Correct Answer: Use Network Time Protocol (NTP) ✅

Why?

• NTP (Network Time Protocol) ensures time synchronization across all devices (firewalls, IDS, logs).

• Accurate timestamps are critical for correlating security incidents across multiple systems (e.g., matching firewall logs with IDS alerts).

• Without synchronized time, investigating attacks or tracing events becomes unreliable.

Why Not the Others?

• Firewalls in NAT mode: Focuses on IP translation (irrelevant to log correlation).

• IPsec: Encrypts traffic but doesn’t help with log/event synchronization.

• SNMP: Monitors network devices but doesn’t standardize timestamps for forensic analysis.

Correct Answer: 172.168.12.4 ✅

Why?

• Class B IP addresses range from 128.0.0.0 to 191.255.255.255.

• 172.168.12.4 falls within this range (172 is within 128–191).

Why Not the Others?

• 255.255.255.0: A subnet mask (not an IP address).

• 18.12.4.1: A Class A address (1–126 in the first octet).

• 169.254.254.254: A link-local (APIPA) address (reserved for automatic private addressing, not Class B).

Correct Answer: 802.16 ✅

Why?

• IEEE 802.16 is the standard for Wireless Metropolitan Area Networks (WirelessMAN or «WiMAX»), designed for high-speed broadband wireless coverage over large areas (e.g., cities).

• It supports long-range communication (up to 50 km) and is optimized for MANs.

Why Not the Others?

• 802.15.4: Defines Zigbee and 6LoWPAN (used for low-power, short-range PANs, e.g., IoT).

• 802.15: Covers Wireless Personal Area Networks (WPANs) like Bluetooth (short-range).

• 802.12: Obsolete standard for 100 Mbps Ethernet over demand priority (not wireless).

Correct Answer: Malicious Code ✅

Why?

• Malicious code (e.g., viruses, worms, or trojans) can cause symptoms like:

  • Slow performance

  • Unauthorized restarts

  • System crashes/hangs

• The description matches a virus infection designed to disrupt normal operations.

Why Not the Others?

• Scans and probes: Involve reconnaissance (e.g., port scanning), not system disruption.

• Denial of Service (DoS): Overwhelms a system with traffic (network-based attack, not malware).

• Distributed Denial of Service (DDoS): A coordinated DoS attack from multiple sources (irrelevant here).

Key Point: The symptoms (slowness, forced restarts) point to malware execution, not network flooding or scanning.

Correct Answer: Install a CCTV with cameras pointing to the entrance doors and the street ✅

Why?

• CCTV (Closed-Circuit Television) provides 24/7 real-time monitoring of physical entry points (doors, perimeter) and records footage for later review.

• It deters unauthorized access (visible cameras discourage intruders) and provides evidence if incidents occur.

• Unlike passive measures (fences, lights), CCTV offers active surveillance with remote monitoring capabilities.

Why Not the Others?

• Fences: Only act as a physical barrier (no monitoring/recording).

• Lights: Improve visibility but don’t detect or record intrusions.

• IDS (Intrusion Detection System): Designed for network security (detects cyber threats, not physical breaches).

Correct Answer: Data Integrity ✅

Why?

• Digital signatures verify that emails have not been modified or altered during transmission, ensuring authenticity and integrity.

• While encryption (first step) ensures confidentiality, digital signatures specifically address tamper-proofing, which falls under data integrity.

Why Not the Others?

• Confidentiality: Only covers encryption (protects content from being read by unauthorized parties).

• Availability: Ensures systems/emails are accessible (unrelated to tampering detection).

• Usability: Focuses on user experience, not security mechanisms like signatures.

Correct Answer: Failure of the main node will affect all related child nodes connected to the main node ✅

Why?

• In a tree topology, communication flows hierarchically from the root (N) to main nodes (N1, N2) and then to their child nodes (N11, N12, N21, N22).

• If N1 fails, its dependent nodes (N11 and N12) lose connectivity because they rely on N1 for upstream communication.

• The root (N) and other branches (N2, N21, N22) remain unaffected since they operate independently.

Why Not the Others?

