SC0-502試験無料問題集「SCP Security Certified Program (SCP) 認定」

出題：1

Now that the network is moving towards a trusted network, you are preparing for the specific new implementations in GlobalCorp. Just as you wrap up some paperwork for the morning, Blue calls you and lets you know that you are going to be needed in a meeting this afternoon.
You get to Blue office and sit down at the desk. Blue begins the conversation, "You know we have some solid fundamental issues addressed in our new trusted network, but I have yet to feel that we have addressed any serious concerns."
"I're been thinking about some similar issues," you reply.
"Good, then I sure you have been thinking about our email. Right now, I cannot guarantee the integrity of any email, and I cannot guarantee the confidentiality of any email. We have reasonable controls towards guaranteeing the availability of our email, but what the point if there is no confidentiality or integrity?
"I agree. I think that addressing this issue should be an immediate priority."
"One concern is that whatever the system is that we put in place, it must be very user-friendly. As we roll out these new systems, anything that will significantly increase the calls into the help desk is something we need to minimize. A second concern is that it not be too costly. We already have this new investment in the trusted network, we need to be sure that we utilize what are building to the fullest extent possible."
"I think we should be able to do that without much difficulty. I already have some solid ideas," you reply.
"OK, take a few days on this. For the moment, just concern yourself with the executive building; the others can follow the plan in their own buildings. Let meet again this coming Monday and you can describe your suggestion then."
Based on this conversation, and your knowledge of GlobalCorp, select the best solution to the email problems in the network.}

A. After careful consideration you decide that you will implement secure email in a test group using X.509v3 digital certificates. You choose this since every user received their certificate during an earlier phase, and those certificates included the ability to be used for secure email.
Using the X.509v3 certificates, you will configure each machine to use S\MIME. You go to each computer and open Outlook Express, which is the default client email program in the test group. You go to the Tools and Account option, selecting the Mail tab, and the properties for the email account.
You select he Security Tab and in the submenu for the Signing Certificate you configure the certificate for the user's account.You select 3DES as the algorithm to use. You then check the Encrypt Contents And Attachments For All Outgoing Messages check box and the Digitally Sign All Outgoing Messages check box. You accept the default of including the digital id when sending signed messages and the default to add sender certificates to the user address book, and close the properties the email account.
You show the user how to send and receive email, showing the red ribbon that indicates a signed message and the blue lock that indicates an encrypted message.

B. After careful consideration you decide that you will implement secure email in a test group using GPG. You have decided to use GPG to avoid any licensing conflicts that might occur if any user requires secure email exchange with another individual that is in a country with different cryptography laws. You will go to each computer and you will install GPG on each system.
Once installed, you will show each user how to create the required directory structure, by typing the command: gpg --gen-key Once the directory structure is created, you will show each user how to generate the required files, by typing the command: gpg--gen-key Since you want very secure email, you configure each system to use 2048 bit key strength and you select DSA and ElGamal encryption.
With GPG installed and configured, you show each user how to use their new secure email. You have them open Outlook and create a new message to you. Once the message is created, you have them select the Security drop-down list and choose both GPG Sign and GPG Encrypt, and then press send.
You show them on your laptop that you receive the message. You press Reply, and on your laptop also select the Security drop-down menu, where you choose both GPG Sign and GPG Encrypt. The user receives the message, and you show that secure email was successfully sent and received.

C. After careful consideration you decide that you will implement secure email in a test group using PGP. You will use a full licensed version of PGP. You will go to each computer and you will install the full PGP on each system.
Once installed, you will show each user how to create a PGP certificate by requesting the certificate from the CATool CA server you installed specifically for secure email. After the user has received a certificate, you associate that PGP certificate with their Windows domain user account.
With the PGP certificate associated with the user account, you show each user how to manage their key ring. You show them how to generate their key, and you configure all user key strength to be 2048 bits. Now that the user has a strong key and a PGP certificate, you configure the email client of each user.
You explain that each user will have to install the public key of each other user in the network. You test this by sending an email from your laptop with your PGP certificate attached, and you have the user save the attachment to their Outlook folder. With the certificate saved, you show them how to send secure email to you. You receive the email on your laptop, and double-click the lock to show the user that the secure email message was successfully sent and received.

