SCP SC0-502 問題集

質問 1：
It has been quite some time since you were called in to address the network and security needs of MegaCorp. You feel good in what you have accomplished so far. You have been able to get MegaCorp to deal with their Security Policy issue, you have secured the router, added a firewall, added intrusion detection, hardened the Operating Systems, and more.
One thing you have not done however, is run active testing against the network from the outside. This next level of testing is the final step, you decide, in wrapping up this first stage of the new MegaCorp network and security system. You setup a meeting with the CEO to discuss.
"We have only one significant issue left to deal with here at MegaCorp," you begin. "We need some really solid testing of our network and our security systems."
"Sounds fine to me, don't you do that all the time anyway? I mean, why meet about this?"
"Well, in this case, I'd like to ask to bring in outside help. Folks who specialize in this sort of thing. I can do some of it, but it is not my specialty, and the outside look in will be better and more independent from an outside team."
"What does that kind of thing cost, how long will it take?"
"It will cost a bit of money, it won't be free, and with a network of our size, I think it can be done pretty quick. Once this is done and wrapped up, I will be resigning as the full time security and network pro here. I need to get back to my consulting company full time. Remember, this was not to be a permanent deal. I can help you with the interview, and this is the perfect time to wrap up that transition."
"All right, fair enough. Get me your initial project estimates, and then I can make a more complete decision. And, Il get HR on hiring a new person right away."
Later that afternoon you talk to the CEO and determine a budget for the testing. Once you get back to your office, you are calling different firms and consultants, and eventually you find a consulting group that you will work with.
A few days later you meet with the group in their office, and you describe what you are looking for, and that their contact and person to report to is you. They ask what is off limits, and your response is only that they cannot do anything illegal, to which they agree and point out is written in their agreement as well.
With this outside consulting group and your knowledge of the network and company, review and select the solution that will best provide for a complete test of the security of MegaCorp.}
A. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.
The consultants will first run remote network surveillance to identify hosts, followed by port scans and both passive and active fingerprinting. They will then run vulnerability scanners on the identified systems, and attempt to exploit any found vulnerabilities. They will next scan and test the router and firewall, followed by testing of the IDS rules.
They will then perform physical surveillance and dumpster diving to learn additional information. This will be followed by password sniffing and cracking. Finally, they will call into MegaCorp to see what information they can learn via social engineering.
B. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.
The consultants have decided on a direct strategy. They will work inside the MegaCorp office, with the group introducing themselves to the employees. They will directly interview each employee, and perform extensive physical security checks of the network.
They will review and provide analysis on the security policy, and follow that with electronic testing. They will run a single very robust vulnerability scanner on every single client and server in the network, and document the findings of the scan.
C. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.
The consultants surprise you with their initial strategy. They intend to spend nearly 100% of their efforts over the first week on social engineering and other physical techniques, using little to no technology. They have gained access to the building as a maintenance crew, and will be coming into the office every night when employees are wrapping up for the day.
All of their testing will be done through physical contact and informal questioning of the employees. Once they finish that stage, they will run short and direct vulnerability scanners on the systems that they feel will present weakness.
D. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.
The consultants will start the process with remote network surveillance, checking to see what systems and services are available remotely. They will run both passive and active fingerprinting on any identified system. They will run customized vulnerability scanners on the identified systems, and follow that through with exploits, including new zero-day exploits they have written themselves.
They will next run scans on the router, firewall, and intrusion detection, looking to identify operating systems and configurations of these devices. Once identified, they will run customized scripts to gain access to these devices. Once they complete the testing on the systems, they will dumpster dive to identify any leaked information.
E. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.
The first thing the consultants will do is dumpster diving and physical surveillance, looking for clues as to user information and other secret data that should not be outside of the network. Once they have identified several targets through the dumpster diving, they will run scans to match up and identify the workstations for those users.
After identifying the user workstations, they will run vulnerability checks on the systems, to find holes, and if a hole is found they have been given permission to exploit the hole and gain access of the system.
They will attempt to gain access to the firewall and router remotely, via password guessing, and will test the response of the network to Denial of Service attacks. Finally, they will call into MegaCorp to see what information they can learn via social engineering.
正解：A

質問 2：
You finish the work you were doing in the morning, and head out to the monthly meeting. During this meeting, the Vice President of Strategic Partner Relations informs the group of some news, "we have decided that we need to implement a new web site that is for our strategic partners only. This site will be used for various purposes, but will primarily be used as a means of information exchange."
"So, is this going to be a private site?" asks Orange.
