SCP SC0-502 問題集

質問 1：
You have now been involved in several major changes in the security of GlobalCorp, and specifically the Testbed campus. You have worked on the planning and design of the trusted network, you have worked on the initial rollout of the CA hierarchy, you have worked on assigning certificates to the end users and computers in the Executive building of the Testbed campus, and you have managed the implementation of secure email a critical service for GlobalCorp.
Blue has asked you to meet with the other administrative staff of the Testbed campus and discuss how the certificates will impact the organization. There are a total of about 40 people in the meeting, and you have decided that your primary focus during this meeting will be on encryption\cryptography.
Choose the best solution for providing the correct information to your administrative staff on how encryption\cryptography and digital certificates will be properly used in the network:}
A. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the GlobalCorp network.
You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA and UserB have a set of mathematically linked keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the private key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, the public key to decrypt the message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them that RSA was the first widely used private key algorithm, and that RSA itself is not used to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman was another breakthrough in that it was a private key algorithm that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the entity that issued the certificate, and a Subject Field that holds the distinguished name of the person who has the private key that corresponds to the public key in the certificate.
B. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the GlobalCorp network.
You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA and UserB have a set of mathematically linked keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the public key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, the private key to decrypt the message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them that RSA was the first widely used private key algorithm, and that RSA itself is not used to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman was another breakthrough in that it was a private key algorithm that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the entity that issued the certificate, and a Subject Field that holds the distinguished name of the person who has the private key that corresponds to the public key in the certificate.
C. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the GlobalCorp network.
You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA has a pair of keys and UserB has a pair of keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserB will use the public key that UserA has made available to encrypt the message. Once encrypted, UserB will send the message over the network to UserA. UserA will then use the other key of the pair, the private key to decrypt the message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them that Diffie-Hellman was the first widely used private key algorithm, and that Diffie-Hellman itself is not used to secure messages, rather to exchange a symmetric key. You explain that RSA was another breakthrough in that it was a private key algorithm that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the entity that issued the certificate, and a Subject Field that holds the distinguished name of the person who has the private key that corresponds to the public key in the certificate.
D. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the GlobalCorp network.
You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA and UserB have a set of mathematically linked keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the private key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, the public key to decrypt the message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them that RSA was the first widely used private key algorithm, and that RSA itself is not used to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman was another breakthrough in that it was a private key algorithm that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the person who issued the certificate, and a Subject Field that holds the full OIDs describing the use of the certificate by the holder of the certificate.
E. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the GlobalCorp network.
You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA has a pair of keys and UserB has a pair of keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the public key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, called the private key, to decrypt the message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them that Diffie-Hellman was the first widely used public key algorithm, and that Diffie-Hellman itself is not used to secure messages, rather to exchange a symmetric key. You explain that RSA was another breakthrough in that it was a public key algorithm that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the entity that issued the certificate, and a Subject Field that holds the distinguished name of the person who has the private key that corresponds to the public key in the certificate.
正解：E

質問 2：
You have now seen to it that all end users and computers in the Testbed office have received their certificates. The administrative staff has been trained on their use and function in the network. The following day, you meet with Orange to discuss the progress.
"So far so good," starts Orange, "all the users have their certificates, all the computers have their certificates. I think we are moving forward at a solid pace. We have talked about the ways we will use our certificates, and we need to move towards securing our network traffic."
"I agree," you reply, "last week I ran a scheduled scan, and we still have vulnerability in our network traffic. The folks from MassiveCorp would love to have a sniffer running in here, I sure of that."
"That exactly the point. We need a system in place that will ensure that our network traffic is not so vulnerable to sniffing. We have to get some protection for our packets. I like you to design the system and then we can review it together."
The meeting ends a few minutes later, and you are back in your office working on the design. Choose the best solution for protecting the network traffic in the executive office of the Testbed campus:}
A. After further analysis on the situation, you decide that you will need to block traffic in a more complete way at the border firewalls. You have decided that by implementing stricter border control, you will be able to manage the security risk of the packets that enter and leave the network better.