• «Affects all child nodes at the same level»: Incorrect. Only children of the failed node are impacted (e.g., N11/N12 fail if N1 fails, but N21/N22 remain operational).

• «No disturbance to child nodes»: Incorrect. Child nodes lose connectivity if their parent node fails.

• «Affects the root node only»: Incorrect. The root node remains functional; only the subtree under the failed node is disrupted.

Correct Answer: kill -9 [PID] ✅

Why?

• The kill -9 command sends a SIGKILL signal, forcefully terminating a process by its Process ID (PID).

• -9 ensures the process stops immediately, even if it’s unresponsive.

• Example: kill -9 1234 (where 1234 is the PID).

Why Not the Others?

• grep Kill [Target Process]: grep searches text, it doesn’t terminate processes.

• ps ax Kill: ps ax lists processes but doesn’t kill them (incorrect syntax).

• netstat Kill [Target Process]: netstat shows network connections, not process management.

Note: To find the PID first, use ps aux | grep [process_name] or pgrep [process_name]. Then use kill -9 [PID].

Correct Answer: NAT ✅

Why?

• NAT (Network Address Translation) allows multiple devices on a private network to share a limited number of public IP addresses.

• It enhances security by hiding internal IP addresses from external networks, complementing firewall filtering.

• NAT is specifically designed to reduce the need for public IPs while maintaining connectivity.

Why Not the Others?

• DMZ (Demilitarized Zone): Isolates public-facing servers but doesn’t restrict public IP usage.

• Proxies: Can mask IPs but are primarily for traffic filtering/caching, not IP conservation.

• VPN (Virtual Private Network): Secures remote access but doesn’t limit public IP consumption.

NAT directly addresses the need to minimize public IPs while improving firewall effectiveness.

Correct Answer: Risk Identification, Risk Assessment, Risk Treatment, Risk Monitoring & Review ✅

Why?
This is the standard risk management lifecycle:

1. Risk Identification – First, risks must be identified.

2. Risk Assessment – Then, their likelihood and impact are evaluated.

3. Risk Treatment – Mitigation strategies (avoid, transfer, mitigate, accept) are applied.

4. Risk Monitoring & Review – Risks are continuously tracked, and controls are reassessed.

Why Not the Others?

• Risk Treatment before Identification/Assessment: You can’t treat risks before knowing what they are or analyzing them.

• Risk Monitoring before Treatment: Monitoring is ineffective if no controls are in place yet.

• Risk Assessment first without Identification: Assessment requires knowing which risks exist.

This sequence follows best practices (ISO 31000, NIST, etc.).

Correct Answer: RAID 1 ✅

Why?

• RAID 1 (Mirroring) exactly matches the described setup:

  • Data written to one disk is automatically duplicated to another disk in real-time.

  • Provides redundancy by maintaining an identical copy («mirror»).

• This ensures full data backup if one disk fails.

Why Not the Others?

• RAID 0 (Striping): Splits data across disks for performance but no redundancy (high risk).

• RAID 3 (Striping + Parity): Uses parity for error recovery but requires 3+ disks and doesn’t mirror.

• RAID 5 (Striping + Distributed Parity): Balances performance/redundancy but doesn’t mirror—parity is calculated, not copied.

Correct Answer: Registration Authority (RA) ✅

Why?

• The Registration Authority (RA) acts as the verifier for the Certificate Authority (CA) by authenticating the identity of users/organizations before certificates are issued.

• It ensures that certificate requests are legitimate (e.g., validating domain ownership or business credentials).

Why Not the Others?

• Certificate Authority (CA): Issues certificates but relies on the RA for initial verification.

• Directory Management System: Stores/publicizes certificates (e.g., LDAP) but doesn’t verify identities.

• Certificate Management System: A tool to manage certificates but doesn’t validate identities.

Correct Answer: Steven should enable Network Address Translation (NAT) ✅

Why?

• NAT (Network Address Translation) allows multiple workstations to use private IP addresses (e.g., 192.168.x.x) internally while sharing a single (or few) public IP(s) for internet access.

• It hides internal IPs from the public internet, adding a layer of security by preventing direct exposure.