"Absolutely. We will not want any public users on this website. It's just for the people we identify in our Strategic Partner Program. I need those of you in security to be sure that this site is secure." "We can take care of that. How many people do you think will be accessing the site?" asks
Orange.
"Not too many, perhaps around fifty."
"So, is it correct to assume that you know each of these fifty people?"
"Yes, that is correct."
"OK, well this should not be too hard. Wel get working on this right away."
The meeting ends, and you and Orange chat more about the web site issue.
"Well, we know that only around fifty people are going to access the, and we know who these fifty
are. This should not cause too many problems," Orange says.
"I agree. Do you think it will be all right to spend any money outside of the site itself?" you ask.
"Since we are dealing with so few people, that shouldn be a problem. However, we cannot go
overboard. Go ahead and write up plan for this and get it back to me in a day or two."
Based on your knowledge of GlobalCorp, choose the best solution to the web site security issue.}
A. You decide to use existing security technology of digital certificates and SSL to secure the site. You first install a new IIS server that will be the host of the web site. You then connect to the GlobalCorp CA for the executive building and request a new certificate for the web site.
You then configure the web site to Require a Secure Channel (SSL) and install the certificate. One you install the new certificate, you connect from the new server to the CA in each office where one or more of the fifty people that require access works. At that CA, you install the CA certificate, so that the new server will trust the certificates that each CA issues.
Next, you return to the configuration of the new web site. To make the site more secure, you require client certificates, and enable mappings for each user account. You call each user and ensure that they have a certificate from their own CA, which the new server now trusts. You walk them through the process of connecting to the site, and verify that secure access to them has been granted.
B. You decide that you will use freely available PGP certificates to secure access to the website. You will first install a new IIS web server to hose the site. You then configure one user account, with a strong password. You map this account as the only account that has access to the website.
You then log on locally, as this user account, to the server and create a public\private key pair. From that account you then send an outgoing email to all fifty users with the account private key. You finish the configuration of the website by making changes in the Security properties of the website.
In the Security properties, you select the Advanced tab. On the Advanced tab, you check the box to map this account to a local digital certificate, and you select the new certificate you just created.
Next, you contact each remote user and instruct them to open the email from you. You have them store the key they receive in their personal certificate store. To verify the install is correct, you walk them through the process of viewing their certificates in the MMC. Once verified, you have the user connect to the website, and enter the location of their certificate when asked for authentication credentials.
C. You decide to use digital certificates on smart cards to secure the web site. You will first install a new IIS web server to host the site. You then connect to the CA_SERVER and request a new certificate for the server. The server certificate will be used for authentication, and you have the certificate issued and stored on a portable USB drive.
You then configure a machine to function as the enrollment machine for smart cards. You are going to manage the smart cards yourself. At the machine that you are going to use for the smart cards, you first configure the system with an enrollment agent certificate from the CA_SERVER, and then you install the driver for the smart card reader.
Once the driver is installed, you make certificate requests for each of the fifty users. You start with the first user, by logging in to the CA and selecting the option to Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card Enrollment Station radio button. You then select the Smartcard User template, and enter the user name. When prompted, you put a blank smart card in the reader and press the Enroll button, followed by entering the default PIN.
Once you have created all fifty smart cards, you continue with the configuration of the web site. You configure the site to Require Secure Channel (SSL) and configure the site certificate from the USB drive. You then configure the site to require the user to have certificates as well, enabling mapping for the specific users of this site.
You then test access to the site from a remote machine using the smart card and PIN to be authenticated to the site. Once the test is complete, you write a short howto file and send it along with the smart card, smart card reader, and driver to each of the fifty users. You follow up with each user upon receipt to walk them through the configuration.
D. You decide to use strong authentication via biometrics, specifically fingerprint scanning to secure the web site. You will first install a new IIS web server to host the site. You then configure fifty user accounts for the remote users, and assign those accounts very strong passwords.
You then ship one biometric mouse and software to each remote client. You call each user and walk them through the process of configuration of their equipment. First, you tell them to create a matching user account with the same user name and very strong password as you used on the IIS server. You then have them install the software, which you instruct them to configure so that the biometric will be linked to the user account.
Once the software is installed, you instruct them to connect the mouse to their system and load the appropriate driver. With the driver installed, you tell them how to load the program and enroll their fingerprint. Once they have their fingerprint enrolled, and it is matched to their user account, you let them know that their side of the configuration is complete, and that you will call them shortly to finish the process.