You implement a new firewall at each border crossing point. You will configure half of the firewalls with Checkpoint FW-1 NG and the other half with Microsoft ISA. By using two different firewalls, you are confident that you will be minimizing any mass vulnerability.
At each firewall you implement a new digital certificate for server authentication, and you configure the firewall to require every user to authenticate all user connections. You block all unauthorized traffic and run remote test scans to ensure that no information is leaking through.
Once the test scans are complete, you verify that all users are required to authenticate with the new firewall before their traffic is allowed to pass, and everything works as you planned.
B. You decide that you will implement an IPSec solution, using custom IPSec settings. You wish to utilize the digital certificates that are available in the network. You decide that you wish for there to be maximum strength, and therefore you choose to implement IPSec using both AH and ESP.
First, you configure a custom policy for the servers in the network. You verify that none of the default policies are currently implemented, and you create a new policy. Your new policy will use SHA for AH and SHA+3DES for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the servers that you can and use secedit to force the others to refresh their policy.
Next, with the help of the administrative staff, you will configure each client in the network. For the clients, you verify that no default policy is enabled, and you create a policy that uses SHA for AH and SHA+3DES for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the client machines that you can and use secedit to force the others to refresh their policy.
C. You spend time analyzing the network and decide that the best solution is to take advantage of VPN technology. You will create one VPN endpoint in each building. Your plan is to create a unique tunnel between each building.
You first install a new Microsoft machine, and configure it to perform the functions of Routing and Remote Access. You then create a tunnel endpoint, and configure each machine to use L2TP to create the tunnel.
To increase security, you will implement full 256-bit encryption on each tunnel, and you will use 3DES on one half of the tunnels and AES on the other half of the tunnels. You will be sure that each tunnel uses the same algorithm on both ends, but by using two algorithms you are sure that you have increased the security of the network in a significant way.
D. You decide that you will implement an IPSec solution, using the built-in functionality of Windows. You decide that you wish for there to be maximum strength, and therefore you choose to implement IPSec using both AH and ESP.
First, you configure each server in the network with a new IPSec policy. You choose to implement the default Server IPSec Policy. Using this policy you are sure that all communication both to and from the server will utilize IPSec. You reboot the servers that you can and use secedit to force the others to refresh their policy.
Next, with the help of the administrative staff, you will configure each client in the network. For the clients, you use the default Client IPSec Policy. You reboot the client machines that you can and use secedit to force the others to refresh their policy.
E. You decide that you will implement an IPSec solution, using custom IPSec settings. You wish to utilize the digital certificates that are available in the network. You decide that you wish for there to be maximum strength, and therefore you choose to implement IPSec using both AH and ESP.
First, you configure a custom policy for the servers in the network. To increase strength, you will implement your custom policy on top of the default Server IPSec Policy. You verify that the policy is running, and then you create a new policy. Your new policy will use SHA+3DES for AH and SHA for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the servers that you can and use secedit to force the others to refresh the two policies.
Next, with the help of the administrative staff, you will configure each client in the network. For the clients you also need the highest in security, so you will use a custom policy on the default policy. You verify that the default Client IPSec policy is enabled, and then you create a policy that uses SHA+3DES for AH and SHA for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the client machines that you can and use secedit to force the others to refresh the two policies.
正解：B

質問 3：
You had been taking a short vacation, and when you come into work on Monday morning, Blue is already at your door, waiting to talk to you.
"We're got a problem," Blue says, "It seems that the password used by our Vice President of Engineering has been compromised." Over the weekend, we found this account had logged into the network 25 times. The Vice President was not even in the office over the weekend."
"Did we get the source of the compromise yet?"
"No, but it won't surprise me if it is our new neighbors at MassiveCorp. I need to you to come up with a realistic plan and bring it to me tomorrow afternoon. This problem must be resolved, and like everything else we do not have unlimited funds so keep that in mind."
Based on this information, choose the best solution to the password local authentication problem in the Executive building.}
A. Since you are aware of the significance of the password problems, you plan to address the
problem using technology. You write up a plan for Blue that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a token-
based authentication system.
2.You will install the RSA SecurID time-based token system.
3.You will create SecurID user records for each user to match their domain accounts.
