SCP SC0-502 問題集

質問 1：
The MegaCorp network has been running smoothly for some time now. You are growing confident that you have taken care of all the critical needs, and that the network is moving towards a new state of maturity in the current configuration. You head out of the office on Friday at noon, since you have put in lots of long hours over the lat month.
On Monday, you are driving into the office, and you happen to look at the speed limit sign that is on the road right next to MegaCorp. On the sign, in black paint, you see the following symbol:
Compaq
)(
Not good, you think, someone has been wardriving your office complex. That better not be in my office. The office building that MegaCorp is in has many other offices and companies, MegaCorp is not the only tenant.
When you get inside, you check all your primary systems, router, firewall, and servers, looking for quick and fast signs of trouble. There does not seem to be any trouble so far. You check through your Snort logs, and so far so good. You are starting to think that whatever the war drivers found, it was not part of MegaCorp.
You know that the MegaCorp policy does not allow for wireless devices, and you have neither installed nor approved any wireless for the network. Since it is still early (you get in at 7:30 on Mondays), you do not have anyone to talk to about adding any wireless devices.
Select the solution that will allow you to find any unauthorized wireless devices in the network in the least amount of time, and with the least disruption to the office and employees.}
A. You take your laptop, which has a built-in wireless network card, and you enable it. You had not enabled the card before, as you know that wireless is not used in this network. You do a quick install of NetStumbler and watch on screen to see what might come up sitting in your office. A few seconds after the WNIC is initialized and NetStumbler is running, you see the following line in NetStumbler: MAC: 46EAB5FD7C43, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100. You expand channel 11 on the left side of NetStumbler, and see that MAC 46EAB5FD7C43 is bolded.
You are surprised to find that there is a wireless device running in the network, and now you are off to see if you can locate the physical device. You take your laptop and head out of your office. You get about 20 feet away from the office when you are stopped by the HR director, who needs help with a laser printer. You also stop to chat about your findings with the CEO, who has just come in to the office. You put your laptop back in your office, to check later in the day.
Although you did not isolate the physical location of the device, you are confident that you have indeed found a rogue device. As soon as you locate the device, you will make a report for the CEO, and see to it that the device is removed immediately.
B. You decide to spend a full hour and a half from 8:00 to 9:30 going over your logs and data. Until then, you wrap up some early email and pull the log files together to review.
It takes some time to gather all the log files that you can find, but you are able to get everything you need. You get the log form the Router, the Firewall, the IDS, the internal servers, and the web and ftp server. For the next 90 minutes you do nothing other than study the logs looking for unusual traffic, or anything that would be a trigger to you that there has been an intruder in the network.
First, you spend time on the router logs. On the routers you see a series of the following events: %SYS-5-CONFIG_I: Configured from console by vty1 (10.10.50.23) This is an event you consider, and dismiss as not from an attacker.
You then analyze the firewall, and again there you find that there are no logs indicating an intruder is present. All the IP traffic is from authorized IP Addresses. The IDS logs yield similar results. Only authorized traffic from hosts that have legitimate IP Addresses from the inside of the network.
Analyzing the server's logs brings you to the same conclusion. All four severs show that the only access has been from the authorized hosts in the network, that no foreign IP Addresses have even attempted a connection into the private servers. The web\ftp server that has a public IP Address has had some failed attempts, but these are all in the realm of what you expect, nothing there stands out to you as well.
After your hour and half, you feel that you have gone through all the logs, and that there is no evidence that there has been any unauthorized access into any of your network resources, and you conclude that the wireless device is not in your office.
C. Since the company has a clear policy against the use of wireless devices, and since you know each employee you are fairly confident that the device in question is not inside the MegaCorp office. You schedule from 8:00 to 8:30 to do a visual walkthrough of the facilities.
At 8:00, you grab your notebook, which has a network map and other reference notes, and you begin your walkthrough. You walk into every office, except for the CEO office, which is locked, and access is not granted.
You spend several minutes in each office, and you spend some time in the open area where the majority of the employees work. You do not see any wireless access points, and you do not see any wireless antennas sticking up anywhere. It takes you more than the half an hour you allocated.
By 9:00, the office has filled up, and most people are getting their workweek started. You see the CEO walking in, and motion that you have a question. You say, "I am doing a quick walkthrough of the office, there might be a wireless device in here, and I know they are not allowed, so I am checking to see if I can find it." "As far as I know, there are no wireless devices in the network. We don't allow it, and I know that no one has asked me to put in wireless."
"That what I thought. I sure we don't have any running here." You reply. You are confident the wireless problem is in another office.
D. You take your laptop, initialize your WNIC, plug in your external antenna, and enable NetStumbler. You are glad that you keep all your gear nearby, even when you don normally use it.