You return to the configuration of the IIS server. In the Security properties of the website, you select the Advanced authentication tab. On the Advanced tab, you check the box for mapping user accounts to external biometric devices, and you check the box to allow the remote machine to control the mapping. You finish the configuration by configuring the site to use 128-bit RSA to encrypt the data between the client and the server.
With the server configuration done, you call the client back and have them log in using their biometric mouse. Once logged in, you instruct them to connect to the website and verify the secure site is running.
E. You decide that you will use digital certificates to secure the web site. You will first install a new private CA that the remote users can connect to and request their certificates. This CA will be protected with a very strong password. Each user will be given a user account to access the CA, also protected with a strong password.
Next, you install the new private web server. You then connect to the new CA and make a request for a certificate for the web site. Once you receive the certificate, you configure the web site to use the certificate to Require a Secure Channel (SSL). You then select the option to require client certificates, and you enable mapping for each user account.
Finally, you will call each person and instruct them on the process of connecting to the CA and requesting their certificate, which you will instruct them to store on their local machine. Once they have their certificate, you have them test access to the site, and when successful you move on to the next person.
正解：C

質問 3：
The MegaCorp network has been running smoothly for some time now. You are growing confident that you have taken care of all the critical needs, and that the network is moving towards a new state of maturity in the current configuration. You head out of the office on Friday at noon, since you have put in lots of long hours over the lat month.
On Monday, you are driving into the office, and you happen to look at the speed limit sign that is on the road right next to MegaCorp. On the sign, in black paint, you see the following symbol:
Compaq
)(
Not good, you think, someone has been wardriving your office complex. That better not be in my office. The office building that MegaCorp is in has many other offices and companies, MegaCorp is not the only tenant.
When you get inside, you check all your primary systems, router, firewall, and servers, looking for quick and fast signs of trouble. There does not seem to be any trouble so far. You check through your Snort logs, and so far so good. You are starting to think that whatever the war drivers found, it was not part of MegaCorp.
You know that the MegaCorp policy does not allow for wireless devices, and you have neither installed nor approved any wireless for the network. Since it is still early (you get in at 7:30 on Mondays), you do not have anyone to talk to about adding any wireless devices.
Select the solution that will allow you to find any unauthorized wireless devices in the network in the least amount of time, and with the least disruption to the office and employees.}
A. You take your laptop, which has a built-in wireless network card, and you enable it. You had not enabled the card before, as you know that wireless is not used in this network. You do a quick install of NetStumbler and watch on screen to see what might come up sitting in your office. A few seconds after the WNIC is initialized and NetStumbler is running, you see the following line in NetStumbler: MAC: 46EAB5FD7C43, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100. You expand channel 11 on the left side of NetStumbler, and see that MAC 46EAB5FD7C43 is bolded.
You are surprised to find that there is a wireless device running in the network, and now you are off to see if you can locate the physical device. You take your laptop and head out of your office. You get about 20 feet away from the office when you are stopped by the HR director, who needs help with a laser printer. You also stop to chat about your findings with the CEO, who has just come in to the office. You put your laptop back in your office, to check later in the day.
Although you did not isolate the physical location of the device, you are confident that you have indeed found a rogue device. As soon as you locate the device, you will make a report for the CEO, and see to it that the device is removed immediately.
B. You decide to spend a full hour and a half from 8:00 to 9:30 going over your logs and data. Until then, you wrap up some early email and pull the log files together to review.
It takes some time to gather all the log files that you can find, but you are able to get everything you need. You get the log form the Router, the Firewall, the IDS, the internal servers, and the web and ftp server. For the next 90 minutes you do nothing other than study the logs looking for unusual traffic, or anything that would be a trigger to you that there has been an intruder in the network.
First, you spend time on the router logs. On the routers you see a series of the following events: %SYS-5-CONFIG_I: Configured from console by vty1 (10.10.50.23) This is an event you consider, and dismiss as not from an attacker.
You then analyze the firewall, and again there you find that there are no logs indicating an intruder is present. All the IP traffic is from authorized IP Addresses. The IDS logs yield similar results. Only authorized traffic from hosts that have legitimate IP Addresses from the inside of the network.
Analyzing the server logs brings you to the same conclusion. All four severs show that the only access has been from the authorized hosts in the network, that no foreign IP Addresses have even attempted a connection into the private servers. The web\ftp server that has a public IP Address has had some failed attempts, but these are all in the realm of what you expect, nothing there stands out to you as well.
After your hour and half, you feel that you have gone through all the logs, and that there is no evidence that there has been any unauthorized access into any of your network resources, and you conclude that the wireless device is not in your office.
