussion on the current state of security in GlobalCorp. "For several years now, we have constantly been spending more and more money on our network defense, and I feel confident that we are currently well defended." Orange, puts a picture on the wall projecting the image of the network, and then continues, "We have firewalls at each critical point, we have separate Internet access for our public systems, and all traffic is routed through our controlled access points. So, with all this, you might be wondering why I have concern." At this point a few people seem to nod in agreement. For years, GlobalCorp has been at the forefront of perimeter defense and security. Most in the meeting are not aware that there is much else that could be done. Blue continues, "Some of you know this, for the rest it is new news: MassiveCorp is moving their offices to the town right next to us here. Now, as you all know, MassiveCorp has been trying to build their orbital systems up to our standards for years and have never been able to do so. So, from a security point of view, I am concerned." This is news to most people, Yellow, the Vice President of Research asks, "We have the best in firewalls, we have the best in you and your systems, what are you suggesting?" The meeting continues for some time, with Orange leading the discussion on a whole new set of technologies currently not used in the network. After some time, it is agreed upon that GlobalCorp will migrate to a trusted networking environment. The following week, Orange informs you that you will be working directly together on the development of the planning and design of the trusted network. The network is going to run a full PKI, with all clients and servers in the network using digital certificates. You are grateful that in the past two years, Orange has had all the systems changed to be running only Windows 2000, both server and professional systems, running Active Directory. You think the consistent platform will make the PKI roll out easier. The entire GlobalCorp network is running Active Directory, with the domain structure as in the following list: Testbed.globalcorp.org Newyork.globalcorp.org California.globalcorp.org Japan.globalcorp.org India.globalcorp.org England.globalcorp.org Although you will be working in the Testbed office, the plan you develop will need to include the entire GlobalCorp organization. Based on this information, select the solution that describes the best plan for the new trusted network of GlobalCorp:}

AYou design the plan for two weeks, and then you present it to Orange. Your plan follows these critical steps:A.
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls. 3.Design the system to be a full hierarchy, with the Root CA located in the executive building. Every remote office will have a subordinate CA, and every other building on the campus in Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the GlobalCorp trusted network.

BYou design the plan for two weeks, and then you present it to Orange. Your plan follows these critical
steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their certificates, and a Certification Practice Statement (CPS) document to define the technology used to ensure the users are able to use their certificates as per the CPS. 2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every primary component. 3.Design the system to be a full hierarchy, with the Root CA located in the executive building. Every remote office will have a subordinate CA, and every other building on the campus in Testbed will have a subordinate CA. 4.Design the hierarchy with each remote office and building having it own enrollment CA. 5.Build a small test pilot program, to test the hierarchy, and integration with the existing network. 6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system. 7.Implement the CA hierarchy in each other campus building in Testbed, and get all users acclimated to the system. 8.One at a time, implement the CA hierarchy in each remote office; again getting all users acclimated to the system. 9.Test the team in each location on proper use and understanding of the overall PKI and their portion of the trusted network. 10.Evaluate the rollout, test, and modify as needed to improve the overall security of the GlobalCorp trusted network.

CYou design the plan for two weeks, and then you present it to Orange. Your plan follows these critical steps: 1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users are able to use their certificates as per the CPS. 2.Draft a CPF based on your own guidelines, including physical and technology controls. 3.Design the system, outside of the executive office, to be a full hierarchy, with the Root CA for the hierarchy located in the executive building. Every remote office will have a subordinate CA, and every other building on the campus in Testbed will have a subordinate CA. 4.In the executive building, you design the system to be a mesh CA structure, with one CA per floor of the building. 5.Design the hierarchy with each remote office and building having it own enrollment CA. 6.Build a small test pilot program, to test the hierarchy, and integration with the existing network. 7.Implement the CA hierarchy in the executive office, and get all users acclimated to the system. 8.Implement the CA hierarchy in each other campus building in Testbed, and get all users acclimated to the system. 9.One at a time, implement the CA hierarchy in each remote office; again getting all users acclimated to the system. 10.Test the team in each location on proper use and understanding of the overall PKI and their portion of the trusted network. 11.Evaluate the rollout, test, and modify as needed to improve the overall security of the GlobalCorp trusted network.

DYou design the plan for two weeks, and then you present it to Orange. Your plan follows these critical steps: 1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their certificates, and a Certification Practice Statement (CPS) document to define the technology used to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every primary component.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the GlobalCorp trusted network.

EYou design the plan for two weeks, and then you present it to Orange. Your plan follows these critical
steps: 1.Draft a Certification Practice Statemnt (CPS) to define what users will be allowed to do with their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users are able to use their certificates as per the CPS. 2.Draft a CPF based on your own guidelines, including physical and technology controls. 3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA. 5.Build a small test pilot program, to test the hierarchy, and integration with the existing network. 6.Implement the CA mesh in the executive office, and get all users acclimated to the system. 7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated to the system. 8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated to the system. 9.Test the team in each location on proper use and understanding of the overall PKI and their portion of the trusted network. 10.Evaluate the rollout, test, and modify as needed to improve the overall security of the GlobalCorp trusted network.