It is not yet 8:00, and you will be able to walk the office freely, looking for any rogue device.
You turn on the laptop, and turn on your WNIC and NetStumbler. Right away, you see the
following line: MAC: 46EAB5FD7C43, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100. You
think that is what you were expecting, and you go on looking for the unauthorized device.
You walk around the office for a while, and see no fluctuation in the numbers, and do not see any
other devices on screen. By 8:30, most of the employees have come into the office. You meet the
CEO, who is just coming into the office and give a short report on what you are doing. Everyone
you meet has their lunches, work files, briefcases or laptop bags, and they get settled in like any
other day. You get pulled into several conversations with your co-workers as they get started.
At 9:10, you get back to your laptop and you look down at your screen to see what NetStumbler
has to show. There are now two lines, versus the one that was there before:
MAC: 46EAB5FD7C4, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100.
MAC: 000BCDA36ED, SSID: Compaq, Channel: 9, Type: Peer, Beacon: 75.
You close your laptop confident that you now know the exact location of the rogue device, which
you have identified as a Compaq laptop, running in peer mode, and you go to address the device
immediately.
E. You take your laptop, initialize your WNIC, plug in your external antenna, and enable NetStumbler. You are glad that you keep all your gear nearby, even when you don normally use it. You would have had a 40 minute round trip drive to go home and get your own wardriving equipment.
By 8:30 you have found several wireless devices, but are not sure which, if any might be in your office. The output from NetStumbler shows the following: MAC:46EAB5FD7C43, SSID:Dell, Channel:11, Type:Peer, Beacon:100 MAC:AB3B3E23AB45, SSID:Cisco, Channel:9, Type:AP, Beacon:85 MAC:000625513AAE, SSID:Compaq, Channel:7, Type:Peer, WEP, Beacon:67 MAC:000C4119420F, SSID:Private, Channel:11, Type:AP, Beacon:55
The one you are most interested in is the Compaq device, as although you know the war drivers might have just written it down, you want to look for Compaq devices first. The Compaq is also an AP, so your suspicion is high. You walk around the office, watching for the numbers in NetStumbler to adjust.
As you walk towards the street, you note the strength of the Compaq device weakens, by the time you get near the windows the signal is very weak. So, you turn around and walk away from the street, and sure enough the signal gets stronger. You actually walk out the main office door into the building interior courtyard. Across the courtyard you find the signal stronger and stronger.
After you walk around for some time, you are sure that you have isolated the signal as coming from an office inside the building and exactly opposite MegaCorp. The device is not in your office, and you will report this to the CEO. You will also ask the CEO if you should inform the neighbor that their network is possibly at risk due to their wireless network use.
正解：D

質問 2：
You had been taking a short vacation, and when you come into work on Monday morning, Orange is already at your door, waiting to talk to you.
"We're got a problem," Orange says, "It seems that the password used by our Vice President of Engineering has been compromised. Over the weekend, we found this account had logged into the network 25 times. The Vice President was not even in the office over the weekend."
"Did we get the source of the compromise yet?"
"No, but it won't surprise me if it is our new neighbors at MassiveCorp. I need to you to come up with a realistic plan and bring it to me tomorrow afternoon. This problem must be resolved, and like everything else we do not have unlimited funds so keep that in mind."
Based on this information, choose the best solution to the password local authentication problem in the Executive building.}
A. Since you are aware of the significance of the password problems, you plan to address the
problem using technology. You write up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a token-
based authentication system.
2.You will install the RSA SecurID challenge-response token system.
3.You will create SecurID user records for each user to match their domain accounts.
4.You will assign each user record a unique token.
5.You will hand deliver the tokens to the correct executive.
6.Users will be required to use tokencodes from the One-Time tokencode list. The tokencodes will
be alphanumeric and will be 4 characters long.
7.The tokens will replace all passwords for authentication into each user Windows system.
B. Since you are aware of the significance of the password problems, you plan to address the
problem using technology. You write
up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a token-
based authentication system.
2.You will install the RSA SecurID time-based token system.
3.You will create SecurID user records for each user to match their domain accounts.
4.You will assign each user record a unique token.
5.You will hand deliver the tokens to the correct executive.
6.Users will be allowed to create their own PIN, which will be 4 characters long.
7.The tokens will replace all passwords for authentication into each user Windows system.
C. Since you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Orange that includes the following points: 1.You will reconfigure the Testbed.globalcorp.org domain to control the password problem. 2.You will configure AD in this domain so that complex password policies are required. 3.The complex password policies will include:
a.Password length of at least 8 characters
b.Passwords must be alphanumeric
c.Passwords must meet Gold Standard of complexity
d.Passwords must be changed every 30 days
e.Passwords cannot be reused
D. Since you are aware of the significance of the password problems, and since you do not have unlimited funds, you plan to address this problem through education and through awareness. You write up a plan for Orange that includes the following points: 1.All end users are to be trained on the methods of making strong passwords 2.All end users are instructed that they are to change their password at a minimum of every 30 days. 3.The administrative staff is to run password-checking utilities on all passwords every 30 days. 4.All end users are to be trained on the importance of never disclosing their password to any other individual. 5.All end users are to be trained on the importance of never writing down their passwords where they are clearly visible.