C. You take your laptop, initialize your WNIC, plug in your external antenna, and enable NetStumbler. You are glad that you keep all your gear nearby, even when you don normally use it. You would have had a 40 minute round trip drive to go home and get your own wardriving equipment.
By 8:30 you have found several wireless devices, but are not sure which, if any might be in your office. The output from NetStumbler shows the following:
MAC:46EAB5FD7C43, SSID:Dell, Channel:11, Type:Peer, Beacon:100 MAC:AB3B3E23AB45, SSID:Cisco, Channel:9, Type:AP, Beacon:85 MAC:000625513AAE, SSID:Compaq, Channel:7, Type:Peer, WEP, Beacon:67 MAC:000C4119420F, SSID:Private, Channel:11, Type:AP, Beacon:55
The one you are most interested in is the Compaq device, as although you know the war drivers might have just written it down, you want to look for Compaq devices first. The Compaq is also an AP, so your suspicion is high. You walk around the office, watching for the numbers in NetStumbler to adjust.
As you walk towards the street, you note the strength of the Compaq device weakens, by the time you get near the windows the signal is very weak. So, you turn around and walk away from the street, and sure enough the signal gets stronger. You actually walk out the main office door into the building interior courtyard. Across the courtyard you find the signal stronger and stronger.
After you walk around for some time, you are sure that you have isolated the signal as coming from an office inside the building and exactly opposite MegaCorp. The device is not in your office, and you will report this to the CEO. You will also ask the CEO if you should inform the neighbor that their network is possibly at risk due to their wireless network use.
D. You take your laptop, initialize your WNIC, plug in your external antenna, and enable NetStumbler. You are glad that you keep all your gear nearby, even when you don't normally use it. It is not yet 8:00, and you will be able to walk the office freely, looking for any rogue device.
You turn on the laptop, and turn on your WNIC and NetStumbler. Right away, you see the
following line: MAC: 46EAB5FD7C43, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100. You
think that is what you were expecting, and you go on looking for the unauthorized device.
You walk around the office for a while, and see no fluctuation in the numbers, and do not see any
other devices on screen. By 8:30, most of the employees have come into the office. You meet the
CEO, who is just coming into the office and give a short report on what you are doing. Everyone
you meet has their lunches, work files, briefcases or laptop bags, and they get settled in like any
other day. You get pulled into several conversations with your co-workers as they get started.
At 9:10, you get back to your laptop and you look down at your screen to see what NetStumbler
has to show. There are now two lines, versus the one that was there before:
MAC: 46EAB5FD7C4, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100.
MAC: 000BCDA36ED, SSID: Compaq, Channel: 9, Type: Peer, Beacon: 75.
You close your laptop confident that you now know the exact location of the rogue device, which
you have identified as a Compaq laptop, running in peer mode, and you go to address the device
immediately.
E. Since the company has a clear policy against the use of wireless devices, and since you know each employee you are fairly confident that the device in question is not inside the MegaCorp office. You schedule from 8:00 to 8:30 to do a visual walkthrough of the facilities.
At 8:00, you grab your notebook, which has a network map and other reference notes, and you begin your walkthrough. You walk into every office, except for the CEO office, which is locked, and access is not granted.
You spend several minutes in each office, and you spend some time in the open area where the majority of the employees work. You do not see any wireless access points, and you do not see any wireless antennas sticking up anywhere. It takes you more than the half an hour you allocated.
By 9:00, the office has filled up, and most people are getting their workweek started. You see the CEO walking in, and motion that you have a question. You say, "I am doing a quick walkthrough of the office, there might be a wireless device in here, and I know they are not allowed, so I am checking to see if I can find it." "As far as I know, there are no wireless devices in the network. We don't allow it, and I know that no one has asked me to put in wireless." "That what I thought. I sure we don't have any running here." You reply. You are confident the wireless problem is in another office.
正解：D

質問 4：
Although you feel that you have taken solid steps in the security of MegaCorp, you would like to have some more analysis and documentation of the state of the network, and the systems in place protecting MegaCorp resources.
The CEO wants to know what MegaCorp should be spending on securing these resources, and wants justification for the numbers that you provide. You inform the group that you will be able to provide them with a Risk Analysis on the defined resources, and you also suggest that MegaCorp perform a full business Risk Analysis, and that they make it part of their policy to perform ongoing analysis.