4.You will assign each user record a unique token.
5.You will hand deliver the tokens to the correct executive.
6.Users will be allowed to create their own PIN, which will be 4 characters long.
7.The tokens will replace all passwords for authentication into each user Windows system.
B. Since you are aware of the significance of the password problems, and since you do not have
unlimited funds, you plan to address this problem through education and through awareness. You
write up a plan for Blue that includes the following points:
1.All end users are to be trained on the methods of making strong passwords
2.All end users are instructed that they are to change their password at a minimum of every 30
days.
3.The administrative staff is to run password-checking utilities on all passwords every 30 days.
4.All end users are to be trained on the importance of never disclosing their password to any other
individual.
5.All end users are to be trained on the importance of never writing down their passwords where
they are clearly visible.
C. Since you are aware of the significance of the password problems, you plan to address the
problem using technology. You write up a plan for Blue that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a token-
based authentication system.
2.You will install the RSA SecurID challenge-response token system.
3.You will create SecurID user records for each user to match their domain accounts.
4.You will assign each user record a unique token.
5.You will hand deliver the tokens to the correct executive.
6.Users will be required to use tokencodes from the One-Time tokencode list. The tokencodes will
be alphanumeric and will be 4 characters long.
7.The tokens will replace all passwords for authentication into each user Windows system.
D. Since you are aware of the significance of the password problems, you plan to address the
problem using technology. You write up a plan for Blue that includes the following points: 1.You will reconfigure the Testbed.globalcorp.org domain to control the password problem. 2.You will configure AD in this domain so that complex password policies are required. 3.The complex password policies will include:
a.Password length of at least 8 charactersa.
b.Passwords must be alphanumericb.
c.Passwords must meet Gold Standard of complexityc.
d.Passwords must be changed every 30 daysd.
e.Passwords cannot be reusede.
E. Since you are aware of the significance of the password problems, plan to address the problem
using technology. You write up a plan for Blue that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a
biometric solution.
2.You will install retinal scanners at every user desktop in the executive building.
3.You will personally enroll each user at each desktop.
4.You will instruct each user on the proper positioning and use of the scanner.
5.The biometric system will replace all passwords for authentication into each user Windows
system.
正解：A

質問 4：
Now that the network is moving towards a trusted network, you are preparing for the specific new implementations in GlobalCorp. Just as you wrap up some paperwork for the morning, Orange calls you and lets you know that you are going to be needed in a meeting this afternoon.
You get to Orange's office and sit down at the desk. Orange begins the conversation, " You know we have some solid fundamental issues addressed in our new trusted network, but I have yet to feel that we have addressed any serious concerns."
"Ie been thinking about some similar issues," you reply.
"Good, then I sure you have been thinking about our email. Right now, I cannot guarantee the integrity of any email, and I cannot guarantee the confidentiality of any email. We have reasonable controls towards guaranteeing the availability of our email, but what the point if there is no confidentiality or integrity?"
"I agree. I think that addressing this issue should be an immediate priority."
"One concern is that whatever the system is that we put in place, it must be very user-friendly. As we roll out these new systems, anything that will significantly increase the calls into the help desk is something we need to minimize. A second concern is that it not be too costly. We already have this new investment in the trusted network, we need to be sure that we utilize what are building to the fullest extent possible."
"I think we should be able to do that without much difficulty. I already have some solid ideas," you reply.
"OK, take a few days on this. For the moment, just concern yourself with the executive building; the others can follow the plan in their own buildings. Let meet again this coming Monday and you can describe your suggestion then."
Based on this conversation, and your knowledge of GlobalCorp, select the best solution to the email problems in the network.}
A. After careful consideration you decide that you will implement secure email in a test group using PGP. You will use a full licensed version of PGP. You will go to each computer and you will install the full PGP on each system.
Once installed, you will show each user how to create a PGP certificate by requesting the certificate from the CATool CA server you installed specifically for secure email. After the user has received a certificate, you associate that PGP certificate with their Windows domain user account.