• NAT is a core firewall feature and directly addresses Steven’s needs:

  • Replace public IPs on workstations with private ones.

  • Centralize internet traffic through the firewall for protection.

Why Not the Others?

• DMZ (Demilitarized Zone): Isolates public-facing servers (e.g., web/mail servers) but doesn’t hide internal IPs or replace NAT.

• OSPF (Open Shortest Path First): A routing protocol (irrelevant to IP masking or firewall protection).

• IPsec: Encrypts traffic but doesn’t conceal private IPs or replace NAT’s functionality.

Correct Answer: Switch based ✅

Why?

• Switch-based monitoring requires extra tools like port mirroring (SPAN) or network TAPs because switches isolate traffic by default (unlike hubs).

• Without these, switches don’t forward all traffic to a monitoring port, necessitating additional hardware/software.

Why Not the Others?

• Hub-based: Hubs broadcast all traffic to all ports, so no extra tools are needed for monitoring.

• Router-based: Routers can log/netflow traffic natively, though advanced analysis may need extra software.

• Non-router based: Generic term; doesn’t specify if extra tools are required.

Correct Answer: Reliability ✅

Why?

• Reliability is the most critical factor for backup media—it ensures data can be recovered intact when needed.

• Backup media must be durable, error-resistant, and stable over time (e.g., enterprise tape drives, cloud storage with checksums).

• Unreliable backups risk data corruption or loss, defeating the purpose of a backup plan.

Why Not the Others?

• Capability: Too vague—most media can store data, but reliability determines if it’s usable later.

• Accountability: Refers to tracking access/modifications (important for audits but secondary to backup integrity).

• Extensibility: Pertains to scalability (e.g., adding storage), but unreliable media fails regardless of capacity.

Correct Answer: tcp.flags==0x2b ✅

Why?

• TCP OS fingerprinting relies on analyzing TCP header flags and options (e.g., SYN packets with unusual combinations).

• The filter tcp.flags==0x2b captures:

  • SYN + ACK + URG + PSH + FIN flags (hex 0x2b = binary 00101011).

  • Attackers often manipulate these flags to probe OS-specific responses.

Why Not the Others?

• tcp.flags=0x00: Matches packets with no flags set (rarely used in fingerprinting).

• tcp.options.mss_val<1460: Filters MSS values but doesn’t directly indicate fingerprinting.

• tcp.options.wscale_val==20: Focuses on window scaling (a single parameter, not definitive for fingerprinting).

Correct Answer: Incremental backup ✅

Why?

• Incremental backups only save files created/modified since the last backup (whether full or incremental).

• This method is:

  • Storage-efficient (minimizes backup size).

  • Faster (only new/changed files are copied).

• Example workflow:

  • Day 1: Full backup (all files).

  • Day 2: Backup only files changed since Day 1.

  • Day 3: Backup only files changed since Day 2.

Why Not the Others?

• Full backup: Copies all files every time (inefficient for daily backups).

• Differential backup: Saves files changed since the last full backup (not the last backup of any type).

• Normal backup: Synonym for full backup (not selective).

Correct Answer: Edit the PAM file to enforce Windows Authentication ✅

Why?

• Pluggable Authentication Modules (PAM) is the Linux framework that controls authentication.

• To enforce Windows Active Directory (AD) authentication, you must:

  1. Configure PAM (/etc/pam.d/) to integrate with winbind or sssd (tools for AD integration).

  2. Modify PAM rules to prioritize AD authentication (e.g., auth required pam_winbind.so).

• This ensures all logins validate against AD, complying with the security policy.

Why Not the Others?

• ADLIN file: Doesn’t exist in standard Linux systems.

• Shadow file: Stores local passwords (bypasses AD authentication).

• /var/bin/localauth.conf: Fictitious file; not part of Linux auth systems.

Correct Answer: Unstructured Threats ✅

Why?

• Unstructured threats come from unskilled individuals (e.g., script kiddies, casual hackers) who lack advanced tools or methodologies.

• They typically use:

  • Pre-written scripts/tools.

  • Basic attacks like phishing or simple malware.