D. After careful consideration you decide that you will implement secure email in a test group using X.509v3 digital certificates. You choose this since every user received their certificate during an earlier phase, and those certificates included the ability to be used for secure email.
You will configure each machine to use PGP, with the X.509v3 certificates option. You go to each computer and open Outlook Express, which is the default client email program in the test group. You go to the Tools and Account option, selecting the Mail tab, and the properties for the email account.
You select he Security Tab and in the submenu for the Signing Certificate you configure the certificate for the user account. You select DSA and ElGamal as the cryptosystem to use. You then check the Encrypt Contents And Attachments For All Outgoing Messages check box and the Digitally Sign All Outgoing Messages check box. You accept the default of including the digital id when sending signed messages and the default to add sender certificates to the user address book, and close the properties the email account.
You show the user how to send and receive email, showing the red ribbon that indicates a signed message and the blue lock that indicates an encrypted message.

E. After careful consideration you decide that you will implement secure email in a test group using PGP. You will use a full licensed version of PGP. You will go to each computer and you will install the full PGP on each system.
Once installed, you will show each user how to create a PGP certificate by requesting the certificate from the MS Enterprise Root CA server you installed, and configured specifically for secure email certificates. After the user has received a certificate, you associate that PGP certificate with their Windows domain user account.
With the PGP certificate associated with the user account, you show each user how to manage their key ring. You show them how to generate their key, and you configure all user key strength to be 2048 bits. Now that the user has a strong key and a PGP certificate, you configure the email client of each user.
You explain that each user will have to install the public key of each other user in the network. You test this by sending an email from your laptop with your PGP certificate attached, and you have the user save the attachment to their Outlook folder. With the certificate saved, you show them how to send secure email to you. You receive the email on your laptop, and double-click the lock to show the user that the secure email message was successfully sent and received.

正解：A 解答を投票する

出題：2

It has been quite some time since you were called in to address the network and security needs of MegaCorp. You feel good in what you have accomplished so far. You have been able to get MegaCorp to deal with their Security Policy issue, you have secured the router, added a firewall, added intrusion detection, hardened the Operating Systems, and more.
One thing you have not done however, is run active testing against the network from the outside. This next level of testing is the final step, you decide, in wrapping up this first stage of the new MegaCorp network and security system. You setup a meeting with the CEO to discuss.
"We have only one significant issue left to deal with here at MegaCorp," you begin. "We need some really solid testing of our network and our security systems."
"Sounds fine to me, don't you do that all the time anyway? I mean, why meet about this?"
"Well, in this case, I'd like to ask to bring in outside help. Folks who specialize in this sort of thing. I can do some of it, but it is not my specialty, and the outside look in will be better and more independent from an outside team."
"What does that kind of thing cost, how long will it take?"
"It will cost a bit of money, it won't be free, and with a network of our size, I think it can be done pretty quick. Once this is done and wrapped up, I will be resigning as the full time security and network pro here. I need to get back to my consulting company full time. Remember, this was not to be a permanent deal. I can help you with the interview, and this is the perfect time to wrap up that transition."
"All right, fair enough. Get me your initial project estimates, and then I can make a more complete decision. And, Il get HR on hiring a new person right away."
Later that afternoon you talk to the CEO and determine a budget for the testing. Once you get back to your office, you are calling different firms and consultants, and eventually you find a consulting group that you will work with.
A few days later you meet with the group in their office, and you describe what you are looking for, and that their contact and person to report to is you. They ask what is off limits, and your response is only that they cannot do anything illegal, to which they agree and point out is written in their agreement as well.
With this outside consulting group and your knowledge of the network and company, review and select the solution that will best provide for a complete test of the security of MegaCorp.}

A. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.
The first thing the consultants will do is dumpster diving and physical surveillance, looking for clues as to user information and other secret data that should not be outside of the network. Once they have identified several targets through the dumpster diving, they will run scans to match up and identify the workstations for those users.
After identifying the user workstations, they will run vulnerability checks on the systems, to find holes, and if a hole is found they have been given permission to exploit the hole and gain access of the system.
They will attempt to gain access to the firewall and router remotely, via password guessing, and will test the response of the network to Denial of Service attacks. Finally, they will call into MegaCorp to see what information they can learn via social engineering.

B. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.
The consultants will start the process with remote network surveillance, checking to see what systems and services are available remotely. They will run both passive and active fingerprinting on any identified system. They will run customized vulnerability scanners on the identified systems, and follow that through with exploits, including new zero-day exploits they have written themselves.
They will next run scans on the router, firewall, and intrusion detection, looking to identify operating systems and configurations of these devices. Once identified, they will run customized scripts to gain access to these devices. Once they complete the testing on the systems, they will dumpster dive to identify any leaked information.

C. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.
The consultants have decided on a direct strategy. They will work inside the MegaCorp office, with the group introducing themselves to the employees. They will directly interview each employee, and perform extensive physical security checks of the network.
They will review and provide analysis on the security policy, and follow that with electronic testing. They will run a single very robust vulnerability scanner on every single client and server in the network, and document the findings of the scan.

D. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.
The consultants will first run remote network surveillance to identify hosts, followed by port scans and both passive and active fingerprinting. They will then run vulnerability scanners on the identified systems, and attempt to exploit any found vulnerabilities. They will next scan and test the router and firewall, followed by testing of the IDS rules.
They will then perform physical surveillance and dumpster diving to learn additional information. This will be followed by password sniffing and cracking. Finally, they will call into MegaCorp to see what information they can learn via social engineering.

E. The consulting group has identified the steps it will follow in testing the network. You have asked to be kept up to date, and given an approximate schedule of events. You intend to follow along with the test, with weekly reports.
The consultants surprise you with their initial strategy. They intend to spend nearly 100% of their efforts over the first week on social engineering and other physical techniques, using little to no technology. They have gained access to the building as a maintenance crew, and will be coming into the office every night when employees are wrapping up for the day.
All of their testing will be done through physical contact and informal questioning of the employees. Once they finish that stage, they will run short and direct vulnerability scanners on the systems that they feel will present weakness.

正解：D 解答を投票する

出題：3

Now that you have MegaCorp somewhat under control, you are getting ready to go home for the night. You have made good progress on the network recently, and things seem to be going smoothly. On your way out, you stop by the CEO office and say good night. You are told that you will be meeting in the morning, so try to get in a few minutes early.
The next morning, you get to the office 20 minutes earlier than normal, and the CEO stops by your office, "Thanks for coming in a bit early. No problem really, I just wanted to discuss with you a current need we have with the network."
"OK, go right ahead." You know the network pretty well by now, and are ready for whatever is thrown your way.
"We are hiring 5 new salespeople, and they will all be working from home or on the road. I want to be sure that the network stays safe, and that they can get access no matter where they are."
"Not a problem," you reply. "Il get the plan for this done right away."
"Thanks a lot, if you have any questions for me, just let me know."
You are relieved that there was not a major problem and do some background work for integrating the new remote users. After talking with the CEO more, you find out that the users will be working from there home nearly all the time, with very little access from on the road locations.
The remote users are all using Windows 2000 Professional, and will be part of the domain. The CEO has purchased all the remote users brand new Compaq laptops, just like the one used in the CEO office, and which the CEO takes home each night; complete with DVD\CD-burner drives, built-in WNICs, 17" LCD widescreen displays, oversized hard drives, a gig of memory, and fast processing. wish I was on the road to get one of those, you think.
You start planning and decide that you will implement a new VPN Server next to the Web and FTP Server. You are going to assign the remote users IP Addresses: 10.10.60.100~10.10.60.105, and will configure the systems to run Windows 2000 Professional.
Based on this information, and your knowledge of the MegaCorp network up to this point, choose the best solution for the secure remote user needs:}

