A and C are correct. An uninterruptible power supply (UPS) and network

interface card (NIC) teaming support resiliency and uptime goals. The UPS

ensures the system stays up if power is lost. NIC teaming automatically

recovers if one of the NICs or NIC inputs fail. Resiliency methods help

systems heal themselves and recover from faults automatically. A cold site

cannot take over automatically and is not quick. Off-site backups would

need to be retrieved and applied by a person, so they aren’t automatic. See

Chapter 1.

A and E are correct. Disabling unnecessary services and closing

unneeded ports are steps you can take to harden a server. They are

preventive controls because they help prevent an incident. Cable locks are a

type of physical control and are typically used on laptops, not on servers.

Monitoring logs on security information and event management (SIEM)

systems is a detective control. A backup plan is a corrective control. See

Chapter 1.

A is correct. Hardware locks are deterrent controls because they would

deter someone from entering or accessing the servers in bays if bay door

locks are used. They are also examples of physical controls. None of the

other answers increase the security of the server room. Data encryption is a

technical control designed to protect data on the servers. A vulnerability

assessment is a managerial control designed to discover vulnerabilities.

Backups are corrective controls designed to reverse the impact of data loss

or corruption. See Chapter 1.

D is correct. The netstat -s command will display a summary of protocol

statistics on a Linux system. You can use the dig (short for domain

information groper) command on Linux systems to query Domain Name

System (DNS) servers and verify if you can resolve names to IP addresses.

The nslookup (short for name server lookup) command can also be used to

query DNS servers. The ifconfig command is used to display information

and configure network interfaces on Linux systems. See Chapter 1.

A is correct. You should run the command ifconfig eth0 promisc to

enable promiscuous mode on eth0, the network interface card (NIC).

Promiscuous mode allows a NIC to process all traffic it receives, instead of

only traffic addressed to it. The ipconfig command is used on Windows

systems and doesn’t support this feature. The scenario indicates she wants

to collect traffic going through the switch, so connecting to a router isn’t

necessary. Port mirroring on a switch sends a copy of all traffic received by

the switch to the mirror port. The scenario indicates this is configured, so

the switch doesn’t need to be reconfigured. See Chapter 1.

A is correct. The cat command (short for concatenate) displays the entire

contents of a file and the auth.log file shows all unsuccessful (and

successful) logins, and this is the only choice of the available answers that

confirms past activity. An account lockout policy locks an account after too

many incorrect passwords within a certain time frame, but a spraying attack

uses a time lapse between each password attempt to bypass an account

lockout policy. Salting passwords is often used to prevent rainbow table-

based attacks, but salts aren’t effective against spraying attacks. The logger

command is used to add log entries into the syslog file but doesn’t examine

log entries. See Chapter 1.

A is correct. A security information and event management (SIEM)

system collects, aggregates, and correlates logs from multiple sources.

Syslog is a protocol that specifies log entry formats that many SIEMs use. It

is also the name of a log on Linux systems. NetFlow is a network protocol

(developed by Cisco) used to collect and monitor network traffic. The

sFlow (short for sampled flow) protocol is used to collect a sampling of

network traffic for monitoring. See Chapter 1.