Network Security Concepts and Policies

Chapter Description

In this chapter, you learn how to develop a comprehensive network security policy to counter threats against information security. You also learn about possible threats and how to describe and implement the process of developing a security policy.

Review Questions

Use the questions here to review what you learned in this chapter. The correct answers are found in the appendix, “Answers to Chapter Review Questions.”

  1. Which are the three primary objectives of security?

    1. Integrity
    2. Confidentiality
    3. Antireplay functionality
    4. Authentication
    5. Availability
  2. Which are the three categories of controls?

    1. Administrative
    2. Executive
    3. Managerial
    4. Technical
    5. Physical
  3. Show that you understand the different types of controls by matching them with their related technology.

    Types of controls

    1. Preventative
    2. Deterrent
    3. Detective

    Technologies

    1. Motion sensor
    2. Video surveillance
    3. Lock
  4. Match the different types of hackers and the like with their appropriate description.

    Hacker types

    1. White hat
    2. Black hat
    3. Gray hat
    4. Blue hat
    5. Cracker
    6. Phreaker
    7. Script kiddy
    8. Hacktivist

    Hacker descriptions

    1. Bug tester
    2. Hacker with little skill
    3. Unethical hacker
    4. Hacker of telecommunication systems
    5. Ethically questionable hacker
    6. Hacker with a political agenda
    7. Synonymous with black hat hacker
    8. Breaks security for nonmalicious reasons
  5. Organize the following steps in the order in which they are used to compromise targets and applications.

    1. Escalate privilege
    2. Leverage the compromised system
    3. Perform footprint analysis
    4. Install back doors
    5. Enumerate applications and operating systems
    6. Gather additional passwords and secrets
    7. Manipulate users to gain access
  6. Which of the following is (are) not part of the technical policies? (Select all that apply.)

    1. End-user policy
    2. Acceptable usage policy
    3. Email policy
    4. Governing policy
    5. Rainbow Series
    6. Network policy
    7. Common Criteria Standard
    8. Wireless policy
  7. Reorder the classification levels of the private sector, from the least secure document to the most secure document.

    1. Confidential
    2. Private
    3. Public
    4. Sensitive
  8. Which of the following is not a criterion used to classify data?

    1. Value
    2. Age
    3. Useful life
    4. Copyright
    5. Personal association
  9. Match each of the following information classification roles with its definition.

    Roles

    1. Owner
    2. Custodian
    3. User

    Definitions

    1. Responsible for using the data
    2. Responsible on a day-to-day basis for the classified data
    3. Ultimately responsible for the data
  10. Which of the following is a technical control?

    1. Network Admission Control system
    2. Security policies and standards
    3. Security audits
    4. Security awareness training
    5. Change and configuration management
  11. Which of the following is not a characteristic of defense in depth?

    1. Security mechanisms back each other up.
    2. Security mechanisms do not depend on each other.
    3. Does not require IDS or IPS.
    4. The weakest links can be augmented so that single points of failure can be eliminated.
  12. Match the definition with the appropriate attack method.

    Definitions

    1. Searching a network host and open ports
    2. Capturing electrical transmission
    3. Hiding information within a transmission
    4. Intercepting traffic that passes over a physical network

    Attack methods

    1. Packet sniffing
    2. Man-in-the-middle
    3. Emanation capturing
    4. Covert channel
    5. Impersonation
    6. Port scanning
  13. Reorder the phases of a system development life cycle.

    1. Operations and maintenance
    2. Initiation
    3. Disposition
    4. Acquisition and development
    5. Implementation
  14. Which of the following security concepts limits a user’s rights to the lowest possible level needed to perform his tasks?

    1. Need to know
    2. Least privilege
    3. Universal participation
    4. Diversity of defense