Chapter 13: Network Security and Protective Technologies (Set-10)
A stateful firewall is most vulnerable to resource exhaustion during
A DNS cache refresh
B VLAN tagging error
C SYN flood attack
D HTTPS certificate check
SYN floods create many half-open TCP sessions. A stateful device allocates a state-table entry for each half-open connection, so a flood of spoofed SYNs fills the table or exhausts its memory. Legitimate connections then fail unless protections such as rate limits and SYN cookies are in place.
“State table timeout” tuning helps reduce risk from
A Stale session entries
B Printer driver conflicts
C Screen resolution change
D Disk defragmentation
If timeouts are too long, inactive sessions remain in the state table and consume resources. Proper timeout tuning frees entries faster, reducing table exhaustion and improving stability under heavy traffic.
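The two explanations above (half-open entries exhausting a state table, and the timeout that reaps them) can be seen together in one small model. This is an added example, not code from the original quiz: the table capacity, flood rate, addresses and the cookie secret are constructed for illustration. The second half shows the stateless alternative mentioned above, SYN cookies, which encode a MAC into the initial sequence number instead of storing anything for a bare SYN (real implementations also encode the MSS; that is omitted here).

```python
import hashlib
import hmac
import secrets

# Constructed parameters: a toy firewall that can track at most 1,000 half-open
# TCP connections. Real tables are larger, but the failure mode is the same.
TABLE_CAPACITY = 1000


class StateTable:
    """Minimal stateful-firewall table holding half-open (SYN-seen) entries."""

    def __init__(self, capacity, half_open_timeout):
        self.capacity = capacity
        self.timeout = half_open_timeout      # the tuning knob discussed above
        self.entries = {}                     # (src_ip, src_port) -> SYN arrival time

    def expire(self, now):
        """Reap half-open entries older than the timeout."""
        for key in [k for k, t0 in self.entries.items() if now - t0 > self.timeout]:
            del self.entries[key]

    def on_syn(self, src, now):
        """Try to allocate an entry for a new SYN; False means the table is full."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            return False                      # exhausted: this SYN is dropped
        self.entries[src] = now
        return True


def flood_then_legit(timeout, flood_size=5000, rate_per_sec=1000):
    """Replay a spoofed SYN flood (handshakes never complete) and then ask
    whether one legitimate client can still get a table entry."""
    table = StateTable(TABLE_CAPACITY, timeout)
    now = 0.0
    for i in range(flood_size):
        spoofed = (f"198.51.100.{i % 250}", 1024 + i)   # constructed spoofed source
        table.on_syn(spoofed, now)
        now += 1.0 / rate_per_sec
    return table.on_syn(("203.0.113.7", 40000), now)   # constructed legitimate client


# SYN cookies: keep no state at all for a bare SYN. Encode a MAC over the
# connection 4-tuple and a coarse time counter into the server's initial
# sequence number, and only allocate state when a valid ACK comes back.
COOKIE_SECRET = secrets.token_bytes(32)   # per-boot secret (constructed here)


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, minute):
    """32-bit ISN: top 8 bits = time counter, low 24 bits = truncated MAC."""
    minute &= 0xFF
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}:{client_isn}:{minute}".encode()
    tag = int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (minute << 24) | tag


def validate_ack(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now_minute):
    """The client's ACK must equal our ISN + 1. Recompute the cookie from the
    packet itself and accept only if the MAC matches and the counter is fresh."""
    isn = (ack - 1) & 0xFFFFFFFF
    minute = isn >> 24
    if (now_minute - minute) & 0xFF > 1:
        return False                          # stale cookie (or a replay)
    expected = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, minute)
    return hmac.compare_digest(isn.to_bytes(4, "big"), expected.to_bytes(4, "big"))
```

With a 30-second half-open timeout the 5,000-packet flood fills the 1,000-entry table and the legitimate SYN is dropped; with a 0.5-second timeout the reaper keeps at most about 500 entries live and the legitimate client gets in. The cookie path never touches the table until the third packet of the handshake arrives.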
A packet-filter firewall cannot reliably stop attacks hidden inside
A Unused closed port
B Allowed HTTPS port
C Blocked ICMP traffic
D Private VLAN only
Packet filters mainly check headers and ports. If malicious content travels over allowed ports like 443, it may pass. Detecting such threats needs deeper inspection, IDS/IPS, or endpoint controls.
TLS inspection at a proxy can reduce privacy because it
A Blocks all websites
B Removes certificates
C Changes router MAC
D Decrypts user traffic
TLS inspection requires decrypting and re-encrypting traffic at the proxy. This enables threat detection but allows the proxy to view content, so strict controls, policies, and secure certificate handling are essential.
A common DMZ risk is a server with two interfaces that
A Bridges LAN access
B Improves redundancy
C Speeds backups
D Shrinks log size
Dual-homed DMZ servers can unintentionally provide a path into the LAN. If compromised, attackers may pivot internally. Best practice is strict separation with minimal allowed flows and no bridging.
IDS may miss malware when traffic is
A Plain text FTP
B Unencrypted HTTP
C End-to-end encrypted
D Using fixed ports
Encrypted traffic hides payload from network IDS sensors. IDS can still use metadata, but content signatures cannot be checked. Endpoint monitoring, decryption, or behavioral analytics improve visibility.
IPS inline deployment risk is highest when it becomes
A Single failure point
B Extra storage system
C DNS resolver role
D Backup retention tool
Inline IPS sits in the traffic path. If it fails, overloads, or misbehaves, connectivity can be affected. High availability pairs and bypass designs reduce downtime risk.
Certificate revocation checks help when a certificate is
A Newly issued today
B Larger key length
C Stored in browser
D Compromised or stolen
If a private key is compromised, the certificate should be revoked to stop trust before expiry. Revocation checks (CRL/OCSP) help clients reject certificates that should no longer be trusted.
Perfect Forward Secrecy matters because past sessions stay safe if
A DNS server is down
B Router reboots daily
C Server key leaks later
D Backups are full
With PFS, each session uses unique ephemeral keys. Even if the server’s long-term private key is stolen later, attackers cannot decrypt previously captured traffic, protecting historical confidentiality.
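The difference between a long-term key that is the session secret and one that only authenticates an ephemeral exchange is easiest to see with a recorded transcript. This is an added example, not code from the original quiz: the Diffie-Hellman group is a constructed toy (far too small for real use), the stream cipher is a toy, and the server "signature" is modelled as an HMAC keyed by the long-term private key. The attacker records the transcript today and obtains the server's long-term key later.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for illustration, not for real use).
P = 2**127 - 1
G = 5


def keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def session_key(shared_secret):
    return hashlib.sha256(str(shared_secret).encode()).digest()


def xor_stream(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks. Symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def static_dh_session(server_pub, plaintext):
    """No PFS: the client agrees a key with the server's long-term DH public
    key. Returns exactly what a passive sniffer records."""
    c, client_pub = keypair()
    key = session_key(pow(server_pub, c, P))
    return {"client_pub": client_pub, "ct": xor_stream(key, plaintext)}


def ephemeral_dh_session(server_priv, plaintext):
    """PFS: a fresh server DH key per session, authenticated by the long-term
    key (HMAC stands in for a signature). Both ephemeral privates are discarded."""
    e, server_eph_pub = keypair()
    sig = hmac.new(str(server_priv).encode(), str(server_eph_pub).encode(),
                   hashlib.sha256).hexdigest()
    c, client_pub = keypair()
    key = session_key(pow(server_eph_pub, c, P))
    del e, c                                   # nothing long-lived can recreate `key`
    return {"client_pub": client_pub, "server_eph_pub": server_eph_pub,
            "sig": sig, "ct": xor_stream(key, plaintext)}


def later_compromise(transcript, leaked_server_priv):
    """Attacker who recorded `transcript` and later steals the server's long-term
    private key. For static DH this computes the real session key. For the
    ephemeral session the long-term key never entered the key agreement, so the
    same computation (the attacker's only option) yields garbage."""
    key = session_key(pow(transcript["client_pub"], leaked_server_priv, P))
    return xor_stream(key, transcript["ct"])
```

Note what the leaked key still allows in the PFS case: forging the HMAC over a future ephemeral public key, that is, impersonating the server from now on. PFS protects the past, not the future, which is why a leaked key must still be revoked and rotated.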
Hash collision resistance is crucial because collisions can enable
A Forged signed content
B Faster encryption speed
C Stronger Wi-Fi signal
D Smaller backup files
If an attacker can create two different documents with the same hash, a signature on one can appear valid for the other. Collision-resistant hashes reduce this tampering risk.
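A collision is only abstract until a signature is involved, so the following added example (not from the original quiz) shows the forgery end to end. The hash is made deliberately weak by truncating SHA-256 to 32 bits, which brings the birthday bound down to roughly 2^16 work; the signature scheme is a stand-in MAC over the digest, which is the property that matters since real schemes also sign a digest. The document texts and key are constructed. Full-length SHA-256 is not attackable this way, but the same trick was practical against MD5 and, since 2017, SHA-1.

```python
import hashlib
import hmac
import os

TRUNC_BYTES = 4   # constructed weakness: only 32 bits of SHA-256 are used


def weak_digest(data):
    """Deliberately weak hash: a collision costs about 2^16 work (birthday bound)."""
    return hashlib.sha256(data).digest()[:TRUNC_BYTES]


def sign(key, data):
    """Stand-in signature: a MAC over the digest. Real signature schemes also
    sign a digest of the message, which is exactly why collisions matter."""
    return hmac.new(key, weak_digest(data), hashlib.sha256).digest()


def verify(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)


def find_collision(benign_prefix, malicious_prefix):
    """Birthday search: append a counter to both documents until some benign
    variant and some malicious variant share the weak digest."""
    benign_seen, malicious_seen = {}, {}
    i = 0
    while True:
        suffix = f" (rev {i})".encode()        # harmless-looking padding
        benign = benign_prefix + suffix
        malicious = malicious_prefix + suffix
        db, dm = weak_digest(benign), weak_digest(malicious)
        if db in malicious_seen:
            return benign, malicious_seen[db]
        benign_seen[db] = benign
        if dm in benign_seen:
            return benign_seen[dm], malicious
        malicious_seen[dm] = malicious
        i += 1


def forgery_demo():
    """The victim signs the benign contract; the signature verifies on the
    malicious one because both hash to the same weak digest."""
    signing_key = os.urandom(32)
    benign, malicious = find_collision(b"Transfer 10 USD to Alice",
                                       b"Transfer 10000 USD to Mallory")
    sig = sign(signing_key, benign)
    return {
        "different_documents": benign != malicious,
        "same_weak_digest": weak_digest(benign) == weak_digest(malicious),
        "forged_signature_verifies": verify(signing_key, malicious, sig),
        "full_sha256_still_differs": hashlib.sha256(benign).digest()
                                     != hashlib.sha256(malicious).digest(),
    }
```

The search finishes in well under a second because it only needs about 65,000 candidates per side. Doubling the truncation to 64 bits would already push that to around 4 billion, which is the whole argument for long, collision-resistant digests.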
Password hashing is still unsafe if you store
A Strong passwords
B Unsalted hashes
C Login attempts logs
D HTTPS certificates
Without salts, identical passwords produce identical hashes, so one precomputed table (a rainbow table) cracks every account that uses a common password at once. Proper practice uses a unique salt per user and a deliberately slow hash (Argon2id, scrypt, bcrypt or PBKDF2) so that every guess must be recomputed per user and is expensive.
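The cost asymmetry is easy to measure directly. The following is an added example, not from the original quiz: a constructed three-user database (two users share a password), a constructed four-word attacker wordlist, and the standard library's PBKDF2-HMAC-SHA256 standing in for a slow KDF. The point to watch is the number of hash computations the attacker needs in each case.

```python
import hashlib
import hmac
import os

# Constructed user database: alice and bob happen to share a password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "correct horse battery staple"}
# Constructed attacker wordlist.
WORDLIST = ["password", "123456", "Summer2024!", "letmein"]
ITERATIONS = 100_000


def unsalted_hash(password):
    """Fast, unsalted: same password -> same hash for every user and every site."""
    return hashlib.sha256(password.encode()).digest()


def salted_hash(password, salt):
    """Unique salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the standard library;
    Argon2id, scrypt or bcrypt are the usual production choices)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_unsalted(users):
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users):
    stored = {}
    for user, password in users.items():
        salt = os.urandom(16)                  # per-user, stored next to the hash
        stored[user] = (salt, salted_hash(password, salt))
    return stored


def crack_unsalted(stored):
    """Precompute the wordlist once (a rainbow table in miniature), then look
    every stored hash up. Cost is independent of the number of users."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    cracked = {u: table[h] for u, h in stored.items() if h in table}
    return cracked, len(WORDLIST)


def crack_salted(stored):
    """With salts there is nothing to precompute: each candidate has to be
    re-derived per user, and each derivation is deliberately slow."""
    cracked, hashes_computed = {}, 0
    for user, (salt, h) in stored.items():
        for word in WORDLIST:
            hashes_computed += 1
            if hmac.compare_digest(salted_hash(word, salt), h):
                cracked[user] = word
                break
    return cracked, hashes_computed
```

Both attacks still find the weak shared password, which is the other half of the lesson: salting and slow hashing raise the attacker's cost per guess, they do not rescue passwords that are on the wordlist. What changes is that the unsalted store leaks "alice and bob use the same password" on sight and falls to four hashes total, while the salted store needs a separate run per user at 100,000 iterations each.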
MFA can be bypassed if attackers steal a valid
A Router firmware
B VLAN tag value
C Session token
D Backup schedule
If attackers obtain session cookies or tokens, they may access accounts without re-entering MFA. Protecting sessions with secure cookies, short lifetimes, and phishing-resistant methods reduces this risk.
Split tunneling is risky because it creates
A Two routing paths
B Longer passwords
C Smaller log files
D Stronger encryption
With split tunneling, some traffic goes through VPN and some goes directly. This can leak sensitive traffic, reduce centralized monitoring, and expose devices to local-network threats while connected.
VPN privacy is reduced if DNS queries
A Use encrypted HTTPS
B Use strong cipher
C Use long password
D Bypass the tunnel
DNS leaks reveal visited domains even when other traffic is tunneled. Correct VPN DNS settings and leak protection ensure DNS travels inside the tunnel, improving privacy and security.
A site-to-site VPN risk is “over-broad routing” which can
A Reduce encryption strength
B Expose extra subnets
C Delete server logs
D Increase screen brightness
If routes are too wide, more internal networks become reachable than intended. Tight routing plus firewall rules ensures only necessary subnets and ports are accessible across the VPN tunnel.
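Over-broad routing is something you can audit mechanically: compare what the tunnel was supposed to reach with what is actually advertised and report the difference. The following added example (not from the original quiz) does that with the standard library's ipaddress module; the intended subnets and advertised routes are constructed, one advertised route being a /16 that swallows the two intended /24s and one belonging to a network the partner should not see at all.

```python
import ipaddress

# Constructed example: a partner tunnel that should reach only two subnets.
INTENDED = ["10.20.30.0/24", "10.20.40.0/24"]
# Constructed routes actually pushed across the tunnel (one is over-broad,
# one does not belong at all).
ADVERTISED = ["10.20.0.0/16", "192.168.99.0/24"]


def overbroad_routes(intended, advertised):
    """For each advertised route, return the address space it exposes beyond
    the intended subnets as (excess_address_count, [excess networks]).
    Routes that are fully covered by intended subnets produce no finding."""
    wanted = [ipaddress.ip_network(n) for n in intended]
    findings = {}
    for route in advertised:
        excess = [ipaddress.ip_network(route)]
        for w in wanted:
            remaining = []
            for piece in excess:
                if w.subnet_of(piece):
                    remaining.extend(piece.address_exclude(w))   # carve the wanted subnet out
                elif piece.overlaps(w):
                    continue                                     # piece lies inside w: not excess
                else:
                    remaining.append(piece)
            excess = remaining
        if excess:
            excess.sort()
            findings[route] = (sum(n.num_addresses for n in excess),
                               [str(n) for n in excess])
    return findings


if __name__ == "__main__":
    for route, (count, nets) in overbroad_routes(INTENDED, ADVERTISED).items():
        print(f"{route}: exposes {count} unintended addresses: {', '.join(nets)}")
```

Feed it the real route table from the VPN gateway (or the routes pushed in the tunnel configuration) together with the subnets named in the partner agreement, and anything it reports is a route to tighten or a firewall rule to add.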
SIEM alert fatigue happens when
A No logs are collected
B Encryption is disabled
C Too many noisy alerts
D Backups are offline
Excess false positives overwhelm analysts and real threats may be missed. Tuning rules, baselining normal behavior, improving data quality, and prioritizing critical assets reduce noise and improve detection.
Central logging is stronger when logs are stored in
A Tamper-resistant storage
B User-writable folder
C Public shared drive
D Browser cache only
Attackers often try to delete or edit logs. Tamper-resistant or write-once storage protects log integrity, supporting accurate investigations and compliance audits even after compromise.
Accurate incident timelines require
A Faster Wi-Fi speed
B Smaller packet size
C NTP time sync
D More RAM installed
If device clocks differ, event ordering becomes unreliable. Time synchronization via NTP keeps timestamps consistent across servers, endpoints, and network devices, enabling correct SIEM correlation and investigation.
Credentialed vulnerability scans are better because they can check
A Screen saver time
B Keyboard drivers
C Printer ink status
D Internal patch levels
Credentialed scans log in and inspect software versions, configs, and missing patches more accurately. Non-credentialed scans may only guess from open ports or banners, causing misses or false positives.
Patch delays are most dangerous for
A Internet-facing services
B Offline spreadsheets
C Local printers only
D Screen calibration apps
Exposed services like VPN gateways, web servers, and remote admin tools are targeted quickly after vulnerabilities become public. Delaying patches greatly increases exploitation and compromise risk.
Incremental backup chains are risky because
A They are always huge
B One link can fail
C Restore needs one set
D Encryption is impossible
Restoring requires the full backup plus each incremental in order. If any incremental is missing or corrupted, later recovery may fail. Verification and periodic full backups reduce this risk.
Differential backups are chosen when you want
A Smallest storage use
B No encryption used
C Simpler restore
D No full backups
Differential restore usually needs only the last full backup and the latest differential. This is easier than incremental chains, though differential backups can grow larger over time.
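The two backup questions above (a broken incremental chain, and the simpler differential restore) come down to which sets a restore has to read. The following added example, not from the original quiz, models a week of backups with constructed daily changes: each block carries a version number, and a restore is correct only if it reproduces the true final versions. It raises when an incremental link is missing, restores from the full plus the latest differential otherwise, and reports per-job sizes so the growth of differentials is visible.

```python
def simulate_week(strategy, daily_changes, blocks=6):
    """Run a full backup, then one job per day. Each block carries a version
    number that rises every time the block is modified. Returns
    (backup_sets, true_final_state); a set is (kind, day, {block: version})."""
    state = {b: 0 for b in range(1, blocks + 1)}
    sets = [("full", 0, dict(state))]
    since_full = {}
    for day, changed in enumerate(daily_changes, start=1):
        for b in changed:
            state[b] += 1
            since_full[b] = state[b]
        if strategy == "incremental":
            sets.append(("incremental", day, {b: state[b] for b in changed}))  # since previous job
        elif strategy == "differential":
            sets.append(("differential", day, dict(since_full)))              # since the full
        else:
            raise ValueError(strategy)
    return sets, state


def restore(strategy, sets, missing_days=()):
    """Restore the most recent point. Returns (restored_state, days_read).
    Raises RuntimeError when an incremental chain has a gap."""
    available = [s for s in sets if s[1] not in missing_days]
    kind, day, data = available[0]
    if kind != "full":
        raise RuntimeError("no full backup available")
    restored, days_read = dict(data), [day]
    if strategy == "incremental":
        expected = 1                                # every link is required, in order
        for kind, day, data in available[1:]:
            if day != expected:
                raise RuntimeError(f"chain broken: incremental for day {expected} is missing")
            restored.update(data)
            days_read.append(day)
            expected += 1
        if expected - 1 != sets[-1][1]:
            raise RuntimeError(f"chain broken: incremental for day {expected} is missing")
    else:
        kind, day, data = available[-1]             # only the latest differential is needed
        if kind == "differential":
            restored.update(data)
            days_read.append(day)
    return restored, days_read


def set_sizes(sets):
    """Number of blocks stored per job, to see differential growth."""
    return [len(data) for _, _, data in sets]
```

With the changes used in the test, the incremental restore reads six sets and fails outright if day 3 is lost, while the differential restore reads two sets and is unaffected by losing day 3; the price is that the differential jobs grow from 2 blocks to 5 over the week.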
The 3-2-1 rule can still fail if backups are
A Never tested
B Stored offsite
C On two media
D Kept as three copies
Backups may be corrupted or incomplete. Without regular test restores, you may discover failure only during disaster. Verification ensures backups are usable and meet recovery objectives.
Immutable backups help most by preventing
A HTTPS certificate expiry
B Deletion or modification
C VPN tunnel overload
D VLAN misrouting
Immutable storage prevents modification or deletion for a set time. This protects restore points from ransomware and insiders, ensuring clean recovery data remains available when production data is attacked.
DLP systems are effective when they inspect
A CPU temperature
B Monitor pixels
C Keyboard clicks
D Outbound sensitive data
DLP checks outbound email, uploads, and transfers for sensitive patterns and policy violations. It can block, quarantine, or encrypt data to prevent unauthorized leakage of confidential information.
VLAN segmentation fails if inter-VLAN routing is
A Properly restricted
B Logged and audited
C Too permissive
D Protected by ACLs
VLANs separate networks, but routing between VLANs can re-connect them. If routing is open, attackers can move laterally. ACLs and firewall rules must restrict cross-VLAN access.
VLAN hopping risk increases if trunking is
A Auto-negotiated
B Manually fixed
C Limited VLAN list
D Disabled on access
Dynamic trunk protocols can be abused to form unauthorized trunks. Best practice is to disable auto trunking, set ports explicitly, and limit trunk VLANs to reduce VLAN hopping risks.
Router takeover risk rises sharply when remote admin is
A Disabled completely
B Exposed to internet
C Restricted by VPN
D Logged and monitored
Internet-exposed admin pages are scanned and attacked. Restricting management to VPN, using strong credentials and MFA where possible, and applying firmware updates reduces takeover risk.
Secure DNS reduces redirection attacks by preventing
A Battery drain
B Disk corruption
C Spoofed responses
D Screen burn-in
DNS spoofing can redirect users to fake sites. DNSSEC validation, encrypted resolver transports (DNS over TLS or DNS over HTTPS), and trusted resolvers reduce the chance of forged answers being accepted, improving safety even before HTTPS checks occur.
HSTS protects users mainly by blocking
A HTTP downgrade
B Wi-Fi sniffing
C Disk failure
D Printer queue
HSTS tells the browser to use HTTPS only for that site, blocking downgrade to insecure HTTP and refusing to click through certificate errors. This reduces man-in-the-middle risk on untrusted networks, though the very first visit, before the header has ever been seen, remains exposed unless the domain is on the browser preload list.
Device encryption fails if attackers obtain
A Screen lock time
B Router IP address
C DNS cache file
D Recovery keys
If recovery keys are stolen, attackers can decrypt disks. Keys must be secured with access controls and safe storage. Hardware-backed key storage and careful recovery key handling reduce this risk.
Secure remote desktop is best protected by combining
A VPN, MFA, logs
B Open port forwarding
C Default admin login
D Disabled lockouts
Keeping RDP behind VPN reduces exposure, MFA reduces credential theft impact, and logs help detect abuse. Lockouts and patching further harden remote access against common attacks.
Incident containment is preferred over an immediate full shutdown because powering off can
A Increase encryption strength
B Improve internet speed
C Lose volatile evidence
D Fix malware automatically
RAM evidence like active connections and running processes disappears on shutdown. Better containment isolates systems from network while preserving evidence for investigation, unless safety demands immediate power-off.
Eradication is incomplete if you only remove the malware but not
A Printer settings
B Persistence methods
C Screen resolution
D Backup scheduling
Malware may reinstall via scheduled tasks, registry entries, or stolen credentials. True eradication removes persistence, patches exploited vulnerabilities, and resets compromised accounts to prevent attacker return.
Recovery must include monitoring because attackers may
A Improve DNS speed
B Shrink log sizes
C Disable encryption
D Reinfect systems
After restoring services, monitoring helps confirm the threat is gone and detects repeat attempts. Without monitoring, dormant backdoors or missed persistence can cause rapid reinfection and repeated incidents.
Firewall misconfiguration is often detected by
A Unexpected open services
B Longer passwords
C Smaller backup size
D Faster ping time
Misconfigured rules may expose RDP, databases, or admin panels to wider networks. Routine port scans, rule audits, and log monitoring help identify unexpected exposure and correct risky configurations.
A proxy that performs TLS inspection must install a
A VPN client app
B DNS cache file
C Trusted root cert
D Router firmware patch
Clients must trust the proxy’s generated certificates, so a trusted root certificate is installed on endpoints. Poor management of this trust can create security and privacy risks, so strict control is required.
Certificate pinning reduces risk mainly from
A Screen capture tools
B Rogue CA issuance
C Backup corruption
D VLAN misrouting
Pinning limits which certificate or public key is acceptable for a service. Even if a rogue CA issues a valid-looking certificate, pinning can block it, reducing impersonation risk.
A strong incident response plan must define
A Roles and steps
B Keyboard layouts
C Printer drivers
D Screen brightness
Clear roles, contacts, and steps reduce confusion during incidents. The plan should cover identification, containment, eradication, recovery, communications, and evidence handling to respond quickly and consistently.
Audit trails become unreliable if attackers can
A Use HTTPS
B Use VPN
C Modify logs
D Apply patches
If attackers alter logs, investigations and compliance evidence become untrustworthy. Centralized, access-controlled, and tamper-resistant logging plus integrity checks helps preserve reliable audit trails.
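Tamper-resistant logging (the point of both this question and the earlier one on central log storage) usually rests on a hash or MAC chain: every entry commits to the previous one, so an edit, deletion or reordering breaks every MAC after it. The following is an added example, not from the original quiz: the collector key, the three sample events and the tampering helpers are constructed. It also handles the case a plain chain misses, silent truncation of the tail, which is only caught if the latest MAC was anchored somewhere the attacker cannot reach.

```python
import copy
import hashlib
import hmac
import json

# Constructed key held only by the central log collector (ideally in an HSM or
# on a host the monitored systems cannot reach). Hosts that ship logs never see it.
CHAIN_KEY = b"constructed-collector-secret"
GENESIS = "0" * 64


def append_entry(chain, event):
    """Append an event, binding it to the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)
    mac = hmac.new(CHAIN_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "prev": prev, "event": event, "mac": mac})
    return mac


def verify_chain(chain, anchored_head=None):
    """Return (ok, first_bad_seq). Editing, deleting or reordering any entry
    breaks every MAC from that point on. Truncating the tail is only caught
    when the latest MAC was anchored externally (WORM bucket, another system,
    even a printout) and is passed in as `anchored_head`."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        body = json.dumps(e["event"], sort_keys=True)
        expected = hmac.new(CHAIN_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["mac"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)
    return True, None


def sample_chain():
    """Constructed events from a single host."""
    chain = []
    for ev in [
        {"ts": "2024-05-01T10:00:00Z", "host": "web1", "msg": "sshd: Accepted publickey for deploy"},
        {"ts": "2024-05-01T10:02:13Z", "host": "web1", "msg": "sudo: deploy : COMMAND=/bin/bash"},
        {"ts": "2024-05-01T10:05:40Z", "host": "web1", "msg": "useradd: new user: name=svc_backup"},
    ]:
        append_entry(chain, ev)
    return chain


def tampered_edit(chain):
    """Attacker rewrites the sudo line to look harmless."""
    c = copy.deepcopy(chain)
    c[1]["event"]["msg"] = "sudo: deploy : COMMAND=/usr/bin/ls"
    return c


def tampered_delete(chain, index):
    c = copy.deepcopy(chain)
    del c[index]
    return c
```

The key separation is what makes this more than a checksum: an attacker with root on web1 can rewrite its local files, but without the collector's key cannot produce a valid MAC for the altered entry. Publishing the head MAC periodically to a place the collector itself cannot overwrite closes the truncation gap.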
Least privilege is hardest to maintain when permissions are
A Role-based
B Logged centrally
C Verified regularly
D Never reviewed
Over time, users accumulate extra rights for temporary tasks. Without regular reviews, privilege creep grows. Periodic access reviews and role-based models keep permissions aligned with current job needs.
A “break-glass” admin account should be
A Used daily
B Highly restricted
C Shared broadly
D Stored in email
Break-glass accounts are emergency-only accounts for recovery. They should be strongly protected, monitored, and used rarely, with secure storage of credentials and clear procedures to prevent misuse.
Backup encryption keys must be protected because compromise allows
A Reading backup data
B Faster backups
C Smaller log files
D Better VPN speed
Encrypted backups are only safe if keys remain secret. If keys leak, attackers can decrypt full copies of sensitive data. Use secure key management and limit access to encryption keys.
A major backup risk during ransomware is when backups are
A Air-gapped offline
B Immutable storage
C Same network writable
D Offsite protected
If backups are writable on the same network, ransomware may encrypt or delete them. Offline or immutable backups protect restore points, enabling recovery even when production systems are attacked.
DLP false positives often increase when rules are
A Too broad
B Narrow and tested
C Based on roles
D Verified weekly
Overly broad pattern rules can match normal data and trigger unnecessary blocks. Tuning, context-aware rules, and phased deployment reduce false positives while still protecting sensitive information.
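Card-number detection is the classic case of a broad rule drowning in false positives, and it also serves the earlier question on what DLP should inspect. The following added example, not from the original quiz, runs two rules over five constructed outbound messages: a bare "16 digits" pattern, and a tuned scanner that layers a separator-tolerant candidate match, the Luhn check digit, and a deliberately partial issuer-prefix table. The two genuine card formats are the well-known Visa and Mastercard test numbers; the rest are tracking numbers and timestamps.

```python
import re

# Constructed outbound messages. Two contain real-format card numbers (the
# well-known Visa and Mastercard test numbers); the rest are look-alikes.
SAMPLES = [
    "Card on file: 4111 1111 1111 1111 exp 12/27",
    "Tracking 1234567812345678 left the depot",
    "Event id 1715000000000000 processed",
    "Invoice 5105105105105100 paid in full",
    "Ref 1234567812345670 attached",
]

# Over-broad rule: any 16-digit run. Fires on tracking numbers and timestamps,
# and misses the space-separated card number in the first message.
BROAD = re.compile(r"\b\d{16}\b")
# Candidate rule for the tuned scanner: 13-19 digits with optional separators.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_plausible(digits):
    """Partial issuer table (constructed subset): Visa, Mastercard 51-55, Amex."""
    n = len(digits)
    return ((digits[0] == "4" and n in (13, 16, 19))
            or (51 <= int(digits[:2]) <= 55 and n == 16)
            or (digits[:2] in ("34", "37") and n == 15))


def broad_scan(messages):
    return [(i, m.group(0)) for i, msg in enumerate(messages) for m in BROAD.finditer(msg)]


def tuned_scan(messages):
    """Candidate match, then Luhn, then issuer prefix: each layer strips a class
    of false positives. 'Ref 1234567812345670' is Luhn-valid but has no issuer,
    which is why the prefix check exists."""
    hits = []
    for i, msg in enumerate(messages):
        for m in CANDIDATE.finditer(msg):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits) and issuer_plausible(digits):
                hits.append((i, digits))
    return hits
```

On these messages the broad rule produces four hits, three of them false, and misses the one card number a user would actually paste; the tuned scanner returns exactly the two real ones. In production the prefix table would be a maintained IIN list, and the next layer would be context (field names, nearby expiry dates) rather than more regex.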
A security baseline is valuable because it provides
A Faster internet speed
B Extra disk storage
C Better screen color
D Standard secure settings
Baselines define approved secure configurations for systems and devices. They reduce misconfiguration risk, simplify audits, and make patching and hardening consistent across many endpoints and servers.
Endpoint hardening includes reducing attack surface by
A Enabling all ports
B Disabling unused services
C Sharing admin logins
D Disabling updates
Unused services and open ports create entry points. Disabling them reduces vulnerabilities and limits what attackers can exploit. Hardening also includes patching, strong auth, and logging.
SIEM effectiveness drops if log sources are
A Centralized and synced
B Stored securely
C Incomplete or missing
D Reviewed regularly
If key sources like domain controllers, VPNs, and firewalls are not logging, attacks may go unnoticed. Complete coverage, time sync, and tuned correlation rules improve detection reliability.
A secure change-control process reduces risk by ensuring changes are
A Approved and documented
B Hidden and untracked
C Randomly applied
D Done without testing
Change control ensures security changes are reviewed, tested, and recorded. This prevents accidental exposure, supports auditing, and enables quick rollback if a firewall or security tool update causes problems.
The strongest overall approach for network security is
A Single firewall only
B VPN only
C Layered defenses
D Passwords only
No single control stops all threats. Layered defenses combine firewalls, IDS/IPS, encryption, MFA, patching, segmentation, backups, and monitoring. This reduces attack success and improves detection and recovery.