Chapter 13: Network Security and Protective Technologies (Set-5)
A stateful firewall may fail under attack if its
A DNS cache clears
B State table fills
C Disk space drops
D VLAN tags change
Explanation: During floods (like SYN floods), too many half-open sessions can fill the state table. Legitimate connections may then fail. Mitigations include rate limiting, SYN cookies, and tuned session timeouts.
“SYN flood” primarily targets
A CPU fan speed
B Email storage quota
C HTTPS certificates
D TCP handshake state
Explanation: SYN floods send many SYN packets without completing handshakes. Servers and stateful devices allocate resources for half-open sessions, exhausting capacity and causing denial of service for real users.
A packet-filtering firewall is weakest when traffic uses
A Random MAC names
B Static IP address
C Allowed service port
D Short packet size
Explanation: Basic packet filters mostly check headers and ports. If malicious traffic is sent through an allowed port like 443, the firewall may allow it unless deeper inspection or additional security controls exist.
Deep packet inspection is mainly needed to detect
A Cable damage
B Application-layer attacks
C Low Wi-Fi signal
D Printer queue delays
Explanation: Many attacks hide inside normal-looking web traffic. Deep inspection examines payload content and protocol behavior, helping detect malicious patterns that simple port and IP rules cannot see.
A transparent proxy differs because it
A Requires no client setup
B Uses offline encryption
C Removes firewall rules
D Disables logging
Explanation: Transparent proxies intercept traffic without configuring the client explicitly. This helps enforce web policies centrally, but requires correct network routing and may raise privacy and certificate-trust concerns.
Incorrect DMZ design that allows “dual-homed” servers can cause
A Better redundancy
B Faster patching
C Smaller log files
D Direct LAN bridging
Explanation: A dual-homed DMZ server has interfaces in both the DMZ and the LAN. If compromised, it can become a bridge into the internal network. Best practice is strict firewall separation and minimal pathways.
IDS can miss attacks when traffic is
A Plain HTTP only
B End-to-end encrypted
C Sent over UDP
D Using static ports
Explanation: If an IDS cannot decrypt traffic, it sees limited payload data. It may still detect metadata anomalies, but content-based signatures become ineffective. Endpoint inspection or TLS decryption is needed for deeper visibility.
IPS “inline” placement risk includes
A Better visibility only
B More storage capacity
C Single point failure
D Reduced encryption
Explanation: Inline IPS sits directly in the traffic path. If it fails or overloads, it can disrupt network connectivity. High availability designs and bypass/fail-open settings reduce operational risk.
In TLS, certificate validation mainly prevents
A Packet loss
B Slow download speeds
C Router overheating
D Server impersonation
Explanation: Certificate validation checks that a trusted CA issued the certificate for the correct domain and that the certificate is currently valid. This reduces man-in-the-middle attacks by preventing connection to fake servers.
A revoked certificate is one that
A Is no longer trusted
B Has stronger encryption
C Has longer validity
D Is stored offline
Explanation: Revocation means a certificate should not be trusted before expiry, often due to key compromise or mis-issuance. Systems can check revocation using methods like CRLs or OCSP.
Perfect Forward Secrecy helps when
A Password is forgotten
B DNS server is down
C Long-term key leaks
D Backup fails
Explanation: With PFS, session keys are not derived directly from the server’s long-term private key. Even if that private key is later compromised, past recorded sessions cannot be decrypted.
A hash collision is dangerous for signatures because it
A Increases storage cost
B Enables forged documents
C Blocks all HTTPS
D Changes IP routes
Explanation: If attackers can create two different messages with the same hash, they may trick signature systems that sign only the hash. Strong collision-resistant hashes reduce this risk significantly.
“Salting” passwords mainly prevents
A Slow internet speed
B VPN disconnections
C Router firmware bugs
D Rainbow table attacks
Explanation: Salts ensure identical passwords produce different hashes, making precomputed hash tables far less useful. Combined with slow hashing algorithms, salting greatly increases the attacker’s effort.
A digital signature provides non-repudiation because
A It hides the IP
B Signer cannot deny
C It encrypts backups
D It blocks malware
Explanation: Since only the signer should control the private key, a valid signature strongly ties the action to them. With proper key protection and policy, it supports non-repudiation in disputes.
A VPN can still leak identity if
A Browser fingerprinting
B IP changes
C Tunnel encrypts
D MFA is enabled
Explanation: Even if the IP address is masked, websites can identify users using fingerprints like fonts, device info, cookies, and behavior. A VPN improves network privacy but does not fully prevent tracking techniques.
DNS leaks during VPN use happen when
A VPN uses encryption
B IP is masked
C TLS is enabled
D DNS bypasses tunnel
Explanation: If the system continues using the ISP DNS resolver outside the tunnel, observers can still see queried domains. Correct VPN DNS settings and leak protection ensure DNS travels through the encrypted tunnel.