• Their actions are opportunistic, not targeted or well-planned.

Why Not the Others?

• Structured Threats: Sophisticated attackers (e.g., APTs, organized crime) with advanced skills/resources.

• External Threats: Originate outside the network (could be structured or unstructured).

• Internal Threats: Come from insiders (employees, contractors)—skill level varies.

Correct Answer: Make an initial assessment ✅

Why?

• First responders must quickly verify the nature of the incident before taking action.

• Steps include:

  • Confirming if traffic is malicious (e.g., unusual spikes, known attack patterns).

  • Identifying affected systems/services.

  • Checking logs/Wireshark details (source IPs, protocols).

Why Not the Others?

• Avoid Fear, Uncertainty, and Doubt (FUD): A general principle, but not an action.

• Communicate the incident: Critical, but only after assessment (to avoid false alarms).

• Disable Virus Protection: Harmful—antivirus might detect/block attack vectors.

Correct Answer: ARP Sweep ✅

Why?

• An ARP Sweep (or ARP Scan) involves sending a high volume of ARP requests to map IP addresses to MAC addresses across the network.

  • Attackers use it to discover live hosts (reconnaissance phase).

  • James is checking for:

    • Unusual ARP request traffic.

    • Suspicious source IPs (e.g., external or unexpected internal IPs).

Why Not the Others?

• ARP Spoofing/Poisoning: Involves forging ARP replies (not requests) to redirect traffic (e.g., MITM attacks).

• ARP Misconfiguration: Causes duplicate IPs or MAC conflicts (not malicious traffic patterns).

Correct Answer: Pipe Model ✅

Why?

• The Pipe Model in VPN QoS guarantees dedicated bandwidth between two Customer Edge (CE) devices, simulating a private «pipe.»

  • Traffic is isolated and predictable, with fixed resources (e.g., 10 Mbps between Site A and Site B).

  • Ideal for point-to-point or strict SLA requirements.

Why Not the Others?

• Hose Model: Provides shared bandwidth (like a «hose») across multiple sites, but no guarantees between specific CEs.

• Hub-and-Spoke VPN: Centralizes traffic through a hub, but QoS varies based on spoke-to-spoke paths.

• AAA Model: Focuses on authentication/accounting (irrelevant to traffic guarantees).

Correct Answer: A follow-up ✅

Why?

• The final step in incident response is follow-up (or lessons learned). This includes:

  • Post-incident review to analyze what happened and why.

  • Documenting improvements for future prevention.

  • Updating policies/training based on findings.

• It ensures the organization is better prepared for future incidents.

Why Not the Others?

• Containment: Done early to stop the threat from spreading (not last).

• Eradication: Removing the threat (e.g., malware) happens mid-process.

• Recovery: Restoring systems occurs before follow-up but isn’t the final step.

Correct Answer: The network layer ✅

Why?

• IPsec (Internet Protocol Security) operates at Layer 3 (Network Layer) of the OSI model.

  • It encrypts and authenticates IP packets directly, securing data at the network level.

  • Functions include:

    • Encapsulating Security Payload (ESP): Encrypts packet payloads.

    • Authentication Header (AH): Ensures packet integrity.

• IPsec is independent of applications (Layer 7) or physical links (Layer 1/2), making it versatile for VPNs.

Why Not the Others?

• Data Link Layer (L2): Handles MAC addresses/frames (e.g., Ethernet, PPP)—IPsec doesn’t function here.

• Session Layer (L5): Manages dialogues (e.g., RPC), but IPsec doesn’t rely on sessions.

• Application/Physical Layers (L1/L7): IPsec doesn’t interact with physical media or app data directly.

Correct Answer: Internet usage ✅

Why?

• Companies typically establish Internet Usage Policies to define:

  • Employee monitoring rights (e.g., web browsing, email, network activity).

  • Acceptable use of company systems.

• These policies legally justify monitoring for productivity, security, or compliance (e.g., blocking malicious sites).

Why Not the Others?

• Information System Policy: Covers broader IT infrastructure (not specifically monitoring).

• User Access Control: Governs permissions (e.g., role-based access), not activity tracking.