A. You choose to configure the VPN server first, by installing the VPN High Encryption Service Pack and the HISECVPN.INF built-in security template through the Security Configuration and Analysis Snap-In. Once the Service pack and template are installed, you configure five user accounts and a static pool of IP Addresses for each account.
You then configure the PPTP service on the VPN server, without using inbound or outbound filters ?due to the protection of the Service Pack. You grant each user the right to dial into the server remotely, and move on to the laptops.
On each laptop, you install the VPN High Encryption Service Pack, to bring the security level of the laptops up to the same level as the VPN server. You then configure a shortcut on each desktop that controls the direct transport VPN connection from the client to the server.

B. You configure the VPN clients first, by installing the VPN High Encryption Service Pack. With this installed, you configure the clients to use RSA, with 1024-bit keys. You configure a shortcut on the desktop that automatically uses the private\public key pair to communicate with the VPN Server, regardless of where the user is locally connected.
On the VPN Server, you also install the VPN High Encryption Service Pack, and configure 1024bit RSA encryption. You create five new user accounts, and grant them all remote access rights, using Active Directory Sites and Services. You configure the VPN service to send the server public key to the remote users upon the request to configure the tunnel. Once the request is made, the VPN server will build the tunnel, from the server side, to the client.

C. You decide to start the configuration on the VPN clients. You create a shortcut on the desktop to connect to the VPN Server. Your design is such that the user will simply double-click the shortcut and the client will make the VPN connection to the server, using PPTP. You do not configure any filters on the VPN client systems.
On the VPN Server, you first configure routing and remote access for the new accounts and allow them to have Dial-In access. You then configure a static IP Address pool for the five remote users. Next, you configure the remote access policy to grant remote access, and you implement the following PPTP filtering:
Inbound Protocol 47 (GRE) allowed Inbound TCP source port 0, destination port 1723 allowed Inbound TCP source port 520, destination port 520 allowed Outbound Protocol 47 (GRE) allowed Outbound TCP source port 1723, destination port 0 allowed Outbound TCP source port 520, destination port 520 allowed

D. You begin with configuring the VPN server, which is running Windows 2000 Server. You create five new accounts on that system, granting each of them the Allow Virtual Private Connections right in Active Directory Users and Computers. You then configure the range of IP Addresses to provide to the clients as: 10.10.60.100 through 10.10.60.105. Next, you configure five IPSec Tunnel endpoints on the server, each to use L2TP as the protocol.
Then, you configure the clients. On each system, you configure a shortcut on the desktop to use to connect to the VPN. The shortcut is configured to create an L2TP IPSec tunnel to the VPN server. The connection itself is configured to exchange keys with the user ISP to create a tunnel between the user ISP endpoint and the MegaCorp VPN Server.

E. To start the project, you first work on the laptops you have been given. On each laptop, you configure the system to make a single Internet connection to the user ISP. Next, you configure a shortcut on the desktop for the VPN connection. You design the connection to use L2TP, with port filtering on outbound UDP 500 and UDP 1701. When a user double-clicks the desktop icon you have it configured to make an automatic tunnel to the VPN server.
On the VPN server, you configure the system to use L2TP with port filtering on inbound UDP 500 and UDP 1701. You create a static pool of assigned IP Address reservations for the five remote clients. You configure automatic redirection on the VPN server in the routing and remote access MMC, so once the client has connected to the VPN server, he or she will automatically be redirected to the inside network, with all resources available in his or her Network Neighborhood.

