Chapter 13: Network Security and Protective Technologies (Set-9)
While migrating services, the safest firewall change method is
A Allow all temporarily
B Disable logging
C Stage and test
D Open any-any
Explanation: Safe firewall updates use change control: add rules in stages, test with limited scope, monitor logs, and then finalize. This prevents accidental exposure and reduces downtime from incorrect rule changes.
A “shadowed” firewall rule is one that
A Never matches traffic
B Blocks all packets
C Encrypts packets
D Updates automatically
Explanation: Rule shadowing happens when an earlier rule matches the traffic first, so the later rule is never used. This causes confusion and can hide risky rules, so periodic rule ordering reviews are important.
Stateful firewall timeouts must be tuned to avoid
A Screen flicker
B Disk partition loss
C Printer queue growth
D Table exhaustion
Explanation: If sessions stay in the state table too long, large traffic or attack activity can fill the table. Tuning idle timeouts and using rate limits helps keep state resources available for real users.
A proxy firewall can enforce policy by
A CPU overclocking
B Content filtering
C Disk defragmenting
D Wi-Fi boosting
Explanation: Proxy firewalls inspect application data like web requests. They can block risky URLs, file types, or commands, enforce authentication, and provide detailed logs for policy compliance and security visibility.
The main reason to use an internal firewall is
A Faster internet speed
B Better screen output
C Segment isolation
D More storage space
Explanation: Internal firewalls control traffic between internal network segments, such as users and servers. This limits lateral movement during attacks and enforces separate security policies for different zones.
IDS placed on a SPAN port is used to
A Monitor copied traffic
B Block traffic inline
C Store backup sets
D Renew certificates
Explanation: A SPAN (mirror) port sends a copy of traffic to an IDS for analysis. This allows detection without interrupting flows, but it cannot block traffic unless combined with prevention controls.
IPS should often be deployed first in
A Always-block mode
B No-rule mode
C Offline mode
D Detect-only mode
Explanation: Starting IPS in monitoring mode helps identify false positives and tune signatures. After testing, blocking can be enabled safely. This staged approach reduces the risk of breaking legitimate business traffic.
A DMZ web server should typically access the LAN only for
A Any internal service
B All database tables
C Required backend ports
D All admin shares
Explanation: DMZ servers should have minimal access into the LAN. Only specific ports to specific internal services should be allowed, reducing the chance of deeper compromise if the DMZ server is attacked.
For secure admin access, best practice is to
A Use open RDP
B Restrict by VPN
C Share one login
D Disable audit logs
Explanation: Putting admin services behind a VPN reduces exposure to internet scans and brute-force attacks. Combined with MFA, strong passwords, and logging, it greatly lowers the risk of remote administration compromise.
In TLS, a certificate primarily proves
A Server identity
B Faster browsing
C Larger bandwidth
D Smaller packets
Explanation: Certificates bind a domain identity to a public key and are signed by trusted CAs. Clients validate certificates to reduce server impersonation and to establish secure encrypted HTTPS connections.
A certificate chain is validated to ensure
A Faster DNS response
B Less encryption used
C Trusted CA path
D VPN tunnel stability
Explanation: Browsers trust certificates when they can build a chain from the website certificate to a trusted root CA. This trust path helps confirm the website is authentic and not a spoofed copy.
TLS uses symmetric encryption mainly because it is
A Harder to manage
B Public by design
C Keyless method
D Faster for bulk
Explanation: Symmetric encryption is computationally efficient for large data transfers. TLS typically uses asymmetric methods only to establish shared session keys, then uses symmetric algorithms for the secure data channel.
A strong hash function should resist
A Collisions
B Screen capture
C VPN timeouts
D Printer errors
Explanation: Collision resistance means it is very hard to find two different inputs with the same hash. This is important for integrity checks and signatures, preventing attackers from substituting content unnoticed.
A digital signature is verified using the signer’s
A Private key
B Shared password
C Public key
D VPN secret
Explanation: The signer creates the signature with a private key. Others verify it using the matching public key. Successful verification confirms integrity and authenticity of the signed data.
Key exchange is necessary because it allows
A Faster screen refresh
B Secure session key
C Disk space increase
D Malware removal
Explanation: Key exchange securely establishes shared keys over an insecure network. This enables symmetric encryption for fast secure communication without exposing the session key to eavesdroppers.
VPN client software must handle
A Disk formatting
B Screen locking
C Printer sharing
D Tunnel setup
Explanation: The VPN client authenticates the user, negotiates encryption, and creates the tunnel to the VPN server. It then routes selected traffic through the tunnel based on configuration and security policy.