E. Since you are aware of the significance of the password problems, plan to address the problem
using technology. You write up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a
biometric solution.
2.You will install retinal scanners at every user desktop in the executive building.You will install
retinal scanners at every user? desktop in the executive building.2.You will install retinal scanners
at every user desktop in the executive building.You will install retinal scanners at every user?
desktop in the executive building.
3.You will personally enroll each user at each desktop.3.You will personally enroll each user at
each desktop.
4.You will instruct each user on the proper positioning and use of the scanner.4.You will instruct
each user on the proper positioning and use of the scanner.
5.The biometric system will replace all passwords for authentication into each user Windows
system.The biometric system will replace all passwords for authentication into each user?
Windows system.5.The biometric system will replace all passwords for authentication into each
user Windows system.The biometric system will replace all passwords for authentication into each
user? Windows system.
正解：B

質問 3：
The network has been receiving quite a lot of inbound traffic, and although you have been given instructions to keep the network open, you want to know what is going on. You have decided to implement an Intrusion Detection System. You bring this up at the next meeting.
"After looking at our current network security, and the network traffic we are dealing with, I recommend that we implement an Intrusion Detection System," you begin.
"We don't have any more budget for security equipment, it will have to wait until next year." This is the reply from the CEO that you were anticipating.
"I realize that the budget is tight, but this is an important part of setting up security." You continue, "If I cannot properly identify all the network traffic, and have a system in place to respond to it, we might not know about an incident until after our information is found for sale on the open market." As expected, your last comment got the group thinking.
"What about false alarms?" asks the VP of sales, "I hear those things are always going off, and just end up wasting everyone" time."
"Tha's a fair concern, but it is my concern. When we implement the system, I will fine tune it and adjust it until the alarms it generates are appropriate, and are generated when there is legitimately something to be concerned about. We are concerned with traffic that would indicate an attack; only then will the system send me an alert."
For a few minutes there was talk back and forth in the room, and then the CEO responds again to your inquiry, "I agree that this type of thing could be helpful. But, we simply don have any more budget for it. Since it is a good idea, go ahead and find a way to implement this, but don't spend any money on it."
With this information, and your knowledge of MegaCorp, choose the answer that will provide the best solution for the IDS needs of MegaCorp:}
A. You install Snort on a dedicated machine just outside the router. The machine is designed to send alerts to you when appropriate. You implement the following rule set:
Alert udp any any -> 10.10.0.0\16 (msg: "O\S Fingerprint Detected"; flags: S12;) Alert tcp any any -> 10.10.0.0\16 (msg: "Syn\Fin Scan Detected"; flags: SF;) Alert tcp any any -> 10.10.0.0\16 (msg: "Null Scan Detected"; flags: 0;) Log tcp any any -> 10.10.0.0\16 any
You then install Snort on the web and ftp server, also with this system designed to send you alerts when appropriate. You implement the built-in scan.rules ruleset on the server.
B. You install two computers to run your IDS. One will be a dedicated machine that is on the outside of the router, and the second will be on the inside of the router. You configure the machine on the outside of the router to run Snort, and you combine the default rules of several of the built-in rule sets. You combine the ddos.rules, dos.rules, exploit.rules, icmp.rules, and scan.rules.
On the system that is inside the router, running Snort, you also combine several of the built-in rule sets. You combine the scan.rules, web-cgi.rules, ftp.rules, web-misc.rules, and web-iis.rules. You configure the alerts on the two systems to send you email messages when events are identified. After you implement the two systems, you run some external scans and tests using vulnerability checkers and exploit testing software. You modify your rules based on your tests.
C. You install Snort on a dedicated machine just inside the router. The machine is designed to send alerts to you when appropriate. You do have some concern that the system will have too many rules to operate efficiently. To address this, you decide to pull the critical rules out of the built-in rule sets, and create one simple rule set that is short and will cover all of the serious incidents that the network might experience.
alert udp any 19 <> $HOME_NET 7 (msg:"DOS UDP Bomb"; classtype:attempted-dos; sid:271;
rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; id:242;
fragbits:M;
classtype:attempted-dos; sid:270; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; id: 678; itype: 8; content: "1234";
classtype:attempted-recon; sid:221; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8;
classtype:attempted-recon; sid:469; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS";flags:SRAFPU; classtype:attempted-recon; sid:625; rev:1;) alert tcp $HOME_NET 31337 -> $EXTERNAL_NET 80 (msg:"SCAN synscan microsoft"; id: 39426; flags: SF; classtype:attempted-recon; sid:633; rev:1;)
D. You configure a new dedicated machine just outside the router and install Snort on that machine. The machine logs all intrusions locally, and you will connect to the machine remotely once each morning to pull the log files to your local machine for analysis.