During the first meeting after the agreement on analysis, a sales manager tells you the following; "We are rolling out a new online sales component to our organization. It will be up to you to design the system for this, but we anticipate it being up and running next month and are looking to have initial revenues of around $1,000 per day through that component."
"All right," you respond "If the initial revenues are going to be around $1,000 per day, what are you projecting will be the daily revenue through this in 6 and 12 months?"
The CEO answers this question, "Our projections are to have an average of about $2,000 per day in six months and $3,000 per day within a year."
"And, what is this system going to be responsible for? By that I mean, is this just an order taking machine, is it tied into inventory, is it tied into shipping, and so on?" you ask.
"Right now, and as far as the current plan goes, this is an order taking system. It will not be tied into any of our other systems."
"Are we going to get a new Internet connection for this server, or is it going to run off the current connection we have? I recommend a new connection, but am curious to know if that has been considered."
"I think we can stick with our current connection for the time being. If it seems like there is a need in the future for the expenses of a new connection, we can discuss it then. Anything else?"
"Not right now, as issues come up I will talk to you about them." The rest of the meeting does not require your attendance, so you head back to your office.
Based on your knowledge of the MegaCorp environment, select the solution that best allow you to justify the expense of protecting the new server.}
A. With only this one single system to analyze, you decide that a Quantitative Risk Analysis is appropriate. You identify three major threats: Power Outage, Administrator-level system compromise, and Denial of Service attacks. You assign the power outage a low likelihood, the administrative compromise a medium likelihood, and the DoS a high likelihood.
You assign the power outage a high level of damage, you assign the administrative compromise a high level of damage, and you assign the DoS a low level of damage. Since the likelihood of the power outage is low, you do not recommend spending any new money on this in your report to the CEO. Since the level of damage is so high due to the administrative compromise, you recommend new security systems to protect against that threat. You recommend that the systems in place to mitigate the threat of the administrative compromise also be capable of addressing the DoS threat.
B. You decide to perform a Quantitative Risk Analysis on the server. You meet with the sales director to find out that the server will only hold a copy of the catalog. You estimate that since the system will be directly connected with a public IP Address, and since it will hold customer data that it is a likely target for attack.
You know that you have solid security systems in place, but you think there will be a legitimate attack to compromise this server at least once per month. Based on this information you decide that the ARO is 12, and the SLE will be one day of operation plus one day to restore the system, therefore $6,000. With an ARO of 12, and with a SLE of $6,000 you determine that the ALE for the system is $72,000.
You report to the CEO that although the current security systems in place are solid, this server requires security of it??s own. You identify the $72,000 that could be lost every year due to attacks, and request resources to properly protect the server.
C. You decide to follow the Facilitated Risk Analysis Process (FRAP) for the server. You sit down in your office by yourself, and you list out the vulnerabilities that might exist for the server. You then categorize those vulnerabilities into High, Medium, and Low.
Taking each individual vulnerability that you discovered, you further detail that listing the degree of impact that vulnerability could have, again categorizing them as High, medium, and Low.
When you are done, you have a list that shows five vulnerabilities, only one of them High, and that is attempted system compromise. You have identified this vulnerability to have a Low impact, since it will only contain the MegaCorp catalog and no other critical services.
You report back to the CEO that the current systems in place are adequate, and your only suggestion is to possibly increase the power backup to a larger model for the server.
D. You decide to perform a Qualitative Risk Analysis on the new server. You organize a short meeting with the sales director to get a better idea of what will be stored on the system. You know the projected sales volumes, and you find out that on the system will be nothing more than a catalog, where people can order MegaCorp products.
Since there is nothing of value stored on the server, you decide that the Level of Damage that would happen if this system is compromised is low and that the Likelihood of an Attack to gain access is low. Since the company needs the system for sales, you decide that the threat of a power loss is significant.
Your report back to the CEO is that the current security systems in place are adequate for the new system, that it will be protected by the firewall and IDS. You do request to increase the resources for power equipment, specifically a large battery backup for the server.
E. Since this is the only system that you are requested to analyze, and the CEO is looking for numbers, you decide to run a fast Qualitative Risk Analysis. You know that the server is going to generate $6,000 per month, and you think there will most likely be an attack on the server at least twice a month. This means that for this server, you have an SLE of $6,000 and an ALE of 24. With an SLE of $6,000, and with an ALE of 24, you determine that the SRO for the system is $144,000.
You report to the CEO that there is a risk of $144,000 to this server every year, and you recommend that for the first year that full risk amount be spent on mitigating the risk, so that in subsequent years you can report the risk has been reduced to zero.
正解：B