Answer : B

Question 7

By now, you are feeling confident that the security of the MegaCorp network is getting under control. You are aware that there are still several critical areas that you must dealwith, and today you are addressing one of those areas. You have been able to take care of the router, firewall, security policy, and intrusion detection, now you are concerned with some of the hosts in the network. Since the organization is not very large, you are the only person working in the IT end of the company. Itwill be up to you to directly work on the systems throughout the network. You make a quick chart of the systems you know should be in the MegaCorp network:

Server0001, 10.10.20.101, Windows 2000 Server Server0010, 10.10.20.102, Windows 2000 Server Server0011, 10.10.20.103, Windows 2000 Server Server0100, 10.10.20.104, Linux (Red Hat 8.0) User systems, 10.10.100.100~10.10.100.200, Windows 2000 Professional The addressing that you recommended months ago is in place, and it follows a distinct logical pattern,you are hoping that no new systems are hidden in the network somewhere. In the company, you have been granted domain administrator rights, and no other user is authorized tohave administrator, root, supervisor, or otherwise privileged level of access. All the Windows systems are to belong to one windows domain called SCNA.edu. Users are no longer allowed to install unauthorized applications, and are all to use the file servers for storage. Although they have the ability to do so, users are not supposed to store any work data on their local systems. The servers are located in a server cabinet that is inside your office, so you decide to start working there. Using your knowledge of MegaCorp select the best solution for hardening the MegaCorp operating systems:}

AThe first thing you do is to run a Nessus scan against all the servers in the room, noting the findings of the scans. You then begin on the servers by running some tests on the Linux server. First, you run Tripwire on the entire system to ensure that there are no rogue Root accounts, and the test is positive. Second, you ensure that there are no unauthorized objectsavailable through the network, and third you lock the system down with Bastille. You then work on the Windows servers. You run a check to ensure there are no unauthorized administrator accounts, and there are not. You create a custom security template and implement the template on each server using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches. Finally, you analyze the user desktops. You go one by one through the network checking for added user accounts, and you find some. You remove these unauthorized accounts and check for software and applications. Again, you find some applications that are not allowed and you remove them.You check the systems for hardware changes, and address the issues that you find.

BYou start the job by running some analysis on the Windows servers. You do this using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches. You find several user accounts that have been given local administrator access, and youremove these accounts. You next use the Secedit tool to implement local encryption on the shared hard drive to secure the local files for the network users.You then work on the Linux server. To your surprise there are nounauthorized root accounts, nor any unauthorized shares. You ensure that the permissions are correct on the shared objects, and run Bastille to lock down the server. You then work on the client machines. Before you physically sit at each machine, you run a Nessus scan from your office. Bringing the results with you, you go to each machine andaddress any issues as identified in the Nessus scan, remove any unauthorized applications

CThe first thing you decide to do is plug your laptop into the server room, and run a full Nessus scan on the entire network, specifically looking for every backdoor vulnerability that theapplication can check. This takes some time to compile, but you eventually end up with a list of issues to address on each machine. You move on to the Linux server, and run a fast Tripwire check on the system to look forany additional vulnerabilities. Once that check is done, you install SSH so that all access by every user will be encrypted to the server, and you run Bastille to lock down the system. At the Windows systems, you address any issues found during the Nessus scan, you ensure that each system is updated with the latest patches, and you ensure that the systems are allfunctioning as fully secure and functional file servers to the network by implementing the HISECWEB.INFtemplate in the Security Configuration and Analysis Snap-In.Finally, you work on each desktop machine by removing any vulnerabilities listed in the scan report. You remove a few pieces of unauthorized hardware and many unauthorized applications.

DYou being by running a Nessus scan from your office laptop on the systems in the network, first the servers, then the user workstations. After the scans are complete, you store the reports on your laptop, and you take your laptop to the server room. In the server room, you begin on the Windows servers. You implement a custom security template on eachserver using the Security Configuration and Analysis Snap-In, remove any unauthorized accounts, ensure that each system is updated with the latest patches, and ensure that the permissions on each shared object are as per policy. You then work on the Linux server, by addressing each point identified in the Nessusscan. You then lock thesystem with Bastille, ensure that each system is updated with the latestpatches, and run a quick Tripwire scan to create a baseline for the system. You take your laptop with you as you go throughout the network to each userworkstation, ensure that each system is updated with the latest patches, and you take care of each issue you found on the machines. There are a few systems that you find with unauthorized applications and you removethose applications.

EYou begin by running a Nessus scan on each computer in the network, using the \hotfix switch to create a full report. The report identifies every vulnerability on each system and lists the specific changes you must make to each system to fix any found vulnerabilities. You take the report to the server room and start with the Linux server. On the server, you run through the steps as outlined in the Nessus report, and end by locking the system using Bastille. Then, you move to the Windows systems, again following the steps of the Nessus report, and ending by using the Security Configuration and Analysis Snap-In to implement the GoldStandard template on every server. Finally, you proceed to each user workstation. At each user machine, you follow each step for each system, based on your report. Once you have addressed all the vulnerabilities in the systems, you run a quick Secedit scan on each system to ensure that they are all locked down and that proper encryption is configured.

Answer : D