• Confidential Data Policy: Focuses on data protection (e.g., NDAs), not behavioral monitoring.

Correct Answer: PCI DSS ✅

Why?

• PCI DSS (Payment Card Industry Data Security Standard) is the global security standard specifically designed to protect cardholder data.

  • Mandates encryption, access controls, network monitoring, and regular audits for any organization handling credit/debit card transactions.

  • Non-compliance can result in heavy fines or revoked processing privileges.

Why Not the Others?

• HIPAA: Protects healthcare data (irrelevant to cardholder info).

• ISEC: Not a recognized security standard.

• SOX (Sarbanes-Oxley): Focuses on financial reporting integrity (not payment card security).

Correct Answer: SAN ✅

Why?

• SAN (Storage Area Network) is a dedicated high-speed network that separates storage devices (e.g., disk arrays) from servers and user networks.

  • Uses Fibre Channel or iSCSI for block-level storage access.

  • Ideal for enterprises needing scalable, centralized storage with minimal latency.

Why Not the Others?

• NAS (Network Attached Storage): Shares storage at the file level (not block-level) over existing LANs (less isolated).

• SCSA/SAS: Not valid storage network terms.

Correct Answer: Default deny ✅

Why?

• Default deny is a security strategy where the firewall blocks all traffic by default, only allowing explicitly permitted services.

• Jason’s approach matches this:

  • Whitelisting specific services (allowed).

  • Denying everything else (default stance).

• This minimizes attack surfaces by blocking unauthorized traffic automatically.

Why Not the Others?

• Default allow: Permits all traffic unless blocked (high risk, opposite of Jason’s policy).

• Default restrict/access: Not standard firewall terminology.

orrect Answer: Extreme ✅

Why?

• Risk matrices evaluate risk based on two factors:

  1. Likelihood (Probability): «Very high» (as stated).

  2. Impact: «80% of the bank’s business» (critical/catastrophic).

• Extreme risk is assigned when high probability meets high impact, warranting immediate action (e.g., mitigation, contingency plans).

Why Not the Others?

• High: Reserved for either high probability or high impact (not both).

• Medium/Low: Underestimates the severity (e.g., medium = moderate probability or impact).

Correct Answer: netstat -ao ✅

Why?

• netstat -ao is the most effective option available to check both open ports and the applications using them:

  • -a: Displays all active connections and listening ports.

  • -o: Shows the Process ID (PID) of applications bound to each port.

• This lets Alex:

  • Identify suspicious ports (e.g., unexpected listeners like 0.0.0.0:1234).

  • Trace PIDs to specific apps in Task Manager (e.g., PID 5678 → malware.exe).

Why Not the Others?

• netstat -an: Shows ports and IPs but no PIDs (can’t link ports to apps).

• netstat -o: Shows PIDs but only for active connections (misses listening ports).

• netstat -a: Shows ports but no PIDs or numeric IPs (harder to analyze).

Correct Answer: Lyle would be best suited if he chose a NIPS implementation ✅

Why?

• NIPS (Network Intrusion Prevention System) is the ideal solution for Lyle’s requirements because it:

  • Operates network-wide, protecting all connected devices (workstations, servers, etc.).

  • Automatically drops malicious packets (e.g., exploits, malware traffic) in real time.

  • Is easier/faster to deploy than host-based solutions (no need to install agents on every endpoint).

  • Provides centralized management, saving time for Lyle’s small IT team.

Why Not the Others?

• HIDS/HIPS (Host-based): Requires installation on each computer (time-consuming for 150+ workstations).

• NEPT (Not a standard security term): Likely a distractor with no relevance.

The correct parameters required to calculate the risk factor are:

✅ Risk Factor = Threat × Vulnerability × Impact

Why These Parameters?

1. Threat: The potential source of harm (e.g., hackers, malware, natural disasters).

2. Vulnerability: Weaknesses (flaws/gaps) that threats could exploit (e.g., unpatched software, misconfigurations).

3. Impact: The consequence if the threat exploits the vulnerability (e.g., data loss, downtime, financial damage).

Why Not «Attack»?