Split tunneling raises risk mainly because it
A Improves speed
B Reduces logging
C Creates dual paths
D Forces HTTPS
Explanation: Two paths exist: one through the VPN and one direct. Attackers on local networks may exploit the direct path, or sensitive traffic may be routed outside the tunnel, weakening centralized monitoring and security controls.
Site-to-site VPN misconfiguration risk includes
A Strong encryption
B Overly broad routes
C Fast failover
D Smaller packets
Explanation: If routes are too broad, networks may expose more internal subnets than intended. Least-privilege routing and firewall rules should restrict which subnets and services can communicate across the tunnel.
SIEM correlation is powerful because it can detect
A Single log entry
B Screen changes
C Printer faults
D Multi-step attacks
Explanation: Many attacks look harmless in one log source. SIEM correlates events across endpoints, servers, and network tools to identify sequences like phishing login, privilege escalation, and unusual data transfer.
A common SIEM challenge is
A Too little data
B Better encryption
C Alert fatigue
D Extra bandwidth
Explanation: Too many noisy alerts can overwhelm analysts, causing real threats to be missed. Tuning rules, reducing false positives, prioritizing critical assets, and using baselines improve signal-to-noise ratio.
Log time synchronization is critical to
A Increase storage
B Build accurate timeline
C Reduce malware
D Speed up VPN
Explanation: Incident investigations depend on correct timestamps. If devices have different clocks, correlating events becomes unreliable. NTP-based time sync ensures logs across systems align for accurate analysis.
A packet sniffer in a switched LAN misses traffic because
A Switch floods all ports
B DNS blocks packets
C TLS breaks routing
D Switch isolates ports
Explanation: Switches forward frames only to the destination port, so a sniffer on one port cannot see traffic on others. Mirror ports (SPAN) or taps are needed to gain broader traffic visibility.
Vulnerability scanners may report false positives due to
A Service banner mismatch
B Strong encryption
C Short passwords
D VLAN segmentation
Explanation: Some scanners rely on version banners to guess vulnerabilities. If banners are hidden, spoofed, or patched without version change, scanners may misreport. Verification and credentialed scans reduce errors.
Patch management failure is most dangerous when
A Updates are logged
B Backups are tested
C Internet-facing systems
D VPN is enabled
Explanation: Exposed systems like web servers, VPN gateways, and remote access services are targeted quickly after new vulnerabilities become public. Delayed patching greatly increases exploitation risk and potential compromise.
Access control is weakest when using
A Least privilege
B Shared admin accounts
C Role-based groups
D Audit logs enabled
Explanation: Shared accounts reduce accountability and make revoking access difficult. If credentials leak, you cannot identify who acted. Individual accounts with MFA and logging improve traceability and security.
MFA can be bypassed by attackers using
A Power failure
B Strong passwords
C Disk encryption
D Session token theft
Explanation: If attackers steal valid session cookies or tokens, they may access accounts without re-entering MFA. Secure cookies, device trust checks, shorter sessions, and phishing-resistant MFA reduce this risk.
A full backup window becomes too long; best improvement is
A Disable encryption
B Remove retention
C Use incremental strategy
D Stop verification
Explanation: Incremental or differential backups reduce daily backup time by copying only changes. This lowers backup windows, but recovery planning must account for restore complexity and ensure verification of backup sets.
Incremental chains are risky mainly because
A Need no storage
B One link can fail
C Restore is always quick
D Encrypts automatically
Explanation: If any incremental set is missing or corrupted, later incrementals may become unusable for restore. Regular verification, redundancy, and periodic full backups reduce dependence on long chains.
Differential backups are preferred over incremental when
A Faster restore needed
B Smallest storage needed
C No network exists
D Only cloud is used
Explanation: Differential restore usually needs only the full backup plus the latest differential. Incremental restore may require many increments. Differential uses more storage than incremental but can simplify recovery.
The 3-2-1 rule can still fail if
A Offsite copy exists
B Two media used
C Three copies made
D Backups untested
Explanation: Having copies is useless if restores fail. Backups may be incomplete, encrypted by ransomware, or corrupted. Regular test restores and integrity checks confirm backup reliability during real incidents.
A retention policy must consider legal need for
A Data destruction
B Faster internet
C Record preservation
D Printer availability
Explanation: Some industries require keeping logs and backups for set periods. Retention must meet compliance while controlling cost. Clear rules prevent accidental deletion of records needed for audits or investigations.
RTO is best described as
A Max data loss
B Max downtime allowed
C Backup size limit
D VPN tunnel time
Explanation: Recovery Time Objective defines how quickly services must be restored after an outage. Lower RTO needs faster recovery methods like replication, hot standby, or quick restore procedures.
RPO is best described as
A Max downtime allowed
B Firewall rule order
C Log storage method
D Max data loss allowed
Explanation: Recovery Point Objective defines the maximum acceptable amount of data loss measured in time. If RPO is 1 hour, backups or replication must capture changes at least hourly.
