Chap 3 - Implementation Flashcards

(193 cards)

1
Q

Chap 3-1: Adam is setting up public key infrastructure (PKI) and knows that keeping the passphrases and encryption keys used to generate new keys is a critical part of how to ensure that the root certificate authority remains secure. Which of the following techniques is not a common solution to help prevent insider threats?

Require a new passphrase every time the certificate is used
Use a split knowledge process for the password or key
Require dual control
Implement separation of duties

A

Require dual control

2
Q

Chap 3-3: Chris is preparing to implement an 802.1X-enabled wireless infrastructure. He knows that he wants to use an Extensible Authentication Protocol (EAP)-based protocol that does not require client-side certificates. Which of the following options should he choose?

EAP-MD5
PEAP
LEAP
EAP-TLS

A

PEAP

3
Q

PEAP

A

Protected Extensible Authentication Protocol: relies on server-side certificates and on tunneling to ensure communications security

Supports TLS

4
Q

LEAP

A

Lightweight Extensible Authentication Protocol: uses WEP keys for encryption and is not recommended.

Does not support TLS

5
Q

EAP-TLS

A

Extensible Authentication Protocol Transport Layer Security: requires certificates on both the client and server side, thus increasing overhead (i.e., mutual authentication)

6
Q

EAP-MD5

A

Not recommended for wireless networks; does not support mutual authentication of the wireless client and the network

7
Q

Chap 3-4: What term is commonly used to describe lateral traffic movement within a network?

Side-stepping
Slider traffic
East-West traffic
Peer interconnect

A

East-West traffic

8
Q

East-West traffic

A

Used to describe lateral traffic movement within a network

9
Q

Chap 3-5: Charlene wants to use security features built into HTTP headers. Which of the following is not an HTTP header security option?

Requiring transport security
Preventing cross site scripting
Disabling SQL injection
Helping prevent MIME sniffing

A

Disabling SQL injection

10
Q

MIME

A

Multipurpose Internet Mail Extensions

MIME sniffing can be used in XSS attacks

Also has a secure version, S/MIME

Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of email messages to support text in character sets other than ASCII, as well as attachments of audio, video, images, and application programs. Message bodies may consist of multiple parts, and header information may be specified in non-ASCII character sets. Email messages with MIME formatting are typically transmitted with standard protocols, such as the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol (POP), and the Internet Message Access Protocol (IMAP).

11
Q

Chap 3-9: Charles has been asked to implement DNSSEC for his organization. Which of the following does it provide?

Confidentiality
Integrity
Availability
All of the Above

A

Integrity

12
Q

DNSSEC

A

Domain Name System Security Extensions

Provides authentication of DNS data, allowing DNS queries to be validated even if they are not encrypted; thus it ensures the integrity leg of the CIA triad

13
Q

Chap 3-12: Casey is considering implementing password key devices for her organization. She wants to use a broadly adopted open standard for authentication and needs her keys to support that. Which of the following standards should she look for her keys to implement, in addition to being able to connect via USB, Bluetooth and NFC?

SAML
FIDO
ARF
OpenID

A

FIDO

14
Q

FIDO

A

FIDO U2F is an open standard provided by the Fast IDentity Online Alliance used for security keys

15
Q

Chap 3-13: Nadia is concerned about the content of her emails to her friend Danielle being read as they move between servers. What technology can she use to encrypt her emails, and whose key should she use to encrypt the message?

S/MIME, her private key
Secure POP3, her public key
S/MIME, Danielle’s public key
Secure POP3, Danielle’s private key

A

S/MIME, Danielle’s public key

16
Q

Chap 3-14: What type of communications is SRTP most likely used for?

Email
VoIP
Web
File Transfer

A

VoIP

17
Q

SRTP

A

Secure Real-time Transport Protocol: used in VoIP communications

18
Q

FTP Port

A

TCP 21

19
Q

FTPS Port

A

TCP 990 (default)

20
Q

SFTP Port

A

SFTP is FTP over SSH, so it uses TCP port 22

21
Q

Chap 3-15: Olivia is implementing a load balanced web application cluster. Her organization already has a redundant pair of load balancers, but each unit is not rated to handle the maximum designed throughput of the cluster by itself. Olivia has recommended that the load balancers be implemented in an active/active design. What concern should she raise as part of this recommendation?

The load balancer cluster cannot be patched without a service outage
The load balancer cluster is vulnerable to a denial of service attack
If one of the load balancers fails, it could lead to service degradation
None of the above

A

If one of the load balancers fails, it could lead to service degradation

A failure in one of the active nodes would result in lower maximum throughput and potential service degradation

22
Q

What occurs when a certificate is stapled?

Both the certificate and the OCSP responder are sent together to prevent additional retrievals during certificate path validation
The certificate is stored in a secured location that prevents the certificate from being easily removed or modified
Both the host certificate and the root certificate authority’s private key are attached to validate the authenticity of the chain
The certificate is attached to the other certificates to demonstrate the entire certificate chain

A

Both the certificate and the OCSP responder are sent together to prevent additional retrievals during certificate path validation

23
Q

Certificate Stapling

A

Certificate Stapling: also called OCSP stapling and formally known as the TLS Certificate Status Request extension; a standard for checking the revocation status of X.509 digital certificates.

It allows the presenter of a certificate to bear the resource cost involved in providing Online Certificate Status Protocol (OCSP) responses by appending (“stapling”) a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA, with the aim of improving both security and performance.

24
Q

OCSP

A

Online Certificate Status Protocol: an alternative to the certificate revocation list (CRL); used to check whether a digital certificate is valid or has been revoked.

25
Q

CRL

A

Certificate Revocation List: a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted. CRLs are no longer required by the CA/Browser Forum, as alternate certificate revocation technologies (such as OCSP) are increasingly used instead. Nevertheless, CRLs are still widely used by CAs.

26
Q

Chap 3-18: Greg is setting up a public key infrastructure (PKI). He creates an offline root certificate authority (CA) and then needs to issue certificates to users and devices. What system or device in a PKI receives certificate signing requests (CSRs) from applications, systems and users?

An intermediate CA
An RA (Registration Authority)
A CRL
None of the Above

A

RA (Registration Authority)

27
Q

PKI

A

Public Key Infrastructure: system used to create digital certificates

28
Q

RA

A

Registration Authority: responsible for receiving certificate signing requests (for the initial enrollment or renewals) from people, servers, things or other applications

29
Q

Intermediate CA

A

CA trusted by the root CA to issue certificates

30
Q

Chap 3-19: Mark is responsible for managing his company's load balancer and wants to use a load balancing scheduling technique that will take into account the current server load and active sessions. Which of the following techniques should he choose?

Source IP Hashing
Weighted Response Time
Least Connection
Round Robin

A

Least Connection

31
Q

Least Connection Load Balancing

A

Takes load into consideration and sends the next request to the server with the fewest connections

32
Q

Round Robin Load Balancing

A

Distributes requests to each server in turn, in order

33
Q

Weighted Response Time Load Balancing

A

Uses health checks to determine, on an ongoing basis, which server responds most quickly and sends traffic to that server

34
Q

Chap 3-20: During a security review, Matt notices that the vendor he is working with lists their IPSec virtual private network (VPN) as using the AH protocol for security of the packets it sends. What concern should Matt note to his team about this?

AH does not provide confidentiality
AH does not provide data integrity
AH does not provide replay protection
None of the above; AH provides confidentiality, authentication and replay protection

A

AH does not provide confidentiality

AH does not provide data confidentiality, because it secures only the header, not the payload. That means AH can provide integrity and replay protection but leaves the rest of the data at risk. ESP (Encapsulating Security Payload) should be used instead.

35
Q

AH

A

IPSec Authentication Header protocol: does not provide data confidentiality, because it secures only the header, not the payload. That means AH can provide integrity and replay protection but leaves the rest of the data at risk. ESP (Encapsulating Security Payload) should be used instead.

36
Q

IPSec

A

Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs). An IPSec VPN can make a remote location appear as though it is connected to your local network.

37
Q

ESP

A

IPSec Encapsulating Security Payload: provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication.

38
Q

Chap 3-21: Michelle wants to secure mail being retrieved via the Post Office Protocol Version 3 (POP3) because she knows that it is unencrypted by default. What is her best option to do this while leaving POP3 running on its default port?

Use TLS via port 25
Use IKE via port 25
Use TLS via port 110
Use IKE via port 110

A

Use TLS via port 110

39
Q

IKE / IKEv2

A

Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, that establishes secure VPN communication between VPN devices and defines the negotiation and authentication processes for IPsec security associations (SAs).

40
Q

Chap 3-23: The company that Angela works for has deployed a VoIP environment that uses SIP. What threat is the most likely issue for their phone calls?

Call interception
Vishing
War dialing
Denial of service attacks

A

Call interception

41
Q

SIP

A

Session Initiation Protocol: used for VoIP; does not use TLS to maintain confidentiality

42
Q

War Dialing

A

An attempt to map all numbers for a phone service, usually to find modems

43
Q

SIPS

A

Secure SIP: SIP extended with TLS

44
Q

NTP

A

Network Time Protocol: protocol for syncing time across a network

45
Q

Chap 3-27: What security benefits are provided by enabling DHCP snooping or DHCP sniffing on switches in your network?

Prevention of malicious or malformed DHCP traffic
Prevention of rogue DHCP servers
Collection of information about DHCP bindings
All of the above

A

All of the above

46
Q

Chap 3-29: Cassandra is concerned about attacks against her network's Spanning Tree Protocol (STP). She wants to ensure that a new switch introduced by an attacker cannot change the topology by asserting a lower bridge ID than the current configuration. What should she implement to prevent this?

Enable BridgeProtect
Set the bridge ID to a negative number
Disable STP
Enable Root Guard

A

Enable Root Guard

47
Q

STP

A

Spanning Tree Protocol: a network protocol that builds a loop-free logical topology for Ethernet networks. Its basic function is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include backup links, providing fault tolerance if an active link fails.

48
Q

Root Guard

A

Part of Spanning Tree Protocol (STP); prevents devices on other ports from becoming the root bridge for a VLAN

49
Q

Chap 3-30: Charles finds a PFX formatted file on the system he is reviewing. What is the PFX file capable of containing?

Only certificates and chain certificates, no private keys
Only a private key
A server certificate, intermediate certificate and the private key
None of the above, because PFX files are used for certificate requests only

A

A server certificate, intermediate certificate and the private key

50
Q

PFX File

A

Can contain server certificates, intermediate certificates and private keys

51
Q

PEM file

A

Can contain Privacy Enhanced Mail certificates (multiple) and a private key

52
Q

DER file

A

Distinguished Encoding Rules: can store all kinds of certificates and private keys; usually used on Java platforms

53
Q

CER file

A

SSL certificate file used by web servers to help verify the identity and security of the site in question

54
Q

P12 file

A

Contains a digital certificate that uses PKCS#12 (Public-Key Cryptography Standards #12) encryption

55
Q

P7B (or PKCS#7)

A

Can contain only certificates and certificate chains, not private keys

56
Q

Chap 3-34: Charles wants to use IPSec and needs to be able to determine the IPSec policy for traffic based on the port it is being sent to on the remote system. Which IPSec mode should he use?

IPSec tunnel mode
IPSec IKE mode
IPSec PSK mode
IPSec transport mode

A

IPSec transport mode

57
Q

IPSec transport mode

A

Used in VPNs; allows for different policies per port

58
Q

IPSec tunnel mode

A

Used in VPNs; does not allow for different policies per port

59
Q

Chap 3-35: Wi-Fi Protected Setup (WPS) includes four modes for adding devices to a network. Which mode has significant security concerns due to a brute-force exploit?

PIN
USB
Push Button
NFC

A

PIN

60
Q

WPS

A

Wi-Fi Protected Setup: has many security issues and is not used in the enterprise. Used in homes for ease of setup

61
Q

Chap 3-38: What two connection methods are used for most geofencing applications?

Cellular and GPS
USB and Bluetooth
GPS and Wi-Fi
Cellular and Bluetooth

A

GPS and Wi-Fi

62
Q

Chap 3-39: Gabriel is setting up a new e-commerce server. He is concerned about security issues. Which of the following would be the best location to place an e-commerce server?

DMZ
Intranet
Guest Network
Extranet

A

DMZ

A DMZ sits between the internal and external facing firewalls. It is specifically designed as a location to place public-facing servers.

63
Q

Chap 3-40: Janelle is the security administrator for a small company. She is trying to improve security throughout the network. Which of the following steps should she take first?

Implement antimalware on all computers
Implement acceptable use policies
Turn off unneeded services on all computers
Set password reuse policies

A

Turn off unneeded services on all computers

This is typically the first step in securing computers and networks.

64
Q

Chap 3-41: Ben is responsible for a new application with a worldwide user base that will allow users to sign up to access existing data about them. He would like to use a method of authentication that will permit him to verify that users are the correct people to match up with their accounts. How can he validate these users?

Require that they present their social security number
Require them to use a federated identity via Google
Require them to use knowledge based identification
Require them to validate an email sent to the account they signed up with

A

Require them to use knowledge based identification

65
Q

Chap 3-42: Jason wants to implement a remote access VPN for users in his organization who primarily rely on hosted web applications. What common VPN is best suited to this if he wants to avoid deploying client software to his end-user systems?

A TLS VPN
An RDP VPN
An Internet Control Message Protocol (ICMP) VPN
An IPSec VPN

A

A TLS VPN

66
Q

Chap 3-45: Megan is preparing a certificate signing request (CSR) and knows that she needs to provide a CN for her web server. What information will she put into the CN field for the CSR?

Her name
The hostname
The company's name
The fully qualified domain name of the system

A

The fully qualified domain name of the system

67
Q

CN

A

Common Name: same as the FQDN

68
Q

Chap 3-49: What type of firewall examines the content and context of each packet it encounters?

Packet filtering firewall
Stateful packet filtering firewall
Application layer firewall
Gateway firewall

A

Stateful packet filtering firewall

69
Q

Heatmap

A

A wireless network heatmap is a visual representation of a wireless network showing where the signal is strong and where it is weak

70
Q

Chap 3-53: You're outlining your plans for implementing a wireless network to upper management. What wireless security standard should you adopt if you don't want enterprise authentication but want to provide secure authentication for users that doesn't require a shared password or phrase?

WPA3
WPA
WPA2
WEP

A

WPA3

WPA3 also implements simultaneous authentication of equals

71
Q

Chap 3-54: Brandon wants to ensure that his intrusion prevention system (IPS) is able to stop attack traffic. What deployment method is most appropriate for this requirement?

Inline, deployed as an IPS
Passive via a tap, deployed as an IDS
Inline, deployed as an IDS
Passive via a tap, deployed as an IPS

A

Inline, deployed as an IPS

72
Q

Passive via a Tap; Network tap

A

System that monitors events on a local network; usually only receives a copy of the data passing through and cannot act to affect the network

73
Q

Chap 3-57: Melissa's website provides users who access it via HTTPS with a TLS connection. Unfortunately, Melissa forgot to renew her certificate, and it is presenting users with an error. What happens to the HTTPS connection when the certificate expires?

All traffic will be unencrypted
Traffic for users who do not click OK at the certificate error will be unencrypted
Trust will be reduced but traffic will still be encrypted
Users will be redirected to the certificate authority's site for a warning until the certificate is renewed

A

Trust will be reduced but traffic will still be encrypted

74
Q

Chap 3-58: Isaac is reviewing his organization's secure coding practices document for customer-facing web applications and wants to ensure that their input validation recommendations are appropriate. Which of the following is not a common practice for input validation?

Ensure validation occurs on a trusted server
Validate all client supplied data before it is processed
Validate expected data types and ranges
Ensure validation occurs on a trusted client

A

Ensure validation occurs on a trusted client

75
Q

Chap 3-59: Frank knows that the systems he is deploying have a built-in TPM module. Which of the following capabilities is not a feature provided by a TPM?

A random number generator
Remote attestation capabilities
A cryptographic processor used to speed up SSL/TLS
The ability to bind and seal data

A

A cryptographic processor used to speed up SSL/TLS

76
Q

Chap 3-60: What is the primary use of hashing in databases?

To encrypt stored data, thus preventing exposure
For indexing and retrieval
To obfuscate data
To substitute for sensitive data, allowing it to be used without exposure

A

For indexing and retrieval

Hashing is commonly used in databases to increase the speed of indexing and retrieval, since it is typically faster to search for a hashed key than for the original value stored in the database

77
Q

PSK

A

Pre-shared Key

78
Q

Chap 3-61: Hans is a security administrator for a large company. Users on his network visit a wide range of websites. He is concerned that they might get malware from one of these many websites. Which of the following would be his best approach to mitigate this threat?

Implement host based antimalware
Blacklist known infected sites
Set browsers to allow only signed components
Set browsers to block all active content (ActiveX, JavaScript, etc.)

A

Set browsers to allow only signed components

79
Q

Chap 3-63: Olivia is building a wireless network and wants to implement an Extensible Authentication Protocol (EAP) based protocol for authentication. What EAP version should she use if she wants to prioritize reconnection speed and doesn't want to deploy client certificates for authentication?

EAP-FAST
EAP-TLS
PEAP
EAP-TTLS

A

EAP-FAST

80
Q

EAP-FAST

A

EAP protocol for wireless authentication; specifically designed for organizations that want to complete reconnections quickly and do not want certificates installed on endpoint devices

81
Q

EAP-TTLS

A

EAP Tunneling Transport Layer Security; required client side certificates

82
Q

Chap 3-64: You work at a large company. You are concerned about ensuring that all workstations have a common configuration, that no rogue software is installed, and that all patches are kept up to date. Which of the following would be the most effective for accomplishing this?

Use VDI
Implement restrictive policies
Use an image for all workstations
Implement strong patch management

A

Use VDI

83
Q

VDI

A

Virtual Desktop Infrastructure

84
Q

Chap 3-66: Patrick wants to deploy a virtual private networking (VPN) technology that is as easy for end users as possible. What type of VPN should he deploy?

IPSec VPN
SSL/TLS VPN
HTML5 L2TP VPN
SAML VPN

A

SSL/TLS VPN

85
Q

SSL/TLS VPN

A

Virtual Private Network that does not require a local client

86
Q

Chap 3-70: Alana has implemented an HSM. Which of the following capabilities is not a typical HSM feature?

Encryption and decryption for digital signatures
Boot attestation
Secure management of digital keys
Strong authentication support

A

Boot attestation

87
Q

Chap 3-72: Alaina wants to prevent bulk gathering of email addresses and other directory information from her web exposed LDAP directory. Which of the following solutions would not help with this?

Using a back-off algorithm
Implementing LDAPS
Requiring authentication
Rate limiting queries

A

Implementing LDAPS

88
Q

Back-off algorithm

A

An exponential backoff algorithm is a form of closed-loop control system that reduces the rate of a controlled process in response to adverse events.

89
Q

Chap 3-73: Alaina has been told that her organization uses a SAN certificate in their environment. What does this tell Alaina about the certificate in use in her organization?

It is used for a storage area network
It is provided by SANS, a network security organization
The certificate is part of a self-signed, self-assigned namespace
The certificate allows multiple hostnames to be protected by the same certificate

A

The certificate allows multiple hostnames to be protected by the same certificate

90
Q

SAN certificate

A

Subject Alternative Name: the certificate allows multiple hostnames to be protected by the same certificate

91
Q

Chap 3-80: Ixxia is a software development team manager. She is concerned about memory leaks in code. What type of testing is most likely to find memory leaks?

Fuzzing
Stress Testing
Static Code Analysis
Normalization

A

Static Code Analysis

92
Q

Chap 3-81: What IP address does a load balancer provide for external connections to web servers in a load balanced group?

The IP address for each server in a prioritized order
The load balancer's IP address
The IP address for each server, in a round-robin order
A virtual IP address

A

A virtual IP address

93
Q

Chap 3-87: What type of topology does an ad hoc wireless network use?

Point-to-multipoint
Star
Point-to-Point
Bus

A

Point-to-Point

94
Q

Star (networks)

A

Wired network topology

95
Q

Bus

A

Wired network topology

96
Q

Point-to-multipoint

A

Wireless network topology for infrastructure mode access points

97
Q

Password Vault

A

What Security+ calls a password manager (e.g., LastPass, BitWarden)

98
Q

Chap 3-90: Matt has enabled port security on the network switches in his building. What does port security do?

Filters by MAC address
Prevents routing protocol updates from being sent from protected ports
Establishes Private VLANs
Prevents duplicate MAC addresses from connecting to the network

A

Filters by MAC address

Port security filters by MAC address, allowing whitelisted MAC addresses to connect to the port and blocking blacklisted MAC addresses. Port security can be static, using a predetermined list; dynamic, allowing a specific number of addresses to connect; or run in a combination mode.

99
Q

Chap 3-86: Laurel is reviewing the configuration for an email server in her organization and discovers that there is a service running on TCP Port 993. What secure email service has she most likely discovered?

Secure POP3
Secure SMTP
Secure IMAP (IMAPS)
Secure MIME (SMIME)

A

Secure IMAP (IMAPS)

100
Q

Secure IMAP (IMAPS) default Port

A

TCP Port 993

101
Q

Secure SMTP default Port

A

TCP Port 587

102
Q

Secure POP3 default Port

A

TCP Port 995

103
Q

Chap 3-91: Tom is responsible for VPN connections in his company. His company uses IPSec for VPNs. What is the primary purpose of AH in IPSec?

Encrypt the entire packet
Encrypt just the header
Authenticate the entire packet
Authenticate just the header

A

Authenticate the entire packet

104
Q

Chap 3-92: Miles wants to ensure that his internal DNS cannot be queried by outside users. What DNS design pattern uses different internal and external DNS servers to provide potentially different DNS responses to users of those networks?

DNSSEC
Split horizon DNS
DMZ DNS
DNS Proxying

A

Split horizon DNS

105
Q

Split horizon DNS

A

In computer networking, split-horizon DNS (also known as split-view DNS, split-brain DNS, or split DNS) is the facility of a Domain Name System (DNS) implementation to provide different sets of DNS information, usually selected by the source address of the DNS request.

106
Q

Chap 3-94: Amanda wants to allow users from other organizations to log in to her wireless network. What technology would allow her to do this using their own home organization's credentials?

Preshared Keys
802.11q
RADIUS federation
OpenID Connect

A

RADIUS federation

107
Q

Chap 3-97: Janice is explaining how IPSec works to a new network administrator. She is trying to explain the role of IKE. Which of the following most closely matches the role of IKE in IPSec?

It encrypts the packet
It establishes the SAs
It authenticates the packet
It establishes the tunnel

A

It establishes the SAs

IKE is used to set up security associations (SAs) on both sides of the tunnel. The SAs hold all the settings (cryptographic algorithms, hashes, etc.) for the tunnel. IKE is not directly involved in encryption or authentication, and it does not establish the tunnel.

108
Q

Chap 3-98: What certificate is most likely to be used by an offline certificate authority (CA)?

Root
Machine/computer
User
Email

A

Root

109
Q

Chap 3-99: Emily manages the IDS/IPS for her network. She has a network-based intrusion prevention system (NIPS) installed and properly configured. It is not detecting obvious attacks on one specific network segment. She has verified that the NIPS is properly configured and working properly. What would be the most effective way for her to address this?

Implement port mirroring for that segment
Install a NIPS on that segment
Upgrade to a more effective NIPS
Isolate that segment into its own VLAN

A

Implement port mirroring for that segment

110
Q

Chap 3-101: Elenora is responsible for log collection and analysis for a company with locations around the country. She has discovered that remote sites generate high volumes of log data, which can cause bandwidth consumption issues for those sites. What type of technology could she deploy at each site to help with this?

Deploy a log aggregator
Deploy a honeypot
Deploy a bastion host
None of the above

A

Deploy a log aggregator

These will typically compress logs

111
Q

Bastion host

A

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration.

112
Q

Chap 3-104: Endpoint detection and response has three major components that make up its ability to provide visibility into endpoints. Which of the following is not one of those three parts?

Data search
Malware analysis
Data exploration
Suspicious activity detection

A

Malware analysis

113
Q

Chap 3-105: Isabelle is responsible for security at a mid-sized company. She wants to prevent users on her network from visiting job hunting sites while at work. Which of the following would be the best device to accomplish this goal?

Proxy Server
NAT
A packet filter firewall
NIPS

A

Proxy Server

114
Q

Chap 3-109: What channels do not cause issues with channel overlap in US installations of 2.4 GHz Wi-Fi networks?

1, 3, 5, 7, 9, and 11
2, 6, and 10
1, 6, and 11
Wi-Fi channels do not suffer channel overlap

A

1, 6, and 11

115
Q

Chap 3-113: You are selecting an authentication method for your company's servers. You are looking for a method that periodically reauthenticates clients to prevent session hijacking. Which of the following would be your best choice?

PAP
SPAP
CHAP
OAuth

A

CHAP

116
Q

PAP

A

A password-based authentication protocol used by the Point-to-Point Protocol (PPP) to validate users. Because PPP sends data unencrypted and "in the clear", PAP is vulnerable to any attacker who can observe the PPP session. Does not reauthenticate

117
Q

CHAP

A

Challenge Handshake Authentication Protocol: unencrypted; periodically reauthenticates the client without notifying the user, specifically to prevent session hijacking. Also provides protection against replay attacks by the peer through the use of a challenge generated by the authenticator.

118
Q

SPAP

A

Shiva Password Authentication Protocol: adds password encryption. Does not reauthenticate (proprietary)

119
Chap 3-119: Carl has been asked to setup access control for a server. The requirements state that users at a lower privilege level should not be able to see or access data files at a higher privilege level. What access control model would best fit these requirements? MAC DAC RBAC SAML
MAC
120
MAC
Mandatory Access Control - will not allow users at a lower privilege level to see things for a higher privilege level
121
DAC
Discretionary Access Control - allows data owner to configure their own security
122
RBAC
Role Based Access Control - access control based on defined roles
123
Chap 3-121: Claire has been notified of a zero-day flaw in a web application. She has the exploit code including a SQL injection attack that is being actively exploited. How can she quickly react to prevent this issue from impacting her environment if she needs the application to continue to fuction? Deploy a detection rule to her IDS Manually update the application code after reverse engineering it Deploy a few via her WAF Install the vendor provided patch
Deploy a fix via her WAF. A WAF rule that blocks the injection pattern acts as a virtual patch while the application keeps running; an IDS rule only detects, and a vendor patch does not yet exist for a zero-day.
124
Chap 3-123: Derek is in charge of his organization's certificate authorities (CAs) and wants to add a new CA. His organization already has three CAs operating in a mesh: A- South American CA; B- North American CA; C- European CA. As they expand into Australia, he wants to add D- Australian CA. Which CAs will Derek need to issue certificates to from D to ensure the systems in the Australian domain are able to access servers in A, B and C's domains? He needs all the other systems to issue D certificates so that his systems will be trusted there He needs to provide the private keys from D to the other CAs He needs to issue certificates from D to each of the other CAs and then have the other CAs issue D a certificate He needs to receive the private key from each of the other CAs and use it to sign the root certificate for D
He needs to issue certificates from D to each of the other CAs and then have the other CAs issue D a certificate. Because the CAs operate in a mesh there is no root CA above them, so each pair must cross-certify: D signs a certificate for A, B and C, and each of them signs one for D. Private keys are never shared between CAs.
125
SNMP
Simple Network Management Protocol; the current version is v3, which adds per-user authentication and encryption. v1 and v2c authenticate with community strings sent in cleartext and should not be exposed on untrusted networks.
126
Chap 3-126: Eric is responsible for his organization's mobile device security. They use a modern mobile device management (MDM) tool to manage a BYOD mobile device environment. Eric needs to ensure that the applications and data that his organization provides to the users of those mobile devices remain as secure as possible. Which of the following technologies will provide him with the best security? Storage segmentation Containerization Full Disk Encryption Remote Wipe
Containerization
127
Chap 3-130: What is the primary advantage of cloud-native security solutions when compared to third-party solutions deployed to the same cloud environment? Lower cost Better security Tighter integration All of the above
Tighter integration
128
Chap 3-131: Ed needs to securely connect to a DMZ from an administrative network using SSH (Secure Shell). What type of system is frequently deployed to allow this to be done securely across security boundaries for network segments with different security levels? An IPS A NAT gateway A router A jump box
A jump box
129
Chap 3-138: Marek has configured systems in his network to perform boot attestation. What has he configured the systems to do? To run only trusted software based on previously stored hashes using a chained boot process To notify a BOOTP server when the system has booted up To hash the BIOS of the system to ensure that boot process has occurred securely To notify a remote system or management tool that the boot process was secure using measurements from the boot process
To notify a remote system or management tool that the boot process was secure using measurements from the boot process
130
Chap 3-140: Which of the following steps is a common way to harden the Windows registry? Ensure the registry is fully patched Set the registry to read only mode Disable remote registry access if not required Encrypt all user mode registry keys
Disable remote registry access if not required
131
Chap 3-141: Lois is designing the physical layout for her wireless access point (WAP) placement in her organization. Which of the following items is not a concern when designing a WAP layout? Determining construction materials of walls around the access points Assessing power levels from other access points Performing a site survey Maximizing coverage overlap
Maximizing coverage overlap
132
Chap 3-142: Gabby has been laid off from the organization she has worked at for almost a decade. Mark needs to make sure that Gabby's account is securely handled after her last day of work. What can he do to her account as an interim step to best ensure that the files are still accessible and the account could be returned to use if Gabby returns after the layoff? Delete the account and re-create it when it is needed Disable the account and re-enable it if it is needed Leave the account active in case Gabby returns Change the password to one Gabby does not know
Disable the account and re-enable it if it is needed
133
Chap 3-143: Mason is responsible for security at a company that has traveling salespeople. The company has been using ABAC for access control to the network. Which of the following is an issue that is specific to ABAC and might cause it to incorrectly reject logins? Geographic location Wrong password Remote access is not allowed by ABAC Firewalls usually block ABAC
Geographic location
134
ABAC
Attribute Based Access Control: determines access (permissions) based on designated attributes, e.g.: location
135
Rule Based Access Control
determines access (permissions) based on rules
136
Chap 3-147: Amelia is looking for a network authentication method that can use digital certificates and does not require end users to remember passwords. Which of the following would best fit her requirements? OAuth Tokens OpenID RBAC
Tokens
137
Tokens
Tokens are physical devices (smart cards, USB security keys) that hold cryptographic material, including digital certificates, for authentication. The user proves possession of the token instead of remembering a password.
138
Chap 3-149: The firewall that Walter has deployed looks at every packet sent by systems that travel through it, ensuring each packet matches the rules that it operates and filters traffic by. What type of firewall is being described? Next generation Stateless Application layer Stateful
Stateless
139
Stateless Firewall
Firewall that examines every packet passing through it in isolation against its rule set (addresses, ports, protocol) and filters accordingly. It keeps no record of connections, so return traffic must be permitted by its own explicit rule.
140
Stateful Firewall
Firewall which pays attention to the conversations and will allow packets in a conversation between devices to pass through once it has verified the initial exchange
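The difference between the two firewall cards above, shown over a constructed three-packet stream. This is an added example written for this deck, not code from the book; the addresses, ports and rules are constructed, and the state table is a deliberately minimal model of what a real stateful engine tracks.

```python
"""Stateless vs stateful packet filtering over a constructed packet stream."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for a TCP connection-opening segment


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    proto: str = "any"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto) and self.src in ("any", p.src)
                and self.sport in (None, p.sport) and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


def first_match(rules: list, p: Packet) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"              # implicit deny at the end of the rule set


def stateless_filter(rules: list, packets: list) -> list:
    """Every packet is judged on its own header fields; nothing is remembered."""
    return [first_match(rules, p) for p in packets]


class StatefulFilter:
    """Remembers conversations it allowed and lets their return traffic through."""

    def __init__(self, rules: list):
        self.rules = rules
        self.table: set = set()

    def decide(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.table or reverse in self.table:
            return "allow"     # part of a conversation whose start we verified
        if p.proto == "tcp" and not p.syn:
            return "deny"      # mid-stream segment with no tracked conversation
        action = first_match(self.rules, p)
        if action == "allow":
            self.table.add(flow)
        return action

    def filter(self, packets: list) -> list:
        return [self.decide(p) for p in packets]


# Constructed sample traffic: a client opens HTTPS, the server answers,
# and an outsider spoofs "return" traffic from source port 443.
CLIENT, WEB, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
PACKETS = [
    Packet("tcp", CLIENT, 51000, WEB, 443, syn=True),   # client SYN
    Packet("tcp", WEB, 443, CLIENT, 51000, syn=True),   # server SYN/ACK
    Packet("tcp", ATTACKER, 443, CLIENT, 51000),        # unsolicited, sport 443
]
OUTBOUND_ONLY = [Rule("allow", proto="tcp", dst=WEB, dport=443)]
# The hole a stateless admin has to punch so replies get back to the client:
WITH_RETURN_HOLE = OUTBOUND_ONLY + [Rule("allow", proto="tcp", sport=443, dst=CLIENT)]


def demo() -> dict:
    return {
        "stateless_outbound_only": stateless_filter(OUTBOUND_ONLY, PACKETS),
        "stateless_with_return_hole": stateless_filter(WITH_RETURN_HOLE, PACKETS),
        "stateful": StatefulFilter(OUTBOUND_ONLY).filter(PACKETS),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:28s} {verdicts}")
```

The stateless filter either blocks the server's reply or, once a "source port 443" rule is added, also admits the attacker's spoofed packet; the stateful filter admits the reply because it remembers the client's SYN and drops the attacker's packet because no conversation exists for it.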
141
Chap 3-150: Nancy wants to protect and manage her RSA keys while using a mobile device. What type of solution could she purchase to ensure that the keys are secure so that she can perform public key authentication? An application based PKI An OPAL Encrypted drive A MicroSD HSM An offline CA
A MicroSD HSM
142
Storm Control
Storm control enables the switch to monitor traffic levels and to drop broadcast, multicast and unknown unicast packets when a specified traffic level, called the storm control level, is exceeded.
143
Chap 3-160: Megan wants to set up an account that can be issued to visitors. She configures a kiosk application that will allow users in her organization to sponsor the visitor, set the amount of time the user will be on-site, then allow them to log into the account, set a password, and use Wi-Fi and other services. What type of account has Megan created? A user account A guest account A shared account A service account
A guest account
144
Chap 3-162: Patrick has been asked to identify a UTM appliance for his organization. Which of the following capabilities is not a common feature for a UTM device? IDS and or IPS Antivirus MDM DLP
MDM. A UTM appliance does not provide mobile device management.
145
UTM
Unified Threat Management devices commonly serve as firewalls, IDS, IPS, Antivirus, web proxies, web application and deep packet inspection, secure email gateways, DLP, SIEM, and even VPN devices
146
Chap 3-162: A company-wide policy is being created to define various security levels. Which of the following systems of access control would use documented security levels like Confidential or Secret for information? RBAC MAC DAC BAC
MAC
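A working model of the MAC rule behind both MAC cards above (lower clearance cannot see higher-labelled data; labels such as Confidential and Secret are fixed by policy). This is an added example written for this deck, not code from the book: it implements the Bell-LaPadula simple security property (no read up) and star property (no write down) over a label lattice with compartments. The level names, compartment "HUMINT" and the file table are constructed.

```python
"""Bell-LaPadula style mandatory access control over a label lattice."""
from __future__ import annotations
from dataclasses import dataclass

# Ordered classification levels; the administrator, not the data owner, assigns them.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: at least the level and every compartment."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Star property: no write down, so high data cannot leak into a low object."""
    return obj.dominates(subject)


# Constructed sample objects with their classification labels.
FILES = {
    "payroll.xlsx": Label("Confidential"),
    "merger-plan.docx": Label("Secret"),
    "source-reports.txt": Label("Secret", frozenset({"HUMINT"})),
    "public-notice.txt": Label("Unclassified"),
}


def visible_files(subject: Label) -> list:
    """What a directory listing looks like to a subject with this clearance."""
    return sorted(name for name, lab in FILES.items() if can_read(subject, lab))


def reference_monitor(subject: Label, name: str, mode: str) -> bool:
    """Every access goes through here; the policy cannot be changed by the owner."""
    lab = FILES[name]
    if mode == "read":
        return can_read(subject, lab)
    if mode == "write":
        return can_write(subject, lab)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for clearance in (Label("Confidential"), Label("Secret"),
                      Label("Top Secret", frozenset({"HUMINT"}))):
        print(clearance, "->", visible_files(clearance))
```

Note that a Secret clearance without the HUMINT compartment still cannot read source-reports.txt, and that strict Bell-LaPadula permits writing up (a Confidential user can append to a Secret file); production systems usually add an integrity rule to restrict that as well.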
147
Forward Proxy
Used to apply policies to user requests sent to web servers and other services. The client sends its connection request to the proxy, which terminates that request and opens its own connection to the destination server, applying policies as required, then returns the response to the client.
148
Reverse Proxy
Acts as a gateway between users and application servers, allowing content caching and traffic manipulation. Often used by CDNs to help traffic management.
149
secure LDAP (LDAPS) default port
TCP Port 636
150
DNS default port
UDP port 53 for most queries; TCP port 53 for zone transfers and responses too large for a UDP datagram
151
LDAP default port
TCP Port 389
152
HSM
Hardware Security Module. Can do:
- act as a cryptographic key manager, including creating, storing and securely handling encryption keys and certificates
- act as a cryptographic accelerator, offloading encryption functions such as TLS
153
HIDS/HIPS
Host-based IDS/IPS: runs as an agent on the host itself (workstation or server) rather than on the network, monitoring that system's processes, files and logs.
154
Chap 3-171: Which of the following access control methods grants permissions based on the user's position in the organization? MAC RBAC DAC ABAC
RBAC
155
Chap 3-173: Kerberos uses which of the following to issue tickets? Authentication service Certificate authority Ticket-granting service Distribution center
Distribution center (the Key Distribution Center, KDC, which comprises the authentication service that issues the ticket-granting ticket and the ticket-granting service that issues service tickets)
156
Chap 3-178: Your company relies heavily on cloud and SaaS service providers such as SFDC, O365 and Google. Which of the following would you have security concerns about? LDAP TACACS+ SAML Transitive Trust
SAML
157
Transitive Trust
A trust that passes through an intermediary: if A trusts B and B trusts C, A implicitly trusts C. In a Microsoft Active Directory (AD) forest a two-way transitive trust is created automatically between a parent and child domain.
158
Chap 3-179: What is the primary difference between MDM and UEM? MDM does not include patch management UEM does not include support for mobile devices UEM supports a broader range of devices MDM patches domain machines, not enterprise machines
UEM supports a broader range of devices
159
UEM
Unified Endpoint Management
160
MDM
Mobile Device Management, tends to focus on mobile devices
161
Chap 3-181: Gary is designing his cloud infrastructure and needs to provide firewall-like capability for the virtual systems he is running. Which of the following cloud capabilities acts like a virtual firewall? Security groups Dynamic resource allocation VPC endpoints Instance awareness
Security groups Security groups are virtual firewalls for instances, allowing rules to be applied to traffic between instances.
162
Chap 3-185: Gary's organization uses a NAT gateway at its network edge. What security benefit does a NAT gateway provide? It statefully blocks traffic based on port and protocol as a type of firewall It can detect malicious traffic and stop it from passing through It allows systems to connect to another network without being directly exposed to it It allows non-IP-based addresses to be used behind a legitimate IP address
It allows systems to connect to another network without being directly exposed to it
163
NAC
Network Access Control: checks a device's identity and posture (patch level, antivirus, configuration) before it is admitted to the network, typically enforced with 802.1X, and can quarantine devices that fail the check.
164
Chap 3-188: An end user attaches a switch that advertises itself with a lower spanning tree priority than the existing switches (and would therefore become the root bridge). Which of the following can prevent this from happening? 802.11n Port recall RIP guard BPDU guard
BPDU guard. BPDU guard protects the switched infrastructure by error-disabling an access port as soon as a Bridge Protocol Data Unit (BPDU) arrives on it, so an unauthorized switch cannot participate in the spanning tree or take over as root bridge.
165
Tracy wants to limit when users can log in to a standalone Windows workstation. What can Tracy do to make sure that an account called "visitor" can only log in between 8AM and 5PM every weekday? Running the command: net user visitor /time: M-F,8am-5pm Running the command: netreg visitor -daily -working-hours Running the command: login limit:daily time: 8-5 This cannot be done from the Windows command line
Running the command: net user visitor /time: M-F,8am-5pm. Note that the switch Windows actually accepts is /times: with no space (net user visitor /times:M-F,8am-5pm); the range can also be written in 24-hour form, M-F,08:00-17:00.
166
net user
Windows command that manages local and domain user accounts. Commonly used items:
- username: the account to perform the action on
- password: set or change the password for the account; use * to be prompted for it
- /domain: manage domain accounts instead of local ones
- /add: create a new user account
- /delete: delete a user account
- /active:{yes|no}: enable or disable the account
- /expires: set the date the account expires
- /times: the times the user is allowed to log in
- /homedir: set the home directory path of the account
167
Chap 3-192: Mike's manager has asked him to verify that the certificate chain for their production website is valid. What has she asked Mike to validate? That the certificate has not been revoked That users who visit the website can verify that the site and the CAs in the chain are all trustworthy That the encryption used to create the certificate is strong and has not been cracked That the certificate was issued properly and that prior certificates issued for the same system have also been issued properly
That users who visit the website can verify that the site and the CAs in the chain are all trustworthy
168
Chap 3-193: Maria is responsible for security at a small company. She is concerned about unauthorized devices being connected to the network. She is looking for a device authentication process. Which of the following would be the best choice for her. CHAP Kerberos 802.11i 802.1X
802.1X
169
802.1X
IEEE standard for port based network access control. This protocol is frequently used to authenticate devices.
170
Chap 3-194: Which wireless standard uses CCMP to provide encryption for network traffic? WPA2 WEP Infrared Bluetooth
WPA2. WPA2 uses AES-based CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) to encapsulate traffic, providing both confidentiality and integrity; WEP relied on the broken RC4-based scheme.
171
Chap 3-199: Greg's company has a remote location that uses an IP-based streaming security camera system. How could Greg ensure that the remote location's networked devices can be managed as if they are local devices and that the traffic to that remote location is secure? An as-needed TLS VPN An always-on TLS VPN An as-needed IPsec VPN An always-on IPsec VPN
An always-on IPsec VPN
172
Chap 3-200: What does the OPAL standard specify? Online personal access licenses Self-encrypting drives The original of personal accounts and libraries Drive sanitization modes for degaussers
Self-encrypting drives
173
OPAL Standard
The OPAL storage specification defines how to protect confidentiality for stored data and how storage devices from storage manufacturers can work together. For example, it defines a way of encrypting the stored data so that an unauthorized person who gains possession of the device cannot see the data. That is, it is a specification for self-encrypting drives (SED).
174
Chap 3-203: Jason is considering deploying a Network IPS and wants to be able to detect advanced persistent threats (APTs). What type of IPS detection method is most likely to detect behaviors of an APT after it has gathered baseline information about normal operations? Signature-based IPS detections Heuristic-based IPS detections Malicious tool hash IPS detections Anomaly-based IPS detections
Anomaly-based IPS detections
175
Anomaly-based IPS detections
Build a behavioral baseline for networks and then assess differences from those baselines. They may also use heuristic detection as well
176
Chap 3-205: Dennis wants to deploy a firewall that can provide URL filtering. What type of firewall should he deploy? A packet filter A stateful packet inspection firewall A next generation firewall None of the above
A next generation firewall
177
Next Generation Firewall
Firewall that may have some or all of the following capabilities:
- built-in IPS or IDS, to analyze traffic for alerts or take action
- antimalware/antivirus
- Geo-IP and geolocation capabilities
- proxying
- web application firewall (WAF) designed to protect applications
- sandboxing
178
Chap 3-209: Waleed's organization uses a combination of internally developed and commercial applications that they deploy to mobile devices used by staff throughout the company. What type of tool can be used to handle a combination of BYOD phones and corporate tablets that need to have these applications loaded onto them and removed from them when their users are no longer part of the organization? MOM MLM MIM MAM
MAM
179
MAM
Mobile Application Management - designed to allow applications to be delivered to and removed from managed mobile devices
180
MOM
Microsoft Operations Manager: an old Microsoft systems management tool, superseded by System Center Operations Manager; not a mobile application management tool
181
Chap 3-211: Charles is concerned that users of Android devices in his company are delaying OTA updates. Why would Charles be concerned about this, and what should he do about it? OTA updates patch applications, and a NAC agent would report on all phones in the organization OTA updates update device encryption keys that are necessary for security, and a PKI would track encryption certificates and keys OTA updates patch firmware and update phone configurations, and an MDM tool would provide reports on firmware versions and phone settings OTA updates are sent by phones to report on online activity and tracking, and an MDM tool receives OTA updates to monitor phones
OTA updates patch firmware and updates phone configurations, and an MDM tool would provide reports on firmware versions and phone settings
182
Chap 3-213: Barbara wants to implement WPA3 Personal. Which of the following features is a major security improvement in WPA3 over WPA2? DDoS monitoring and prevention Pre-channel security Brute-force attack prevention Improvements from 64-bit and 128-bit encryption
Brute-force attack prevention. WPA3 Personal replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange: capturing the handshake no longer allows an offline dictionary attack on the passphrase, because each guess requires a live exchange with the access point.
183
Chap 3-215: Greg has implemented a system that allows users to access accounts like administrator and root without knowing the actual passwords for the accounts. When users attempt to use elevated accounts, their request is compared to policies that determine if the request should be allowed. The system generates a new password each time a trusted user requests access, and then logs the access request. What type of system has Greg implemented? a MAC system a PAM system a FDE system a TLS system
a PAM system
184
PAM system
Privileged access management - used to manage and control privileged accounts securely
185
Chap 3-214: Isaac wants to implement mandatory access controls on an Android-based device. What can he do to accomplish this? Run Android in single user mode Use SEAndroid Change the Android registry to MAC mode Install MACDroid
Use SEAndroid
186
SELinux
Security-Enhanced Linux: allows MAC to be implemented on Linux-based systems. SEAndroid is the Android implementation of SELinux.
187
CASB
Cloud Access Security Broker: a policy enforcement point placed between users and cloud services to provide visibility, access control, DLP and threat protection for SaaS use
188
Chap 3-218: John wants to deploy a solution that will provide content filtering for web applications, CASB functionality, DLP, and threat protection. What type of solution can he deploy to provide these features? A reverse proxy A VPC gateway An NG SWG A next gen firewall
An NG SWG
189
NG SWG
Next Generation Secure Web Gateway. Can have the following features:
- web filtering
- TLS decryption to allow traffic analysis
- advanced threat protection
- CASB features
- DLP
190
Chap 3-220: Sharif uses the chmod terminal command in Linux to set the permissions of a file using the command: chmod 700 example.txt. What permission has he set on this file? All users have write access to the file The user has full access to the file All users have execute access to the file The user has execute access to the file
The user (file owner) has full access. Each octal digit is the sum of read (4), write (2) and execute (1) for owner, group and others in turn, so 700 gives the owner rwx and leaves group and others with no access.
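The octal-to-rwx mapping from the answer above, as a small Python tool that decodes a mode, checks for the world-writable case a hardening script looks for, and applies the equivalent of `chmod 700` to a scratch file. This is an added example written for this deck, not code from the book; the scratch file and its contents are constructed, and the function names are this example's own.

```python
"""Decode and apply Unix permission modes such as chmod 700."""
import os
import stat
import tempfile


def describe_mode(mode: int) -> str:
    """Render the low nine permission bits as rwxrwxrwx (owner, group, others)."""
    out = ""
    for shift in (6, 3, 0):                 # owner, group, others
        triplet = (mode >> shift) & 0o7
        out += "r" if triplet & 4 else "-"
        out += "w" if triplet & 2 else "-"
        out += "x" if triplet & 1 else "-"
    return out


def parse_octal(text: str) -> int:
    """Turn the string a user types after chmod ("700", "0644") into a mode."""
    value = int(text, 8)
    if not 0 <= value <= 0o7777:            # three permission digits plus setuid/setgid/sticky
        raise ValueError(f"mode out of range: {text}")
    return value


def is_world_writable(mode: int) -> bool:
    """The check most hardening scripts run over sensitive paths."""
    return bool(mode & stat.S_IWOTH)


def demo_chmod_700():
    """Create a scratch file, apply chmod 700 and return the mode the OS reports.
    Returns None where the kernel does not honour these bits (non-POSIX)."""
    if os.name != "posix":
        return None
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "example.txt")     # constructed scratch file
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, parse_octal("700"))
        return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    for text in ("700", "644", "666", "0755"):
        mode = parse_octal(text)
        print(f"chmod {text:>4} -> {describe_mode(mode)}  world-writable={is_world_writable(mode)}")
    print("mode on disk after chmod 700:", oct(demo_chmod_700() or 0))
```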
191
Chap 3-221: Patrick regularly connects to untrusted networks when he travels and is concerned that an on-path attack could be executed against him as he browses websites. He would like to validate certificates against known certificates for those websites. What technique can he use to do this? Check the CRL Use certificate pinning Compare his private key to their public key Compare their public key to their private key
Use certificate pinning
192
Certificate Pinning
Associates a known certificate with a host and then compares the known certificate with the certificate that is presented. This can help prevent man-in-the-middle attacks, but can fail if the certificate is updated and the pinned certificate isn't.
193
Chap 3-223: Michelle's organization uses self-signed certificates throughout its internal infrastructure. After a compromise, Michelle needs to revoke one of the self-signed certificates. How can she do that? Contact the certificate authority and request that they revoke the certificate Add the certificate to the CRL Remove the certificate from the list of whitelisted certificates on each machine that trusts it Reissue the certificate, causing the old version to be invalid
Remove the certificate from the list of whitelisted certificates on each machine that trusts it. A self-signed certificate has no issuing CA, so there is no CRL or OCSP responder to publish its revocation; trust has to be withdrawn host by host, which is a known time sink for self-signed certificates.