• Attack is an action (e.g., phishing, DDoS), not a parameter for risk calculation. It’s a subset of threat (which encompasses both capability and intent).

Correct Answer: A NIDS device would work best for the company ✅

Why?

• NIDS (Network Intrusion Detection System) fits the company’s requirements perfectly because it:

  • Monitors network traffic for malicious/irregular activity (e.g., exploits, scans).

  • Alerts IT staff without blocking or dropping traffic (passive monitoring).

  • Operates out-of-band, analyzing copies of traffic (no impact on network performance).

Why Not the Others?

• NIPS (Network Intrusion Prevention System): Actively blocks/drops malicious traffic (violates the «no dropping» requirement).

• HIDS/HIPS (Host-based): Monitors/protects individual endpoints (not network-wide).

Correct Answer: Circuit-level gateway ✅

Why?

• Circuit-level gateways operate at the session layer (Layer 5) of the OSI model:

  • They monitor TCP handshakes (SYN, ACK) to validate sessions without inspecting packet contents.

  • Hide private network info by acting as an intermediary (e.g., SOCKS firewall proxies).

Why Not the Others?

• Application-level gateway (Proxy firewall): Works at Layer 7 (inspects app-layer data like HTTP/SMTP).

• Stateful multilayer inspection: Combines Layer 3 (network) and Layer 4 (transport) inspection (tracks connection state).

• Packet filtering: Operates at Layer 3/4 (no session-layer functionality or privacy masking).

Correct Answer: Signature-based IDS ✅

Why?

• Signature-based IDS relies on pattern matching to detect threats:

  • Compares network traffic against a database of known attack signatures (e.g., malware patterns, exploit code).

  • Effective against known threats (e.g., SQL injection, ransomware signatures).

Why Not the Others?

• Anomaly-based IDS: Uses baselines of normal behavior to flag deviations (no pattern matching).

• Behavior-based IDS: Focuses on user/entity behavior analytics (UEBA), not predefined patterns.

• Stateful protocol analysis: Monitors protocols for compliance with standards (e.g., HTTP/SSL anomalies).

The correct command to update Red Hat computers (RHEL-based systems), download security packages, force installations, and update all installed packages is:

✅ up2date -d -f -u

Why?

• up2date is Red Hat’s legacy package management tool (modern RHEL uses yum or dnf, but older systems may still use up2date).

• Flags:

  • -d: Download packages.

  • -f: Force installation (overrides conflicts).

  • -u: Update all installed packages.

Why Not the Others?

• up2data -u: Misspelled (up2date is correct). Missing -d (download) and -f (force).

• WSUS -d -f -u: WSUS is a Windows-only update service (irrelevant for Linux).

• sysupdate -d: Not a valid Red Hat command.

Correct Answer: Issue-Specific Security Policy (ISSP) ✅

Why?

An Acceptable Use Policy (AUP) is an Issue-Specific Security Policy (ISSP) because:

• It addresses specific behavioral guidelines (e.g., proper use of company IT resources, internet, email).

• ISSPs are focused policies (unlike broad EISP or technical SSSP).

• Examples of AUPs under ISSP:

  • «No personal streaming on work devices.»

  • «Prohibited: Bypassing security controls.»

Why Not the Others?

• Enterprise Information Security Policy (EISP): High-level framework (e.g., «We value security»), not granular rules.

• System-Specific Policy (SSSP): Technical controls (e.g., «Firewall rules for Server X»).

• Incident Response Policy (IRP): Procedures for handling breaches (irrelevant to daily use guidelines).

Correct Countermeasures for Malware Prevention:

✅ Install antivirus software
(Essential for real-time malware detection and blocking.)

✅ Implementing strong authentication schemes (e.g., MFA)
(Prevents unauthorized access even if passwords are compromised.)

✅ Complying with the company’s security policies
(Ensures patch management, least privilege, and other critical controls.)

Why Not «Strong Password Policy»?

While important, passwords alone are ineffective against most malware (e.g., phishing, exploits, or drive-by downloads don’t always need passwords). Focus on:

• Antivirus (blocks execution).