正解：C 解答を投票する

出題：4

You go back through your notes to the day that you recommended that the company get a firewall in place. Red had been convinced that the ISP protected the network, and that a firewall was too much technology on top of the router. Now that you have been given this responsibility, and since you have configured the router already, you wish to get the firewall in place as quickly as possible.
You meet quickly with the CEO and mention that the network currently has no firewall, a serious problem. You inform the CEO that this must be fixed immediately, and that you have several firewall options. For this one instance, the CEO tells you to build the best solution; the decision is not going to be based on direct cost.
Based on your knowledge of and the information you have from MegaCorp, select the best solution to the organization firewall problem:}

A. You decide to take advantage of the features of Microsoft ISA Server and Checkpoint NG. You implement two firewalls, each with two network cards. From one Ethernet interface of the router, you connect to a Checkpoint firewall, and from the other Ethernet interface on the router, you connect to a Microsoft ISA firewall.
The Checkpoint firewall is connected via one NIC to the router, and the other NIC is connected to
the Web and FTP Server. The Microsoft ISA Server is connected via one NIC to the router and the
other NIC is connected to the LAN switch.
You perform the following steps and configurations to setup the firewalls:
1.First, you configure the IP Address on both network cards of both firewalls.
2.Second, you select the Floodgate-1, SMART Clients, and Policy Server as the only components
to install and complete the installation of Checkpoint.
3.Third, you configure the Checkpoint firewall so only Web and FTP traffic are allowed inbound.
4.Fourth, you select the Cache Mode option during the install of ISA Server and complete the
installation of Microsoft ISA Server.
5.Fifth, you allow all outbound traffic through the ISA Server.
6.Sixth, you allow only inbound traffic through the ISA Server that is in response to outbound
requests.

B. After you analyze the company, you decide to implement a firewall using Microsoft ISA Server. You create a DMZ with the Web and FTP server on the network segment between the router and the new firewall. The firewall will have two NICs, one connected to the router, and one connected to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you install a new version of ISA Server, installed in Firewall mode.
2.Second, you configure the inbound network card to disallow all network traffic that did not
originate from inside the network or from the Web and FTP Server.
3.Third, you configure anti-spoofing rules to prevent spoofing attacks.
4.Fourth, you configure all outbound traffic to be allowed.
5.Fifth, you configure inbound traffic with the SYN flag on to be allowed, and to be logged to a
SYSLOG server inside the network.

C. After you run an analysis on the network and the MegaCorp needs, you decide to implement a firewall using Checkpoint NG. The firewall will have three NICs. One NIC is connected to the router, one NIC is connected to the Web and FTP server and one NIC is connected to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you install a new version of Checkpoint NG, selecting the VPN-1 and Firewall-1 components, and complete the installation. 2.Second, you configure the inbound rules to allow only SYN packets that are destined for ports 80, 20, and 21 on the Web and FTP server. 3.Third, you disallow all inbound traffic for the internal network, unless it is in response to an outbound request. 4.Fourth, you configure anti-spoofing rules on the inbound interface and log those connections to a log server.

D. After you analyze the network, you have decided that you are going to implement a firewall using Microsoft ISA Server. The new firewall will have four NICs. You connect the two Ethernet interfaces on the routers to two of the firewall NICs. You connect one NIC to the Web and FTP server and one NIC to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you format a new hard drive and install a new copy of Windows 2000 Server.
2.Second, you configure the correct IP Addresses on the four network cards.
3.Third, you install ISA Server into Firewall only mode, and complete the installation.
4.Fourth, you configure all inbound traffic to require the SYN flag to be set, all other inbound
network traffic is denied
5.Fifth, you configure the network card towards the Web and FTP server will only allow ports 80,
20, and 21.
6.Sixth, you configure all outbound traffic to be allowed.

E. After analysis, you decide to implement a firewall using Checkpoint NG. You begin by installing a new machine, with a fresh hard drive, and the loading of NG. The new firewall will have four NICs. You connect the two Ethernet interfaces on the routers to two of the firewall NICs. You connect one firewall NIC to the Web and FTP server and one firewall NIC to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you configure the IP Addresses on all four network cards of the Checkpoint firewall.
2.Second, you select only the VPN-1 & Firewall-1 components to install and complete the
installation of Checkpoint.
3.Third, you configure the only new inbound network traffic to be destined for the WWW and FTP
services on the Web and FTP server
4.Fourth, you block all other incoming traffic.
5.Fifth, you create anti-spoofing rules to block inbound traffic that might be spoofed.
6.Sixth, you configure all traffic to be allowed in the outbound direction

正解：C 解答を投票する