You run snort with the following command: Snort ev \snort\log snort.conf and using the following rule base:
Alert tcp any any <> any 80 Alert tcp any any <> 10.10.0.0\16 any (content: "Password"; msg:"Password transfer Possible";) Log tcp any any <- 10.10.0.0\16 23 Log tcp any any <> 10.10.0.0\16 1:1024
E. You install your IDS on a dedicated machine just inside the router. The machine is designed to send alerts to you when appropriate. You begin the install by performing a new install of Windows on a clean hard drive.
You install ISS Internet Scanner and ISS System Scanner on the new system. System Scanner is configured to do full backdoor testing, full baseline testing, and full password testing. Internet Scanner is configured with a custom policy you made to scan for all vulnerabilities. You configure both scanners to generate automatic weekly reports and to send you alerts when an incident of note takes place on the network.
正解：B

質問 4：
You have now been involved in several major changes in the security of GlobalCorp, and specifically the Testbed campus. You have worked on the planning and design of the trusted network, you have worked on the initial rollout of the CA hierarchy, you have worked on assigning certificates to the end users and computers in the Executive building of the Testbed campus, and you have managed the implementation of secure email a critical service for GlobalCorp.
Blue has asked you to meet with the other administrative staff of the Testbed campus and discuss how the certificates will impact the organization. There are a total of about 40 people in the meeting, and you have decided that your primary focus during this meeting will be on encryption\cryptography.
Choose the best solution for providing the correct information to your administrative staff on how encryption\cryptography and digital certificates will be properly used in the network:}
A. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the GlobalCorp network.
You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA and UserB have a set of mathematically linked keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the private key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, the public key to decrypt the message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them that RSA was the first widely used private key algorithm, and that RSA itself is not used to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman was another breakthrough in that it was a private key algorithm that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the entity that issued the certificate, and a Subject Field that holds the distinguished name of the person who has the private key that corresponds to the public key in the certificate.
B. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the GlobalCorp network.
You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA and UserB have a set of mathematically linked keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the public key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, the private key to decrypt the message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them that RSA was the first widely used private key algorithm, and that RSA itself is not used to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman was another breakthrough in that it was a private key algorithm that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the entity that issued the certificate, and a Subject Field that holds the distinguished name of the person who has the private key that corresponds to the public key in the certificate.
C. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the GlobalCorp network.
You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA has a pair of keys and UserB has a pair of keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserB will use the public key that UserA has made available to encrypt the message. Once encrypted, UserB will send the message over the network to UserA. UserA will then use the other key of the pair, the private key to decrypt the message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them that Diffie-Hellman was the first widely used private key algorithm, and that Diffie-Hellman itself is not used to secure messages, rather to exchange a symmetric key. You explain that RSA was another breakthrough in that it was a private key algorithm that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the entity that issued the certificate, and a Subject Field that holds the distinguished name of the person who has the private key that corresponds to the public key in the certificate.
D. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the GlobalCorp network.
You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA and UserB have a set of mathematically linked keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the private key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, the public key to decrypt the message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them that RSA was the first widely used private key algorithm, and that RSA itself is not used to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman was another breakthrough in that it was a private key algorithm that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the person who issued the certificate, and a Subject Field that holds the full OIDs describing the use of the certificate by the holder of the certificate.
E. You gather the administrative staff together in the conference room to discuss cryptography in the network. You begin your talk with the function of cryptography, in general, and then you move towards specific implementations in the GlobalCorp network.
You explain that public key cryptography is founded on math, and that the big picture fundamental point is that UserA has a pair of keys and UserB has a pair of keys. You explain that one key of each key pair is made available to the other users in the network. You illustrate this with an example of sending an encrypted message from UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that message to be secure. UserA will use the public key that UserB has made available to encrypt the message. Once encrypted, UserA will send the message over the network to UserB. UserB will then use the other key of the pair, called the private key, to decrypt the message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them that Diffie-Hellman was the first widely used public key algorithm, and that Diffie-Hellman itself is not used to secure messages, rather to exchange a symmetric key. You explain that RSA was another breakthrough in that it was a public key algorithm that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that digital certificates can be assigned to different entities, including users and computers. You state that these digital certificates include many options, for example an Issuer Field that holds the distinguished name of the entity that issued the certificate, and a Subject Field that holds the distinguished name of the person who has the private key that corresponds to the public key in the certificate.
正解：E