• Authentication (e.g., MFA stops credential-based attacks).

• Policies (e.g., disabling macros, restricting admin rights).

Correct Answer: This address means that the source is using an IPv6 address and is spoofed, signifying an IPv4 address of 127.0.0.1 ✅

Why?

• The address 1080:0:FF:0:8:800:200C:4171 is a valid IPv6 address.

• However, this specific IPv6 format embeds an IPv4 loopback address (127.0.0.1) in its structure:

  • The ::FF:0:... segment is part of a transitional IPv6 format (e.g., IPv4-mapped IPv6).

  • When decoded, it often points back to localhost (127.0.0.1)—a common spoofing tactic.

Why Not the Others?

• «Translates as 13.1.68.3»: Incorrect—no standard IPv6-to-IPv4 translation results in this.

• «802.1x»: Irrelevant—this is an authentication protocol, not an addressing scheme.

• «IPv4»: Wrong—the address is clearly IPv6.

The correct Wireshark filter to detect TCP packets with no flags set is:

✅ tcp.flags == 0x000

Why?

• In TCP, flags (SYN, ACK, FIN, etc.) are represented by hexadecimal values in the packet header.

• 0x000 means all flags are unset (binary 000000).

• This is rare in normal traffic, making it useful to detect:

  • Port scans (e.g., NULL scans).

  • Malformed packets (used in evasion/DDoS attacks).

Why Not the Others?

• tcp.flags == 0000x, 000x0, x0000: Invalid syntax (Wireshark expects 0x prefix for hex values).

Correct Answer: They could use Tripwire ✅

Why?

• Tripwire is a file integrity monitoring (FIM) tool designed to:

  • Detect unauthorized changes to critical files (e.g., website content, system binaries).

  • Generate alerts when files are modified, added, or deleted.

  • Compare current file states against a cryptographic baseline (e.g., SHA-256 hashes).

Why Not the Others?

• Snort: An IDS/IPS for network traffic (already deployed—failed to prevent this attack).

• Wireshark: A packet analyzer (useful for traffic inspection, not file monitoring).

• Nessus: A vulnerability scanner (proactive, not reactive to file changes).

Correct Answer: IP Layer (Network Layer) ✅

Why?

• Packet-filtering firewalls operate at the IP Layer (Layer 3) of the TCP/IP model (equivalent to the Network Layer in OSI).

  • They inspect IP headers (source/destination IP, protocol) and TCP/UDP ports (Layer 4).

  • Decisions are based on:

    • Source/Destination IP addresses.

    • Protocol type (e.g., TCP, UDP, ICMP).

    • Port numbers (e.g., block port 23/TELNET).

Why Not the Others?

• Application Layer (L7): Proxy firewalls work here (e.g., HTTP filtering).

• Network Interface Layer (L1/L2): MAC filtering happens here (not packet filtering).

• TCP Layer (L4): While packet filters use ports (L4), their primary operation is at L3.

Correct Answer: CCMP (AES-CCMP) with CBC-MAC ✅

Why?

• WPA2 uses CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) as its default encryption/integrity mechanism.

  • CBC-MAC (Cipher Block Chaining Message Authentication Code) is the integrity check component of CCMP.

  • It prevents replay attacks by validating packet authenticity (tampered packets are discarded).

Why Not the Others?

• CRC-32/CRC-MAC: Used in WEP (weak and deprecated).

• CBC-32: Not a valid cryptographic term.

Correct Answer: ISO/IEC 27005 ✅

Why?

• ISO/IEC 27005 is the dedicated standard for information security risk management, providing:

  • Guidelines for risk assessment, treatment, and continuous monitoring.

  • Alignment with ISO 27001 (ISMS requirements).

• It covers:

  • Risk identification, analysis, evaluation.

  • Risk treatment options (avoid, transfer, mitigate, accept).

Why Not the Others?

• ISO 27002: Code of practice for controls (e.g., Annex A of ISO 27001), but not risk-specific.

• ISO 27004: Metrics for measuring security effectiveness (post-implementation).

• ISO 27006: Guidelines for auditing certification bodies (irrelevant to risk management).

