Chapter4 Flashcards Preview

Comptia Network+ MP N10-007 > Chapter4 > Flashcards

Flashcards in Chapter4 Deck (85)
1
Q
A laptop that is equipped with a fingerprint scanner that authenticates the user is using which of the following types of technology?
Pattern recognition
Hand geometry
Biometrics
Tamper detection
A

C. The technology that uses human physical characteristics to authenticate users is called biometrics. Biometric devices can identify users based on fingerprints, retinal pattern, voice prints, and other characteristics.

2
Q
An IT department receives a shipment of 20 new computers, and Alice has been assigned the task of preparing them for deployment to end users. The first thing she does is affix a metal tag with a bar code on it to each computer. Which of the following terms best describes the function of this procedure?
Asset tracking
Tamper detection
Device hardening
Port security
A

A. Bar coding the new computers enables the IT department to record their locations, status, and conditions throughout their life cycle, a process known as asset tracking. Bar codes are not used for tamper detection and device hardening. Port security refers to switches, not computers.

3
Q
Which of the following types of physical security is most likely to detect an insider threat?
Smartcards
Motion detection
Video surveillance
Biometrics
A

C. An insider threat by definition originates with an authorized user. Smartcards, motion detection, and biometrics will only detect the presence of someone who is authorized to enter sensitive areas. Video surveillance, however, can track the activities of anyone, authorized or not.

4
Q
Which of the following physical security mechanisms can either “fail close” or “fail open”?
Motion detectors
Video cameras
Honeypots
Door locks
A

D. The terms fail close and fail open refer to the default position of an electric or electronic door lock when there is a power failure. Security is often a trade-off with safety: if an emergency cuts off power, whether secured doors stay permanently locked or are left permanently open is a critical factor. The terms fail close and fail open do not apply to motion detectors or video cameras. A honeypot is a computer configured to lure potential attackers; it is not a physical security mechanism.

5
Q
Which of the following are common types of cameras used for video surveillance of secured network installations? (Choose all correct answers.)
IP
LDAP
CCTV
NAC
A

A and C. Closed circuit television cameras are part of a self-contained system in which the cameras feed their signals to dedicated monitors, usually located in a security center. IP cameras are standalone devices that transmit signals to a wireless access point. While CCTV cameras can only be monitored by users in the security center, or another designated location, IP cameras can be monitored by any authorized user with a web browser. LDAP is a directory services protocol and Network Access Control is a service; neither one is a type of video surveillance device.

6
Q
Which of the following statements describes what it means when the automated lock on the door to a datacenter is configured to fail open?
The door remains in its current state in the event of an emergency.
The door locks in the event of an emergency.
The door unlocks in the event of an emergency.
The door continues to function using battery power in the event of an emergency.
A

C. A door that is configured to fail open reverts to its unsecured state—open—when an emergency occurs. This must be a carefully considered decision, as it can be a potential security hazard. However, configuring the door to fail closed is a potential safety hazard.

7
Q
A high security installation that requires entrants to submit to a retinal scan before the door unlocks is using which of the following types of technology?
Pattern recognition
Hand geometry
Biometrics
Tamper detection
A

C. The technology that uses human physical characteristics to authenticate users is called biometrics. Biometric devices can identify users based on fingerprints, retinal pattern, voice prints, and other characteristics.

8
Q
Which of the following are means of preventing unauthorized individuals from entering a sensitive location, such as a datacenter? (Choose all correct answers.)
Biometric scans
Identification badges
Key fobs
Motion detection
A

A, B, and C. Biometric scans, identification badges, and key fobs are all means of distinguishing authorized from unauthorized personnel. Motion detection cannot make this distinction.

9
Q
Which of the following security measures can monitor the specific activities of authorized individuals within sensitive areas?
Video surveillance
Identification badges
Key fobs
Motion detection
A

A. Video surveillance can monitor all activities of users in a sensitive area. With properly placed equipment, even specific actions, such as commands entered in a computer, can be monitored. Identification badges, key fobs, and motion detection can indicate the presence of individuals in a sensitive area, but they cannot monitor specific activities.

10
Q
Which of the following physical security devices can use passive RFIDs to enable an authorized user to enter a secured area? (Choose all correct answers.)
Key fob
Keycard lock
Prox card
Cypher lock
A

A and C. A radio frequency identification (RFID) device is a small chip that can be electronically detected by a nearby reader. The chip can contain small amounts of data, such as the authentication credentials needed to grant an individual access to a secured area. Key fobs and proximity cards (prox cards) often use RFIDs to enable users to unlock a door by waving the device near a reader. Keycard locks typically require the card to be inserted into a reader and typically use magnetic strips to store data. Cypher locks rely on data supplied by the user—that is, the combination numbers.

11
Q
Some key fobs used for authenticated entrance to a secured area have a keypad that requires the user to enter a PIN before the device is activated. Which of the following authentication factors is this device using? (Choose all correct answers.)
Something you do
Something you have
Something you are
Something you know
A

B and D. Possession of the key fob is something you have, but the key fob could be lost or stolen, so its security is confirmed by the entrance of a PIN, something you know. Unless the user both lost the key fob and shared the PIN, the device remains secure.

12
Q
Which of the following physical security devices can enable an authorized user to enter a secured area without any physical contact with the device? (Choose all correct answers.)
Key fob
Keycard lock
Prox card
Cypher lock
A

A and C. Key fobs and proximity cards (prox cards) often use RFIDs to enable users to unlock a door by waving the device near a reader. Keycard locks typically use magnetic strips to store data and require the card to be physically inserted into a reader. Cypher locks rely on data manually supplied by the user—that is, the combination numbers.

13
Q
Video surveillance of sensitive areas, such as datacenters, can prevent which of the following types of attacks? (Choose all correct answers.)
Social engineering
Evil twin
Brute force
Insider threats
A

B and D. Video surveillance can conceivably prevent evil twin attacks because these take the form of a rogue access point deliberately connected to the network for malicious purposes. Video surveillance can also help to prevent insider threats by monitoring the activities of authorized users. Video surveillance cannot prevent social engineering, which involves nothing more than communicating with people, or brute-force attacks, which are usually performed remotely.

14
Q
Which of the following statements is true when a biometric authentication procedure results in a false positive?
A user who should be authorized is denied access.
A user who should not be authorized is denied access.
A user who should be authorized is granted access.
A user who should not be authorized is granted access.
A

D. When a false positive occurs during a biometric authentication, a user who should not be granted access to the secured device or location is granted access. A false negative is when a user who should be granted access is denied access.

15
Q
In the datacenter of a company involved with sensitive government data, all servers have crimped metal tags holding the cases closed. All of the hardware racks are locked in clear-fronted cabinets. All cable runs are installed in transparent conduits. These are all examples of which of the following physical security measures?
Tamper detection
Asset tracking
Geofencing
Port security
A

A. All of the mechanisms listed are designed to make any attempts to tamper with or physically compromise the hardware devices immediately evident. This is therefore a form of tamper detection. Asset tracking is for locating and identifying hardware. Geofencing is a wireless networking technique for limiting access to a network. Port security refers to network switch ports.

16
Q
A secured government building that scans the faces of incoming people and compares them to a database of authorized entrants is using which of the following types of technology?
Pattern recognition
Hand geometry
Biometrics
Tamper detection
A

C. The technology that uses human physical characteristics to authenticate users is called biometrics. Biometric devices can identify users based on fingerprints, retinal pattern, voice prints, and other characteristics.

17
Q

Which of the following is not a means of preventing physical security breaches to a network datacenter?
Badges
Locks
Key fobs

A

D. A tailgater is a type of intruder who enters a secure area by closely following an authorized user. Most people are polite enough to hold the door open for the next person without knowing if they are authorized to enter. A tailgater is therefore not an intrusion prevention mechanism. Identification badges, locks, and key fobs are methods of preventing intrusions.

18
Q
Identification badges, key fobs, and mantraps all fall into which of the following categories of security devices?
Physical security
Data security
Asset tracking
Port security
A

A. Identification badges, key fobs, and mantraps are all physical security mechanisms, in that they prevent unauthorized personnel from entering sensitive areas, such as datacenters. These mechanisms are not used for data file security, asset tracking, or switch port security.

19
Q
Which of the following are not means of detecting intruders in a network datacenter? (Choose all correct answers.)
Motion detection
Video surveillance
Biometrics
Smartcards
A

C and D. Biometrics and smartcards are both means of preventing intrusions, whereas motion detection and video surveillance are mechanisms for detecting them.

20
Q
Which of the following statements describes what it means when the automated lock on the door to a datacenter is configured to fail closed?
The door remains in its current state in the event of an emergency.
The door locks in the event of an emergency.
The door unlocks in the event of an emergency.
The door continues to function using battery power in the event of an emergency.
A

B. A door that is configured to fail closed reverts to its secured state—locked—when an emergency occurs. This must be a carefully considered decision, since it can be a potential safety hazard. However, configuring the door to fail open is a potential security hazard.

21
Q
Which of the following IEEE standards describes an implementation of port-based access control for wireless networks?
802.11ac
802.11n
802.1X
802.3x
A

C. IEEE 802.1X is a standard that defines a port-based Network Access Control mechanism used for authentication on wireless and other networks. IEEE 802.11ac and 802.11n are standards defining the physical and data link layer protocols for wireless networks. IEEE 802.3x is one of the standards for wired Ethernet networks.

22
Q
In a public key infrastructure (PKI), which half of a cryptographic key pair is never transmitted over the network?
The public key
The private key
The session key
The ticket granting key
A

B. In a PKI, the two halves of a cryptographic key pair are the public key and the private key. The public key is freely available to anyone, but the private key is never transmitted over the network.

23
Q
Which of the following statements about a public key infrastructure (PKI) are true? (Choose all correct answers.)
Data encrypted with the public key can only be decrypted using that public key.
Data encrypted with the private key can only be decrypted using that private key.
Data encrypted with the public key can only be decrypted using the private key.
Data encrypted with the private key can only be decrypted using the public key.
A

C and D. In a PKI, data encrypted with the private key can only be decrypted using the public key. Therefore, anyone receiving data encrypted with the private key can obtain the public key and decrypt it, confirming that the data originated with the private key holder. Because the public key is freely available, anyone can encrypt data using the public key and be sure that only the private key holder can decrypt it.

24
Q
Which of the following authentication protocols do Windows networks use for Active Directory Domain Services authentication of internal clients?
RADIUS
WPA2
Kerberos
EAP-TLS
A

C. Windows networks that use AD DS authenticate clients using the Kerberos protocol, in part because it never transmits passwords over the network, even in encrypted form. RADIUS is an authentication, authorization, and accounting service for remote users connecting to a network. Windows does not use it for internal clients. WPA2 is a security protocol used by wireless LAN networks. It is not used for AD DS authentication. EAP-TLS is a remote authentication protocol that AD DS networks do not use for internal clients.

25
Q
Which of the following are examples of multifactor authentication? (Choose all correct answers.)
A system that uses an external RADIUS server for authentication
A system that requires two passwords for authentication
A system that requires a smartcard and a PIN for authentication
A system that requires a password and a retinal scan for authentication
A

C and D. Multifactor authentication combines two or more authentication methods and reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. A password and a retinal scan is an example of a multifactor authentication system. A smartcard and a PIN, which is the equivalent of a password, is an example of multifactor authentication because it requires users to supply something they know and something they have. Multifactor authentication refers to the proofs of identity a system requires, not the number of servers used to implement the system. Therefore, the use of a RADIUS server does not make for an example of multifactor authentication. A system that requires two passwords is not an example of multifactor authentication, because an attacker can compromise one password as easily as two. A multifactor authentication system requires two different forms of authentication.

26
Q
Which of the following statements best describes asymmetric key encryption?
A cryptographic security mechanism that uses the same key for both encryption and decryption
A cryptographic security mechanism that uses public and private keys to encrypt and decrypt data
A cryptographic security mechanism that uses two separate sets of public and private keys to encrypt and decrypt data
A cryptographic security mechanism that uses separate private keys to encrypt and decrypt data
A

B. Asymmetric key encryption uses public and private keys. Data encrypted with the public key can only be decrypted using the private key. The reverse is also true. Symmetric key encryption uses only one key both to encrypt and decrypt data. Security mechanisms that use multiple key sets are not defined as symmetric.

27
Q
Which of the following protocols can you use to authenticate Windows remote access users with smartcards?
EAP
MS-CHAPv2
CHAP
PAP
A

A. The Extensible Authentication Protocol (EAP) is the only Windows remote authentication protocol that supports the use of authentication methods other than passwords, such as smartcards. MS-CHAPv2 is a strong remote access authentication protocol, but it supports password authentication only. Users cannot use smartcards. The Challenge Handshake Authentication Protocol (CHAP) is a relatively weak authentication protocol that does not support the use of smartcards. The Password Authentication Protocol (PAP) supports only clear text passwords, not smartcards.

28
Q
Which of the following statements best defines multifactor user authentication?
Verification of a user’s identity on all of a network’s resources using a single sign-on
Verification of a user’s identity using two or more types of credentials
Verification of a user’s identity on two devices at once
Verification of a user’s membership in two or more security groups
A

B. Multifactor authentication combines two or more authentication methods, requiring a user to supply multiple credentials. This reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. The term multifactor does not refer to the number of resources, devices, or groups with which the user is associated.

29
Q
How many keys does a system that employs asymmetric encryption use?
None. Asymmetric encryption doesn’t require keys.
One. Asymmetric encryption uses one key for both encryption and decryption.
Two. Asymmetric encryption uses one key for encryption and another key for decryption.
Three. Asymmetric encryption requires a separate authentication server, and each system has its own key.
A

C. Asymmetric encryption uses two separate keys, one for encryption and one for decryption. In a public key infrastructure (PKI), each user, computer, or service has both a public key and a private key.

30
Q
How many keys does a system that employs symmetric encryption use?
None. Symmetric encryption doesn’t require keys.
One. Symmetric encryption uses one key for both encryption and decryption.
Two. Symmetric encryption uses one key for encryption and another key for decryption.
Three. Symmetric encryption requires a separate authentication server, and each system has its own key.
A

B. Symmetric encryption uses one key, which the systems use for both encryption and decryption.

31
Q
Which of the following services are methods of tracking a user’s activities on a network? (Choose all correct answers.)
Authentication
Authorization
Accounting
Auditing
A

C and D. Accounting and auditing are both methods of tracking and recording a user’s activities on a network, such as when a user logged on and how long they remained connected. Authentication is the confirmation of a user’s identity, and authorization defines the type of access granted to authenticated users.

32
Q
When a user supplies a password to log on to a server, which of the following actions is the user performing?
Authentication
Authorization
Accounting
Auditing
A

A. Authentication is the process of confirming a user’s identity. Passwords are one of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user’s activities on a network, such as when a user logged on and how long they remained connected.

33
Q
When a user swipes a finger across a fingerprint scanner to log on to a laptop computer, which of the following actions is the user performing?
Authentication
Authorization
Accounting
Auditing
A

A. Authentication is the process of confirming a user’s identity. Fingerprints and other biometric readers are one of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user’s activities on a network, such as when a user logged on and how long they remained connected.

34
Q
Which of the following security protocols can authenticate users without transmitting their passwords over the network?
Kerberos
802.1X
TKIP
LDAP
A

A. Kerberos is a security protocol used by Active Directory that employs a system of tickets to authenticate users and other network entities without the need to transmit credentials over the network. IEEE 802.1X does authenticate by transmitting credentials. Temporal Key Integrity Protocol (TKIP) and Lightweight Directory Access Protocol (LDAP) are not authentication protocols.

35
Q
Which of the following security procedures is often tied to group membership?
Authentication
Authorization
Accounting
Auditing
A

B. Authentication is the process of confirming a user’s identity. Authorization defines the type of access granted to authenticated users. In many instances, the authorization process is based on the groups to which a user belongs. Accounting and auditing are both methods of tracking and recording a user’s activities on a network, such as when a user logged on and how long they remained connected.

36
Q
Which of the following standards is most commonly used to define the format of digital certificates?
802.1X
X.509
802.1q
X.500
A

B. X.509, published by the International Telecommunication Union’s Standardization sector (ITU-T), defines the format of digital certificates. X.500, another standard published by the ITU-T, defines functions of directory services. IEEE 802.1X is an authentication standard, and IEEE 802.1q defines the VLAN tagging format used on many network switches.

37
Q
Which of the following statements about authentication auditing are not true?
Auditing can disclose attempts to compromise passwords.
Auditing can detect authentications that occur after hours.
Auditing can identify the guess patterns used by password cracking software.
Auditing can record unsuccessful as well as successful authentications.
A

C. Auditing of authentication activities can record both successful and unsuccessful logon attempts. Large numbers of logon failures can indicate attempts to crack passwords. Auditing tracks the time of authentication attempts, sometimes enabling you to detect off-hours logons that indicate an intrusion. Auditing does not record the passwords specified during authentications, so it cannot identify patterns of unsuccessful guesses.

38
Q
Which of the following types of key is included in a digital certificate?
Public
Private
Preshared
Privileged
A

A. As part of a public key infrastructure (PKI), digital certificates are associated with a key pair, consisting of a public key and a private key. The public key is supplied with the certificate to any party authenticating the entity to which the certificate was issued. The private key is supplied to the entity with the certificate, but it is not distributed as part of the certificate. Preshared keys are not associated with certificates, and privileged keys do not exist.

39
Q
When a user swipes a smartcard through a reader to log on to a laptop computer, which of the following actions is the user performing?
Authentication
Authorization
Accounting
Auditing
A

A. Authentication is the process of confirming a user’s identity. Smartcards are one of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user’s activities on a network, such as when a user logged on and how long they remained connected.

40
Q
Combining elements like something you know, something you have, and something you are to provide access to a secured network resource is a definition of which of the following types of authentication?
Multifactor
Multisegment
Multimetric
Multifiltered
A

A. Multifactor authentication combines two or more authentication methods and reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. A password (something you know) and a retinal scan (something you are) is an example of a multifactor authentication system. A smartcard and a PIN, which is the equivalent of a password, is another example of multifactor authentication because it requires users to supply something they know and something they have. Multisegment, multimetric, and multifiltered are not applicable terms in this context.

41
Q
How does MAC address filtering increase the security of a wireless LAN?
By preventing access points from broadcasting their presence
By allowing traffic sent to or from specific MAC addresses through the Internet firewall
By substituting registered MAC addresses for unregistered ones in network packets
By permitting only devices with specified MAC addresses to connect to an access point
A

D. MAC address filtering enables administrators to configure an access point to allow only devices with specific addresses to connect; all other traffic is rejected. Access points broadcast their presence using an SSID, not a MAC address. MAC address filtering protects wireless LANs when implemented in an access point, not a firewall. MAC address filtering does not call for the modification of addresses in network packets.

42
Q
Which of the following terms describes a system that prevents computers from logging on to a network unless they have the latest updates and antimalware software installed?
NAC
LDAP
RADIUS
TKIP-RC4
A

A. Network Access Control is a mechanism that defines standards of equipment and configuration that systems must meet before they can connect to the network. Lightweight Directory Access Protocol (LDAP) provides communication between directory service entities. RADIUS is an authentication, authorization, and accounting service for remote users connecting to a network. Temporal Key Integrity Protocol (TKIP) with the RC4 cipher is an encryption protocol used on wireless networks running the Wi-Fi Protected Access (WPA) security protocol.

43
Q
Which of the following statements best describes symmetric key encryption?
A cryptographic security mechanism that uses the same key for both encryption and decryption
A cryptographic security mechanism that uses public and private keys to encrypt and decrypt data
A cryptographic security mechanism that uses two separate sets of public and private keys to encrypt and decrypt data
A cryptographic security mechanism that uses separate private keys to encrypt and decrypt data
A

A. Symmetric key encryption uses only one key both to encrypt and decrypt data. Asymmetric key encryption uses public and private keys. Security mechanisms that use multiple key sets are not defined as symmetric.

44
Q
Which of the following is the best description of geofencing?
Something you have
Something you know
Something you do
Somewhere you are
A

D. Geofencing is the generic term for a technology that limits access to a network or other resource based on the client’s location. It is therefore best described as somewhere you are. A finger gesture would be considered something you do, a password something you know, and a smartcard something you have.

45
Q
Which of the following describes the primary difference between single sign-on and same sign-on?
Single sign-on requires the user to supply credentials only once, whereas with same sign-on, the user must supply the credentials repeatedly.
Single sign-on enables users to access different resources with one set of credentials, whereas same sign-on requires users to have multiple credential sets.
Single sign-on credentials consist of one username and one password, whereas same sign-on credentials consist of one username and multiple passwords.
Single sign-on requires multifactor authentication, such as a password and a smartcard, whereas same sign-on requires only a password for authentication.
A

A. Single Sign On uses one set of credentials and requires the user to supply them only once to gain access to multiple resources. Same Sign On also uses a single set of credentials, with one password, but the user must perform individual logons for each resource. Neither Single Sign On nor Same Sign On requires multifactor authentication.

46
Q
Which of the following is the best description of biometrics?
Something you know
Something you have
Something you are
Something you do
A

C. Biometrics is a type of authentication factor that uses a physical characteristic that uniquely identifies an individual, such as a fingerprint or a retinal pattern. Biometrics is therefore best described as something you are, as opposed to something you know, have, or do.

47
Q
Which of the following authentication factors is an example of something you have?
A fingerprint
A smartcard
A password
A finger gesture
A

B. Something you have refers to a physical possession that serves to identify a user, such as a smartcard. This type of authentication is typically used as part of a multifactor authentication procedure, because a smartcard or other physical possession can be lost or stolen. A fingerprint would be considered something you are, a password something you know, and a finger gesture something you do.

48
Q
Which of the following statements best describes the primary scenario for the use of TACACS+?
TACACS+ was designed to provide authentication, authorization, and accounting services for wireless networks.
TACACS+ was designed to provide authentication, authorization, and accounting services for the Active Directory directory service.
TACACS+ was designed to provide authentication, authorization, and accounting services for remote dial-up users.
TACACS+ was designed to provide authentication, authorization, and accounting services for network routers and switches.
A

D. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide AAA services for networks with many routers and switches, enabling administrators to access them with a single set of credentials. It was not designed to provide AAA services for wireless networks, Active Directory, or remote dial-in users.

49
Q
Which of the following is not one of the functions provided by TACACS+?
Authentication
Authorization
Administration
Accounting
A

C. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol that was designed to provide AAA services for networks with many routers and switches. AAA stands for authentication, authorization, and accounting, but not administration.

50
Q
The new door lock on your company’s datacenter door requires you to supply both a PIN and a thumbprint scan. Which of the following types of authentication factors does the lock use? (Choose all correct answers.)
Something you have
Something you know
Something you are
Something you do
A

B and C. A PIN, like a password, is something you know, and a thumbprint, or any other biometric factor, is something you are. An example of something you have would be a smartcard, and an example of something you do would be a finger gesture.

51
Q
Your new smartphone enables you to configure the lock screen with a picture of your husband, on which you draw eyes, nose, and a mouth with your finger to unlock the phone. This is an example of which of the following authentication factors?
Something you have
Something you know
Something you are
Something you do
A

D. The act of drawing on the screen with your finger is a gesture, which is an example of something you do. A PIN or a password is something you know; a thumbprint, or any other biometric factor, is something you are; and a smartcard is an example of something you have.

52
Q
Which of the following authentication factors is an example of something you do?
A fingerprint
A smartcard
A password
A finger gesture
A

D. Something you do refers to a physical action performed by a user, such as a finger gesture, which helps to confirm his or her identity. This type of authentication is often used as part of a multifactor authentication procedure because a gesture or other action can be imitated. A fingerprint would be considered something you are, a password something you know, and a smartcard something you have.

53
Q
Which of the following authentication factors is an example of something you know?
A fingerprint
A smartcard
A password
A finger gesture
A

C. Something you know refers to information you supply during the authentication process, such as a password or PIN. This is the most common type of authentication factor because it requires no extra hardware, but it is also the weakest on its own: a password can be guessed, phished, or stolen in a breach without the user ever violating a security policy, which is why it is so often paired with a second factor. A fingerprint would be considered something you are, a finger gesture something you do, and a smartcard something you have.

54
Q
Which of the following authentication factors is an example of something you are?
A fingerprint
A smartcard
A password
A finger gesture
A

A. Something you are refers to a physical characteristic that uniquely identifies an individual, such as a fingerprint or other form of biometric. This type of authentication is often used as part of a multifactor authentication procedure because a biometric element can conceivably be compromised. A finger gesture would be considered something you do, a password something you know, and a smartcard something you have.

55
Q
Which of the following is an implementation of Network Access Control (NAC)?
RADIUS
802.1X
LDAP
TACACS+
A

B. NAC is a set of policies that define security requirements that clients must meet before they are permitted to connect to a network. 802.1X is a basic implementation of NAC. RADIUS and TACACS+ are Authentication, Authorization, and Accounting (AAA) services. They are not NAC implementations themselves, although they can play a part in their deployment. Lightweight Directory Access Protocol (LDAP) provides directory service communications.

56
Q
Which of the following is the service responsible for issuing certificates to client users and computers?
DNS
AAA
CA
ACL
A

C. A certification authority (CA) is the service that receives requests for certificate enrollment from clients and issues the certificates when the requests are approved. Domain Name System (DNS); Authentication, Authorization, and Accounting (AAA) services; and access control lists (ACLs) do not issue certificates.

57
Q
Which of the following is not one of the roles involved in an 802.1X transaction?
Supplicant
Authentication server
Authorizing agent
Authenticator
A

C. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a RADIUS implementation that verifies the supplicant’s identity. There is no party to the transaction called an authorizing agent.

58
Q
Which of the following terms describes the process by which a client user or computer requests that it be issued a certificate, either manually or automatically?
Authorization
Enrollment
Authentication
Certification
A

B. Enrollment is the process by which a client submits a request for a certificate from a certification authority (CA). The enrollment process can be automated and invisible to the user, or it can be a manual request generated using an application. Authorization, authentication, and certification are not terms used for certificate requests.

59
Q

In an 802.1X transaction, what is the function of the supplicant?
The supplicant is the service that issues certificates to clients attempting to connect to the network.
The supplicant is the service that verifies the credentials of the client attempting to access the network.
The supplicant is the network device to which the client is attempting to connect.
The supplicant is the client user or computer attempting to connect to the network.

A

D. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a RADIUS implementation that verifies the supplicant’s identity. The supplicant is not involved in issuing certificates.

60
Q

In an 802.1X transaction, what is the function of the authenticator?
The authenticator is the service that issues certificates to clients attempting to connect to the network.
The authenticator is the service that verifies the credentials of the client attempting to access the network.
The authenticator is the network device to which the client is attempting to connect.
The authenticator is the client user or computer attempting to connect to the network.

A

C. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a RADIUS implementation that verifies the supplicant’s identity. The authenticator is not involved in issuing certificates.

61
Q
An 802.1X transaction involves three roles: the supplicant, the authenticator, and the authentication server. Of the three, which role typically takes the form of a RADIUS implementation?
The supplicant
The authenticator
The authentication server
None of the above
A

C. The authentication server role is typically performed by a Remote Authentication Dial-In User Service (RADIUS) server. In an 802.1X transaction, the supplicant is the client attempting to connect to the network, the authenticator is a switch or access point to which the supplicant is requesting access, and the authentication server verifies the client’s identity.
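The following is an added example, not part of the flashcard deck, that walks through the three 802.1X roles from questions 57 through 61 as a runnable simulation. Its point is the one the answers keep repeating: only the authentication server holds credentials and issues a verdict, while the authenticator (switch or access point) merely relays EAP and opens its port on Access-Accept. The inner method is EAP-MD5, whose response is MD5(Identifier || secret || challenge) as in CHAP; EAPOL and RADIUS framing are reduced to plain dictionaries, and the user database, shared password, and names are constructed for the example.

```python
"""Toy 802.1X exchange: supplicant -> authenticator -> authentication server.

Added example, not from the flashcard deck. EAPOL and RADIUS packets are
modelled as dicts; the inner EAP method is EAP-MD5 (RFC 3748 s.5.4, which
uses the CHAP arithmetic of RFC 1994). Credentials are constructed.
"""
import hashlib
import hmac
import os


def eap_md5_response(eap_id: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).digest()


class AuthenticationServer:
    """RADIUS-style server. It alone holds credentials and decides
    Access-Accept / Access-Reject. The user database is constructed."""

    def __init__(self, users: dict):
        self._users = dict(users)   # identity -> password
        self._pending = {}          # identity -> (eap_id, challenge)

    def access_request(self, identity: str, eap: dict) -> dict:
        if eap["type"] == "Response/Identity":
            if identity not in self._users:
                return {"code": "Access-Reject"}
            eap_id, challenge = 1, os.urandom(16)
            self._pending[identity] = (eap_id, challenge)
            # Access-Challenge wraps an EAP-Request/MD5-Challenge for relay.
            return {"code": "Access-Challenge",
                    "eap": {"type": "Request/MD5-Challenge",
                            "id": eap_id, "challenge": challenge}}
        if eap["type"] == "Response/MD5-Challenge" and identity in self._pending:
            eap_id, challenge = self._pending.pop(identity)
            expected = eap_md5_response(eap_id, self._users[identity], challenge)
            if hmac.compare_digest(expected, eap["response"]):
                return {"code": "Access-Accept"}
        return {"code": "Access-Reject"}


class Authenticator:
    """Switch port or access point. Holds no credentials: it relays EAP
    between the supplicant (EAPOL side) and the server (RADIUS side) and
    authorizes the port only on Access-Accept."""

    def __init__(self, server: AuthenticationServer):
        self._server = server
        self.port_authorized = False
        self.relayed = []            # EAP message types seen, for inspection

    def eapol(self, identity: str, eap: dict) -> dict:
        self.relayed.append(eap["type"])
        reply = self._server.access_request(identity, eap)
        if reply["code"] == "Access-Accept":
            self.port_authorized = True
            return {"type": "Success"}
        if reply["code"] == "Access-Reject":
            self.port_authorized = False
            return {"type": "Failure"}
        return reply["eap"]          # Access-Challenge: pass the EAP through


class Supplicant:
    """The client. The authenticator's initial EAP-Request/Identity is
    implied; the exchange here starts at the supplicant's Identity response."""

    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def connect(self, auth: Authenticator) -> bool:
        req = auth.eapol(self.identity, {"type": "Response/Identity"})
        if req["type"] != "Request/MD5-Challenge":
            return False
        resp = eap_md5_response(req["id"], self.password, req["challenge"])
        result = auth.eapol(self.identity,
                            {"type": "Response/MD5-Challenge", "response": resp})
        return result["type"] == "Success"


def run_exchange(identity: str, password: str):
    """Return (port authorized?, EAP message types the authenticator relayed)."""
    server = AuthenticationServer({"alice": "correct horse"})   # constructed
    auth = Authenticator(server)
    ok = Supplicant(identity, password).connect(auth)
    return ok and auth.port_authorized, auth.relayed


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse"))   # (True, [...])
    print(run_exchange("alice", "wrong"))           # (False, [...])
```

EAP-MD5 is used here only because it is the simplest real EAP method. It gives no mutual authentication and derives no keying material, and a captured challenge/response pair can be attacked offline with a dictionary, which is why wireless deployments use a tunneled method (PEAP, EAP-FAST) or certificate-based EAP-TLS instead, as question 81 discusses.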

62
Q

Which of the following best describes an example of a captive portal?
A switch port used to connect to other switches
A web page with which a user must interact before being granted access to a wireless network
A series of two doors through which people must pass before they can enter a secured space
A web page stating that the user’s computer has been locked and will only be unlocked after payment of a fee

A

B. A captive portal is a web page displayed to a user attempting to access a public wireless network. The user typically must supply credentials, provide payment, or accept a user agreement before access is granted. A captive portal does not refer to a switch port, a secured entryway to a room, or a type of extortionate computer attack.

63
Q
A user attempting to connect to a Wi-Fi hotspot in a coffee shop is taken to a web page that requires her to accept an End User License Agreement before access to the network is granted. Which of the following is the term for such an arrangement?
Captive portal
Ransomware
Port security
Root guard
A

A. A web page that prompts users for payment, authentication, or acceptance of a EULA is a captive portal. Ransomware is a type of attack that extorts payment. Port security and root guards are methods for protecting access to switch ports.

64
Q
Which of the following are standards that define combined authentication, authorization, and accounting (AAA) services? (Choose all correct answers.)
802.1X
RADIUS
TACACS+
LDAP
A

B and C. Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are both services that provide networks with authentication, authorization, and accounting. 802.1X provides only authentication, and Lightweight Directory Access Protocol (LDAP) provides communication between directory service entities.

65
Q
Which of the following standards was originally designed to provide authentication, authorization, and accounting services for dial-up network connections?
RADIUS
TACACS+
Kerberos
LDAP
A

A. Remote Authentication Dial-In User Service (RADIUS) was originally conceived to provide AAA services for Internet Service Providers (ISPs), which at one time ran networks with hundreds of modems providing dial-up access to subscribers. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol that was designed to provide AAA services for networks with many routers and switches but not for dial-up connections. Kerberos and Lightweight Directory Access Protocol (LDAP) are not AAA services.

66
Q
MAC filtering is an access control method used by which of the following types of hardware devices?
Wireless access point
RADIUS server
Domain controller
Smartcards
A

A. Wireless access points (WAPs) typically include the ability to maintain an access control list, which specifies the MAC addresses of devices that are permitted to connect to the wireless network. The technique is known as MAC address filtering. RADIUS servers, domain controllers, and smartcards do not typically include MAC filtering capabilities.

67
Q
Which of the following technologies utilize access control lists to limit access to network resources? (Choose all correct answers.)
NTFS
LDAP
WAP
Kerberos
A

A and C. NTFS files and folders all have access control lists (ACLs), which contain access control entries (ACEs) that specify the users and groups that can access them and the specific permissions they have been granted. Wireless access points (WAPs) have access control lists that contain the MAC addresses of the devices that are permitted to connect to the wireless network. Lightweight Directory Access Protocol (LDAP) and Kerberos are protocols that provide directory service communication and authentication, respectively. Neither one uses access control lists.

68
Q

Which of the following statements about RADIUS and TACACS+ are correct?
By default, RADIUS uses UDP, and TACACS+ uses TCP.
By default, RADIUS uses TCP, and TACACS+ uses UDP.
By default, both RADIUS and TACACS+ use TCP.
By default, both RADIUS and TACACS+ use UDP.

A

A. RADIUS uses User Datagram Protocol (UDP) port 1812 for authentication and 1813 for accounting (or the legacy ports 1645 and 1646), whereas TACACS+ uses TCP port 49.

69
Q
Which of the following standards provides authentication, authorization, and accounting services for network routers and switches?
RADIUS
TACACS+
Kerberos
LDAP
A

B. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide AAA services for networks with many routers and switches, enabling administrators to access them with a single set of credentials. Remote Authentication Dial-In User Service (RADIUS) also provides AAA services, but it was designed for remote network access rather than for administering routers and switches. Kerberos and Lightweight Directory Access Protocol (LDAP) are not AAA services.

70
Q
Which of the following terms refers to the process of determining whether a user is a member of a group that provides access to a particular network resource?
Authentication
Accounting
Authorization
Access control
A

C. Authorization is the process of determining what resources a user can access on a network. Typically, this is done by assessing the user’s group memberships. Authentication is the process of confirming a user’s identity. Accounting is the process of tracking a user’s network activity. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.

71
Q
Which of the following terms refers to the process of confirming a user’s identity by checking specific credentials?
Authentication
Accounting
Authorization
Access control
A

A. Authentication is the process of confirming a user’s identity by checking credentials, such as passwords, ID cards, or fingerprints. Authorization is the process of determining what resources a user can access on a network. Accounting is the process of tracking a user’s network activity. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.

72
Q
Which of the following terms refers to the process by which a system tracks a user’s network activity?
Authentication
Accounting
Authorization
Access control
A

B. Accounting is the process of tracking a user’s network activity, such as when the user logged on and logged off and what resources the user accessed. Authentication is the process of confirming a user’s identity by checking credentials. Authorization is the process of determining what resources a user can access on a network. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.

73
Q

Which of the following statements are true about a public key infrastructure?

(Choose all correct answers.)
Data encrypted with a user’s public key can be decrypted with the user’s public key.
Data encrypted with a user’s public key can be decrypted with the user’s private key.
Data encrypted with a user’s private key can be decrypted with the user’s private key.
Data encrypted with a user’s private key can be decrypted with the user’s public key.

A

B and D. In a public key infrastructure, data encrypted with a user’s public key can only be decrypted with the user’s private key and data encrypted with a user’s private key can only be decrypted with the user’s public key. This enables the system to provide both message encryption and nonrepudiation. If data encrypted with a user’s public key could be decrypted with that same public key, the system would provide no security at all. If data encrypted with a user’s private key could be decrypted with that same private key, the user could only send secure messages to him- or herself.
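The four statements above can be checked directly. The following is an added example, not part of the flashcard deck: textbook RSA on deliberately tiny, constructed primes (p = 61, q = 53, e = 17) with no padding, so it shows the key algebra only and is not a usable encryption scheme. Applying the public key twice, or the private key twice, does not give the message back; applying one and then the other does.

```python
"""Textbook RSA on toy parameters to check the PKI statements.

Added example, not from the flashcard deck. Primes and exponent are
constructed small values; there is no padding, so this is a demonstration
of the key algebra, not an encryption scheme to deploy.
"""
from math import gcd


def make_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return ((e, n), (d, n)); n = p*q, d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply(key, m: int) -> int:
    """Raise m to the key's exponent mod n; the same operation serves
    for 'encrypting' with either half of the pair."""
    exp, n = key
    return pow(m, exp, n)


def check_statements(m: int = 42) -> dict:
    """Evaluate statements A-D from the question for message m."""
    public, private = make_keypair()
    c_pub = apply(public, m)      # encrypted with the public key
    c_priv = apply(private, m)    # encrypted (signed) with the private key
    return {
        "A_pub_then_pub":   apply(public, c_pub) == m,
        "B_pub_then_priv":  apply(private, c_pub) == m,
        "C_priv_then_priv": apply(private, c_priv) == m,
        "D_priv_then_pub":  apply(public, c_priv) == m,
    }


if __name__ == "__main__":
    for name, holds in check_statements().items():
        print(name, holds)        # only B and D print True
```

Real deployments never exponentiate raw messages like this: encryption uses a padding scheme such as OAEP, and signatures (the nonrepudiation case in statement D) are computed over a hash of the data with a scheme such as PSS, so that the same private key is never applied to attacker-chosen input.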

74
Q
Which of the following is not a factor that weakens the security of the Wired Equivalent Privacy (WEP) protocol used on early IEEE 802.11 wireless LANs?
40-bit encryption keys
24-bit initialization vectors
Static shared secrets
Open System Authentication
A

D. Open System Authentication lets any client associate without presenting the key, which, counterintuitively, is the safer choice for WEP. Shared Key Authentication uses the same secret for authentication and for encryption: the access point sends a plaintext challenge and the client returns it encrypted, so an eavesdropper who captures both obtains a plaintext/ciphertext pair, and therefore the RC4 keystream for that IV, which can be reused to forge frames or to pass the authentication challenge without knowing the key. By not using the key for authentication, you avoid that exposure. The short 40-bit keys were mandated at the time by U.S. export restrictions; later protocols use keys of at least 128 bits. The IV is a per-packet value, sent in clear and prepended to the shared secret, intended to ensure that the cipher never encrypts two packets with the same RC4 key. Because WEP's IV is only 24 bits long, IVs repeat quickly on a busy network (with random IVs the first repeat is expected after only a few thousand packets), and each repeat gives an attacker two packets encrypted with the same keystream. Shared secrets that do not change give attackers unlimited time to collect such packets; the lack of any mechanism to rotate WEP keys automatically weakened the protocol considerably.

75
Q
Which of the following encryption ciphers was replaced by CCMP-AES when the WPA2 wireless security protocol was introduced?
EAP
WEP
TKIP
CCMP
A

C. Wi-Fi Protected Access (WPA) is a wireless security protocol that was designed to replace the increasingly vulnerable Wired Equivalent Privacy (WEP). WPA added an encryption protocol called Temporal Key Integrity Protocol (TKIP). This too became vulnerable, and WPA2 was introduced, which replaced TKIP with Counter Mode with CBC-MAC Protocol (CCMP), a protocol based on the Advanced Encryption Standard (AES).

76
Q
Which of the following wireless security protocols was substantially weakened by its initialization vector?
WPA
WEP
WPA2
PEAP
A

B. Wired Equivalent Privacy (WEP) was one of the first commercially available security protocols for wireless LANs. WEP uses a 24-bit initialization vector (IV), transmitted in clear and combined with the shared key to form the per-packet RC4 key. With so few possible values, IVs repeat on a busy network, and any two packets encrypted under the same IV share a keystream, substantially weakening the encryption. WEP was soon found to be easily penetrated and was replaced by Wi-Fi Protected Access (WPA) and then WPA2. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages.
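The IV problem from questions 74 and 76 is easy to show concretely. The following is an added example, not part of the flashcard deck: a pure-Python RC4 (the stream cipher WEP uses, and which TKIP in question 85 also uses), a WEP-style per-packet key built as IV || shared secret, a birthday-bound estimate of how soon a 24-bit IV repeats, and a demonstration that two frames sharing an IV leak the XOR of their plaintexts with no key recovery at all. The key, IV, and packet contents are constructed; WEP's CRC-32 integrity value is omitted because it does not affect the point.

```python
"""Why a 24-bit IV weakens WEP: keystream reuse.

Added example, not from the flashcard deck. RC4 is implemented from the
KSA/PRGA definition; the WEP framing is simplified (no CRC-32 ICV).
All keys and packets are constructed.
"""
import math
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling (KSA), then PRGA keystream XORed onto data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in clear, then RC4(IV || secret, plaintext)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + secret, plaintext)


def expected_packets_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * N) random draws before a repeat
    among N possible IVs. For 24 bits that is roughly 5,100 packets."""
    return math.sqrt(math.pi / 2 * (1 << iv_bits))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def leak_from_iv_reuse(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """If two frames carry the same IV, the RC4 keystream cancels when the
    ciphertexts are XORed, leaving plaintext1 XOR plaintext2."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def demo():
    """Encrypt two constructed packets under one IV and recover the second
    from the first. Returns (leak matches P1^P2, recovered P2)."""
    secret = b"\x0b\xad\xc0\xff\xee"        # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"                     # constructed IV, reused below
    p1 = b"GET /index.html "
    p2 = b"POST /login.php "
    f1 = wep_encrypt(secret, iv, p1)
    f2 = wep_encrypt(secret, iv, p2)
    leaked = leak_from_iv_reuse(f1, f2)
    recovered = xor_bytes(leaked, p1)        # known (or guessed) P1 gives P2
    return leaked == xor_bytes(p1, p2), recovered


if __name__ == "__main__":
    print(f"expected packets before an IV repeat: "
          f"{expected_packets_until_iv_repeat():.0f}")
    print(demo())
```

This is why TKIP, although it kept RC4, added per-packet key mixing and a 48-bit sequence counter, and why CCMP in WPA2 abandoned RC4 altogether.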

77
Q
Unauthorized users are connecting to your wireless access point and gaining access to the network. Which of the following is a step you can take to prevent this from happening?
Disable SSID broadcasting
Use Kerberos for authentication
Place the access point in a DMZ
Implement MAC address filtering
A

A and D. Disabling SSID broadcasting prevents a wireless network from appearing in clients' network lists; clients must specify the SSID to which they want to connect. MAC address filtering is a form of access control list (ACL) maintained in the access point that contains the addresses of devices permitted to access the network. Both mechanisms make it more difficult for unauthorized devices to connect, but neither is a strong control: a hidden SSID still appears in probe and association frames, and a MAC address can be cloned from observed traffic, so they complement rather than replace WPA2 authentication. Kerberos is an authentication protocol used by Active Directory, and relocating the access point to a DMZ will not resolve the problem.

78
Q
Which of the following wireless security protocols uses TKIP for encryption?
WEP
WPA
WPA2
AES
A

B. Wi-Fi Protected Access (WPA) is a wireless security protocol that was designed to replace the increasingly vulnerable Wired Equivalent Privacy (WEP). WPA added an encryption protocol called Temporal Key Integrity Protocol (TKIP). This too became vulnerable, and WPA2 was introduced, which replaced TKIP with Counter Mode with CBC-MAC Protocol (CCMP), a protocol based on the Advanced Encryption Standard (AES).

79
Q
Which of the following standards defines a framework for the authentication process but does not specify the actual authentication mechanism?
WPA
EAP
TKIP
TLS
A

B. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. EAP is used on wireless networks and point-to-point connections and supports dozens of different authentication methods. Wi-Fi Protected Access (WPA) is a wireless security standard. Temporal Key Integrity Protocol (TKIP) is an encryption protocol. Transport Layer Security (TLS) is an encryption protocol used for Internet communications.

80
Q
EAP and 802.1X are components that help to provide which of the following areas of wireless network security?
Authentication
Authorization
Encryption
Accounting
A

A. Extensible Authentication Protocol (EAP) and 802.1X are both components of an authentication mechanism used on many wireless networks. EAP and 802.1X do not themselves provide authorization, encryption, or accounting services.

81
Q
Which of the following Extensible Authentication Protocol (EAP) variants utilize tunneling to provide security for the authentication process? (Choose all correct answers.)
PEAP
EAP-FAST
EAP-TLS
EAP-PSK
A

A and B. Protected Extensible Authentication Protocol (PEAP) encapsulates EAP inside a Transport Layer Security (TLS) tunnel. Flexible Authentication via Secure Tunneling (EAP-FAST) also establishes a TLS tunnel to protect user credential transmissions. EAP-TLS performs a TLS handshake with certificates on both sides for mutual authentication, but it does not tunnel an inner authentication method. EAP-PSK authenticates with a preshared key and does not establish a TLS tunnel.

82
Q
Which of the following wireless network security protocols provides open and shared key authentication options?
WPA
WEP
WPA2
EAP
A

B. Wired Equivalent Privacy (WEP), which was one of the first commercially successful security protocols for wireless LANs, enabled administrators to choose between open and shared key authentication. The open option let clients associate without proving they had the key (although they could not exchange readable data without it). The shared option required the correct key to authenticate, but its challenge/response exchange exposed keystream to eavesdroppers. The correct option is not to use WEP at all, as it was easily penetrated and subsequently replaced by Wi-Fi Protected Access (WPA) and then WPA2. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. None of the other three provides a choice between open and shared key options.

83
Q
Which of the following wireless LAN security protocols was rendered obsolete after it was found to be extremely easy to penetrate?
WEP
WPA
WPA2
EAP
A

A. Wired Equivalent Privacy (WEP) was one of the first commercially available security protocols for wireless LANs, but it was soon found to be easily penetrated and was replaced by Wi-Fi Protected Access (WPA) and then WPA2. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages.

84
Q
Which of the following protocols does the Wi-Fi Protected Access (WPA) security protocol use for encryption?
AES
TKIP
MD5
SHA
A

B. WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption. It does not use Advanced Encryption Standard (AES), which eventually replaced TKIP in WPA2. Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) are cryptographic hash functions, not encryption ciphers, and are not used for wireless network encryption.

85
Q
Which of the following stream ciphers does the Temporal Key Integrity Protocol (TKIP) use for encryption on a wireless network?
RC4
AES
CCMP
SHA
A

A. TKIP uses the RC4 stream cipher for its encryption. Advanced Encryption Standard (AES) is used with CCMP on version 2 of the Wi-Fi Protected Access (WPA2) security protocol, not version 1 (WPA), which uses TKIP. Secure Hash Algorithm (SHA) is a cryptographic hash function, not an encryption cipher, and is not used for wireless network encryption.