Question No. 1

By now, you are feeling confident that the security of the MegaCorp network is getting under control. You are aware that there are still several critical areas that you must deal with, and today you are addressing one of those areas. You have been able to take care of the router, firewall, security policy, and intrusion detection, now you are concerned with some of the hosts in the network. Since the organization is not very large, you are the only person working in the IT end of the company. It will be up to you to directly work on the systems throughout the network. You make a quick chart of the systems you know should be in the MegaCorp network:

Server0001, 10.10.20.101, Windows 2000 Server Server0010, 10.10.20.102, Windows 2000 Server Server0011, 10.10.20.103, Windows 2000 Server Server0100, 10.10.20.104, Linux (Red Hat 8.0) User systems, 10.10.100.100~10.10.100.200, Windows 2000 Professional The addressing that you recommended months ago is in place, and it follows a distinct logical pattern, you are hoping that no new systems are hidden in the network somewhere. In the company, you have been granted domain administrator rights, and no other user is authorized to have administrator, root, supervisor, or otherwise privileged level of access. All the Windows systems are to belong to one windows domain called SCNA.edu. Users are no longer allowed to install unauthorized applications, and are all to use the file servers for storage. Although they have the ability to do so, users are not supposed to store any work data on their local systems. The servers are located in a server cabinet that is inside your office, so you decide to start working there. Using your knowledge of MegaCorp select the best solution for hardening the MegaCorp operating systems:}

AThe first thing you do is to run a Nessus scan against all the servers in the room, noting the findings of the scans. You then begin on the servers by running some tests on the Linux server. First, you run Tripwire on the entire system to ensure that there are no rogue Root accounts, and the test is positive. Second, you ensure that there are no unauthorized objects available through the network, and third you lock the system down with Bastille. You then work on the Windows servers. You run a check to ensure thereare no unauthorized administrator accounts, and there are not. You create a custom security template and implement the template on each server using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches.Finally, you analyze the user's desktops. You go one by one through the network checking for added user accounts, and you find some. You remove these unauthorized accounts and check for software and applications. Again, you find some applications that are not allowed and you remove them. You check the systems for hardware changes, and address the issues that you find.

BYou start the job by running some analysis on the Windows servers. You do this using the Security
Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches. You find several user accounts that have been given local administrator access, and you remove these accounts. You next use the Secedit tool to implement local encryption on the shared hard drive to secure the local files for the network users. You then work on the Linux server. To your surprise there are no unauthorized root accounts, nor any unauthorized shares. You ensure that the permissions are correct on the shared objects, and run Bastille to lock down the server. You then work on the client machines. Before you physically sit at each machine, you run a Nessus scan from your office. Bringing the results with you, you go to each machine and address any issues as identified in the Nessus scan, remove any unauthorized applications

CYou being by running a Nessus scan from your office laptop on the systems in the network, first the servers, then the user workstations. After the scans are complete, you store the reports on your laptop, and you take your laptop to the server room.In the server room, you begin on the Windows servers. You implement a custom security template on each server using the Security Configuration and Analysis Snap-In, remove any unauthorized accounts, ensure that each system is updated with the latest patches, and ensure that the permissions on each shared object are as per policy. You then work on the Linux server, by addressing each point identified in the Nessus scan. You then lock the system with Bastille, ensure that each system is updated with the latest patches, and run a quick Tripwire scan to create a baseline for the system. You take your laptop with you as you go throughout the network to each user workstation, ensure that each system is updated with the latest patches, and you take care of each issue you found on the machines. There are a few systems that you find with unauthorized applications and you remove those applications.

DThe first thing you decide to do is plug your laptop into the server room, and run a full Nessus scan on the entire network, specifically looking for every backdoor vulnerability that the application can check. This takes some time to compile, but you eventually end up with a list of issues to address on each machine. You move on to the Linux server, and run a fast Tripwire check on the system to look for any additional vulnerabilities. Once that check is done, you install SSH so that all access by every user will be encrypted to the server, and you run Bastille to lock down the system.At the Windows systems, you address any issues found during the Nessus scan, you ensure that each system is updated with the latest patches, and you ensure that the systems are all functioning as fully secure and functional file servers to the network by implementing the HISECWEB.INF template in the Security Configuration and Analysis Snap-In. Finally, you work on each desktop machine by removing any vulnerabilities listed in the scan report. You remove a few pieces of unauthorized hardware and many unauthorized applications.