Correct Answer:
✅ Their first step is the acquisition of required documents, reviewing of security policies and compliance.

Why?

1. Foundation First: Before analysis or hypotheses, the team must:

   • Gather network diagrams, asset inventories, and security policies.

   • Review compliance requirements (e.g., PCI DSS, HIPAA) to align the assessment scope.

2. Collaborative Clarity: Non-IT members (Accounting, Marketing, etc.) need context from documents to contribute effectively.

3. Avoid Assumptions: Skipping this step risks gaps (e.g., missing critical systems or policies).

Why Not the Others?

• Analyze gathered data: Premature—data can’t be analyzed without first knowing what systems/policies exist.

• Hypothesize findings: Unscientific—vulnerability assessments rely on evidence, not guesses.

• Executive report: Done after the assessment, not before.

Correct Answer: SRAM (Static RAM) ✅

Why?

• SRAM provides ultra-fast access times (as low as 10–20 ns), making it ideal for:

  • RAID controllers needing rapid cache operations (e.g., write-back caching).

  • High-performance storage systems where low latency is critical.

• Volatile but faster than DRAM: No refresh cycles needed (unlike SDRAM).

Why Not the Others?

• NVRAM (Non-Volatile RAM): Persistent but slower (used for logs, not caching).

• SDRAM (Synchronous DRAM): Common in PCs but slower (~50–100 ns).

• NAND Flash: Slow (ms-level access) and wears out—used for SSDs, not caching.

Correct Answer: Attorney ✅

Why?

• An attorney (lawyer) is the only qualified professional who can:

  • Provide legal advice on privacy laws (e.g., CCPA, HIPAA).

  • Represent the company in court against Harry’s lawsuit.

  • Navigate defamation, privacy breaches, or wrongful disclosure claims.

Why Not the Others?

• PR Specialist: Handles public image (e.g., press releases), not legal defense.

• Incident Handler: Manages cybersecurity breaches, not lawsuits.

• Evidence Manager: Organizes digital forensics (useful for investigations but not legal counsel).

Correct Answer: Physical Layer (Layer 1) and Data Link Layer (Layer 2) ✅

Why?

A Network Interface Card (NIC) operates across two OSI layers:

1. Physical Layer (Layer 1):

   • Handles electrical signals, cabling, and bit transmission (e.g., converting digital data to electrical/optical signals).

2. Data Link Layer (Layer 2):

   • Manages MAC addressing, Ethernet framing, and error detection (e.g., CRC checks).

Why Not the Others?

• Network Layer (L3): Handles IP addressing (routers, not NICs).

• Presentation/Session Layers (L5/L6): Deal with data formatting/encryption and session management (irrelevant to NICs).

Based on the requirement of «should not be expensive» while still providing data redundancy, the most appropriate RAID level Nancy should suggest is:

✅ RAID 1

Why RAID 1?

• Cost-Effective: Only requires 2 disks (no additional parity disks like RAID 3/5/6).

• Redundancy: Full mirroring (if one disk fails, data is intact on the other).

• Simplicity: Easy to implement and manage.

Why Not the Others?

• RAID 0: No redundancy (unsafe for critical data).

• RAID 10: Combines mirroring + striping but requires 4+ disks (more expensive).

• RAID 3: Uses parity (requires 3+ disks and specialized hardware).

Correct Answer: Based on the potential technical effect of the incident ✅

Why?

As a network administrator in a bank, your priority must be business continuity and risk mitigation. Here’s how to assess:

1. Main Server Connectivity Issue

   • Impact: Critical. Likely affects multiple employees, transactions, or customer services.

   • Urgency: High. Could indicate network failure, security breach, or hardware crash.

   • Action: Immediate investigation (check server logs, network paths, security alerts).

2. Single Employee Login Issue

   • Impact: Isolated. Likely a local account/password problem.

   • Urgency: Low. Can be deferred or delegated to helpdesk.

Why Not the Others?

• First come, first served: Irresponsible in banking—ignores risk severity.

• Management approval: Too slow for time-sensitive outages.

• Type of response needed: Secondary to technical impact analysis.