A site-to-site VPN is best for
A Single user travel
B Local file rename
C Branch connectivity
D Printer driver update
Explanation: Site-to-site VPN connects whole networks at different locations, such as headquarters and branches. Gateways create encrypted tunnels so users at both sites can securely access shared resources.
Split tunneling can weaken security monitoring because
A Traffic bypasses tunnel
B DNS never works
C VPN always disconnects
D Logs become smaller
Explanation: If some traffic goes directly to the internet, it may bypass corporate security tools and logs. This reduces visibility and can expose sensitive traffic on unsafe networks, increasing risk.
VPN “IP masking” means websites see
A User real IP
B VPN server IP
C Router private IP
D DNS server IP
Explanation: When connected to a VPN, websites typically see the public IP of the VPN server. This can improve privacy and location masking, though other tracking methods can still identify users.
SIEM is most helpful when logs come from
A One device only
B Printer devices
C Many sources
D Only web browser
Explanation: SIEM correlates logs from endpoints, servers, firewalls, IDS/IPS, and applications. Multi-source visibility helps detect multi-step attacks and provides a central view for investigation and response.
Security alert “triage” means
A Prioritize and assess
B Delete all logs
C Disable firewall
D Share admin access
Explanation: Triage evaluates alert severity, scope, and credibility. It helps teams decide what needs immediate action and what may be a false positive, improving response speed and resource use.
A packet sniffer can expose risk by capturing
A Screen resolution
B Battery percentage
C Printer ink levels
D Credentials in plaintext
Explanation: On insecure or unencrypted traffic, sniffers may capture usernames, passwords, and session tokens. This is why encryption such as TLS and VPN tunnels is important, and why the use of sniffing tools must be restricted.
Vulnerability scanning is not enough unless followed by
A Wallpaper update
B Cable replacement
C Remediation actions
D Screen calibration
Explanation: Scans only identify weaknesses. Security improves when teams patch, harden configurations, close unused ports, and re-scan to verify fixes. Without remediation, vulnerabilities remain exploitable.
Patch management should track
A Mouse pad sizes
B Patch status records
C Screen color themes
D Printer paper types
Explanation: Tracking shows which systems are updated, pending, or failed. This prevents blind spots where critical servers remain unpatched and helps ensure consistent security posture across the organization.
Access control is improved most by
A Least privilege
B Shared passwords
C Open guest accounts
D No audit logs
Explanation: Least privilege grants only required permissions for a job role. This reduces damage from mistakes or compromised accounts and makes security management easier through role-based access and regular permission reviews.
Authentication is strengthened by
A Default passwords
B Shared accounts
C MFA enabled
D Open admin port
Explanation: MFA adds a second factor beyond the password, such as an OTP or an authenticator app. It significantly reduces account takeover risk, especially for email, VPN, cloud apps, and remote administration.
Authorization should be reviewed regularly to prevent
A Faster browsing
B Better printing
C Bigger backups
D Privilege creep
Explanation: Users often gain extra permissions over time and never lose them. Regular reviews remove unnecessary access, reducing risk and ensuring users have only the permissions required for their current role.
A full backup plus incrementals is risky if
A Internet is fast
B One incremental corrupt
C VPN is enabled
D Logs are stored
Explanation: Incremental backups form a chain. If one incremental is missing or damaged, later recovery may fail. Verification and periodic new full backups reduce dependence on long chains.
Differential backups are easier to restore because
A Fewer sets needed
B Smaller than incrementals
C Need no full backup
D Always offline
Explanation: A differential restore usually requires only the last full backup plus the latest differential, whereas an incremental restore may require many sets. Differentials use more storage but simplify recovery operations.
Backup “retention” policies should consider
A Keyboard comfort
B Screen brightness
C Compliance needs
D Mouse speed
Explanation: Some data and logs must be kept for specific time periods due to laws or policies. Retention should balance compliance, recovery needs, and storage cost while preventing accidental deletion of required records.
Backup “air gap” is best described as
A Faster cloud access
B Encrypted email link
C Printer network setup
D Offline isolated copy
Explanation: Air-gapped backups are kept offline or isolated from the main network, making them harder for ransomware to encrypt. This improves chances of having a clean restore point after an attack.
Backup verification should be scheduled because
A Backups can fail
B Logs are always correct
C VPN blocks backups
D Encryption is optional
Explanation: Backups may be incomplete or corrupted due to errors or permissions. Scheduled verification and test restores confirm that data can be recovered when needed, preventing surprises during real incidents.
Disaster recovery planning should define
A Printer brand
B Screen resolution
C RTO and RPO
D Keyboard layout
Explanation: RTO sets acceptable downtime, and RPO sets acceptable data loss. These targets guide backup frequency, replication, staffing, and procedures so recovery meets business requirements during outages.