EYou begin by running a Nessus scan on each computer in the network, using the \hotfix switch to create a full report. The report identifies every vulnerability on each system and lists the specific changes you must make to each system to fix any found vulnerabilities. You take the report to the server room and start with the Linux server. On the server, you run through the steps as outlined in the Nessus report, and end by locking the system using Bastille. Then, you move to the Windows systems, again following the steps of the Nessus report, and ending by using the Security Configuration and Analysis Snap-In to implement the Gold Standard template on every server. Finally, you proceed to each user workstation. At each user machine, you follow each step for each system,based on your report. Once you have addressed all the vulnerabilities in the systems, you run a quick Secedit scan on each system to ensure that they are all locked down and that proper encryption is configured.

Show Answer

Correct Answer: C

Question No. 2

The network has been receiving quite a lot of inbound traffic, and although you have been given instructions to keep the network open, you want to know what is going on. You havedecided to implement an Intrusion Detection System. You bring this up at the next meeting. "After looking at our current network security, and the network traffic we are dealing with, I recommend that we implement an Intrusion Detection System," you begin. "We don't have any more budget for security equipment, it will have to wait until next year." This is the reply from the CEO that you were anticipating. "I realize that the budget is tight, but this is an important part of setting up security." You continue, "If Icannot properly identify all the network traffic, and have a system in place to respond to it, we might not know about an incident until after our information is found for sale on the open market."As expected, your last comment got the group thinking. What about false alarms?" asks the VP of sales, "I hear those things are always goingoff, and just endup wasting everyone" time.""Tha's a fair concern, but it is my concern. When we mplement the system, I will fine tune it and adjust t until the alarms it generates are ppropriate, and are generated when there is egitimately something to be concerned about.We are concerned with traffic that would indicate anattack; only then will the ystem send me an alert." or a few minutes there was talk back and forth in the room, and hen the CEO responds again to your nquiry, "I agree that this type of thing could be helpful. But, we simply don have any morebudget for it. Since it is a good idea, go aheadand find a way to implement this, but don't spend any oney on it."With this nformation, and your knowledge of MegaCorp, choose the answer that will provide the bestsolution for the IDS needs of MegaCorp:}

AYou install Snort on a dedicated machine just outside the router. The machine is designed to send alerts toyou when appropriate. You implement the following rule set: Alert udp any any -> 10.10.0.0\16 (msg: 'O\S Fingerprint Detected'; flags: S12;)Alert tcp any any -> 10.10.0.0\16 (msg: 'Syn\Fin Scan Detected'; flags: SF;)Alert tcp any any -> 10.10.0.0\16 (msg: 'Null Scan Detected'; flags: 0;) og tcp any any -> 10.10.0.0\16 any You then install Snort on the web and ftp server, also with this system designed to send ou alerts whenappropriate. You implement the built-in scan.rules ruleset on the server.

BYou configure a new dedicated machine just outside the router and install Snort on thatmachine. Themachine logs all intrusions locally, and you will connect to the machine remotelyonce each morning to pull the log files to your local machine for analysis. ou run snort with the following command: Snort ev \snort\log snort.conf and using the following ule base: lert tcp any any <> any 80 lert tcp any any <> 10.10.0.0\16 any (content: 'Password'; msg:'Password transfer Possible';) Log tcp any any <- 10.10.0.0\16 23 Log tcp any any <> 10.10.0.0\16 1:1024

CYou install your IDS on a dedicated machine just inside the router. The machine is designed to send alerts o you when appropriate. You begin the install by performing a new install of indows on a clean hard drive. ou install ISS Internet Scanner and ISS System Scanner on the new system. System canner is configured todo full backdoor testing, full baseline testing, and full password testing.Internet Scanner is configured with a custom policy you made to scan for all vulnerabilities. You configure both canners to generate automatic weekly reports and to send you alerts whenan incident of note takes place on the network.

DYou install Snort on a dedicated machine just inside the router. The machine is designed to send alerts to ou when appropriate. You do have some concern that the system will have toomany rules to operate efficiently. To address this, you decide to pull the critical rules out of the built-in rule ets, and create one simple rule set that is short and will cover all of the seriousincidents that the network might experience. alert udp any 19 <>
$HOME_NET 7 (msg:'DOS UDP Bomb'; classtype:attempted-dos;sid:271; rev:1;) lert udp $EXTERNAL_NET any
-> $HOME_NET any (msg:'DOS Teardrop attack';id:242; fragbits:M;classtype:attempted-dos; sid:270;
rev:1;)alert icmp
$EXTERNAL_NET any -> $HOME_NET any (msg:'DDOS TFN Probe'; id: 678; itype: 8;
content:'1234';classtype:attempted-recon; sid:221; rev:1;) lert icmp XTERNAL_NET any ->
$HOME_NET any (msg:'ICMP PING NMAP'; size:;itype:8;classtype:attempted econ; sid:469;
rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET any msg:'SCAN
XMAS';flags:SRAFPU; lasstype:attempted-recon; sid:625; rev:1;) lert tcp HOME_NET 31337
> $EXTERNAL_NET 80 (msg:'SCAN synscan microsoft'; id: 9426; flags: F;
lasstype:attempted-recon; sid:633; rev:1;)

