Chapter 13: Network Security and Protective Technologies (Set-4)
A firewall “default deny” policy should be paired with
A Open all ports
B Disable NAT
C Documented allow list
D No change control
Default deny blocks everything unless allowed. A documented allow list ensures only required services are opened, supports audits, and prevents accidental exposure caused by undocumented or temporary firewall rule changes.
When reviewing firewall rules, a key risk is
A Shadow IT rules
B Too many backups
C Too much RAM
D Low monitor brightness
Shadow IT rules are unofficial or unapproved changes that may open risky ports. Regular reviews, approvals, and change tracking help ensure firewall policy matches business needs without adding hidden security gaps.
For outbound control, an egress firewall rule often blocks
A Web browsing
B Screen sharing
C Unknown app traffic
D Keyboard input
Egress filtering limits what internal devices can send out. Blocking unknown or unauthorized outbound traffic helps stop malware “phone-home” behavior and reduces chances of data being sent outside secretly.
A stateful firewall can better stop spoofed packets because it
A Uses only MAC
B Tracks valid sessions
C Disables TCP
D Changes DNS zones
By tracking connection states, a stateful firewall can reject packets that do not match an established session. This blocks many forged or out-of-context packets used in scans and attacks.
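As an added example (not code from the original page), the session-tracking logic described above in a toy Python stateful filter. The packet class, the "inside" network and the packet trace are all constructed for illustration; a real firewall also tracks sequence numbers, timeouts and UDP/ICMP pseudo-state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})


class StatefulFilter:
    """Toy stateful TCP filter: a session may be opened only by a bare SYN from an inside host;
    every other packet is allowed only if it belongs to a session already in the table."""

    def __init__(self, inside_net):
        self.inside = ip_network(inside_net)
        self.sessions = set()   # (inside_ip, inside_port, remote_ip, remote_port)

    def handle(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            if key in self.sessions:
                if "RST" in p.flags:          # teardown: the 4-tuple is out of context again afterwards
                    self.sessions.discard(key)
                return "allow"
        # No matching state: only a new outbound SYN may create a session
        if ip_address(p.src) in self.inside and p.flags == frozenset({"SYN"}):
            self.sessions.add(fwd)
            return "allow"
        return "drop"                          # unsolicited, forged or out-of-context packet


def run(packets, inside_net="10.0.0.0/8"):
    """Apply the filter to a packet list in order and return the decision for each packet."""
    f = StatefulFilter(inside_net)
    return [f.handle(p) for p in packets]


# Constructed packet trace (not a real capture)
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.7", 443, frozenset({"SYN"})),          # inside opens a session   -> allow
    Packet("203.0.113.7", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),   # reply within session     -> allow
    Packet("10.0.0.5", 40000, "203.0.113.7", 443, frozenset({"ACK"})),          # handshake completes      -> allow
    Packet("198.51.100.9", 443, "10.0.0.5", 40000, frozenset({"ACK"})),         # forged ACK, no session   -> drop
    Packet("203.0.113.7", 5555, "10.0.0.5", 22, frozenset({"SYN"})),            # inbound probe of port 22 -> drop
    Packet("203.0.113.7", 443, "10.0.0.5", 40000, frozenset({"RST"})),          # session torn down        -> allow
    Packet("203.0.113.7", 443, "10.0.0.5", 40000, frozenset({"ACK"})),          # late packet, no state    -> drop
]

if __name__ == "__main__":
    for p, decision in zip(SAMPLE, run(SAMPLE)):
        print(decision, p)
```

The fourth packet is the interesting one: a stateless filter that passes anything with the ACK bit set as "established" would let the forged packet through, while the session table rejects it because no inside host ever opened that 4-tuple.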
An application proxy may reduce risk from
A HTTP command abuse
B Cable damage
C Power outage
D Disk fragmentation
Application proxies can validate HTTP methods, headers, and content. They can block unsafe requests, enforce authentication, and prevent certain web-based attacks that simple port-based filtering may miss.
A common DMZ design mistake is
A Separate subnet used
B Logging enabled
C Firewall placed at edge
D Direct LAN access allowed
DMZ servers should not have broad access to the internal LAN. If a DMZ host is compromised, direct LAN access enables lateral movement. Restrict DMZ-to-LAN traffic to only necessary services.
IDS signature detection is strongest against
A Unknown zero-days
B Power failures
C Known attack patterns
D Hardware theft
Signature-based IDS compares traffic to known patterns of attacks. It works well for recognized threats but may miss new or customized attacks, so behavioral detection and layered security are also important.
IPS tuning is important to reduce
A False positives
B Disk space
C CPU fan noise
D Cable length
Poorly tuned IPS rules can block legitimate traffic. Tuning adjusts signatures, thresholds, and exceptions to reduce false positives while still blocking real attacks, maintaining security without disrupting business operations.
Firewall “rule shadowing” means
A No rules exist
B Two rules overlap
C VPN tunnel drops
D Hash values match
Rule shadowing occurs when an earlier, broader rule matches traffic before a later, more specific rule gets a chance, so the later rule can never take effect. Because most firewalls apply the first matching rule, a misplaced broad allow silently overrides any deny below it, including the default deny. Regular rule cleanup and ordering reviews help prevent policy confusion.
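As an added example (not from the original page), a small Python checker that applies the three points above to a constructed rule base: it finds shadowed rules, allow rules with no change-control reference, and checks whether the final default deny is still reachable. The rule fields, the `ticket` field and the rule base are assumptions for illustration.

```python
from ipaddress import ip_network

# Constructed rule base (illustrative). First match wins; rule 5 is the default deny.
# `ticket` is an assumed change-control reference that every allow rule should carry.
RULES = [
    {"id": 1, "action": "allow", "proto": "tcp", "src": "10.0.0.0/8",     "dst": "10.1.1.10/32", "port": 443,   "ticket": "CHG-101"},
    {"id": 2, "action": "deny",  "proto": "tcp", "src": "10.0.5.0/24",    "dst": "10.1.1.10/32", "port": 443},
    {"id": 3, "action": "allow", "proto": "any", "src": "0.0.0.0/0",      "dst": "0.0.0.0/0",    "port": "any"},   # "temporary" troubleshooting rule, never removed
    {"id": 4, "action": "allow", "proto": "tcp", "src": "192.168.1.0/24", "dst": "10.1.1.20/32", "port": 22,    "ticket": "CHG-117"},
    {"id": 5, "action": "deny",  "proto": "any", "src": "0.0.0.0/0",      "dst": "0.0.0.0/0",    "port": "any"},
]


def _field_covers(a, b):
    """Protocol/port: 'any' covers everything, otherwise the values must be equal."""
    return a == "any" or a == b


def _net_covers(a, b):
    """Address: network b is fully contained in network a."""
    return ip_network(b).subnet_of(ip_network(a))


def covers(earlier, later):
    """True when every packet the later rule could match is already matched by the earlier rule."""
    return (_field_covers(earlier["proto"], later["proto"])
            and _field_covers(earlier["port"], later["port"])
            and _net_covers(earlier["src"], later["src"])
            and _net_covers(earlier["dst"], later["dst"]))


def find_shadowed(rules):
    """Return (shadowed_id, shadowing_id) pairs for rules that can never be reached."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later["id"], earlier["id"]))
                break
    return findings


def find_undocumented_allows(rules):
    """Allow rules with no change-control reference: not on the documented allow list."""
    return [r["id"] for r in rules if r["action"] == "allow" and not r.get("ticket")]


def default_deny_is_effective(rules):
    """The policy is only 'default deny' if the final deny rule is not itself shadowed."""
    last = rules[-1]
    shadowed_ids = {shadowed for shadowed, _ in find_shadowed(rules)}
    return last["action"] == "deny" and last["id"] not in shadowed_ids


if __name__ == "__main__":
    print("shadowed:", find_shadowed(RULES))                          # [(2, 1), (4, 3), (5, 3)]
    print("undocumented allows:", find_undocumented_allows(RULES))    # [3]
    print("default deny effective:", default_deny_is_effective(RULES))  # False
```

Rule 3 is the case to worry about: an undocumented "allow any" left above the final deny shadows the default deny itself, so the policy has quietly become default allow even though the last line still says deny.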
A secure approach for admin access is
A Expose RDP to web
B Use default password
C Use VPN + MFA
D Disable logging
Admin access should be restricted to trusted paths. Using a VPN limits exposure, and MFA reduces account takeover risk. Logging and least privilege further protect remote administration services.
The main purpose of key exchange in TLS is
A Establish shared secret
B Choose screen size
C Remove certificates
D Speed up DNS
TLS uses key exchange to create a shared session key securely over an insecure network; modern TLS uses ephemeral (elliptic-curve) Diffie-Hellman so that every session gets a fresh key. After this, fast symmetric encryption protects the session, while certificates and signatures authenticate the server.
If a private key is leaked, attackers can
A Increase bandwidth
B Repair disk errors
C Disable VLANs
D Impersonate owner
A leaked private key lets attackers impersonate its owner: sign as them, or stand up a server that presents the genuine certificate. Whether recorded traffic can also be decrypted depends on the key exchange: with RSA key transport past sessions are exposed, with ephemeral Diffie-Hellman (forward secrecy) they are not. Either way the key must be revoked and replaced.
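As an added example covering both the key-exchange question and the leaked-key question above (not code from the original page), a toy Diffie-Hellman exchange in Python that shows why "in some cases" is the right answer. The group parameters are a deliberately tiny, insecure toy (a 127-bit prime), the signature over the ephemeral value is omitted because it does not enter the secret, and the "attacker" function simulates someone who obtains the server's long-term key after the sessions were recorded.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only. A 127-bit prime is far too small for real use;
# real TLS uses the RFC 7919 finite-field groups or elliptic curves such as X25519.
P = 2 ** 127 - 1
G = 5


def keypair():
    """Random private exponent and the matching public value g^priv mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(my_priv, their_pub):
    """DH value raised to the hash: what both sides derive the session key from."""
    z = pow(their_pub, my_priv, P)
    return hashlib.sha256(z.to_bytes(16, "big")).hexdigest()


def static_dh_session(server_static_priv, server_static_pub):
    """Server reuses one long-term key for every session: no forward secrecy."""
    client_priv, client_pub = keypair()
    key_client = shared_secret(client_priv, server_static_pub)
    key_server = shared_secret(server_static_priv, client_pub)
    assert key_client == key_server
    transcript = {"client_pub": client_pub, "server_pub": server_static_pub}   # what a network observer records
    return key_client, transcript


def ephemeral_dh_session(server_static_priv, server_static_pub):
    """Server uses a fresh exponent per session (forward secrecy). In TLS the long-term key
    would only sign server_eph_pub; the signature is omitted here since it does not enter the secret."""
    client_priv, client_pub = keypair()
    server_eph_priv, server_eph_pub = keypair()
    key_client = shared_secret(client_priv, server_eph_pub)
    key_server = shared_secret(server_eph_priv, client_pub)
    assert key_client == key_server
    transcript = {"client_pub": client_pub, "server_pub": server_eph_pub}
    return key_client, transcript


def attacker_with_leaked_static_key(leaked_priv, transcript):
    """Attacker who later obtains the server's long-term private key tries to recover a recorded session key."""
    return shared_secret(leaked_priv, transcript["client_pub"])


def demo():
    srv_priv, srv_pub = keypair()
    k_static, t_static = static_dh_session(srv_priv, srv_pub)
    k_eph, t_eph = ephemeral_dh_session(srv_priv, srv_pub)
    return {
        "static_recovered": attacker_with_leaked_static_key(srv_priv, t_static) == k_static,   # True
        "ephemeral_recovered": attacker_with_leaked_static_key(srv_priv, t_eph) == k_eph,      # False
    }


if __name__ == "__main__":
    print(demo())
```

The leaked key recovers the static session but not the ephemeral one, because the ephemeral exponent was never stored anywhere the attacker could take it from. Impersonation is not prevented by either design: with the long-term key the attacker can sign new ephemeral values and pose as the server until the certificate is revoked.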
A certificate “CN mismatch” means
A Weak password used
B Low disk space
C Wrong domain name
D VPN is offline
CN/SAN mismatch occurs when none of the names in the certificate match the host the client connected to. Modern browsers check the Subject Alternative Name (SAN) list and ignore the Common Name whenever SANs are present. The browser warns because the server identity cannot be trusted, increasing the risk of spoofing or interception.
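As an added example (not from the original page), the hostname check a client performs, written out in Python. The certificate is modelled as a constructed dict with `cn` and `san` fields; the matching rules follow RFC 6125 as browsers apply them (exact match, or a wildcard that stands for exactly one left-most label, SANs preferred over CN).

```python
def _name_matches(pattern, host):
    """RFC 6125-style comparison: exact match, or a wildcard replacing exactly the left-most
    label (the only wildcard form browsers accept). Comparison is case-insensitive."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        # '*' stands for one whole label, never zero or several, and must sit under at least two labels
        # (so "*.com" is rejected). It also never matches the bare parent domain.
        return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
                and p_labels[1:] == h_labels[1:])
    return False


def check_hostname(cert, hostname):
    """cert is a constructed dict {"cn": str, "san": [dns names]}.
    Returns (ok, reason). When SANs are present the CN is ignored, as modern clients do."""
    candidates = cert.get("san") or ([cert["cn"]] if cert.get("cn") else [])
    for name in candidates:
        if _name_matches(name, hostname):
            return True, "matched %s" % name
    return False, "hostname %s not covered by %s" % (hostname, candidates)


# Constructed certificates (illustrative)
SHOP_CERT = {"cn": "example.com", "san": ["example.com", "www.example.com"]}
WILDCARD_CERT = {"san": ["*.example.com"]}
CN_ONLY_LEGACY = {"cn": "legacy.example"}
SAN_IGNORES_CN = {"cn": "login.example", "san": ["www.shop.example"]}   # CN would match, SAN does not

if __name__ == "__main__":
    for cert, host in [(SHOP_CERT, "www.example.com"), (SHOP_CERT, "api.example.com"),
                       (WILDCARD_CERT, "api.example.com"), (WILDCARD_CERT, "example.com"),
                       (WILDCARD_CERT, "a.b.example.com"), (SAN_IGNORES_CN, "login.example")]:
        print(host, check_hostname(cert, host))
```

The last constructed certificate is the trap behind the question: a CN that matches is not enough once a SAN extension exists, so a certificate reissued with the wrong SAN list produces a mismatch warning even though the CN looks right.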
Hashing differs from encryption because hashing is
A Two-way process
B One-way process
C Always uses keys
D Used only in VPN
Hashing creates a fixed-length digest and is designed to be one-way. Encryption is reversible with a key. Hashing is used for integrity checks and password storage, not for confidentiality.
A strong password hash storage should include
A Unique salt value
B Plaintext copy
C Shared admin key
D Open database access
Salting adds random data to each password before hashing, so identical passwords produce different hashes and precomputed rainbow tables become useless. Combined with a deliberately slow, memory-hard function such as Argon2, scrypt or bcrypt (or PBKDF2 with a high iteration count), it makes offline guessing far more expensive.
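As an added example (not from the original page), salted slow hashing with the Python standard library's `hashlib.scrypt`, stored in a self-describing format so the parameters can be raised later without breaking verification. The work factors and the storage format are assumptions for illustration; an unsalted SHA-256 is included only as the contrast the question is about.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors: n is the CPU/memory cost (2**14 with r=8 uses about 16 MiB), r block size, p parallelism.
# Illustrative values; tune them so one verification takes a noticeable fraction of a second on your hardware.
N, R, P = 2 ** 14, 8, 1
DKLEN = 32


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.b64decode(text.encode("ascii"))


def hash_password(password, salt=None):
    """Return 'scrypt$n$r$p$salt$digest': everything needed to verify later is in the string."""
    salt = salt if salt is not None else os.urandom(16)   # unique random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (N, R, P, _b64(salt), _b64(digest))


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format: %s" % algo)
    salt, expected = _unb64(salt_b64), _unb64(digest_b64)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def unsalted_sha256(password):
    """What NOT to do: every user with this password gets the same digest, and a single
    precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    print("same password, different stored hashes:", alice != bob)
    print("alice verifies:", verify_password("correct horse", alice))
    print("wrong password:", verify_password("Correct horse", alice))
    print("unsalted collide:", unsalted_sha256("correct horse") == unsalted_sha256("correct horse"))
```

Storing the parameters with the hash is what lets you migrate: when hardware gets faster you raise N for new passwords and re-hash old ones at the user's next successful login, while `verify_password` keeps working for both generations.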
Digital signatures help prevent
A Power surge
B Cable theft
C Data tampering
D Screen glare
A valid signature confirms content has not changed after signing, because any modification breaks verification. It also confirms the signer identity when verified with the signer’s public key.
VPN split tunneling is sometimes enabled to
A Save bandwidth
B Remove encryption
C Stop patching
D Reduce latency
Split tunneling can improve performance by sending non-sensitive traffic directly to the internet while only corporate traffic goes through the VPN, which cuts both the bandwidth load on the VPN gateway and the latency of the direct traffic. However, it increases risk if sensitive traffic leaks outside the tunnel, and the device is reachable from the local network and the corporate network at the same time.
A VPN tunnel protects against
A Wi-Fi eavesdropping
B Local disk crash
C Monitor failure
D Printer jam
On public Wi-Fi, attackers may sniff traffic. VPN encryption protects data from the device to the VPN server, reducing the chance of interception of logins, emails, and browsing metadata on the untrusted network (the VPN operator itself can still see that metadata).
VPN protocols mainly differ in
A Screen resolution
B Keyboard layout
C Security and speed
D File name length
Different VPN protocols vary in encryption strength, handshake method, overhead, and network compatibility. The choice affects performance, reliability, and security, so organizations select based on use-case needs.
A VPN does NOT automatically protect
A Traffic inside tunnel
B Malware on device
C Data to VPN server
D IP masking
A VPN encrypts network traffic but does not clean infections. If malware is already on the device, it can still steal data or credentials. Endpoint protection and patching remain essential.
SIEM alert triage usually starts with
A Deleting all logs
B Disabling firewall
C Checking severity context
D Sharing private keys
Triage reviews alert source, affected systems, time, and indicators to judge urgency. This helps separate false positives from real threats and guides next steps like containment and deeper investigation.
Log integrity is improved by
A Central log server
B Editable log files
C No timestamps stored
D Public log sharing
Sending logs to a central server reduces tampering risk on local machines, because an attacker who compromises a host cannot quietly edit history that has already been shipped. With access controls, time sync, and append-only or hash-chained storage, centralized logging helps maintain integrity, supports correlation, and improves incident investigations.
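As an added example (not from the original page), a hash-chained log in Python of the kind a central collector can keep: every entry's tag binds it to all entries before it under a key only the log server holds. The events, the key and the tampering scenarios are constructed for illustration, including the one case a chain alone cannot catch.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous tag" value for the first entry


def append_entry(chain, key, record):
    """Append a record; its tag is an HMAC over the previous tag plus the canonical record."""
    prev = chain[-1]["tag"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, (prev + body).encode("utf-8"), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "body": body, "tag": tag})
    return tag


def verify_chain(chain, key, expected_head=None):
    """Recompute every tag. Returns (True, None) or (False, index of the first bad entry).
    expected_head is the last tag as recorded out of band (e.g. printed to a second system);
    without it, cutting entries off the END of the chain is undetectable."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        tag = hmac.new(key, (prev + entry["body"]).encode("utf-8"), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(tag, entry["tag"]):
            return False, i
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


# Constructed sample events (not real logs)
EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "host": "srv1", "event": "ssh_login", "user": "alice", "result": "ok"},
    {"ts": "2024-05-01T10:02:13Z", "host": "srv1", "event": "sudo", "user": "alice", "cmd": "/bin/bash"},
    {"ts": "2024-05-01T10:05:40Z", "host": "srv1", "event": "ssh_login", "user": "bob", "result": "fail"},
]


def build_chain(key, events):
    chain = []
    for e in events:
        append_entry(chain, key, e)
    return chain


def demo():
    key = b"demo-secret-held-only-by-the-log-server"   # assumed secret; never present on the log sources
    chain = build_chain(key, EVENTS)
    head = chain[-1]["tag"]                               # published out of band after each batch
    tampered = [dict(e) for e in chain]
    tampered[1]["body"] = tampered[1]["body"].replace("/bin/bash", "/bin/true")   # attacker rewrites one line
    deleted = chain[:1] + chain[2:]                                              # attacker removes the sudo line
    truncated = chain[:2]                                                        # attacker drops the tail
    return {
        "intact": verify_chain(chain, key, head),                 # (True, None)
        "tampered": verify_chain(tampered, key, head),            # (False, 1)
        "deleted": verify_chain(deleted, key, head),              # (False, 1)
        "truncated_no_head": verify_chain(truncated, key),        # (True, None)  <- chain alone misses this
        "truncated_with_head": verify_chain(truncated, key, head) # (False, 2)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The truncation case is why collectors forward a periodic "head" tag (or a signed checkpoint) somewhere the log server's own administrators cannot alter; the chain proves nothing about entries that were never written.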
A packet sniffer on a switched network often needs
A More RAM only
B Printer driver
C SPAN port access
D Screen capture tool
Switches send traffic only to the correct port, so sniffers may not see all packets. SPAN/mirror ports or network taps provide a copy of traffic for monitoring and analysis.
Vulnerability scanning can miss issues if
A Systems are patched
B Credentials unavailable
C Logs are enabled
D VPN is used
Without credentials, scanners may not fully check internal settings, patch levels, and configuration weaknesses. Credentialed scans provide deeper visibility, improving accuracy of findings for patching and hardening.
Patch management should prioritize
A Critical security fixes
B Low-risk updates
C Wallpaper updates
D Audio driver skins
Critical vulnerabilities are more likely to be exploited, especially if public exploit code exists. Prioritizing them reduces exposure fastest, while scheduling lower-risk updates later keeps systems stable.
Strong access control in networks often uses
A Same password for all
B Open guest accounts
C No account logs
D Role-based access
Role-based access assigns permissions based on job roles, limiting users to what they need. This reduces misuse and damage from compromised accounts, and simplifies permission management across many systems.
MFA is most effective against
A Hardware failure
B Printer issues
C Password theft
D Screen freeze
If attackers steal or guess a password, MFA still requires a second factor, blocking many account takeovers. One-time codes and push prompts can still be phished or worn down by repeated prompts, so phishing-resistant factors such as FIDO2 security keys are preferred for high-value accounts. MFA is especially important for VPN, email, admin panels, and remote desktop logins.
Auditing is essential for
A Proving compliance
B Increasing bandwidth
C Reducing backup size
D Removing viruses
Auditing provides records showing security controls were used, access was appropriate, and incidents were handled. It supports compliance requirements and helps detect policy violations through regular review.
A full backup + differential strategy restores using
A Only incrementals
B Full + latest differential
C Only full backup
D Latest differential only
Differential backups store all changes since the full backup. Restoration typically needs the last full backup and the most recent differential, making recovery simpler than long incremental chains.
Incremental backups can complicate restore because
A Need only one file
B Always unencrypted
C Many sets required
D Never verify
To restore from incremental backups, you often need the full backup plus each incremental in order. If one incremental is missing or corrupted, recovery may fail, so verification and retention matter.
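As an added example serving both backup questions above (not from the original page), a Python resolver that works out which backup sets a restore needs and refuses when the chain is broken. It implements the general rule of which the two questions are instances (latest full, then the latest differential if any, then every incremental after that point, in order), so it also handles a mixed schedule. The schedules and the `ok` verification flag are constructed for illustration.

```python
FULL, DIFF, INCR = "full", "diff", "incr"


def restore_plan(backups, target_day):
    """Return the backup days, in the order they must be applied, to recover state as of target_day.
    Raises ValueError when a needed set is missing or failed verification."""
    usable = sorted((b for b in backups if b["day"] <= target_day), key=lambda b: b["day"])
    fulls = [b for b in usable if b["type"] == FULL]
    if not fulls:
        raise ValueError("no full backup on or before day %d" % target_day)
    plan = [fulls[-1]]                                   # the most recent full
    diffs = [b for b in usable if b["type"] == DIFF and b["day"] > plan[-1]["day"]]
    if diffs:
        plan.append(diffs[-1])                           # only the most recent differential is needed
    plan += [b for b in usable if b["type"] == INCR and b["day"] > plan[-1]["day"]]   # every incremental since
    for b in plan:
        if not b["ok"]:                                  # one bad set anywhere in the plan breaks the restore
            raise ValueError("backup of day %d (%s) is unusable; chain broken" % (b["day"], b["type"]))
    return [b["day"] for b in plan]


def chain_is_restorable(backups, target_day):
    try:
        restore_plan(backups, target_day)
        return True
    except ValueError:
        return False


def mk(days, types, bad=()):
    """Build a constructed schedule; `bad` lists days whose set failed verification."""
    return [{"day": d, "type": t, "ok": d not in bad} for d, t in zip(days, types)]


# Constructed schedules: full on day 1, then differentials or incrementals on days 2-4.
DIFF_CHAIN = mk([1, 2, 3, 4], [FULL, DIFF, DIFF, DIFF])
INCR_CHAIN = mk([1, 2, 3, 4], [FULL, INCR, INCR, INCR])
DIFF_CHAIN_DAY3_BAD = mk([1, 2, 3, 4], [FULL, DIFF, DIFF, DIFF], bad={3})
INCR_CHAIN_DAY3_BAD = mk([1, 2, 3, 4], [FULL, INCR, INCR, INCR], bad={3})
MIXED_CHAIN = mk([1, 2, 3, 4, 5], [FULL, INCR, DIFF, INCR, INCR])

if __name__ == "__main__":
    print("differential, day 4:", restore_plan(DIFF_CHAIN, 4))             # [1, 4]
    print("incremental, day 4: ", restore_plan(INCR_CHAIN, 4))             # [1, 2, 3, 4]
    print("diff with bad day 3:", restore_plan(DIFF_CHAIN_DAY3_BAD, 4))    # [1, 4]  (day 3 not needed)
    print("incr with bad day 3:", chain_is_restorable(INCR_CHAIN_DAY3_BAD, 4))   # False
    print("mixed, day 5:       ", restore_plan(MIXED_CHAIN, 5))            # [1, 3, 4, 5]
```

The two "bad day 3" schedules are the contrast behind both questions: a corrupted differential that is not the latest one is simply skipped, while a corrupted incremental anywhere after the full makes every later day unrecoverable.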
Backup “retention” must balance
A Screen brightness
B Keyboard speed
C Router range
D Storage cost
Keeping more backup versions improves recovery options but costs more storage. Retention policies balance cost, compliance needs, and recovery goals like restoring older files after delayed discovery of deletion or ransomware.
Backup scheduling should align with
A RPO target
B Wallpaper updates
C USB color
D Mouse pad size
RPO defines acceptable data loss time. If RPO is 4 hours, backups or replication must happen often enough to meet that. Scheduling based on RPO ensures recovery matches business needs.
Disaster recovery testing is important to confirm
A Faster internet
B Plan actually works
C More RAM installed
D DNS is disabled
DR testing validates that backups restore correctly, steps are clear, and teams can meet RTO/RPO. Without testing, hidden issues like missing credentials or broken backups may appear during real disasters.
Data loss prevention is focused on
A Faster file copying
B More disk partitions
C Stopping data exfiltration
D Printing security labels
DLP prevents sensitive data from leaving approved channels. It can monitor emails, uploads, and USB transfers, block risky actions, and enforce encryption or policy controls to reduce data leakage.
Network segmentation is strongest when combined with
A Access control lists
B Flat network design
C Shared admin passwords
D Disabled firewall logs
Segmentation alone is not enough if routing allows broad access. ACLs and firewall rules enforce who can talk across segments, preventing unauthorized movement from user networks to critical server zones.
VLAN security is improved by
A Using default VLAN
B Open trunk everywhere
C Disabling unused ports
D No change tracking
Unused switch ports should be disabled or placed in a restricted VLAN to prevent rogue device connections. This reduces unauthorized access and supports better control of physical network entry points.
Secure DNS helps reduce risk of
A Monitor flicker
B USB malware only
C RAM overheating
D DNS cache poisoning
Secure DNS measures like DNSSEC validation and controlled resolvers reduce the chance of forged DNS responses. This helps prevent users being redirected to malicious sites due to poisoned or spoofed DNS records.
HTTPS enforcement mainly reduces
A Unencrypted login risk
B Printer queue errors
C Battery drain
D Screen burn-in
Enforcing HTTPS (with HSTS so browsers refuse to fall back to plain HTTP) ensures credentials and session cookies are encrypted in transit. This reduces interception on shared networks and prevents attackers from stealing logins through simple network sniffing or a downgrade to HTTP.
Endpoint security should include
A Default admin login
B Disabled antivirus
C Regular patching
D Open USB policy
Many endpoint attacks exploit unpatched browsers, OS, and apps. Regular patching closes known holes, while antivirus/EDR, firewall, and safe browsing policies provide layered defense against phishing and malware.
Device encryption keys should be protected using
A Plain text notes
B Secure key storage
C Public web post
D Shared group chat
If encryption keys are exposed, encryption becomes useless. Keys should be stored securely, access controlled, and backed up safely for recovery. Organizations often use key management systems or TPM-based storage.
Secure remote desktop exposure should be limited by
A Internet port forwarding
B Default username
C VPN-only access
D No account lockout
Keeping remote desktop behind a VPN removes it from public scanning and brute-force attempts. Adding MFA, strong passwords, lockout rules, and logging further reduces remote access compromise risks.
A good security policy should include
A Incident reporting steps
B Game installation rules
C Screen saver timing
D Folder color guide
Policies should tell users how to report suspicious emails, malware signs, or data loss quickly. Clear reporting steps speed response, reduce damage, and ensure incidents are handled consistently.
Incident response “containment” example is
A Buying new switches
B Ignoring alerts
C Deleting audit logs
D Isolating infected PC
Containment limits spread and damage by isolating affected systems, blocking malicious IPs, or disabling compromised accounts. Quick containment prevents ransomware or malware from moving to other devices and servers.
Incident response “recovery” includes
A Sharing admin password
B Disabling patches
C Restoring from backups
D Opening all ports
Recovery returns systems to normal safely. It often includes restoring clean data, patching exploited weaknesses, re-enabling services carefully, and monitoring for reinfection to ensure the environment remains stable.
Incident response “post-incident” output is
A New keyboard purchase
B Lessons learned report
C DNS cache clear only
D Disable SIEM alerts
Post-incident review documents timeline, root cause, what worked, and what failed. It leads to improved controls, training, and monitoring so similar incidents are less likely and response is faster.
Best way to reduce firewall misconfiguration is
A Change control process
B No rule reviews
C Share admin accounts
D Disable policy docs
Change control ensures firewall modifications are approved, documented, tested, and reviewed. This prevents accidental exposure, supports audits, and helps quickly roll back risky changes when issues are detected.
A common egress monitoring indicator is
A Normal DNS queries
B Stable backup size
C Unusual outbound spikes
D Clean audit reports
Large unexpected outbound traffic may indicate data exfiltration or malware. Monitoring egress logs and SIEM alerts helps detect abnormal patterns early, allowing investigation before major data loss happens.
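As an added example covering the egress-filtering and egress-monitoring questions (not from the original page), detection logic in Python run over constructed per-host hourly outbound totals, the kind of summary a flow collector or SIEM produces. It flags hours whose volume is far above that host's own median and lists destinations not seen during the baseline window. The thresholds and the flow records are assumptions for illustration.

```python
from collections import defaultdict
from statistics import median


def build_sample_flows():
    """Constructed hourly per-host outbound totals (not real data): (host, hour, destination, bytes).
    Two hosts with flat baselines of ~2 MB/h and 5 MB/h; in hour 24 the first host pushes 800 MB
    to a destination it has never contacted before."""
    flows = []
    for h in range(24):
        flows.append(("10.0.1.10", h, "203.0.113.5", 2_000_000 + h * 1000))
        flows.append(("10.0.1.11", h, "203.0.113.5", 5_000_000))
    flows.append(("10.0.1.10", 24, "198.51.100.77", 800_000_000))
    flows.append(("10.0.1.11", 24, "203.0.113.5", 5_000_000))
    return flows


def detect_egress_spikes(flows, factor=10, floor_bytes=50_000_000, min_history=6):
    """Return (host, hour, bytes, baseline) where an hour's outbound volume exceeds both an absolute floor
    and `factor` times the host's median over its other hours. The per-host median keeps a busy file
    server from alerting constantly; the floor keeps tiny hosts from alerting on noise."""
    per_host = defaultdict(dict)
    for host, hour, _dst, nbytes in flows:
        per_host[host][hour] = per_host[host].get(hour, 0) + nbytes
    findings = []
    for host, hours in per_host.items():
        for hour, nbytes in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            if len(others) < min_history:          # not enough history to judge this host yet
                continue
            baseline = median(others)
            if nbytes >= floor_bytes and nbytes > factor * baseline:
                findings.append((host, hour, nbytes, baseline))
    return findings


def new_destinations(flows, baseline_hours):
    """Destinations first contacted outside the baseline window: a second exfiltration indicator
    that also catches low-and-slow transfers the volume check would miss."""
    seen = {dst for _host, hour, dst, _b in flows if hour in baseline_hours}
    return sorted({(host, hour, dst) for host, hour, dst, _b in flows
                   if hour not in baseline_hours and dst not in seen})


if __name__ == "__main__":
    flows = build_sample_flows()
    print("spikes:", detect_egress_spikes(flows))                       # [('10.0.1.10', 24, 800000000, 2011500.0)]
    print("new destinations:", new_destinations(flows, set(range(24))))  # [('10.0.1.10', 24, '198.51.100.77')]
```

Both indicators fire on the same hour here, which is the easy case; in practice the new-destination check is worth keeping because an attacker who throttles the transfer below `factor` times the baseline stays invisible to the volume check alone.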
VPN can fail to protect privacy if
A HTTPS is used
B MFA is enabled
C Logs are reviewed
D DNS leaks occur
If DNS queries bypass the VPN tunnel, observers can still see domains being accessed. Proper VPN configuration and secure DNS settings reduce leaks and improve privacy and security on untrusted networks.
Backup “air gap” concept means
A Faster cloud sync
B Stored offline copy
C Shared network folder
D Same disk partition
An air-gapped backup is kept offline or isolated from the network, making it harder for ransomware to encrypt it. This improves recovery reliability when online backups are targeted.
A strong backup practice for ransomware is
A Immutable backup storage
B Only cloud sync
C Disable backup logs
D Use one copy only
Immutable backups cannot be changed or deleted for a set period. This protects backup data from ransomware and insider threats, ensuring a clean recovery point remains available when production files are encrypted.