Network segmentation reduces risk of
A Faster web browsing
B Lateral movement
C Better audio quality
D Lower battery drain
Explanation: Segmentation separates networks into zones with controlled access. If one zone is compromised, attackers cannot easily move to critical servers, reducing spread and limiting damage.
VLAN security improves when you
A Enable all trunks
B Use default VLAN
C Disable all ACLs
D Limit trunk VLANs
Explanation: Trunks should carry only required VLANs. Limiting allowed VLANs reduces attack paths and misconfiguration impact. Combined with proper port settings, it reduces VLAN hopping and unauthorized access.
Router security improves by disabling
A Firewall rules
B Firmware updates
C Remote admin access
D Strong passwords
Explanation: Exposing router management to the internet invites brute-force and exploit attacks. Disable remote admin or restrict it to VPN, and use strong passwords and firmware updates to reduce takeover risk.
Secure DNS is important because attackers can
A Redirect domain queries
B Increase RAM speed
C Block CPU fans
D Change screen tone
Explanation: DNS spoofing or poisoning can send users to fake sites even if they type correct URLs. Using trusted resolvers and secure DNS methods reduces risk of incorrect DNS answers.
HTTPS enforcement prevents attackers from reading
A Monitor pixels
B Login credentials
C Printer paper size
D Disk partitions
Explanation: HTTPS encrypts data in transit using TLS. This protects passwords, cookies, and personal data from sniffing on shared networks and reduces tampering during transmission.
Endpoint security should include device
A Wallpaper themes
B Printer settings
C Screen savers
D Patch updates
Explanation: Many endpoint attacks exploit old software. Regular patching closes known vulnerabilities in OS and apps. Combined with antivirus/EDR and firewall controls, it reduces infection and compromise risk.
Device encryption is ineffective if
A Disk is full
B Screen is dim
C Keys are stolen
D Router is slow
Explanation: Encryption protects data only if keys remain secret. If attackers obtain recovery keys, they can decrypt the drive. Strong key protection, access control, and secure storage are essential.
Secure remote desktop should enforce
A MFA and lockout
B Open internet port
C Default credentials
D No logging set
Explanation: MFA reduces the impact of password theft, and lockout limits brute-force attempts. Keeping remote desktop behind a VPN and enabling logging further reduce risk and help detect unauthorized access attempts.
A strong security policy should include
A Printer troubleshooting
B Reporting procedures
C Screen calibration
D Mouse cleaning
Explanation: Users must know how to report suspicious emails, data loss, or malware signs. Clear reporting procedures speed response and containment, reducing damage and improving overall incident handling.
Incident response “containment” aims to
A Delete evidence
B Disable backups
C Limit spread
D Open all ports
Explanation: Containment prevents the incident from worsening by isolating infected devices, blocking malicious traffic, or disabling compromised accounts. Fast containment reduces data loss and prevents spread to other systems.
Incident response “eradication” means
A Remove root cause
B Increase server load
C Create new accounts
D Disable SIEM alerts
Explanation: Eradication removes malware and fixes exploited weaknesses. It includes deleting persistence methods, patching vulnerabilities, and resetting compromised credentials so attackers cannot return after containment.
Incident response “recovery” includes
A Share admin passwords
B Disable patches
C Delete audit logs
D Restore clean services
Explanation: Recovery brings systems back safely using clean backups and patched configurations. Monitoring continues after recovery to ensure threats do not return and that operations remain stable.
Centralized logging improves investigations by
A Reducing encryption
B Correlating events
C Blocking all traffic
D Increasing bandwidth
Explanation: Central logs from many systems allow investigators to correlate actions across time and devices. This helps build accurate attack timelines and detect patterns that are missed in isolated local logs.
Time sync for logs is often provided by
A VPN protocol
B TLS certificate
C NTP service
D DMZ firewall
Explanation: NTP synchronizes device clocks so log timestamps match across servers, endpoints, and network devices. Accurate time is crucial for correlation, SIEM analysis, and incident response investigations.
Backup encryption is important because backups may contain
A Only public files
B No user info
C Only system icons
D Complete sensitive data
Explanation: Backups often contain full copies of databases and documents. If stolen, they can expose everything. Encrypting backups and enforcing strong access control reduces breach impact.
A good ransomware-ready backup plan includes
A Immutable backups
B Single online copy
C No restore tests
D No retention rules
Explanation: Immutable backups cannot be modified or deleted for a set period, protecting restore points from ransomware and insider threats. Combined with offsite storage and testing, they improve recovery success.
The best way to reduce repeated security incidents is
A Ignore alerts
B Lessons learned
C Disable monitoring
D Share admin access
Explanation: Post-incident reviews identify root causes, control gaps, and training needs. Updating policies, patching processes, and monitoring based on lessons learned prevents repeat incidents and improves response speed.