EYou install two computers to run your IDS. One will be a dedicated machine that is on the outside of therouter, and the second will be on the inside of the router. You configure themachine on the outside of the router to run Snort, and you combine the default rules of several of the built-inrule sets. You combine the ddos.rules, dos.rules, exploit.rules, icmp.rules, nd scan.rules. n the system that is inside the router, running Snort, you also combine several of thebuilt-in rule sets. You combine thes can.rules,webcgi.rules,ftp.rules, web-misc.rules, andweb-iis.rules.You configure the alerts on the two systems to send youemail messages when events are identified. After youimplement he two systems, you run some external scans and tests using vulner ability checkers and exploit testing software. You modify your rules based on your tests.

Show Answer

Correct Answer: E

Question No. 3

It has been quite some time since you were called in to address the network and security needs of MegaCorp. You feel good in what you have accomplished so far. You have been able to get MegaCorp to deal with their Security Policy issue, you have secured the router, added a firewall, added intrusion detection, hardened the Operating Systems, and more. One thing you have not done however, is run active testing against the network

from the outside. This next level of testing is the final step, you decide, in wrapping up this first stage of the new MegaCorp network and security system. You setup a meeting with the CEO to discuss. "We have only one significant issue left to deal with here at MegaCorp," you begin. "We need some really solid testing of our network and our security systems." "Sounds fine to me, don't you do that all the time anyway? I mean, why meet about this?" "Well, in this case, I'd like to ask to bring in outside help. Folks who specialize in this sort of thing. I can do some of it, but it is not my specialty, and the outside look in will be better and more independent from an outside team." "What does that kind of thing cost, how long will it take?" "It will cost a bit of money, it won't be free, and with a network of our size, I think it can be done pretty quick. Once this is done and wrapped up, I will be resigning as the full time security and network pro here. I need to get back to my consulting company full time. Remember, this was not to be a permanent deal. I can help you with the interview, and this is the perfect time to wrap up that transition." "All right, fair enough. Get me your initial project estimates, and then I can make a more complete decision. And, Il get HR on hiring a new person right away." Later that afternoon you talk to the CEO and determine a budget for the testing. Once you get back to your office, you are calling different firms and consultants, and eventually you find a consulting group that you will work with. A few days later you meet with the group in their office, and you describe what you are looking for, and that their contact and person to report to is you. They ask what is off limits, and your response is only that they cannot do anything illegal, to which they agree and point out is written in their agreement as well. With this outside consulting group and your knowledge of the network and company, review and select the solution that will best provide for a complete test of the security of MegaCorp.}

AThe consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports. The consultants will first run remote network surveillance to identify hosts, followed by port scans and both passive and active fingerprinting. They will then run vulnerability scanners on the identified systems, and attempt to exploit any found vulnerabilities. They will next scan and test the router and firewall, followed by testing of the IDS rules They will then perform physical surveillance and dumpster diving to learn additional information. This will be followed by password sniffing and cracking. Finally, they will call into MegaCorp to see what information they can learn via social engineering.

BThe consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports. The first thing the consultants will do is dumpster diving and physical surveillance, looking for clues as to user information and other secret data that should not be outside of the network. Once they have identified several targets through the dumpster diving, they will run scans to match up and identify the workstations for those users. After identifying the user workstations, they will run vulnerability checks on the systems, to find holes, and if a hole is found they have been given permission to exploit the hole and gain access of the system.They will attempt to gain access to the firewall and router remotely, via password guessing, and will test the response of the network to Denial of Service attacks. Finally, they will call into MegaCorp to see what information they can learn via social engineering.

CThe consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports The consultants surprise you with their initial strategy. They intend to spend nearly 100% of their efforts over the first week on social engineering and other physical techniques, using little to no technology. They have gained access to the building as a maintenance crew, and will be coming into the office every night when employees are wrapping up for the day. All of their testing will be done through physical contact and informal questioning of the employees. Once they finish that stage, they will run short and direct vulnerability scanners on the systems that they feel will present weakness.