With the PGP certificate associated with the user account, you show each user how to manage their key ring. You show them how to generate their key, and you configure all user key strength to be 2048 bits. Now that the user has a strong key and a PGP certificate, you configure the email client of each user.
You explain that each user will have to install the public key of each other user in the network. You test this by sending an email from your laptop with your PGP certificate attached, and you have the user save the attachment to their Outlook folder. With the certificate saved, you show them how to send secure email to you. You receive the email on your laptop, and double-click the lock to show the user that the secure email message was successfully sent and received.
B. After careful consideration you decide that you will implement secure email in a test group using X.509v3 digital certificates. You choose this since every user received their certificate during an earlier phase, and those certificates included the ability to be used for secure email.
You will configure each machine to use PGP, with the X.509v3 certificates option. You go to each computer and open Outlook Express, which is the default client email program in the test group. You go to the Tools and Account option, selecting the Mail tab, and the properties for the email account.
You select he Security Tab and in the submenu for the Signing Certificate you configure the certificate for the user account. You select DSA and ElGamal as the cryptosystem to use. You then check the Encrypt Contents And Attachments For All Outgoing Messages check box and the Digitally Sign All Outgoing Messages check box. You accept the default of including the digital id when sending signed messages and the default to add sender certificates to the user address book, and close the properties the email account.
You show the user how to send and receive email, showing the Purple ribbon that indicates a signed message and the Orange lock that indicates an encrypted message.
C. After careful consideration you decide that you will implement secure email in a test group using X.509v3 digital certificates. You choose this since every user received their certificate during an earlier phase, and those certificates included the ability to be used for secure email.
Using the X.509v3 certificates, you will configure each machine to use S\MIME. You go to each computer and open Outlook Express, which is the default client email program in the test group. You go to the Tools and Account option, selecting the Mail tab, and the properties for the email account.
You select he Security Tab and in the submenu for the Signing Certificate you configure the certificate for the user's account. You select 3DES as the algorithm to use. You then check the Encrypt Contents And Attachments For All Outgoing Messages check box and the Digitally Sign All Outgoing Messages check box. You accept the default of including the digital id when sending signed messages and the default to add sender certificates to the user address book, and close the properties the email account.
You show the user how to send and receive email, showing the Purple ribbon that indicates a signed message and the Orange lock that indicates an encrypted message.
D. After careful consideration you decide that you will implement secure email in a test group using GPG. You have decided to use GPG to avoid any licensing conflicts that might occur if any user requires secure email exchange with another individual that is in a country with different cryptography laws. You will go to each computer and you will install GPG on each system.
Once installed, you will show each user how to create the required directory structure, by typing the command: gpg --gen-key Once the directory structure is created, you will show each user how to generate the required files, by typing the command: gpg--gen-key Since you want very secure email, you configure each system to use 2048 bit key strength and you select DSA and ElGamal encryption.
With GPG installed and configured, you show each user how to use their new secure email. You have them open Outlook and create a new message to you. Once the message is created, you have them select the Security drop-down list and choose both GPG Sign and GPG Encrypt, and then press send.
You show them on your laptop that you receive the message. You press Reply, and on your laptop also select the Security drop-down menu, where you choose both GPG Sign and GPG Encrypt. The user receives the message, and you show that secure email was successfully sent and received.
E. After careful consideration you decide that you will implement secure email in a test group using PGP. You will use a full licensed version of PGP. You will go to each computer and you will install the full PGP on each system.
Once installed, you will show each user how to create a PGP certificate by requesting the certificate from the MS Enterprise Root CA server you installed, and configured specifically for secure email certificates. After the user has received a certificate, you associate that PGP certificate with their Windows domain user account.
With the PGP certificate associated with the user account, you show each user how to manage their key ring. You show them how to generate their key, and you configure all user key strength to be 2048 bits. Now that the user has a strong key and a PGP certificate, you configure the email client of each user.
You explain that each user will have to install the public key of each other user in the network. You test this by sending an email from your laptop with your PGP certificate attached, and you have the user save the attachment to their Outlook folder. With the certificate saved, you show them how to send secure email to you. You receive the email on your laptop, and double-click the lock to show the user that the secure email message was successfully sent and received.
正解：C