DLP tools can block leaks by inspecting
A Outbound content patterns
B Screen resolution
C Keyboard drivers
D CPU temperature
Explanation: DLP checks outgoing emails, uploads, and file transfers for sensitive patterns like ID numbers or confidential documents. It can block, quarantine, or encrypt data based on policy rules.
Network segmentation is ineffective if
A VLANs used
B ACLs enforced
C Inter-VLAN routing open
D Logs reviewed
Explanation: If routing freely allows traffic between segments, attackers can move laterally despite VLANs. Proper ACLs and firewall rules must restrict cross-segment access to only necessary ports and services.
VLAN hopping mitigation includes
A Use default VLAN
B Disable unused trunks
C Allow DTP everywhere
D Share admin login
Explanation: Prevent VLAN hopping by disabling dynamic trunking, using fixed port modes, limiting trunk VLANs, and disabling unused ports. Proper switch hardening reduces chances of unauthorized cross-VLAN access.
Secure router configuration should change
A Screen brightness
B File extensions
C Print settings
D Default admin credentials
Explanation: Default router usernames/passwords are widely known and easily exploited. Changing them, limiting remote management, enabling firmware updates, and using strong Wi-Fi encryption are core network security practices.
Firmware updates are critical because they often fix
A Browser cookies
B File naming issues
C Remote exploit bugs
D Screen flicker
Explanation: Network devices may have vulnerabilities that allow remote takeover. Firmware updates patch these security flaws. Delayed updates leave routers, firewalls, and VPN devices exposed to known attacks.
HSTS helps security by preventing
A Port scanning
B HTTP downgrade
C Disk corruption
D VPN disconnects
Explanation: HSTS forces browsers to use HTTPS for a domain, blocking attempts to downgrade to insecure HTTP. It reduces man-in-the-middle risks on untrusted networks by enforcing encrypted connections.
Endpoint encryption fails if attackers get
A Strong password
B Small file size
C VPN address
D Decryption keys
Explanation: Encryption protects data only if keys remain secure. If attackers obtain recovery keys, they can decrypt disks. Secure key management, access controls, and hardware-backed storage reduce key theft risk.
Secure remote desktop should avoid exposing
A RDP to internet
B Internal admin port
C VPN gateway
D MFA prompt
Explanation: Public RDP is heavily scanned and attacked with brute force and exploits. Best practice is to restrict RDP behind VPN, use MFA, strong policies, and log monitoring to detect abuse.
Incident “eradication” can fail if you only
A Patch exploited flaw
B Remove malware file
C Identify persistence
D Reset passwords
Explanation: Removing a visible file may not remove persistence like scheduled tasks, registry changes, or stolen credentials. Proper eradication includes removing root cause, persistence methods, and patching exploited weaknesses.
During containment, turning off all systems can be harmful because it
A Stops backups
B Increases encryption
C Speeds recovery
D Loses volatile evidence
Explanation: Immediate shutdown can destroy RAM evidence like running processes, network connections, and malware in memory. Safer containment often isolates systems from the network while preserving evidence for investigation.
Centralized logging is safer when logs are
A Stored locally only
B Editable by users
C Write-once protected
D Shared publicly
Explanation: Write-once or tamper-resistant storage prevents attackers from erasing traces after compromise. Strong access controls and integrity checks ensure logs remain reliable evidence during incident response and audits.
A firewall can be bypassed if an allowed service is exploited using
A Closed DMZ
B Same open port
C Disabled routing
D Strong hashing
Explanation: If a vulnerable service is allowed through the firewall, attackers can exploit it via the permitted port. Firewalls reduce exposure but must be paired with patching, hardening, and monitoring.
Proxy firewall SSL inspection introduces risk if
A Certificates managed poorly
B VPN is enabled
C Logs are centralized
D VLANs are used
Explanation: TLS inspection requires installing trusted inspection certificates and handling private keys securely. Poor certificate management can break trust, cause security gaps, or expose decrypted traffic if keys are compromised.
VPN authentication is strongest when using
A Password only
B Shared group login
C Default PIN code
D Certificate + MFA
Explanation: Combining device certificates with MFA reduces credential theft impact. Certificates identify trusted devices, while MFA confirms the user. This layered approach is harder to phish and improves remote access security.
The best control to reduce SIEM noise is
A Disable all alerts
B Delete old logs
C Tune detection rules
D Stop time sync
Explanation: Rule tuning adjusts thresholds, whitelists known safe behavior, and focuses on high-value assets. This reduces false positives, improves analyst efficiency, and ensures critical security alerts are not missed.
Backup encryption is important mainly because backups contain
A Only public data
B Sensitive full copies
C No credentials ever
D Only logs
Explanation: Backups often include complete datasets, user files, and sometimes credentials. If stolen, they can expose everything. Encrypting backups and controlling access reduces data breach impact.
Immutable backups help most against
A Hardware overheating
B Faster browsing
C Printer misfeeds
D Ransomware deletion
Explanation: Ransomware may encrypt or delete backups to prevent recovery. Immutable backups cannot be altered during the retention window, preserving clean restore points and greatly improving chances of successful recovery.