DThe consulting group has identified the steps it will follw in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports. The consultants have decided on a direct strategy. They will work inside the MegaCorp office, with the group introducing themselves to the employees. They will directly interview each employee, and perform extensive physical security checks of the network. They will review and provide analysis on the security policy, and follow that with electronic testing. They will run a single very robust vulnerability scanner on every single client and server in the network, and document the findings of the scan.

EThe consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.The consultants will start the process with remote network surveillance, checking to see what systems and services areavailable remotely. They will run both passive and active fingerprinting on any identified system. They will run customized vulnerability scanners on the identified systems, and follow that through with exploits, including new zero-day exploits they have written themselves. They will next run scans on the router, firewall, and intrusion detection, looking to identify operating systems and configurations of these devices. Once identified, they will run customized scripts to gain access to these devices. Once they complete the testing on the systems, they will dumpster dive to identify any leaked information.

Show Answer

Correct Answer: A

Question No. 4

By now, you are feeling confident that the security of the MegaCorp network is getting under control. You are aware that there are still several critical areas that you must dealwith, and today you are addressing one of those areas. You have been able to take care of the router, firewall, security policy, and intrusion detection, now you are concerned with some of the hosts in the network. Since the organization is not very large, you are the only person working in the IT end of the company. Itwill be up to you to directly work on the systems throughout the network. You make a quick chart of the systems you know should be in the MegaCorp network:

Server0001, 10.10.20.101, Windows 2000 Server Server0010, 10.10.20.102, Windows 2000 Server Server0011, 10.10.20.103, Windows 2000 Server Server0100, 10.10.20.104, Linux (Red Hat 8.0) User systems, 10.10.100.100~10.10.100.200, Windows 2000 Professional The addressing that you recommended months ago is in place, and it follows a distinct logical pattern,you are hoping that no new systems are hidden in the network somewhere. In the company, you have been granted domain administrator rights, and no other user is authorized tohave administrator, root, supervisor, or otherwise privileged level of access. All the Windows systems are to belong to one windows domain called SCNA.edu. Users are no longer allowed to install unauthorized applications, and are all to use the file servers for storage. Although they have the ability to do so, users are not supposed to store any work data on their local systems. The servers are located in a server cabinet that is inside your office, so you decide to start working there. Using your knowledge of MegaCorp select the best solution for hardening the MegaCorp operating systems:}

AThe first thing you do is to run a Nessus scan against all the servers in the room, noting the findings of the scans. You then begin on the servers by running some tests on the Linux server. First, you run Tripwire on the entire system to ensure that there are no rogue Root accounts, and the test is positive. Second, you ensure that there are no unauthorized objectsavailable through the network, and third you lock the system down with Bastille. You then work on the Windows servers. You run a check to ensure there are no unauthorized administrator accounts, and there are not. You create a custom security template and implement the template on each server using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches. Finally, you analyze the user desktops. You go one by one through the network checking for added user accounts, and you find some. You remove these unauthorized accounts and check for software and applications. Again, you find some applications that are not allowed and you remove them.You check the systems for hardware changes, and address the issues that you find.

BYou start the job by running some analysis on the Windows servers. You do this using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches. You find several user accounts that have been given local administrator access, and youremove these accounts. You next use the Secedit tool to implement local encryption on the shared hard drive to secure the local files for the network users.You then work on the Linux server. To your surprise there are nounauthorized root accounts, nor any unauthorized shares. You ensure that the permissions are correct on the shared objects, and run Bastille to lock down the server. You then work on the client machines. Before you physically sit at each machine, you run a Nessus scan from your office. Bringing the results with you, you go to each machine andaddress any issues as identified in the Nessus scan, remove any unauthorized applications

CThe first thing you decide to do is plug your laptop into the server room, and run a full Nessus scan on the entire network, specifically looking for every backdoor vulnerability that theapplication can check. This takes some time to compile, but you eventually end up with a list of issues to address on each machine. You move on to the Linux server, and run a fast Tripwire check on the system to look forany additional vulnerabilities. Once that check is done, you install SSH so that all access by every user will be encrypted to the server, and you run Bastille to lock down the system. At the Windows systems, you address any issues found during the Nessus scan, you ensure that each system is updated with the latest patches, and you ensure that the systems are allfunctioning as fully secure and functional file servers to the network by implementing the HISECWEB.INFtemplate in the Security Configuration and Analysis Snap-In.Finally, you work on each desktop machine by removing any vulnerabilities listed in the scan report. You remove a few pieces of unauthorized hardware and many unauthorized applications.

DYou being by running a Nessus scan from your office laptop on the systems in the network, first the servers, then the user workstations. After the scans are complete, you store the reports on your laptop, and you take your laptop to the server room. In the server room, you begin on the Windows servers. You implement a custom security template on eachserver using the Security Configuration and Analysis Snap-In, remove any unauthorized accounts, ensure that each system is updated with the latest patches, and ensure that the permissions on each shared object are as per policy. You then work on the Linux server, by addressing each point identified in the Nessusscan. You then lock thesystem with Bastille, ensure that each system is updated with the latestpatches, and run a quick Tripwire scan to create a baseline for the system. You take your laptop with you as you go throughout the network to each userworkstation, ensure that each system is updated with the latest patches, and you take care of each issue you found on the machines. There are a few systems that you find with unauthorized applications and you removethose applications.

EYou begin by running a Nessus scan on each computer in the network, using the \hotfix switch to create a full report. The report identifies every vulnerability on each system and lists the specific changes you must make to each system to fix any found vulnerabilities. You take the report to the server room and start with the Linux server. On the server, you run through the steps as outlined in the Nessus report, and end by locking the system using Bastille. Then, you move to the Windows systems, again following the steps of the Nessus report, and ending by using the Security Configuration and Analysis Snap-In to implement the GoldStandard template on every server. Finally, you proceed to each user workstation. At each user machine, you follow each step for each system, based on your report. Once you have addressed all the vulnerabilities in the systems, you run a quick Secedit scan on each system to ensure that they are all locked down and that proper encryption is configured.

Show Answer

Correct Answer: D

Question No. 5

Blue thanks you for your plan and design and took it into consideration. You are then informed that Orange has gone ahead and made a new plan, which will incorporate some of your suggestions, but is going to build the network a bit differently. In Testbed and in each remote office there will be a single self-sufficient CA hierarchy, one that is designed to directly integrate with the existing network. Orange mentions that the hierarchy is only to go two-levels deep, you are not to make an extensive hierarchy in any location. This means a distinct CA hierarchy in six locations, inclusive of the Testbed headquarters. Using this information, choose the solution that will provide for the proper rollout of the Certificate Authorities in the network.}

AIn each location, you recommend the following steps: 1.Harden a system to function as the Root CA
2.Harden a system to function as the Registration Authority 3.Configure CATool on the Root CA
4.Configure CATool on the Registration Authority, as a subordinate to the Root CA 5.Once the Subordinate CA is active, take the Root CA offline
6.Configure users for the CAs 7.Configure each Root CA to trust each other Root CA via cross certification 8.Test the CA hierarchy 9.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

BIn each location, you recommend the following steps: 1.Harden a system to function as the Root CA
2.Harden a system to function as a Registration Authority
3.Configure a Windows Enterprise Root CA
4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Stand-Alone Subordinate Enrollment Authority to function as the Registration Authority
6.Once the Stand-Alone Subordinate is installed, take the Enterprise Root CA offline
7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

CIn each location, you recommend the following steps: 1.Harden a system to function as the Root CA
2.Harden a system to function as the Registration Authority
3.Configure a Windows Enterprise Root CA
4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross
certification
5.Configure a Windows Enterprise Registration Authority, as a subordinate to the Enterprise Root CA
6.Once the Subordinate CA is active, take the Enterprise Root CA offline
7.Test the CA hierarchy7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

DIn each location, you recommend the following steps:
1.Harden a system to function as the Root CA
2.Harden a system to function as the Registration Authority
3.Configure a Windows Enterprise Root CA
4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification
5.Configure a Windows Registration Authority, as a subordinate to the Enterprise Root CA
6.Test the CA hierarchy 7.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

EIn each location, you recommend the following steps:
1.Harden a system to function as the Root CA
2.Harden a system to function as the Registration Authority
3.Configure CATool on the Root CA
4.Configure CATool on the Registration Authority, as a subordinate to the Root CA
5.Configure users for the CAs
6.Configure each Root CA to trust each other Root CA via cross certification
7.Test the CA hierarchy
8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

Show Answer

Correct Answer: D

Free SCP SC0-502 Exam Actual Questions

The questions for SC0-502 were last updated On Nov 3, 2024